Reputation: 1093
Can k8s webhook self-sign pan-domain certificate
k8s webhook requires tls verification, the official document says that the server certificate requires <svc_name>.<svc_namespace>.svc.
But when I deploy with helm, I may not know which namespace will be deployed in. The svc_name generally does not change, so is there some way to match any namespace. such as <svc_name>.<any_namespace>.svc.
Is there a method implementation that works for arbitrary namespaces?
I really appreciate any help with this
k8s version is 1.18
Attach a sample of my self-signed certificate
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
CN = webhook.kube-system.svc
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = webhook.kube-system.svc
Upvotes: 0
Views: 388
Answers (1)
Reputation: 3224
Posted community wiki answer for better visibility. Feel free to expand it.
EDIT: The workaround presented by the original poster (@moluzhui):
At present, I provide ValidatingWebhookConfiguration in
chart/templatein advance and write it through.Files.Get
As stated in the official documentation:
Note: When using
clientConfig.service, the server cert must be valid for<svc_name>.<svc_namespace>.svc.
The namespace name is required - this is how DNS in Kubernetes works - by using service and namespace name.
However, there is a good article which presents best practices of managing TLS certificates for Kubernetes Admission Webhooks - 5 Ways of Managing TLS Certificates for your Kubernetes Admission Webhooks. Maybe some of them will be useful to you and will be solution for your issue:
- for helm - use Certificator project and Helm Hooks - it automatically patches
caBundlefield - setup init container to create a certificate and provide CA bundle to the API server
- generate certificate with cert-manager CA Injector and inject them to WebhookConfiguration
You can also set up URL with a location of the webhook, where you don't have to use caBundle:
Expects the TLS certificate to be verified using system trust roots, so does not specify a caBundle.
Answering your comment:
Well, then I can only use multiple DNS(1,2,3...) to preset the name space that may be deployed. Does this affect efficiency?
Probably depends how many namespaces you want to deploy, but for sure it is not good practice.
Another solution from the comment (thanks to @JWhy user):
You may create another service at a predictable location (i.e. in a specific namespace) and link that to your actual service in the less predictable namespace. See stackoverflow.com/a/44329470/763875
Upvotes: 1
Related Questions
- In k8s, how to automatically add a root certificate of a self-signed certificate between pods?
- webhook: tls: failed to find "CERTIFICATE" PEM block in certificate input after skipping PEM blocks of the following types: [CERTIFICATE REQUEST]
- kubernetes traffic with own certificates
- How to create a "CertificateSigningRequest" with apiVersion "certificates.k8s.io/v1" for a webhook
- Trusting self signed certificate inside pod
- failed calling webhook "v1.vseldondeployment.kb.io". x509: certificate signed by unknown authority
- failed calling webhook inferenceservice.kfserving-webhook-server.defaulter , x509 certificate error in kubeflow
- Does k8s support https liveness and readness probe
- Mutating Webhook does not invoke endpoint because certificate signed by unknown authority
- Cert-manager fails on kubernetes with webhooks