istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.1/help/ops/setup/validation/index.html

261 lines
32 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Configuration Validation Webhook"><meta name=description content="Describes Istio's use of Kubernetes webhooks for server-side configuration validation."><meta name=keywords content=microservices,services,mesh><meta property=og:title content="Configuration Validation Webhook"><meta property=og:type content=website><meta property=og:description content="Describes Istio's use of Kubernetes webhooks for server-side configuration validation."><meta property=og:url content=/v1.1/help/ops/setup/validation/><meta property=og:image content=/v1.1/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.1 / Configuration Validation Webhook</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.1/feed.xml><link rel="shortcut icon" href=/v1.1/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.1/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.1/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.1/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.1/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.1/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.1/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.1/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.1/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.1/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.1/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.1/css/all.css></head><body class="language-unknown archive-site"><script src=/v1.1/js/themes_init.min.js></script><script>const branchName="release-1.1";const docTitle="Configuration Validation Webhook";const iconFile="\/v1.1/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.1/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.1/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.1</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#hamburger"/></svg></div><div id=header-links><a title="Learn how to deploy, use, and operate Istio." href=/v1.1/docs/>Docs</a>
<a title="Posts about using Istio." href=/v1.1/blog/2019/announcing-1.1.9/>Blog</a>
<span title="A bunch of resources to help you deploy, configure and use Istio.">Help</span>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.1/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/help\/ops\/setup\/validation\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/help\/ops\/setup\/validation\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.1/search.html>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><div id=header0 class=header title="A bunch of resources to help you deploy, configure and use Istio."><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#help"/></svg>Need Help?</div><div class="body default" aria-labelledby=header0><ul role=tree aria-expanded=true aria-labelledby=header0><li role=treeitem aria-label="Operations Guide"><button class=show aria-hidden=true></button><a title="Hints, tips, tricks about running an Istio mesh." href=/v1.1/help/ops/>Operations Guide</a><ul role=group aria-expanded=true><li role=none><a role=treeitem title="Describes how to use component-level logging to get insights into a running component's behavior." href=/v1.1/help/ops/component-logging/>Component Logging</a></li><li role=none><a role=treeitem title="Describes how to use ControlZ to get insight into individual running components." href=/v1.1/help/ops/controlz/>Component Introspection</a></li><li role=none><a role=treeitem title="How to do low-level debugging of Istio components." href=/v1.1/help/ops/component-debugging/>Component Debugging</a></li><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Helps you manage the networking aspects of a running mesh." href=/v1.1/help/ops/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="An introduction to Istio networking operational aspects." href=/v1.1/help/ops/traffic-management/introduction/>Introduction to Network Operations</a></li><li role=none><a role=treeitem title="Provides specific deployment and configuration guidelines." href=/v1.1/help/ops/traffic-management/deploy-guidelines/>Deployment and Configuration Guidelines</a></li><li role=none><a role=treeitem