DEV Community

Discussion on: Writing a very basic kubernetes mutating admission webhook

Robert Nemeti

Hey Alex, thanks for the great article. Quick question: if you let the API server sign your TLS certificate, why do you need to load the apiserver's CA into the mutatingwebhook? Shouldn't the apiserver trust the certificate signed by itself automatically?

Alex Leonhardt

Hi Robert, I'm not sure where you're seeing that? It is however loading the signed Cert and the Key, here:

```go
log.Fatal(s.ListenAndServeTLS("./ssl/mutateme.pem", "./ssl/mutateme.key"))
```

Robert Nemeti

Hi Alex, thanks for the reply. What I meant is that in your ssl.sh script you create the TLS CSR, upload it into the apiserver, and you sign it (basically with the CA of the apiserver):

```sh
kubectl certificate approve ${CSR_NAME}
```

then you get the CA from the apiserver and put it into the `mutatingwebhookconfiguration` resource:

  • caBundle (we will get this from the k8s cluster itself)

So basically you sign the certificate with the apiserver's CA and you load the CA into the apiserver with the `caBundle` field. Shouldn't the apiserver already trust its own CA?
Alex Leonhardt

Ooohhhh - you're right! Shouldn't be needed if you sign it with the K8S cluster's CA, it's only needed when you use your own CA.

For reference: godoc.org/k8s.io/api/admissionregi...

```go
// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
// If unspecified, system trust roots on the apiserver are used.
// +optional
CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,2,opt,name=caBundle"`
```
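The caBundle rule quoted above, shown as an added Go example (not code from the article or from either commenter): it constructs a stand-in cluster CA and a webhook serving certificate signed by it, then verifies that certificate the way the apiserver would, once with the CA supplied as the bundle and once with only the system trust roots. The CA name, the service name `mutateme.default.svc` and all function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey; a nil parent makes tmpl a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert, key
}

// ClusterCAAndWebhookCert: constructed stand-in for the cluster CA and the webhook serving cert it signed.
func ClusterCAAndWebhookCert() (ca, webhook *x509.Certificate) {
	now, day := time.Now(), 24*time.Hour
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(day),
		Subject: pkix.Name{CommonName: "example-cluster-ca"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	webhook, _ = issue(&x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.Add(day),
		DNSNames: []string{"mutateme.default.svc"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	return ca, webhook
}

// VerifyAsAPIServer applies the caBundle rule: the bundle when given, else system roots (no cluster CA there).
func VerifyAsAPIServer(webhook, caBundle *x509.Certificate, host string) error {
	opts := x509.VerifyOptions{DNSName: host}
	if caBundle != nil {
		opts.Roots = x509.NewCertPool()
		opts.Roots.AddCert(caBundle)
	}
	_, err := webhook.Verify(opts)
	return err
}
```

With the CA passed as the bundle the check succeeds; with `nil` (system roots only) it fails, and it also fails when the requested host does not match the certificate's SAN.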
Robert Nemeti

I tried without caBundle, but it doesn't work; it is complaining about an unknown certificate. I thought maybe you know why...

Alex Leonhardt

Hmm.. potentially something to do with the api server "client" portion not trusting its own (k8s) CA - just like curl, I'm pretty sure it'll use whatever system CAs are installed by default (ca-certs package?);

I've not looked further into this so cannot really help too much, but I'd check if the API server's own CAs are actually configured to be trusted when the api server is "the client".

Sorry I cannot be of more help, but short of knowing what your setup is and how things are configured, I don't think I can help much more here.