
abundant-noon-17295

05/23/2023, 8:27 AM
Is it possible to configure the api-server dnsPolicy? Currently it is set to ClusterFirst, and since the api-server is a static pod using hostNetwork, the dnsPolicy will fall back to the default behaviour: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/

creamy-pencil-82913

05/23/2023, 8:29 AM
To what end?

abundant-noon-17295

05/23/2023, 8:34 AM
Trying to build webhook authentication; the api-server talks to an ldap-auth service inside the cluster.
Just wondering why dnsPolicy is not set to ClusterFirstWithHostNet.

creamy-pencil-82913

05/24/2023, 3:31 PM
You're supposed to specify the service info in the webhook clientConfig, instead of using the url. I linked you to the docs in the GH issue you opened.

abundant-noon-17295

05/24/2023, 3:33 PM
clientConfig is for admission webhooks, but for webhook authentication, per the official doc, the config is different.

creamy-pencil-82913

05/24/2023, 3:37 PM
Hmm, interesting, that is true.
We don't want it to use cluster DNS because then it is dependent on something else within the cluster; the apiserver should be standalone. I'm not sure what the suggested pattern is for auth webhooks deployed within the cluster. I suspect that these are usually used to auth to services outside the cluster, such as a cloud provider.

abundant-noon-17295

05/24/2023, 4:00 PM
It's common to auth against LDAP for corp AD.
I understand your point, to avoid a circular dependency.
For now I just use external DNS for the auth proxy inside the cluster, but it's wasteful routing.