title="Describes common networking issues and how to recognize and avoid them." href=/v1.1/help/ops/traffic-management/troubleshooting/>Troubleshooting Networking Issues</a></li><li role=none><a role=treeitem title="Describes tools and techniques to diagnose Envoy configuration issues related to traffic management." href=/v1.1/help/ops/traffic-management/proxy-cmd/>Debugging Envoy and Pilot</a></li><li role=none><a role=treeitem title="Information on how to enable and understand Locality Load Balancing." href=/v1.1/help/ops/traffic-management/locality-load-balancing/>Locality Load Balancing</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Helps you manage the security aspects of a running mesh." href=/v1.1/help/ops/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Demonstrates how to debug authorization." href=/v1.1/help/ops/security/debugging-authorization/>Debugging Authorization</a></li><li role=none><a role=treeitem title="What to do if Citadel is not behaving properly." href=/v1.1/help/ops/security/repairing-citadel/>Repairing Citadel</a></li><li role=none><a role=treeitem title="What to do if you suspect problems with Istio keys and certificates." href=/v1.1/help/ops/security/keys-and-certs/>Keys and Certificates</a></li><li role=none><a role=treeitem title="What to do if mutual TLS authentication isn't working." href=/v1.1/help/ops/security/mutual-tls/>Mutual TLS</a></li><li role=none><a role=treeitem title="Authorization is enabled, but requests make it through anyway." href=/v1.1/help/ops/security/authorization-permissive/>Authorization Too Permissive</a></li><li role=none><a role=treeitem title="Authorization is enabled and no requests make it through to the service." href=/v1.1/help/ops/security/authorization-restrictive/>Authorization Too Restrictive</a></li><li role=none><a role=treeitem title="What to do if end-user authentication doesn't work." href=/v1.1/help/ops/security/end-user-auth/>End User Authentication</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of the Istio self-signed root certificate." href=/v1.1/help/ops/security/root-transition/>Extending Self-Signed Certificate Lifetime</a></li></ul></li><li role=treeitem aria-label=Telemetry><button aria-hidden=true></button><a title="Helps you manage telemetry collection and visualization in a running mesh." href=/v1.1/help/ops/telemetry/>Telemetry</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Diagnose problems where metrics are not being collected." href=/v1.1/help/ops/telemetry/missing-metrics/>Missing Metrics</a></li><li role=none><a role=treeitem title="Dealing with Grafana issues." href=/v1.1/help/ops/telemetry/grafana/>Grafana</a></li><li role=none><a role=treeitem title="Fine-grained control of Envoy statistics." href=/v1.1/help/ops/telemetry/envoy-stats/>Envoy Statistics</a></li></ul></li><li role=treeitem aria-label="Installation and Setup"><button class=show aria-hidden=true></button><a title="Helps you diagnose and repair Istio installations." href=/v1.1/help/ops/setup/>Installation and Setup</a><ul role=group aria-expanded=true class=leaf-section><li role=none><a role=treeitem title="Provides a general overview of Istio's use of Kubernetes webhooks and the related issues that can arise." href=/v1.1/help/ops/setup/webhook/>Dynamic Admission Webhooks Overview</a></li><li role=none><span role=treeitem class=current title="Describes Istio's use of Kubernetes webhooks for server-side configuration validation.">Configuration Validation Webhook</span></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.1/help/ops/setup/injection/>Sidecar Injection Webhook</a></li><li role=none><a role=treeitem title="Describes how to check which capabilities are allowed for your pods." href=/v1.1/help/ops/setup/required-pod-capabilities/>Required Pod Capabilities</a></li><li role=none><a role=treeitem title="Shows how to do health checking for Istio services." href=/v1.1/help/ops/setup/app-health-check/>Health Checking of Istio Services</a></li></ul></li><li role=none><a role=treeitem title="Advice on tackling common problems with Istio." href=/v1.1/help/ops/misc/>Miscellaneous</a></li></ul></li><li role=treeitem aria-label=FAQ><button aria-hidden=true></button><a title="Frequently Asked