K
Q

Why does my kubernetes webook only get called on create and not on update?

3/27/2019

I have a working mutating admission hook for kubernetes. It is called when I first deploy and app using helm. But it is not called when I update using helm. It will in fact call it if I change the version number for the deployment. But if only the content changed, then it skips calling the hook.

How can I make it always call the hook for any deployment?

Here is my hook config:

    apiVersion: admissionregistration.k8s.io/v1beta1
    kind: MutatingWebhookConfiguration
    metadata:
    name: appcfg-mutator
    webhooks:
    - name: appcfg-mutator.devops.primerica.com
        clientConfig:
        service:
            name: appcfg-mutator
            namespace: appcfg-mutator
            path: "/"
        caBundle: {{ .Values.webhook.caBundle }}
        rules:
        - operations: ["*"]
            apiGroups: [""]
            apiVersions: ["v1","v1beta1","v1beta2"]
            resources: ["pod","deployments","namespaces","services"]
        failurePolicy: Fail

I log all requests as soon as they arrive and before deserializing the http rq body so I can see it's not getting called each update. Only on create, delete or when version field in yaml is changed.

-- Jerico Sandhorn
kubernetes

Similar Questions

How to install Fluentd plugins on k8s
kubectl: pod status showing up as <none> status while using custom columns
kubectl proxy can't talk to API server
Rancher container taking over host IP
How to set up rate limiting for Kubernetes admission controllers?
sandbox in ubuntu kubernetes

1 Answer

3/28/2019

Turns out I had a typo in my mutator config for "pod" instead of "pods". Plus, I was misunderstanding and expecting to see "deployments" updates since I was actually changing the "Deployment" kind yaml. Its just "pods" that I needed.

Here is the correction:

resources: ["pods","deployments","namespaces","services"]
-- Jerico Sandhorn
Source: StackOverflow