cybozu-go / coil

CNI plugin for Kubernetes designed for scalability and extensibility
Apache License 2.0

Cannot create AddressPool objects due to mutating webhook? #169

Closed jondkelley closed 3 years ago

jondkelley commented 3 years ago

Describe the bug

When applying an example addresspool pool, it just shows the webhook is a 404

kubectl apply -f addresspool.yaml

Error from server (InternalError): error when creating "0101_addresspool.yaml": Internal error occurred: failed calling webhook "maddresspool.kb.io": the server could not find the requested resource

Environments

To Reproduce

Steps to reproduce the behavior:

  1. Generate with kustomize build . > coil.yaml
  2. kubectl apply -f coil.yaml
  3. Create the addresspool.yaml as seen in some documentation
apiVersion: coil.cybozu.com/v2
kind: AddressPool
metadata:
  name: default
spec:
  blockSizeBits: 0
  subnets:
  - ipv4: 192.168.0.0/22
  4. See error: Error from server (InternalError): error when creating "0101_addresspool.yaml": Internal error occurred: failed calling webhook "maddresspool.kb.io": the server could not find the requested resource

Expected behavior

A new addresspool resource should be created so I can use the addressblock resource (I think) within my egress resource so the pod can run with an external address from the pool. (Otherwise my egress SNAT pod gets a CNI error about "network: failed to allocate address")

Additional context

my coil.yaml

images:
- name: coil
  newTag: 2.0.9
  newName: ghcr.io/cybozu-go/coil

resources:
- config/default
# If you are using CKE (github.com/cybozu-go/cke) and want to use
# its webhook installation feature, comment the above line and
# uncomment the below line.
#- config/cke

# If you want to enable coil-router, uncomment the following line.
# Note that coil-router can work only for clusters where all the
# nodes are in a flat L2 network.
- config/pod/coil-router.yaml

# If your cluster has enabled PodSecurityPolicy, uncomment the
# following line.
#- config/default/pod_security_policy.yaml

patchesStrategicMerge:
# Uncomment the following if you want to run Coil with Calico network policy.
- config/pod/compat_calico.yaml

# Edit netconf.json to customize CNI configurations
configMapGenerator:
- name: coil-config
  namespace: system
  files:
  - cni_netconf=./netconf.json

# Adds namespace to all resources.
namespace: kube-system

# Labels to add to all resources and selectors.
commonLabels:
  app.kubernetes.io/name: coil
jondkelley commented 3 years ago

kubectl logs coil-router-c7rd2 -n kube-system

I0817 20:59:46.300659       1 request.go:668] Waited for 1.0455664s due to client-side throttling, not priority and fairness, request: GET:https://10.233.0.1:443/apis/discovery.k8s.io/v1beta1?timeout=32s
{"level":"info","ts":1629233987.2252128,"logger":"controller-runtime.metrics","msg":"metrics server is starting to listen","addr":":9388"}
{"level":"info","ts":1629233987.2283497,"logger":"setup","msg":"starting manager"}
{"level":"info","ts":1629233987.232593,"logger":"controller-runtime.manager.controller.addressblock","msg":"Starting EventSource","reconciler group":"coil.cybozu.com","reconciler kind":"AddressBlock","source":"kind source: /, Kind="}
{"level":"info","ts":1629233987.2332098,"logger":"controller-runtime.manager.controller.addressblock","msg":"Starting Controller","reconciler group":"coil.cybozu.com","reconciler kind":"AddressBlock"}
{"level":"info","ts":1629233987.2358675,"logger":"controller-runtime.manager","msg":"starting metrics server","path":"/metrics"}
{"level":"info","ts":1629233989.3575451,"logger":"controller-runtime.manager.controller.addressblock","msg":"Starting workers","reconciler group":"coil.cybozu.com","reconciler kind":"AddressBlock","worker count":1}

kubectl logs coil-controller-5f84d47464-4gk9l -n kube-system

I0817 20:59:46.280108       1 request.go:668] Waited for 1.044655991s due to client-side throttling, not priority and fairness, request: GET:https://10.233.0.1:443/apis/extensions/v1beta1?timeout=32s
{"level":"info","ts":1629233987.2199273,"logger":"controller-runtime.metrics","msg":"metrics server is starting to listen","addr":":9386"}
{"level":"info","ts":1629233987.2632246,"logger":"controller-runtime.builder","msg":"skip registering a mutating webhook, admission.Defaulter interface is not implemented","GVK":"coil.cybozu.com/v2, Kind=AddressPool"}
{"level":"info","ts":1629233987.2635157,"logger":"controller-runtime.builder","msg":"Registering a validating webhook","GVK":"coil.cybozu.com/v2, Kind=AddressPool","path":"/validate-coil-cybozu-com-v2-addresspool"}
{"level":"info","ts":1629233987.2641158,"logger":"controller-runtime.webhook","msg":"registering webhook","path":"/validate-coil-cybozu-com-v2-addresspool"}
{"level":"info","ts":1629233987.2646642,"logger":"controller-runtime.builder","msg":"Registering a mutating webhook","GVK":"coil.cybozu.com/v2, Kind=Egress","path":"/mutate-coil-cybozu-com-v2-egress"}
{"level":"info","ts":1629233987.265002,"logger":"controller-runtime.webhook","msg":"registering webhook","path":"/mutate-coil-cybozu-com-v2-egress"}
{"level":"info","ts":1629233987.2653246,"logger":"controller-runtime.builder","msg":"Registering a validating webhook","GVK":"coil.cybozu.com/v2, Kind=Egress","path":"/validate-coil-cybozu-com-v2-egress"}
{"level":"info","ts":1629233987.2657044,"logger":"controller-runtime.webhook","msg":"registering webhook","path":"/validate-coil-cybozu-com-v2-egress"}
{"level":"info","ts":1629233987.266029,"logger":"setup","msg":"starting manager"}
{"level":"info","ts":1629233987.267568,"logger":"controller-runtime.manager","msg":"starting metrics server","path":"/metrics"}
I0817 20:59:47.267754       1 leaderelection.go:243] attempting to acquire leader lease kube-system/coil-leader...
{"level":"info","ts":1629233987.2693503,"logger":"controller-runtime.webhook.webhooks","msg":"starting webhook server"}
{"level":"info","ts":1629233987.271229,"logger":"controller-runtime.certwatcher","msg":"Updated current TLS certificate"}
{"level":"info","ts":1629233987.2719083,"logger":"controller-runtime.webhook","msg":"serving webhook server","host":"","port":9443}
{"level":"info","ts":1629233987.2722394,"logger":"controller-runtime.certwatcher","msg":"Starting certificate watcher"}
root@node1:/home/k8s# kubectl logs coil-controller-5f84d47464-thdpn -n kube-system
I0817 20:59:46.292722       1 request.go:668] Waited for 1.042046902s due to client-side throttling, not priority and fairness, request: GET:https://10.233.0.1:443/apis/node.k8s.io/v1beta1?timeout=32s
{"level":"info","ts":1629233987.222262,"logger":"controller-runtime.metrics","msg":"metrics server is starting to listen","addr":":9386"}
{"level":"info","ts":1629233987.2576647,"logger":"controller-runtime.builder","msg":"skip registering a mutating webhook, admission.Defaulter interface is not implemented","GVK":"coil.cybozu.com/v2, Kind=AddressPool"}
{"level":"info","ts":1629233987.2579515,"logger":"controller-runtime.builder","msg":"Registering a validating webhook","GVK":"coil.cybozu.com/v2, Kind=AddressPool","path":"/validate-coil-cybozu-com-v2-addresspool"}
{"level":"info","ts":1629233987.2587316,"logger":"controller-runtime.webhook","msg":"registering webhook","path":"/validate-coil-cybozu-com-v2-addresspool"}
{"level":"info","ts":1629233987.259258,"logger":"controller-runtime.builder","msg":"Registering a mutating webhook","GVK":"coil.cybozu.com/v2, Kind=Egress","path":"/mutate-coil-cybozu-com-v2-egress"}
{"level":"info","ts":1629233987.2594967,"logger":"controller-runtime.webhook","msg":"registering webhook","path":"/mutate-coil-cybozu-com-v2-egress"}
{"level":"info","ts":1629233987.259736,"logger":"controller-runtime.builder","msg":"Registering a validating webhook","GVK":"coil.cybozu.com/v2, Kind=Egress","path":"/validate-coil-cybozu-com-v2-egress"}
ymmt2005 commented 3 years ago

the server could not find the requested resource

It seems that the AddressPool CRD is not applied yet.

my coil.yaml

It is just a plain copy of v2/kustomization.yaml.

Would you check your kustomize version? We are using version 4.1.3.

jondkelley commented 3 years ago

My apologies, here's the kustomize rendered coil.yaml, I only provided my config for kustomize.

https://gist.github.com/jondkelley/635cf4815e0ef134abb6359ad0670ae6

The CRD for addresspools.coil.cybozu.com is in the cluster currently, but still has the strange webhook CRD error.

$ sudo kubectl get crd | grep cybozu
addressblocks.coil.cybozu.com                         2021-08-17T20:59:40Z
addresspools.coil.cybozu.com                          2021-08-17T20:59:40Z
blockrequests.coil.cybozu.com                         2021-08-17T20:59:40Z
egresses.coil.cybozu.com                              2021-08-17T20:59:40Z
jondkelley commented 3 years ago

I'm on kustomize/v4.2.0 as well on my side.

ymmt2005 commented 3 years ago

There are some anomalies in the rendered coil.yaml like this: https://gist.github.com/jondkelley/635cf4815e0ef134abb6359ad0670ae6#file-coil-yaml-L367-L371

Could you check the MutatingWebhookConfiguration and Service?

$ kubectl -n kube-system get svc coilv2-webhook-service -o wide
$ kubectl -n kube-system get svc coilv2-webhook-service -o yaml
$ kubectl get mutatingwebhookconfigurations coilv2-mutating-webhook-configuration -o yaml
jondkelley commented 3 years ago

Thanks for looking, let me know if I can provide additional detail around the current state.

kubectl -n kube-system get svc coilv2-webhook-service -o wide
NAME                     TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE   SELECTOR
coilv2-webhook-service   ClusterIP   10.233.52.121   <none>        443/TCP   8h    app.kubernetes.io/component=coil-controller,app.kubernetes.io/name=coil
kubectl -n kube-system get svc coilv2-webhook-service -o yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"coil"},"name":"coilv2-webhook-service","namespace":"kube-system"},"spec":{"ports":[{"port":443,"protocol":"TCP","targetPort":9443}],"selector":{"app.kubernetes.io/component":"coil-controller","app.kubernetes.io/name":"coil"}}}
  creationTimestamp: "2021-08-17T20:59:41Z"
  labels:
    app.kubernetes.io/name: coil
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:labels:
          .: {}
          f:app.kubernetes.io/name: {}
      f:spec:
        f:ports:
          .: {}
          k:{"port":443,"protocol":"TCP"}:
            .: {}
            f:port: {}
            f:protocol: {}
            f:targetPort: {}
        f:selector:
          .: {}
          f:app.kubernetes.io/component: {}
          f:app.kubernetes.io/name: {}
        f:sessionAffinity: {}
        f:type: {}
    manager: kubectl-client-side-apply
    operation: Update
    time: "2021-08-17T20:59:41Z"
  name: coilv2-webhook-service
  namespace: kube-system
  resourceVersion: "61620"
  uid: b6afdf9c-778d-4fa4-a26f-8ad135478ede
spec:
  clusterIP: 10.233.52.121
  clusterIPs:
  - 10.233.52.121
  ports:
  - port: 443
    protocol: TCP
    targetPort: 9443
  selector:
    app.kubernetes.io/component: coil-controller
    app.kubernetes.io/name: coil
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
kubectl get mutatingwebhookconfigurations coilv2-mutating-webhook-configuration -o yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"admissionregistration.k8s.io/v1","kind":"MutatingWebhookConfiguration","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"coil"},"name":"coilv2-mutating-webhook-configuration"},"webhooks":[{"admissionReviewVersions":["v1","v1beta1"],"clientConfig":{"caBundle":"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","service":{"name":"coilv2-webhook-service","namespace":"kube-system","path":"/mutate-coil-cybozu-com-v2-addresspool"}},"failurePolicy":"Fail","name":"maddresspool.kb.io","rules":[{"apiGroups":["coil.cybozu.com"],"apiVersions":["v2"],"operations":["CREATE"],"resources":["addresspools"]}],"sideEffects":"None"},{"admissionReviewVersions":["v1","v1beta1"],"clientConfig":{"caBundle":"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","service":{"name":"coilv2-webhook-service","namespace":"kube-system","path":"/mutate-coil-cybozu-com-v2-egress"}},"failurePolicy":"Fail","name":"megress.kb.io","rules":[{"apiGroups":["coil.cybozu.com"],"apiVersions":["v2"],"operations":["CREATE"],"resources":["egresses"]}],"sideEffects":"None"}]}
  creationTimestamp: "2021-08-17T20:59:42Z"
  generation: 1
  labels:
    app.kubernetes.io/name: coil
  managedFields:
  - apiVersion: admissionregistration.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:labels:
          .: {}
          f:app.kubernetes.io/name: {}
      f:webhooks:
        .: {}
        k:{"name":"maddresspool.kb.io"}:
          .: {}
          f:admissionReviewVersions: {}
          f:clientConfig:
            .: {}
            f:caBundle: {}
            f:service:
              .: {}
              f:name: {}
              f:namespace: {}
              f:path: {}
              f:port: {}
          f:failurePolicy: {}
          f:matchPolicy: {}
          f:name: {}
          f:namespaceSelector: {}
          f:objectSelector: {}
          f:reinvocationPolicy: {}
          f:rules: {}
          f:sideEffects: {}
          f:timeoutSeconds: {}
        k:{"name":"megress.kb.io"}:
          .: {}
          f:admissionReviewVersions: {}
          f:clientConfig:
            .: {}
            f:caBundle: {}
            f:service:
              .: {}
              f:name: {}
              f:namespace: {}
              f:path: {}
              f:port: {}
          f:failurePolicy: {}
          f:matchPolicy: {}
          f:name: {}
          f:namespaceSelector: {}
          f:objectSelector: {}
          f:reinvocationPolicy: {}
          f:rules: {}
          f:sideEffects: {}
          f:timeoutSeconds: {}
    manager: kubectl-client-side-apply
    operation: Update
    time: "2021-08-17T20:59:42Z"
  name: coilv2-mutating-webhook-configuration
  resourceVersion: "61643"
  uid: 2419f26c-0890-4ea4-9416-5ba0ec0643db
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    caBundle: 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
    service:
      name: coilv2-webhook-service
      namespace: kube-system
      path: /mutate-coil-cybozu-com-v2-addresspool
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: maddresspool.kb.io
  namespaceSelector: {}
  objectSelector: {}
  reinvocationPolicy: Never
  rules:
  - apiGroups:
    - coil.cybozu.com
    apiVersions:
    - v2
    operations:
    - CREATE
    resources:
    - addresspools
    scope: '*'
  sideEffects: None
  timeoutSeconds: 10
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    caBundle: 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
    service:
      name: coilv2-webhook-service
      namespace: kube-system
      path: /mutate-coil-cybozu-com-v2-egress
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: megress.kb.io
  namespaceSelector: {}
  objectSelector: {}
  reinvocationPolicy: Never
  rules:
  - apiGroups:
    - coil.cybozu.com
    apiVersions:
    - v2
    operations:
    - CREATE
    resources:
    - egresses
    scope: '*'
  sideEffects: None
  timeoutSeconds: 10
ymmt2005 commented 3 years ago

It looks perfectly normal. I have no ideas.

jondkelley commented 3 years ago

I could be on the wrong path, but I might have more info.

I ran kubectl port-forward coil-controller-5f84d47464-4gk9l 9443:9443 -n kube-system

and tried to test the endpoint https://github.com/cybozu-go/coil/blob/a68ea5cae2f0748a553ef545a9e5e3324d117374/v2/config/webhook/manifests.v1.yaml#L16

Doesn't seem to have a resource for address pool (see below), so this may be why I get failed calling webhook "maddresspool.kb.io": the server could not find the requested resource

curl https://localhost:9443/mutate-coil-cybozu-com-v2-addresspool -k
Handling connection for 9443
404 page not found

Otherwise, things like the egress CRD webhook work, but I presume it's because the webhook endpoint works in the coil-controller

curl https://localhost:9443/mutate-coil-cybozu-com-v2-egress -k
Handling connection for 9443
{"response":{"uid":"","allowed":false,"status":{"metadata":{},"message":"contentType=, expected application/json","code":400}}}
morimoto-cybozu commented 3 years ago

@jondkelley Hi. The mutating webhook of AddressPool is a recently implemented feature. It is not included in the released version of Coil. The container image you are using is 2.0.9 of ghcr.io/cybozu-go/coil. To use this image, please check out the v2.0.9 tag of the Coil repository and run kustomize build . > coil.yaml on that tag.
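
The mismatch described above (a manifest that registers a webhook path the running controller image does not serve) can be caught by comparing the webhook configuration with the paths the controller logs at startup. This is an added example, not part of the original thread or Coil's code; the function names and the trimmed sample inputs are constructed for illustration.

```python
import json

# Constructed sample: trimmed `kubectl get mutatingwebhookconfigurations ... -o json`
# output, reusing the webhook names and paths shown in this thread.
SAMPLE_CONFIG = json.dumps({
    "kind": "MutatingWebhookConfiguration",
    "webhooks": [
        {"name": "maddresspool.kb.io", "failurePolicy": "Fail",
         "clientConfig": {"service": {"name": "coilv2-webhook-service",
                                      "path": "/mutate-coil-cybozu-com-v2-addresspool"}}},
        {"name": "megress.kb.io", "failurePolicy": "Fail",
         "clientConfig": {"service": {"name": "coilv2-webhook-service",
                                      "path": "/mutate-coil-cybozu-com-v2-egress"}}},
    ],
})

# Constructed sample: coil-controller log lines shortened from the ones in this thread.
SAMPLE_LOGS = """\
I0817 20:59:46.280108       1 request.go:668] Waited for 1.044655991s due to client-side throttling
{"level":"info","logger":"controller-runtime.builder","msg":"skip registering a mutating webhook, admission.Defaulter interface is not implemented","GVK":"coil.cybozu.com/v2, Kind=AddressPool"}
{"level":"info","logger":"controller-runtime.webhook","msg":"registering webhook","path":"/validate-coil-cybozu-com-v2-addresspool"}
{"level":"info","logger":"controller-runtime.webhook","msg":"registering webhook","path":"/mutate-coil-cybozu-com-v2-egress"}
"""

def served_paths(log_text):
    """Paths the webhook server registered, taken from its JSON startup log lines."""
    paths = set()
    for line in log_text.splitlines():
        if not line.startswith("{"):
            continue  # klog-style lines (I0817 ...) are not JSON
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if (entry.get("logger") == "controller-runtime.webhook"
                and entry.get("msg") == "registering webhook"):
            paths.add(entry.get("path"))
    return paths

def configured_webhooks(config_json):
    """(name, path, failurePolicy) for each service-backed webhook; accepts one object or a List."""
    cfg = json.loads(config_json)
    found = []
    for item in cfg.get("items", [cfg]):
        for wh in item.get("webhooks", []):
            svc = wh.get("clientConfig", {}).get("service")
            if svc:
                found.append((wh["name"], svc.get("path", ""), wh.get("failurePolicy", "Fail")))
    return found

def unserved_webhooks(config_json, log_text):
    """Webhooks whose configured path never appears among the registered handlers."""
    served = served_paths(log_text)
    return [w for w in configured_webhooks(config_json) if w[1] not in served]

if __name__ == "__main__":
    for name, path, policy in unserved_webhooks(SAMPLE_CONFIG, SAMPLE_LOGS):
        print(f"{name}: no handler for {path} (failurePolicy={policy})")
```

With failurePolicy set to Fail, as in the configuration posted in this thread, every webhook this reports will reject the requests it matches.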

ymmt2005 commented 3 years ago

@morimoto-cybozu Thanks. Would you please consider releasing a new version including this?

jondkelley commented 3 years ago

Install worked on tag 2.0.9, thanks for checking!