Questions about Istio." href=/v1.1/help/faq/>FAQ</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="General Q &amp; A." href=/v1.1/help/faq/general/>General</a></li><li role=none><a role=treeitem title="Setup Q &amp; A." href=/v1.1/help/faq/setup/>Setup</a></li><li role=none><a role=treeitem title="Security Q &amp; A." href=/v1.1/help/faq/security/>Security</a></li><li role=none><a role=treeitem title="Mixer Q &amp; A." href=/v1.1/help/faq/mixer/>Mixer</a></li><li role=none><a role=treeitem title="Metrics and Logs Q &amp; A." href=/v1.1/help/faq/metrics-and-logs/>Metrics and Logs</a></li><li role=none><a role=treeitem title="Distributed Tracing Q &amp; A." href=/v1.1/help/faq/distributed-tracing/>Distributed Tracing</a></li><li role=none><a role=treeitem title="Traffic Management Q &amp; A." href=/v1.1/help/faq/traffic-management/>Traffic Management</a></li></ul></li><li role=none><a role=treeitem title="A glossary of common Istio terms." href=/v1.1/help/glossary/>Glossary</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.1/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.1/help/ title="A bunch of resources to help you deploy, configure and use Istio.">Help</a></li><li><a href=/v1.1/help/ops/ title="Hints, tips, tricks about running an Istio mesh.">Operations Guide</a></li><li><a href=/v1.1/help/ops/setup/ title="Helps you diagnose and repair Istio installations.">Installation and Setup</a></li><li>Configuration Validation Webhook</li></ol></nav><article aria-labelledby=title><div class=title-area><div><h1 id=title>Configuration Validation Webhook</h1><p class=byline><span title="1008 words"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#clock"/></svg><span>&nbsp;</span>5 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="Seemingly valid configuration is rejected"><a href=#seemingly-valid-configuration-is-rejected>Seemingly valid configuration is rejected</a><li role=none aria-label="Invalid configuration is accepted"><a href=#invalid-configuration-is-accepted>Invalid configuration is accepted</a><li role=none aria-label="Creating configuration fails with x509 certificate errors"><a href=#creating-configuration-fails-with-x509-certificate-errors>Creating configuration fails with x509 certificate errors</a><li role=none aria-label="Creating configuration fails with no such hosts or no endpoints available errors"><a href=#creating-configuration-fails-with-no-such-hosts-or-no-endpoints-available-errors>Creating configuration fails with <code>no such hosts</code> or <code>no endpoints available</code> errors</a></ol><hr></div></nav><p>Galleys configuration validation ensures user authored Istio
configuration is syntactically and semantically valid. It uses a
Kubernetes <code>ValidatingWebhook</code>. The <code>istio-galley</code>
<code>ValidationWebhookConfiguration</code> has two webhooks.</p><ul><li><p><code>pilot.validation.istio.io</code> - Served on path <code>/admitpilot</code> and is
responsible for validating configuration consumed by Pilot
(e.g. <code>VirtualService</code>, Authentication).</p></li><li><p><code>mixer.validation.istio.io</code> - Served on path <code>/admitmixer</code> and is
responsible for validating configuration consumed by Mixer.</p></li></ul><p>Both webhooks are implemented by the <code>istio-galley</code> service on
port 443. Each webhook has its own <code>clientConfig</code>, <code>namespaceSelector</code>,
and <code>rules</code> section. Both webhooks are scoped to all namespaces. The
<code>namespaceSelector</code> should be empty. Both rules apply to Istio Custom
Resource Definitions (CRDs).</p><h2 id=seemingly-valid-configuration-is-rejected>Seemingly valid configuration is rejected</h2><p>Manually verify your configuration is correct, cross-referencing
<a href=/v1.1/docs/reference/config>Istio API reference</a> when
necessary.</p><h2 id=invalid-configuration-is-accepted>Invalid configuration is accepted</h2><p>Verify the <code>istio-galley</code> <code>validationwebhookconfiguration</code> exists and
is correct. The <code>apiVersion</code>, <code>apiGroup</code>, and <code>resource</code> of the
invalid configuration should be listed in one of the two <code>webhooks</code>
