// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
// If unspecified, system trust roots on the apiserver are used.
// +optional
CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,2,opt,name=caBundle"`
Ooohhhh - you're right! Shouldn't be needed if you sign it with the K8S cluster's CA, it's only needed when you use your own CA.
For reference: godoc.org/k8s.io/api/admissionregi...
I tried without caBundle, but it doesn't work, it is complaining about unknown certificate. I thought maybe you know why ....
Hmm.. potentially something to do with the api server "client" portion not trusting its own (k8s) CA - just like curl, I'm pretty sure it'll use whatever system CAs are installed by default (ca-certs package?);
I've not looked into this further so cannot really help too much, but I'd check if the API server's own CAs are actually configured to be trusted when the api server is "the client".
Sorry if I cannot be of more help, but short of knowing what your setup is and how things are configured, I don't think I can help much more here.
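The trust rule from the `caBundle` doc comment, as an added Go example (not code from this thread or from Kubernetes): the same serving certificate is verified once against default roots that lack its signing CA and once against a `caBundle` that contains it. The names `newCert`, `verifyWebhook` and `demo`, the host name `hook.default.svc`, and the empty pool standing in for the host trust store are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a constructed fixture cert (errors ignored); nil parent = self-signed CA.
func newCert(cn string, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk, t.IsCA, t.BasicConstraintsValid, t.KeyUsage = t, key, true, true, x509.KeyUsageCertSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyWebhook: a non-empty caBundle is the only trust anchor, else hostRoots (assumed
// stand-in for the apiserver's system trust roots) is used, as the doc comment describes.
func verifyWebhook(leaf *x509.Certificate, host string, caBundle []byte, hostRoots *x509.CertPool) error {
	roots := hostRoots
	if len(caBundle) > 0 {
		if roots = x509.NewCertPool(); !roots.AppendCertsFromPEM(caBundle) {
			return fmt.Errorf("caBundle holds no parsable PEM certificate")
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// demo checks one leaf with caBundle unset, then set; the empty pool is a constructed host store lacking the CA.
func demo() (without, with error) {
	ca, caKey := newCert("constructed-ca", nil, nil)
	leaf, _ := newCert("hook.default.svc", ca, caKey)
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	return verifyWebhook(leaf, "hook.default.svc", nil, x509.NewCertPool()),
		verifyWebhook(leaf, "hook.default.svc", bundle, x509.NewCertPool())
}

func main() { fmt.Println(demo()) }
```

The first result is an `x509.UnknownAuthorityError` and the second is `nil`; whether a real cluster CA is present in the apiserver host's trust store depends on how that host was provisioned.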