apiserver uses wrong CommonName to verify service certificates for aggregated API Server when External admission controller is enabled #56385

@patrickshan

Description

Is this a BUG REPORT or FEATURE REQUEST?:

/kind bug

What happened:
After you configure a webhook admission controller (ExternalAdmissionHookConfiguration) inside your cluster pointing to a service, apiserver will try to verify your new APIService certs against that admission controller service's Common Name.
For example, a webhook admission controller is registered inside the cluster pointing to a service called "webhook" inside the kube-system namespace (the Common Name is webhook.kube-system.svc in this case). When you try to register a new APIService called v1beta1.testapiservice.k8s.io pointing to a service testapiservice inside the testns namespace after that webhook admission controller was registered, you will see an error inside the apiserver log like this:
E1127 01:22:06.230506 1 controller.go:111] loading OpenAPI spec for "v1beta1.testapiservice.k8s.io" failed with: failed to retrieve openAPI spec, http error: ResponseCode: 503, Body: Error: 'x509: certificate is valid for testapiservice, testapiservice.testns, testapiservice.testns.svc, testapiservice.testns.svc.cluster.local, not webhook.kube-system.svc'
And the aggregation layer cannot talk to the custom apiserver due to invalid certs.

What you expected to happen:
apiserver should only verify the new aggregated API Server's certs against its own service's Common Name and shouldn't verify them against the webhook admission controller service's Common Name.

How to reproduce it (as minimally and precisely as possible):

  1. register a webhook admission controller inside your cluster like the example here, using service webhook.kube-system.svc
  2. register a new aggregated API Server using service testapiservice.testns.svc
  3. the aggregation layer cannot talk to the custom apiserver, and kube-apiserver generates error logs because it couldn't find the Common Name webhook.kube-system.svc in your aggregated API Server service's cert.

Anything else we need to know?:
On the other hand, the admission controller works fine without any problem in the case described above.
We also tried deploying them in a different order: deploy the aggregated API Server first and then register the admission controller webhook. In that case, the aggregated API server works fine but the admission controller webhook won't work. From the kube-apiserver log, you can see it's trying to verify the webhook admission controller service's certs against the aggregated API Server service's Common Name.

Environment:

  • Kubernetes version (use kubectl version): 1.8.3
  • Cloud provider or hardware configuration: AWS
  • OS (e.g. from /etc/os-release): Container Linux by CoreOS 1576.2.0 (Ladybug)
  • Kernel (e.g. uname -a): 4.13.11-coreos
  • Install tools:
  • Others:

/sig api-machinery
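To make the failure in the log above concrete, here is an added example (not code from the issue or from Kubernetes) that reproduces the check a TLS client performs: a serving certificate with the four DNS SANs a Kubernetes service certificate would carry for testapiservice.testns is verified once against its own service name and once against the webhook's service name. The certificate, key and service names are constructed for the example; the point is that the expected hostname must be derived per APIService, never shared with another registration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serviceDNSName is the in-cluster name the client expects to reach for a
// given service reference; this is what must be checked per APIService.
func serviceDNSName(service, namespace string) string {
	return service + "." + namespace + ".svc"
}

// issueServiceCert builds a self-signed serving certificate carrying the
// same DNS SANs a service certificate for <service>.<namespace> would carry.
// Constructed for this example only; real clusters sign with a cluster CA.
func issueServiceCert(service, namespace string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	dnsNames := []string{
		service,
		service + "." + namespace,
		serviceDNSName(service, namespace),
		serviceDNSName(service, namespace) + ".cluster.local",
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: serviceDNSName(service, namespace)},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainstServiceName is the hostname step of TLS verification: the
// presented certificate must be valid for the name the client intended to
// reach. It returns nil on a match and an x509.HostnameError otherwise,
// whose message has exactly the "certificate is valid for ..., not ..."
// shape seen in the apiserver log.
func verifyAgainstServiceName(cert *x509.Certificate, expectedHost string) error {
	return cert.VerifyHostname(expectedHost)
}

func main() {
	cert, err := issueServiceCert("testapiservice", "testns")
	if err != nil {
		panic(err)
	}
	// Correct: the expected name comes from the APIService's own service reference.
	fmt.Println("own service name:", verifyAgainstServiceName(cert, serviceDNSName("testapiservice", "testns")))
	// Wrong: the expected name comes from a different registration (the webhook's).
	fmt.Println("webhook name:    ", verifyAgainstServiceName(cert, serviceDNSName("webhook", "kube-system")))
}
```

The second call fails with a HostnameError even though the certificate is perfectly valid for the aggregated API server, which is why the 503 in the log is a client-side naming problem rather than a bad certificate on the custom apiserver.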