entries.</p><pre><code class=language-bash data-expandlinks=true data-outputis=yaml>$ kubectl get validatingwebhookconfiguration istio-galley -o yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app: istio-galley
name: istio-galley
ownerReferences:
- apiVersion: extensions/v1beta1
blockOwnerDeletion: true
controller: true
kind: Deployment
name: istio-galley
uid: 5c64585d-91c6-11e8-a98a-42010a8001a8
webhooks:
- clientConfig:
# caBundle should be non-empty. This is periodically (re)patched
# every second by the webhook service using the ca-cert
# from the mounted service account secret.
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1VENDQWMyZ0F3SUJBZ0lRVzVYNWpJcnJCemJmZFdLaWVoaVVSakFOQmdrcWhraUc5dzBCQVFzRkFEQWMKTVJvd0dBWURWUVFLRXhGck9ITXVZMngxYzNSbGNpNXNiMk5oYkRBZUZ3MHhPREEzTWpjeE56VTJNakJhRncweApPVEEzTWpjeE56VTJNakJhTUJ3eEdqQVlCZ05WQkFvVEVXczRjeTVqYkhWemRHVnlMbXh2WTJGc01JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdVMi9SdWlyeTNnUzdPd2xJRCtaaGZiOEpOWnMKK05OL0dRWUsxbVozb3duaEw4dnJHdDBhenpjNXFuOXo2ZEw5Z1pPVFJXeFVCYXVJMUpOa3d0dSt2NmRjRzlkWgp0Q2JaQWloc1BLQWQ4MVRaa3RwYkNnOFdrcTRyNTh3QldRemNxMldsaFlPWHNlWGtRejdCbStOSUoyT0NRbmJwCjZYMmJ4Slc2OGdaZkg2UHlNR0libXJxaDgvZ2hISjFha3ptNGgzc0VGU1dTQ1Y2anZTZHVJL29NM2pBem5uZlUKU3JKY3VpQnBKZmJSMm1nQm4xVmFzNUJNdFpaaTBubDYxUzhyZ1ZiaHp4bWhpeFhlWU0zQzNHT3FlRUthY0N3WQo0TVczdEJFZ3NoN2ovZGM5cEt1ZG1wdFBFdit2Y2JnWjdreEhhazlOdFV2YmRGempJeTMxUS9Qd1NRSURBUUFCCm95TXdJVEFPQmdOVkhROEJBZjhFQkFNQ0FnUXdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEIKQVFzRkFBT0NBUUVBTnRLSnVkQ3NtbTFzU3dlS2xKTzBIY1ZMQUFhbFk4ZERUYWVLNksyakIwRnl0MkM3ZUtGSAoya3JaOWlkbWp5Yk8xS0djMVlWQndNeWlUMGhjYWFlaTdad2g0aERRWjVRN0k3ZFFuTVMzc2taR3ByaW5idU1aCmg3Tm1WUkVnV1ZIcm9OcGZEN3pBNEVqWk9FZzkwR0J6YXUzdHNmanI4RDQ1VVRJZUw3M3hwaUxmMXhRTk10RWEKd0NSelplQ3lmSUhra2ZrTCtISVVGK0lWV1g2VWp2WTRpRDdRR0JCenpHZTluNS9KM1g5OU1Gb1F3bExjNHMrTQpnLzNQdnZCYjBwaTU5MWxveXluU3lkWDVqUG5ibDhkNEFJaGZ6OU8rUTE5UGVULy9ydXFRNENOancrZmVIbTBSCjJzYmowZDd0SjkyTzgwT2NMVDlpb05NQlFLQlk3cGlOUkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
service:
# service corresponds to the Kubernetes service that implements the
# webhook, e.g. istio-galley.istio-system.svc:443
name: istio-galley
namespace: istio-system
path: /admitpilot
failurePolicy: Fail
name: pilot.validation.istio.io
namespaceSelector: {}
rules:
- apiGroups:
- config.istio.io
apiVersions:
- v1alpha2
operations:
- CREATE
- UPDATE
resources:
- httpapispecs
- httpapispecbindings
- quotaspecs
- quotaspecbindings
- apiGroups:
- rbac.istio.io
apiVersions:
- &#39;*&#39;
operations:
- CREATE
- UPDATE
resources:
- &#39;*&#39;
- apiGroups:
- authentication.istio.io
apiVersions:
- &#39;*&#39;
operations:
- CREATE
- UPDATE
resources:
- &#39;*&#39;
- apiGroups:
- networking.istio.io
apiVersions:
- &#39;*&#39;
operations:
- CREATE
- UPDATE
resources:
- destinationrules
- envoyfilters
- gateways
- virtualservices
- clientConfig:
# caBundle should be non-empty. This is periodically (re)patched
# every second by the webhook service using the ca-cert
# from the mounted service account secret.
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1VENDQWMyZ0F3SUJBZ0lRVzVYNWpJcnJCemJmZFdLaWVoaVVSakFOQmdrcWhraUc5dzBCQVFzRkFEQWMKTVJvd0dBWURWUVFLRXhGck9ITXVZMngxYzNSbGNpNXNiMk5oYkRBZUZ3MHhPREEzTWpjeE56VTJNakJhRncweApPVEEzTWpjeE56VTJNakJhTUJ3eEdqQVlCZ05WQkFvVEVXczRjeTVqYkhWemRHVnlMbXh2WTJGc01JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdVMi9SdWlyeTNnUzdPd2xJRCtaaGZiOEpOWnMKK05OL0dRWUsxbVozb3duaEw4dnJHdDBhenpjNXFuOXo2ZEw5Z1pPVFJXeFVCYXVJMUpOa3d0dSt2NmRjRzlkWgp0Q2JaQWloc1BLQWQ4MVRaa3RwYkNnOFdrcTRyNTh3QldRemNxMldsaFlPWHNlWGtRejdCbStOSUoyT0NRbmJwCjZYMmJ4Slc2OGdaZkg2UHlNR0libXJxaDgvZ2hISjFha3ptNGgzc0VGU1dTQ1Y2anZTZHVJL29NM2pBem5uZlUKU3JKY3VpQnBKZmJSMm1nQm4xVmFzNUJNdFpaaTBubDYxUzhyZ1ZiaHp4bWhpeFhlWU0zQzNHT3FlRUthY0N3WQo0TVczdEJFZ3NoN2ovZGM5cEt1ZG1wdFBFdit2Y2JnWjdreEhhazlOdFV2YmRGempJeTMxUS9Qd1NRSURBUUFCCm95TXdJVEFPQmdOVkhROEJBZjhFQkFNQ0FnUXdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEIKQVFzRkFBT0NBUUVBTnRLSnVkQ3NtbTFzU3dlS2xKTzBIY1ZMQUFhbFk4ZERUYWVLNksyakIwRnl0MkM3ZUtGSAoya3JaOWlkbWp5Yk8xS0djMVlWQndNeWlUMGhjYWFlaTdad2g0aERRWjVRN0k3ZFFuTVMzc2taR3ByaW5idU1aCmg3Tm1WUkVnV1ZIcm9OcGZEN3pBNEVqWk9FZzkwR0J6YXUzdHNmanI4RDQ1VVRJZUw3M3hwaUxmMXhRTk10RWEKd0NSelplQ3lmSUhra2ZrTCtISVVGK0lWV1g2VWp2WTRpRDdRR0JCenpHZTluNS9KM1g5OU1Gb1F3bExjNHMrTQpnLzNQdnZCYjBwaTU5MWxveXluU3lkWDVqUG5ibDhkNEFJaGZ6OU8rUTE5UGVULy9ydXFRNENOancrZmVIbTBSCjJzYmowZDd0SjkyTzgwT2NMVDlpb05NQlFLQlk3cGlOUkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
