Hey Alex, thanks for the great article. Quick question: if you let the API server sign your TLS certificate, why do you need to load the apiserver's CA into the mutatingwebhook? Shouldn't the apiserver trust the certificate signed by itself automatically?

Hi Robert, I'm not sure where you're seeing that? It is however loading the signed Cert and the Key, here:

Hi Alex, thanks for the reply. What I meant is that in your ssl.sh script you create the TLS CSR, upload it into the apiserver, and you sign it (basically with the CA of the apiserver):

```sh
kubectl certificate approve ${CSR_NAME}
```

then you get the CA from the apiserver and put it into the `mutatingwebhookconfiguration` resource:

```
caBundle (we will get this from the k8s cluster itself)
```

So basically you sign the certificate with the apiserver's CA and you load the CA into the apiserver with the `caBundle` field. Shouldn't the apiserver already trust its own CA?

Ooohhhh - you're right! Shouldn't be needed if you sign it with the K8S cluster's CA, it's only needed when you use your own CA.

For reference: godoc.org/k8s.io/api/admissionregi...

```go
// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
// If unspecified, system trust roots on the apiserver are used.
// +optional
CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,2,opt,name=caBundle"`
```

I tried without caBundle, but it doesn't work, it is complaining about unknown certificate. I thought maybe you know why ....

Hmm.. potentially something to do with the api server "client" portion not trusting its own (k8s) CA - just like `curl`, I'm pretty sure it'll use whatever system CAs are installed by default (ca-certs package?); I've not further looked into this so cannot really help too much, but I'd check if the API server's own CAs are actually configured to be trusted when the api server is "the client".

Sorry if I cannot be of more help, but short of knowing what your setup is and how things are configured, I don't think I can help much more here.
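The behaviour discussed in this thread, as an added example (not code from the article, the commenters or Kubernetes itself): the apiserver, acting as a TLS client, validates the webhook's serving certificate against `caBundle` when it is set and against the system trust roots only when it is unset, so a certificate signed by the cluster CA is rejected as an unknown certificate until that CA is placed in `caBundle`. The CA, the serving certificate and the hostname `webhook.default.svc` are constructed for the demo and stand in for a real cluster.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // demo helper: fail loudly

// buildChain constructs a stand-in cluster CA and a webhook serving cert signed by it (constructed data, not a real cluster).
func buildChain() (caBundlePEM []byte, leaf *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the webhook's key pair; only the public half is needed here
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-k8s-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey))
	ca := must(x509.ParseCertificate(caDER))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "webhook.default.svc"},
		DNSNames: []string{"webhook.default.svc"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey))))
	// caBundle is PEM (the manifest carries it base64-encoded), the same form the cluster CA has in a kubeconfig.
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf
}

// verifyLikeAPIServer checks the serving cert as the apiserver does when calling the webhook: against caBundle when set, otherwise against system trust roots only.
func verifyLikeAPIServer(leaf *x509.Certificate, caBundle []byte, host string) error {
	var roots *x509.CertPool // nil makes crypto/x509 fall back to the system roots
	if len(caBundle) > 0 {
		if roots = x509.NewCertPool(); !roots.AppendCertsFromPEM(caBundle) {
			return fmt.Errorf("caBundle holds no parseable PEM certificate")
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	caPEM, leaf := buildChain()
	fmt.Println("caBundle unset (system roots):", verifyLikeAPIServer(leaf, nil, "webhook.default.svc"))
	fmt.Println("caBundle = cluster CA:        ", verifyLikeAPIServer(leaf, caPEM, "webhook.default.svc"))
}
```

The first line prints an unknown-authority error, the second prints `<nil>`; the same split is what the thread observed when `caBundle` was left out.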