Closed ncdc closed 4 months ago
I'm not sure we need this controller running?
// NewClusterAuthenticationTrustController returns a controller that will maintain the kube-system configmap/extension-apiserver-authentication // that holds information about how to aggregated apiservers are recommended (but not required) to configure themselves.
We don't support aggregated apiservers.
Oh... but I just found this:
"proxy-client-cert-file", // Client certificate used to prove the identity of the aggregator or kube-apiserver when it must call out during a request. This includes proxying requests to a user api-server and calling out to webhook admission plugins. It is expected that this cert includes a signature from the CA in the --requestheader-client-ca-file flag. That CA is published in the 'extension-apiserver-authentication' configmap in the kube-system namespace. Components receiving calls from kube-aggregator should use that CA to perform their half of the mutual TLS verification.
So it sounds like webhooks should be checking this configmap?
@sttts
Issues go stale after 90d of inactivity.
After a furter 30 days, they will turn rotten.
Mark the issue as fresh with /remove-lifecycle stale
.
If this issue is safe to close now please do so with /close
.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten
.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close
.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen
.
Mark the issue as fresh with /remove-lifecycle rotten
.
/close
@kcp-ci-bot: Closing this issue.
Seeing this happen multiple times (and then periodically) in a topology with the front-proxy (
sharded-test-server
):Do not see this without the proxy (
test-server
)