service:
# service corresponds to the Kubernetes service that implements the
# webhook, e.g. istio-galley.istio-system.svc:443
name: istio-galley
namespace: istio-system
path: /admitmixer
failurePolicy: Fail
name: mixer.validation.istio.io
namespaceSelector: {}
rules:
- apiGroups:
- config.istio.io
apiVersions:
- v1alpha2
operations:
- CREATE
- UPDATE
resources:
- rules
- attributemanifests
- circonuses
- deniers
- fluentds
- kubernetesenvs
- listcheckers
- memquotas
- noops
- opas
- prometheuses
- rbacs
- servicecontrols
- solarwindses
- stackdrivers
- statsds
- stdios
- apikeys
- authorizations
- checknothings
- listentries
- logentries
- metrics
- quotas
- reportnothings
- servicecontrolreports
- tracespans
</code></pre><p>If the <code>validatingwebhookconfiguration</code> doesnt exist, verify the
<code>istio-galley-configuration</code> <code>configmap</code> exists. <code>istio-galley</code> uses
the data from this configmap to create and update the
<code>validatingwebhookconfiguration</code>.</p><pre><code class=language-bash data-expandlinks=true data-outputis=yaml>$ kubectl -n istio-system get configmap istio-galley-configuration -o jsonpath=&#39;{.data}&#39;
map[validatingwebhookconfiguration.yaml:apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: istio-galley
namespace: istio-system
labels:
app: istio-galley
chart: galley-1.0.0
release: istio
heritage: Tiller
webhooks:
- name: pilot.validation.istio.io
clientConfig:
service:
name: istio-galley
namespace: istio-system
path: &#34;/admitpilot&#34;
caBundle: &#34;&#34;
rules:
- operations:
(... snip ...)
</code></pre><p>If the webhook array in <code>istio-galley-configuration</code> is empty and
you&rsquo;re using <code>helm template</code> or <code>helm install</code>, verify <code>--set
galley.enabled</code> and <code>--set global.configValidation=true</code> options are
set. If you&rsquo;re not using helm, you&rsquo;ll need to find a generate
YAML that includes the populated webhook array.</p><p>The <code>istio-galley</code> validation configuration is fail-close. If
configuration exists and is scoped properly, the webhook will be
invoked. A missing <code>caBundle</code>, bad certificate, or network connectivity
problem will produce an error message when the resource is
created/updated. If you dont see any error message and the webhook
wasnt invoked and the webhook configuration is valid, your cluster is
misconfigured.</p><h2 id=creating-configuration-fails-with-x509-certificate-errors>Creating configuration fails with x509 certificate errors</h2><p><code>x509: certificate signed by unknown authority</code> related errors are
typically caused by an empty <code>caBundle</code> in the webhook
configuration. Verify that it is not empty (see <a href=#invalid-configuration-is-accepted>verify webhook
configuration</a>). The
<code>istio-galley</code> deployment consciously reconciles webhook configuration
used the <code>istio-galley-configuration</code> <code>configmap</code> and root certificate
mounted from <code>istio.istio-galley-service-account</code> secret in the
<code>istio-system</code> namespace.</p><ol><li><p>Verify the <code>istio-galley</code> pod(s) are running:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl -n istio-system get pod -listio=galley
NAME READY STATUS RESTARTS AGE
istio-galley-5dbbbdb746-d676g 1/1 Running 0 2d
</code></pre></li><li><p>Verify youre using Istio version &gt;= 1.0.0. Older version of Galley
did not properly re-patch the <code>caBundle</code>. This typically happened
when the <code>istio.yaml</code> was re-applied, overwriting a previously
patched <code>caBundle</code>.</p><pre><code class=language-bash data-expandlinks=true>$ for pod in $(kubectl -n istio-system get pod -listio=galley -o jsonpath=&#39;{.items[*].metadata.name}&#39;); do \
kubectl -n istio-system exec ${pod} -it /usr/local/bin/galley version| grep ^Version; \
done
Version: 1.0.0
</code></pre></li><li><p>Check the Galley pod logs for errors. Failing to patch the
