From 43bb7f45ca8c2ccc55260ad00e173faaa313be28 Mon Sep 17 00:00:00 2001 From: Qiming Date: Mon, 30 Apr 2018 09:39:16 +0800 Subject: [PATCH] Document the limitation of the Admission Webhook (#8072) In current implementation, the webhook *service* must be accessible at port 443. The communication to the webhook may fail otherwise. --- docs/admin/extensible-admission-controllers.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/admin/extensible-admission-controllers.md b/docs/admin/extensible-admission-controllers.md index 51bcac6787..6f6519dd96 100644 --- a/docs/admin/extensible-admission-controllers.md +++ b/docs/admin/extensible-admission-controllers.md @@ -129,6 +129,12 @@ apiserver sends an `admissionReview` request to webhook as specified in the After you create the webhook configuration, the system will take a few seconds to honor the new configuration. +**Note** When the webhook plugin is deployed into the Kubernetes cluster as a +service, it has to expose its service on the 443 port. The communication +between the API server and the webhook service may fail if a different port +is used. +{: .note} + ### Authenticate apiservers If your admission webhooks require authentication, you can configure the
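Review bot: The added note's last sentence, "The communication between the API server and the webhook service may fail if a different port is used", is weaker than the commit message, which says the webhook service must be accessible at port 443. State the requirement in the note as firmly as the commit message does, and say that it is a limitation of the current implementation, so that a reader debugging a webhook on another port knows this is the expected cause and not an intermittent fault. Two wording points in the same note: "the 443 port" reads better as "port 443", and "webhook plugin" could be just "webhook" to match the surrounding context lines ("webhook configuration", "admission webhooks").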