Comments (14)

longwuyuan avatar longwuyuan commented on June 4, 2024

/triage accepted
/priority important-soon

@ViliusS thanks for reporting this. I will check and then maybe others will comment too
/assign

from ingress-nginx.

longwuyuan avatar longwuyuan commented on June 4, 2024
  • Can you post your k get networkpolicies.networking.k8s.io -A
  • Need to dig if there is reason for the change

longwuyuan avatar longwuyuan commented on June 4, 2024

@strongjz @Gacko as the reporting user mentions, that PR did clearly disable netpol in values, among other changes to netpol. I am looking for reasons but wondering if you already are well aware and can comment on why we made that change.

longwuyuan avatar longwuyuan commented on June 4, 2024

@ViliusS what do you mean admission webhook cannot handle changes?

I am using v1.10.0 and I added and changed ingresses and so I am assuming admission webhook checked the changes and allowed them as my changes were valid

longwuyuan avatar longwuyuan commented on June 4, 2024

Does your issue's description mean this webhook is there but not doing any checks on my ingress resource changes?

% k get validatingwebhookconfigurations.admissionregistration.k8s.io ingress-nginx-admission
NAME                      WEBHOOKS   AGE
ingress-nginx-admission   1          9d

Gacko avatar Gacko commented on June 4, 2024

Before that PR there was a network policy basically allowing any ingress to the controller:

https://github.com/kubernetes/ingress-nginx/pull/10438/files#diff-543601d03ba70d2aa24aaa79c836e65577302c37eaebaa24decd42125426c5cb

This network policy was controlled by the admission webhook configuration, so without admission webhooks, the controller would not have a network policy at all, not even for the other ports.

Additionally, all the other network policies were already disabled by default. So the network policy we are talking about probably was rendered by mistake, and if your setup was relying on network policies, it would not have been enough to make Ingress NGINX run.

See the original PR for further reasoning: #10238

To sum it up: The PR just aligned when network policies are being rendered (not at all by default) and put responsibilities where they belong (the controller has its own network policy; other components like admission webhooks just add or remove the respective ports from it instead of mistakenly allowing all ingress).

longwuyuan avatar longwuyuan commented on June 4, 2024

ok, what I discovered from the PR is that netpol needs to be explicitly enabled in the helm chart, so that means while generating the static yaml manifests, we are not enabling netpol

Gacko avatar Gacko commented on June 4, 2024

Yes, the static files were never meant for setups relying on network policies. Even if the static files would allow access to the webhook port, they would still miss policies for...

... egress from the controller pod to any
... egress from the admission webhook patch job to the API server
... probably some other access

longwuyuan avatar longwuyuan commented on June 4, 2024

ok, @Gacko's comment explains much of it now

@ViliusS please do elaborate what you mean by "This makes admission webhooks unable to handle ingress changes." From @Gacko's comment, the layman takeaway seems like the netpol in place earlier was cosmetic of sorts, so that PR changed it to optional via the helm chart values file, and static manifests are now created without that cosmetic netpol.

longwuyuan avatar longwuyuan commented on June 4, 2024

/remove-kind bug
/remove-priority important-soon
/kind support

Gacko avatar Gacko commented on June 4, 2024

/assign

ViliusS avatar ViliusS commented on June 4, 2024

I just tried a bare install of NGINX Controller 1.10.0 on a clean Kubernetes cluster and it works. Then tried on my production cluster and it works there too now. Sorry for the noise, no idea why it didn't work repeatedly before. Maybe that's because I have completely cleaned the admission Kubernetes Jobs before reinstalling controller this time.

Just for completeness of this ticket, by "This makes admission webhooks unable to handle ingress changes" I meant that the admission webhook was there and it detected the ingress changes (be it a new URL rule, or a completely new ingress), but it failed the validation with an error (sorry, I don't have the exact error anymore). Since the validation failed, the changes didn't propagate to the controller.
The only way to fix this under the 1.9.x series was to either change the webhook validation policy to failurePolicy: Ignore or allow ingress/egress in the NetworkPolicy for the admission hook.
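
The failure mode described in this thread (a NetworkPolicy that isolates the controller pod without opening the webhook port, so the API server's validation call is dropped and ingress changes fail) can be checked offline against the policy objects before they are applied. The following Python is an added example, not code from the issue or from the ingress-nginx chart; the controller labels, the 8443 webhook port and the three policy objects are constructed assumptions, and the check evaluates pod selection and ports only, not the `from` peers.

```python
"""Offline check of NetworkPolicy ingress semantics for the ingress-nginx
controller pod. Constructed example, not code from the issue or the chart."""

# Assumptions: chart-style controller labels and the 8443 webhook listener.
CONTROLLER_LABELS = {"app.kubernetes.io/name": "ingress-nginx",
                     "app.kubernetes.io/component": "controller"}
WEBHOOK_PORT = 8443

def selects(selector, labels):
    """podSelector semantics: {} matches every pod, else all matchLabels must match."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(policies, pod_labels, port, protocol="TCP"):
    """Return (allowed, reason). A pod selected by no policy is non-isolated and
    accepts everything; once a policy selects it, only ports listed in some
    ingress rule (or rules with no 'ports' key) stay open. 'from' peers ignored."""
    selecting = [p for p in policies
                 if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and selects(p["spec"].get("podSelector", {}), pod_labels)]
    if not selecting:
        return True, "not isolated: no NetworkPolicy selects the pod"
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            if "ports" not in rule:  # a rule without ports opens every port
                return True, f"{p['metadata']['name']}: rule allows all ports"
            for entry in rule["ports"]:
                if (entry.get("protocol", "TCP"), entry.get("port")) == (protocol, port):
                    return True, f"{p['metadata']['name']}: {port}/{protocol} listed"
    names = ", ".join(p["metadata"]["name"] for p in selecting)
    return False, f"isolated by [{names}] and {port}/{protocol} not opened"

def policy(name, ingress_rules):
    """Minimal NetworkPolicy selecting the controller pod (constructed data)."""
    return {"metadata": {"name": name},
            "spec": {"podSelector": {"matchLabels": CONTROLLER_LABELS},
                     "policyTypes": ["Ingress"], "ingress": ingress_rules}}

# Constructed policies for the three states discussed in the thread.
ALLOW_ALL = policy("admission-allow-all", [{}])  # pre-#10438: any ingress allowed
HTTP_ONLY = policy("controller", [{"ports": [{"port": 80}, {"port": 443}]}])
WITH_WEBHOOK = policy("controller-webhook", [{"ports": [{"port": WEBHOOK_PORT}]}])

if __name__ == "__main__":
    for label, pols in [("no policies", []), ("allow-all", [ALLOW_ALL]),
                        ("controller 80/443", [HTTP_ONLY]),
                        ("plus webhook port", [HTTP_ONLY, WITH_WEBHOOK])]:
        ok, why = ingress_allowed(pols, CONTROLLER_LABELS, WEBHOOK_PORT)
        state = "reachable" if ok else "BLOCKED"
        print(f"{label:18} {state:9} {why}")
```

The "controller 80/443" case is the one that reproduces the symptom in the ticket: the pod is isolated, the webhook port is not listed, and validation requests from the API server never arrive.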

Gacko avatar Gacko commented on June 4, 2024

But your changes are working now?

ViliusS avatar ViliusS commented on June 4, 2024

Yes, it works now. I will close this ticket.