<code>caBundle</code> should print an error.</p><pre><code class=language-bash data-expandlinks=true>$ for pod in $(kubectl -n istio-system get pod -listio=galley -o jsonpath=&#39;{.items[*].metadata.name}&#39;); do \
kubectl -n istio-system logs ${pod} \
done
</code></pre></li><li><p>If the patching failed, verify the RBAC configuration for Galley:</p><pre><code class=language-bash data-expandlinks=true data-outputis=yaml>$ kubectl get clusterrole istio-galley-istio-system -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: istio-galley
name: istio-galley-istio-system
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- &#39;*&#39;
- apiGroups:
- config.istio.io
resources:
- &#39;*&#39;
verbs:
- get
- list
- watch
- apiGroups:
- &#39;*&#39;
resourceNames:
- istio-galley
resources:
- deployments
verbs:
- get
</code></pre><p><code>istio-galley</code> needs <code>validatingwebhookconfigurations</code> write access to
create and update the <code>istio-galley</code> <code>validatingwebhookconfiguration</code>.</p></li></ol><h2 id=creating-configuration-fails-with-no-such-hosts-or-no-endpoints-available-errors>Creating configuration fails with <code>no such hosts</code> or <code>no endpoints available</code> errors</h2><p>Validation is fail-close. If the <code>istio-galley</code> pod is not ready,
configuration cannot be created and updated. In such cases youll see
an error about <code>no endpoints available</code>.</p><p>Verify the <code>istio-galley</code> pod(s) are running and endpoints are ready.</p><pre><code class=language-bash data-expandlinks=true>$ kubectl -n istio-system get pod -listio=galley
NAME READY STATUS RESTARTS AGE
istio-galley-5dbbbdb746-d676g 1/1 Running 0 2d
</code></pre><pre><code class=language-bash data-expandlinks=true>$ kubectl -n istio-system get endpoints istio-galley
NAME ENDPOINTS AGE
istio-galley 10.48.6.108:10514,10.48.6.108:443 3d
</code></pre><p>If the pods or endpoints aren&rsquo;t ready, check the pod logs and
status for any indication about why the webhook pod is failing to start
and serve traffic.</p><pre><code class=language-bash data-expandlinks=true>$ for pod in $(kubectl -n istio-system get pod -listio=galley -o jsonpath=&#39;{.items[*].metadata.name}&#39;); do \
kubectl -n istio-system logs ${pod} \
done
</code></pre><pre><code class=language-bash data-expandlinks=true>$ for pod in $(kubectl -n istio-system get pod -listio=galley -o name); do \
kubectl -n istio-system describe ${pod} \
done
</code></pre></article><nav class=pagenav><div class=left><a title="Provides a general overview of Istio's use of Kubernetes webhooks and the related issues that can arise." href=/v1.1/help/ops/setup/webhook/><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#left-arrow"/></svg>Dynamic Admission Webhooks Overview</a></div><div class=right><a title="Describes Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.1/help/ops/setup/injection/>Sidecar Injection Webhook<svg class="icon"><use xlink:href="/v1.1/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label="Seemingly valid configuration is rejected"><a href=#seemingly-valid-configuration-is-rejected>Seemingly valid configuration is rejected</a><li role=none aria-label="Invalid configuration is accepted"><a href=#invalid-configuration-is-accepted>Invalid configuration is accepted</a><li role=none aria-label="Creating configuration fails with x509 certificate errors"><a href=#creating-configuration-fails-with-x509-certificate-errors>Creating configuration fails with x509 certificate errors</a><li role=none aria-label="Creating configuration fails with no such hosts or no endpoints available errors"><a href=#creating-configuration-fails-with-no-such-hosts-or-no-endpoints-available-errors>Creating configuration fails with <code>no such hosts</code> or <code>no endpoints available</code> errors</a></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.1.9 now" href=https://github.com/istio/istio/releases/tag/1.1.9 aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.1.9<br>&copy; 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on June 18, 2019</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#github"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#slack"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink