dowjones / k8s-webhook

Companion code for a DJ Tech blog post https://medium.com/dowjones/how-did-that-sidecar-get-there-4dcd73f1a0a4

Error in apiserver: 'certificate signed by unknown authority'. #1

Open amiraroshan opened 5 years ago

amiraroshan commented 5 years ago

I followed the instructions (copied & pasted rootCA.crt in hook.yaml). After creating the test deployment, the POD test is not created. The error in the apiserver pod’s log indicates an invalid certificate (certificate signed by unknown authority). As a result K8s apiserver fails to create the POD ‘test’ (expected failurePolicy: Fail).

kubectl logs -n kube-system kube-apiserver-localhost.localdomain -f

… dispatcher.go:72] Failed calling webhook, failing closed webhook-service.default.svc: failed calling admission webhook “webhook-service.default.svc”: Post https://webhook-service.default.svc:443/mutate?timeout=30s: x509: certificate signed by unknown authority

scott2449 commented 4 years ago

Did you notice this bit of the post:

make sure to cut and paste that into the caBundle field of hook.yaml

This is referring to moving the generated output from the docker file to the Kubernetes resource yamls before applying them (or you can reapply).
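The mismatch discussed in this thread can be checked before applying hook.yaml. The following is an added example, not part of the thread or the repository: it repeats the chain check behind the apiserver's x509 error using Go's crypto/x509, with hypothetical helper names (`checkCABundle`, `issue`) and certificates constructed in the code, one CA standing for the build that signed the serving certificate and one for a different build.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkCABundle: leaf must chain to a CA in the base64 caBundle and match dnsName.
func checkCABundle(caBundle string, leaf *x509.Certificate, dnsName string) error {
	pemBytes, err := base64.StdEncoding.DecodeString(caBundle)
	if err != nil {
		return fmt.Errorf("caBundle is not base64: %w", err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return fmt.Errorf("caBundle holds no PEM certificate")
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}

// issue builds a constructed sample cert (self-signed CA when parent is nil) plus its base64(PEM) form.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, string) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, parentKey = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	ca, caKey, caBundle := issue("constructed-ca-build-1", nil, nil)
	_, _, otherBundle := issue("constructed-ca-build-2", nil, nil) // CA from another build
	leaf, _, _ := issue("webhook-service.default.svc", ca, caKey)
	fmt.Println("matching caBundle:", checkCABundle(caBundle, leaf, "webhook-service.default.svc"))
	fmt.Println("other build's CA: ", checkCABundle(otherBundle, leaf, "webhook-service.default.svc"))
}
```

The second call fails with the same "certificate signed by unknown authority" message seen in the apiserver log; pasting raw PEM instead of its base64 encoding is reported as a separate error.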