This message was deleted.
# rke2a
adamant-kite-43734
05/23/2023, 8:27 AMThis message was deleted.
c
creamy-pencil-82913
05/23/2023, 8:29 AMTo what end?
a
abundant-noon-17295
05/23/2023, 8:34 AMtrying to build webhook authentication
abundant-noon-17295
05/23/2023, 8:34 AMapi-server talks to a ldap-auth service inside cluster
abundant-noon-17295
05/23/2023, 8:36 AMjust wondering why dnsPolicy is not set to
ClusterFirstWithHostNetc
creamy-pencil-82913
05/24/2023, 3:31 PMYou're supposed to specify the service info in the webhook clientConfig, instead of using the url. I linked you to the docs in the GH issue you opened.
a
abundant-noon-17295
05/24/2023, 3:33 PMclientconfig is for admission webhook, but for webhook authentication from official doc, the config is different
c
creamy-pencil-82913
05/24/2023, 3:37 PMHmm, interesting that is true.
creamy-pencil-82913
05/24/2023, 3:38 PMWe don't want it to use cluster DNS because then it is dependent on something else within the cluster; the apiserver should be standalone. I'm not sure what the suggested pattern is for auth webhooks deployed within the cluster. I suspect that these are usually used to auth to services outside the cluster, such as a cloud provider.
a
abundant-noon-17295
05/24/2023, 4:00 PMit’s common to auth against ldap for corp AD
abundant-noon-17295
05/24/2023, 4:01 PMi understand your point, to avoid circular dependency
abundant-noon-17295
05/24/2023, 4:04 PMfor now i just use external dns for the auth proxy inside the cluster, but it’s a waste routing
5 Views