istio.io/content/help/ops/setup/webhook/index.md

---
title: Dynamic Admission Webhooks Overview
description: Provides a general overview of Istio's use of Kubernetes webhooks and the related issues that can arise.
weight: 10
---
From [Kubernetes mutating and validating webhook mechanisms](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/):

{{< tip >}}
Admission webhooks are HTTP callbacks that receive admission requests
and do something with them. You can define two types of admission
webhooks, validating admission webhook and mutating admission
webhook. With validating admission webhooks, you may reject requests
to enforce custom admission policies. With mutating admission
webhooks, you may change requests to enforce custom defaults.
{{< /tip >}}

Istio uses `ValidatingAdmissionWebhooks` for validating Istio
configuration and `MutatingAdmissionWebhooks` for automatically
injecting the sidecar proxy into user pods.

The webhook setup guides assume general familiarity with Kubernetes
Dynamic Admission Webhooks. Consult the [Kubernetes API references](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/) for
detailed documentation of the mutating and validating webhook configuration.

## Verify dynamic admission webhook prerequisites

See the [quick start prerequisites](/docs/setup/kubernetes/install/kubernetes/#prerequisites)
for Kubernetes provider specific setup instructions. Webhooks will not
function properly if the cluster is misconfigured. Follow
these steps if the cluster has been configured but dynamic
webhooks and dependent features are not functioning properly.

1.  Verify you're using a supported version ({{< supported_kubernetes_versions >}}) of
    [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/) and of the Kubernetes server:

    {{< text bash >}}
    $ kubectl version --short
    Client Version: v1.10.2
    Server Version: v1.10.4-gke.0
    {{< /text >}}

1.  Verify that `admissionregistration.k8s.io/v1beta1` is enabled:

    {{< text bash >}}
    $ kubectl api-versions | grep admissionregistration.k8s.io/v1beta1
    admissionregistration.k8s.io/v1beta1
    {{< /text >}}

1.  Verify that the `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` plugins are
    listed in the `kube-apiserver --enable-admission-plugins` flag. Access
    to this flag is [provider specific](/docs/setup/kubernetes/install/kubernetes/#prerequisites).

1.  Verify that the Kubernetes api-server has network connectivity to the
    webhook pod. For example, incorrect `http_proxy` settings can interfere
    with api-server operation (see related issues
    [here](https://github.com/kubernetes/kubernetes/pull/58698#discussion_r163879443)
    and [here](https://github.com/kubernetes/kubeadm/issues/666) for more information).
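
The API group and admission plugin checks above can be scripted so they run the same way on every cluster. The following is an added example, not part of the Istio documentation: the function names and sample inputs are constructed for illustration, and it assumes the flag is written in the `--enable-admission-plugins=<list>` form.

```shell
#!/bin/sh
# Added example: preflight checks for the API group and admission plugin steps.
# Function names and sample inputs are constructed for illustration.

# Succeeds if the given `kubectl api-versions` output contains the admission
# registration group/version as an exact line (no partial matches).
# Live use: has_admission_api "$(kubectl api-versions)"
has_admission_api() {
  printf '%s\n' "$1" | grep -Fxq 'admissionregistration.k8s.io/v1beta1'
}

# Prints the required webhook plugins that are absent from a kube-apiserver
# command line; prints nothing when both are enabled.
# Assumption: the flag uses the --enable-admission-plugins=<list> form.
missing_webhook_plugins() {
  # Extract the comma-separated flag value (last occurrence wins).
  mwp_enabled=$(printf '%s\n' "$1" | tr ' ' '\n' |
    sed -n 's/^--enable-admission-plugins=//p' | tail -n 1)
  mwp_missing=""
  for mwp_plugin in MutatingAdmissionWebhook ValidatingAdmissionWebhook; do
    # Wrap in commas so only whole plugin names match.
    case ",$mwp_enabled," in
      *",$mwp_plugin,"*) ;;
      *) mwp_missing="$mwp_missing $mwp_plugin" ;;
    esac
  done
  printf '%s' "${mwp_missing# }"
}

# Constructed sample inputs (not captured from a real cluster).
SAMPLE_API_VERSIONS='admissionregistration.k8s.io/v1beta1
apps/v1
v1'
SAMPLE_CMDLINE='kube-apiserver --enable-admission-plugins=NamespaceLifecycle,MutatingAdmissionWebhook --secure-port=6443'

if has_admission_api "$SAMPLE_API_VERSIONS"; then
  echo "admissionregistration.k8s.io/v1beta1: enabled"
else
  echo "admissionregistration.k8s.io/v1beta1: NOT enabled"
fi
echo "missing admission plugins: $(missing_webhook_plugins "$SAMPLE_CMDLINE")"
```

On a cluster where you can read the api-server's command line, pass that string to `missing_webhook_plugins`; how to obtain it is provider specific.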