https://rancher.com/ logo
Powered by
Title
a

abundant-noon-17295

05/23/2023, 8:27 AM
is it possible to config api-server 
dnsPolicy
, currently it is set to 
ClusterFirst
and since api-server is static pod using hostnetwork, the 
dnsPolicy
will fallback to 
default
behaviour https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
c

creamy-pencil-82913

05/23/2023, 8:29 AM
To what end?
a

abundant-noon-17295

05/23/2023, 8:34 AM
trying to build webhook authentication
api-server talks to a ldap-auth service inside cluster
just wondering why dnsPolicy is not set to 
ClusterFirstWithHostNet
c

creamy-pencil-82913

05/24/2023, 3:31 PM
You're supposed to specify the service info in the webhook clientConfig, instead of using the url. I linked you to the docs in the GH issue you opened.
a

abundant-noon-17295

05/24/2023, 3:33 PM
clientconfig is for admission webhook, but for webhook authentication from official doc, the config is different
c

creamy-pencil-82913

05/24/2023, 3:37 PM
Hmm, interesting that is true.
We don't want it to use cluster DNS because then it is dependent on something else within the cluster; the apiserver should be standalone. I'm not sure what the suggested pattern is for auth webhooks deployed within the cluster. I suspect that these are usually used to auth to services outside the cluster, such as a cloud provider.
a

abundant-noon-17295

05/24/2023, 4:00 PM
it’s common to auth against ldap for corp AD
i understand your point, to avoid circular dependency
for now i just use external dns for the auth proxy inside the cluster, but it’s a waste routing
#rke2Join Slack
Powered by