Validating Admission Webhook doesn't get called

Question

Validating Admission Webhook doesn't get called

openshiftninja opened this issue 6 years ago · 4 comments

I'm trying to test a validating admission webhook that would call the Anchore Image Scanning solution before a pod is created. I'm running this on OpenShift Origin 3.10 using MiniShift. Is there anything I need to configure to turn on the validating admission webhooks? Everything seems to be working fine except the hook not actually getting called.

Version

$ oc version
oc v3.10.0+dd10d17
kubernetes v1.10.0+b81c8f8
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://192.168.42.58:8443
openshift v3.10.0+2fddd08-32
kubernetes v1.10.0+b81c8f8

Steps To Reproduce

Following the steps for https://github.com/viglesiasce/kubernetes-anchore-image-validator, which was created for Kubernetes. I was able to install Helm (https://blog.osninja.io/deploying-anchore-engine-on-openshift/), give the tiller service account cluster admin access, give anyuid to the required service accounts, and then validate that I have the engine up as well as the validator service which answers the webhook and then calls the engine.

Installed the image validator webservice and verified it is running and answering calls
Created validating webhook yaml (attached:
validating-webook.yaml.txt)

Current Result

Not seeing the webhook get called, which should be at the /apis/admission.anchore.io/v1beta1/imagechecks URL of the analysis-anchore-policy-validator service in the anchore-engine namespace

Expected Result

No such call being made - possibly I'm just missing something that is need to enable these validating webhooks to get called

Additional Information

Diagnostics:
diagnostics.txt
anchore-engine resources:
anchore-engine.json.txt
default resources:

Answer 1 · 2018-09-05T20:44:34.000Z

@openshift/sig-master

Answer 2 · 2018-09-06T09:49:05.000Z

The admission webhook are not enabled yet. We are working on doing so for 3.11: #20744

Answer 3 · 2018-09-06T16:18:46.000Z

Ok. I don't suppose there is a way to enable them manually? Not a big deal, so I'm going to go ahead and close this.

Answer 4 · 2018-09-06T17:32:11.000Z

Ok. I don't suppose there is a way to enable them manually? Not a big deal, so I'm going to go ahead and close this.

You can, compare openshift/openshift-ansible#7983.