flant / cert-manager-webhook-regru

The webhook and the ClusterIssuer resource for automatic provisioning of reg.ru SSL certificates in Kubernetes
Apache License 2.0

Webhook fails: couldn't find resource FlowSchema, couldn't find PriorityLevelConfiguration #6

Closed dm2029 closed 1 year ago

dm2029 commented 2 years ago

Webhook fails during certificate request with the following error message:

pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: the server could not find the requested resource
pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: the server could not find the requested resource
pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: the server could not find the requested resource
pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: the server could not find the requested resource

Are we missing some APIs / dependencies in our k8s setup (or maybe even our k8s version is not supported)? Couldn't find any requirements in the docs.

We use:

wildGecko commented 1 year ago

Hello! This is not a bug or a problem. There are no restrictions on k8s. We have the same logs, but the certificates are issued correctly. See

the server could not find the requested resource

this means that there are no necessary APIs or resources in the cluster. This can be checked with the following commands:

  1. kubectl api-resources
  2. kubectl api-versions

If you do not have certificates issued, could you provide logs from the pod with a hook and the logs of the cert-manager at the time of creating the certificate resource?

c0rnoTa commented 1 year ago

I have a lot of error messages like this

Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0119 20:39:57.047230       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope

Seems like we need an additional ClusterRoleBinding to list resources in the flowcontrol.apiserver.k8s.io API group. I have not researched whether it is safe or not.

It could be another issue.
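
The two comments above quote two different failures: an API version the cluster does not serve, and an RBAC denial for the webhook's service account. The following is an added example, not part of the original thread or the project's code, that tells them apart in reflector log lines and pairs each with the kubectl command that confirms it. The function names and the `SAMPLE` list are assumptions made for the example.

```python
import re

# Reflector message shape seen in the thread: "failed to list *<version>.<Kind>: <reason>"
LINE_RE = re.compile(r"[Ff]ailed to list \*(?P<ver>\w+)\.(?P<kind>\w+): (?P<reason>.+)$")
# RBAC denial wording from the API server, as quoted in the thread
RBAC_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<res>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
)
NOT_SERVED = "the server could not find the requested resource"


def classify(line):
    """Describe one reflector error line, or return None for unrelated lines."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    out = {"version": m["ver"], "kind": m["kind"], "cause": "other", "check": None}
    rbac = RBAC_RE.search(m["reason"])
    if rbac:
        # The API is served, but the calling service account lacks the verb.
        res = rbac["res"] + ("." + rbac["group"] if rbac["group"] else "")
        out["cause"] = "rbac-forbidden"
        out["check"] = f"kubectl auth can-i {rbac['verb']} {res} --as={rbac['user']}"
    elif NOT_SERVED in m["reason"]:
        # The cluster does not serve this group/version at all.
        out["cause"] = "api-version-not-served"
        out["check"] = "kubectl api-versions"
    return out


def summarize(lines):
    """Collapse repeated log lines into unique (cause, version, kind, check) tuples."""
    found = {tuple(c[k] for k in ("cause", "version", "kind", "check"))
             for c in map(classify, lines) if c}
    return sorted(found)


# Sample input: messages from the thread (path prefix shortened) plus one constructed line.
SAMPLE = [
    "reflector.go:167: failed to list *v1beta2.FlowSchema: the server could not find the requested resource",
    "reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: the server could not find the requested resource",
    'failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope',
    "I0119 20:40:00.000000       1 serving.go:1] constructed unrelated line",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Running the suggested `kubectl auth can-i ... --as=...` check requires that your own account is allowed to impersonate the service account.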

dm2029 commented 1 year ago

Sorry for the delay. We finally managed to get it working. We had an error in configuration on our side.

We still have the same logs, but the certificate was issued successfully and the webhook worked.

So, I guess it's fine to close this issue. Thanks!