How to install Kubernetes webhook without ClusterRole?

4/30/2020

I tried to install the webhook in a single namespace, but got this error:

2020-04-30T19:08:28.364Z    INFO    setup   Intializing operator
2020-04-30T19:08:28.373Z    ERROR   setup   unable to initialise operator   {"error": "customresourcedefinitions.apiextensions.k8s.io \"seldondeployments.machinelearning.seldon.io\" is forbidden: User \"system:serviceaccount:team-xxxx:seldon-manager\" cannot get resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io \"seldon-webhook-role-team-xxxx\" not found"}
github.com/go-logr/zapr.(*zapLogger).Error
    /go/pkg/mod/github.com/go-logr/zapr@v0.1.0/zapr.go:128
main.main
    /workspace/main.go:95
runtime.main
    /usr/local/go/src/runtime/proc.go:203

Our yaml file:

---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  annotations:
    cert-manager.io/inject-ca-from: team-xxxx/seldon-serving-cert
  creationTimestamp: null
  labels:
    app: seldon
    app.kubernetes.io/instance: seldon-core-operator
    app.kubernetes.io/name: seldon-core-operator
    app.kubernetes.io/version: 1.1.1-SNAPSHOT
  name: seldon-mutating-webhook-configuration-team-xxxx
  namespace: team-xxxx
webhooks:
- clientConfig:
    caBundle: 4HQ0
    service:
      name: seldon-webhook-service
      namespace: team-xxxx
      path: /mutate-machinelearning-seldon-io-v1-seldondeployment
  failurePolicy: Fail
  name: v1.mseldondeployment.kb.io
  namespaceSelector:
    matchExpressions:
    - key: seldon.io/controller-id
      operator: DoesNotExist
  objectSelector:
    matchExpressions:
    - key: seldon.io/controller-id
      operator: DoesNotExist
  rules:
  - apiGroups:
    - machinelearning.seldon.io
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - seldondeployments
    scope: Namespaced
- clientConfig:
    caBundle: LS0tLS1CRUdJ0K
    service:
      name: seldon-webhook-service
      namespace: team-xxxx
      path: /mutate-machinelearning-seldon-io-v1alpha2-seldondeployment
  failurePolicy: Fail
  name: v1alpha2.mseldondeployment.kb.io
  namespaceSelector:
    matchExpressions:
    - key: seldon.io/controller-id
      operator: DoesNotExist
  objectSelector:
    matchExpressions:
    - key: seldon.io/controller-id
      operator: DoesNotExist
  rules:
  - apiGroups:
    - machinelearning.seldon.io
    apiVersions:
    - v1alpha2
    operations:
    - CREATE
    - UPDATE
    resources:
    - seldondeployments
    scope: Namespaced
- clientConfig:
    caBundle: LS0tL
    service:
      name: seldon-webhook-service
      namespace: team-xxxx
      path: /mutate-machinelearning-seldon-io-v1alpha3-seldondeployment
  failurePolicy: Fail
  name: v1alpha3.mseldondeployment.kb.io
  namespaceSelector:
    matchExpressions:
    - key: seldon.io/controller-id
      operator: DoesNotExist
  objectSelector:
    matchExpressions:
    - key: seldon.io/controller-id
      operator: DoesNotExist
  rules:
  - apiGroups:
    - machinelearning.seldon.io
    apiVersions:
    - v1alpha3
    operations:
    - CREATE
    - UPDATE
    resources:
    - seldondeployments
    scope: Namespaced
...
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations: {}
  creationTimestamp: null
  labels:
    app: seldon
    app.kubernetes.io/instance: seldon-core-operator
    app.kubernetes.io/name: seldon-core-operator
    app.kubernetes.io/version: 1.1.1-SNAPSHOT
    release: webhook
  name: seldon-webhook-role-team-xxxx
  namespace: team-xxxx
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - create
  - update
- apiGroups:
  - apps
  resources:
  - deployments/finalizers
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions/finalizers
  verbs:
  - get
  - patch
  - update
...
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations: {}
  labels:
    app: seldon
    app.kubernetes.io/instance: seldon-core-operator
    app.kubernetes.io/name: seldon-core-operator
    app.kubernetes.io/version: 1.1.1-SNAPSHOT
    heritage: pmk
    release: webhook
  name: seldon-webhook-rolebinding-team-xxxx
  namespace: team-xxxx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: seldon-webhook-role-team-xxxx
subjects:
- kind: ServiceAccount
  name: seldon-manager
  namespace: team-xxxx
...
---
apiVersion: v1
kind: Service
metadata:
  annotations: {}
  labels:
    app: seldon
    app.kubernetes.io/instance: seldon-core-operator
    app.kubernetes.io/name: seldon-core-operator
    app.kubernetes.io/version: 1.1.1-SNAPSHOT
    heritage: pmk
  name: seldon-webhook-service
  namespace: team-xxxx
spec:
  ports:
  - port: 443
    targetPort: 443
  selector:
    app: seldon
    app.kubernetes.io/instance: seldon1
    app.kubernetes.io/name: seldon
    app.kubernetes.io/version: v0.5
    control-plane: seldon-controller-manager
...
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  annotations:
    cert-manager.io/inject-ca-from: team-xxxx/seldon-serving-cert
  creationTimestamp: null
  labels:
    app: seldon
    app.kubernetes.io/instance: seldon-core-operator
    app.kubernetes.io/name: seldon-core-operator
    app.kubernetes.io/version: 1.1.1-SNAPSHOT
    release: webhook
  name: seldon-validating-webhook-configuration-team-xxxx
  namespace: team-xxxx
webhooks:
- clientConfig:
    caBundle: LS0S0K
    service:
      name: seldon-webhook-service
      namespace: team-xxxx
      path: /validate-machinelearning-seldon-io-v1-seldondeployment
  failurePolicy: Fail
  name: v1.vseldondeployment.kb.io
  namespaceSelector:
    matchExpressions:
    - key: seldon.io/controller-id
      operator: DoesNotExist
  objectSelector:
    matchExpressions:
    - key: seldon.io/controller-id
      operator: DoesNotExist
  rules:
  - apiGroups:
    - machinelearning.seldon.io
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - seldondeployments
    scope: Namespaced
- clientConfig:
    caBundle: LS0tLS1CRLS0K
    service:
      name: seldon-webhook-service
      namespace: team-xxxx
      path: /validate-machinelearning-seldon-io-v1alpha2-seldondeployment
  failurePolicy: Fail
  name: v1alpha2.vseldondeployment.kb.io
  namespaceSelector:
    matchExpressions:
    - key: seldon.io/controller-id
      operator: DoesNotExist
  objectSelector:
    matchExpressions:
    - key: seldon.io/controller-id
      operator: DoesNotExist
  rules:
  - apiGroups:
    - machinelearning.seldon.io
    apiVersions:
    - v1alpha2
    operations:
    - CREATE
    - UPDATE
    resources:
    - seldondeployments
    scope: Namespaced
- clientConfig:
    caBundle: LS0tLS1CLS0K
    service:
      name: seldon-webhook-service
      namespace: team-xxxx
      path: /validate-machinelearning-seldon-io-v1alpha3-seldondeployment
  failurePolicy: Fail
  name: v1alpha3.vseldondeployment.kb.io
  namespaceSelector:
    matchExpressions:
    - key: seldon.io/controller-id
      operator: DoesNotExist
  objectSelector:
    matchExpressions:
    - key: seldon.io/controller-id
      operator: DoesNotExist
  rules:
  - apiGroups:
    - machinelearning.seldon.io
    apiVersions:
    - v1alpha3
    operations:
    - CREATE
    - UPDATE
    resources:
    - seldondeployments
    scope: Namespaced
...

How do I install the webhook in a single namespace? Any comments are welcome. Thanks.

-- BAE
google-kubernetes-engine
kubernetes
webhooks

0 Answers
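The request that fails in the log is a get on customresourcedefinitions at cluster scope. CRDs, MutatingWebhookConfigurations and ValidatingWebhookConfigurations are cluster-scoped resources, and a namespaced Role bound through a RoleBinding cannot authorize access to a cluster-scoped resource no matter what rules it lists, so those rules in the posted Role are inert. The Python below is an added example, not code from the question or from Seldon: it takes the rules of the posted Role and splits them into what a RoleBinding can actually grant and the minimal set that has to move into a ClusterRole with a ClusterRoleBinding. CLUSTER_SCOPED is a hand-maintained list for the resources involved here, not a live discovery query.

```python
"""Split a namespaced Role's rules into what a RoleBinding can grant and
what needs a ClusterRole + ClusterRoleBinding. Added example; CLUSTER_SCOPED
is hand-maintained (on a real cluster, kubectl api-resources --namespaced=false
lists all cluster-scoped resources)."""

# Cluster-scoped resources a Role/RoleBinding can never authorize, by API group.
# A subresource such as x/finalizers has the same scope as its parent x.
CLUSTER_SCOPED = {
    "apiextensions.k8s.io": {"customresourcedefinitions"},
    "admissionregistration.k8s.io": {"mutatingwebhookconfigurations",
                                     "validatingwebhookconfigurations"},
}

# Rules transcribed from the Role seldon-webhook-role-team-xxxx in the question.
POSTED_ROLE_RULES = [
    {"apiGroups": ["admissionregistration.k8s.io"], "verbs": ["get", "list", "create", "update"],
     "resources": ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]},
    {"apiGroups": ["apps"], "resources": ["deployments/finalizers"],
     "verbs": ["get", "patch", "update"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
     "verbs": ["get", "list"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions/finalizers"],
     "verbs": ["get", "patch", "update"]},
]


def is_cluster_scoped(group, resource):
    parent = resource.split("/", 1)[0]          # strip any subresource suffix
    return parent in CLUSTER_SCOPED.get(group, set())


def split_rules(rules):
    """Return (role_rules, clusterrole_rules); one input rule may feed both lists."""
    role_rules, cluster_rules = [], []
    for rule in rules:
        for group in rule["apiGroups"]:
            ns = [r for r in rule["resources"] if not is_cluster_scoped(group, r)]
            cs = [r for r in rule["resources"] if is_cluster_scoped(group, r)]
            if ns:   # stays in the namespaced Role
                role_rules.append({"apiGroups": [group], "resources": ns, "verbs": list(rule["verbs"])})
            if cs:   # must move to a ClusterRole bound with a ClusterRoleBinding
                cluster_rules.append({"apiGroups": [group], "resources": cs, "verbs": list(rule["verbs"])})
    return role_rules, cluster_rules


def can_role_grant(rules, group, resource, verb):
    """Would these rules, bound via a RoleBinding, authorize this request?"""
    if is_cluster_scoped(group, resource):
        return False                            # cluster scope: a RoleBinding never applies
    return any(group in r["apiGroups"] and resource in r["resources"] and verb in r["verbs"]
               for r in rules)
```

Running split_rules on the posted rules leaves only the apps/deployments/finalizers rule in the Role and moves the three admissionregistration and apiextensions rules into the ClusterRole, which is the least-privilege shape the operator needs at cluster scope.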