jasiekkm

Reputation: 113

x509: certificate is not valid for any names, but wanted to match admission-controller.opa-istio.svc

I'm trying to enable mTLS in STRICT mode in Istio on my cluster with OPA, but when I try to create a pod, I'm getting this error:

Error from server (InternalError): Internal error occurred: failed calling webhook "istio.openpolicyagent.org": failed to call webhook: Post "https://admission-controller.opa-istio.svc:443/v0/data/istio/inject?timeout=10s": x509: certificate is not valid for any names, but wanted to match admission-controller.opa-istio.svc

I have followed https://github.com/open-policy-agent/opa/issues/2477#issuecomment-646815932, but without progress.

Does anyone know where I should look for the root cause?

I have created a peer authentication with mode: STRICT for the istio-system namespace. I am able to create pods in other namespaces, untouched by OPA (opa-istio-injection=enabled).

Upvotes: 3

Views: 769

Answers (0)