Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io" #5401
Comments
Hi, I have. The validatingwebhook service is not reachable in my private GKE cluster. I needed to open the 8443 port from the master to the pods. A quick fix if you don't want to do the above and have the webhook fully operational is to remove the validatingwebhookconfiguration or set the failurePolicy to Ignore. I believe some fixes are needed in the deploy/static/provider/cloud/deploy.yaml as the webhooks will not always work out of the box. |
A quick update on the above, the certificate error should be managed by the patch job that exists in the deployment so that part should be a non-issue. |
Hi, I am a beginner in setting a k8s and ingress. Update: error is : |
I'm also facing this issue, on a fresh cluster from AWS where I only did
And deployed a react service (which I can port-forward to and it works fine). I then tried to apply both my own ingress and the example ingress
I'm getting this error:
I traced it down to this Logs:
Any ideas? Seems strange to get this on a newly setup cluster where I followed the instructions correctly. |
I might have solved it.. I followed this guide for the helm installation: https://kubernetes.github.io/ingress-nginx/deploy/ But when I followed this guide instead: https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-helm/ The error doesn't occur. If you have this issue try it out by deleting your current helm installation. Get the name:
Delete and apply stable release:
|
@johan-lejdung not really, that is a different ingress controller. |
@aledbf I use 0.31.1 still has same problem
|
@aledbf Same error. Bare-metal installation.
|
I added a note about the webhook port in https://kubernetes.github.io/ingress-nginx/deploy/ and the links for the additional steps in GKE |
I still have the problem.
Update: I disabled the webhook and the error goes away.
Fix / workaround: helm install my-release ingress-nginx/ingress-nginx
Caution!!!! It may not resolve the issue properly.
Now status: exec kubectl get svc,pods
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
NAME READY STATUS RESTARTS AGE
My ingress.yaml:
apiVersion: networking.k8s.io/v1beta1
namespace: foo
spec:
tls:
What I do: when I run kubectl apply -f new-ingress.yaml, my apiserver log is below:
I0504 06:22:13.286582 1 trace.go:116] Trace[1725513257]: "Create" url:/apis/networking.k8s.io/v1beta1/namespaces/default/ingresses,user-agent:kubectl/v1.18.2 (linux/amd64) kubernetes/52c56ce,client:192.168.0.133 (started: 2020-05-04 06:21:43.285686113 +0000 UTC m=+59612.475819043) (total time: 30.000880829s): |
Why close this issue? What is the solution? |
@eltonbfw update to 0.32.0 and make sure the API server can reach the POD running the ingress controller |
I have the same problem, and I use 0.32.0. |
For the specific issue, my problem did turn out to be an issue with internal communication. @aledbf added notes to the documentation to verify connectivity. I had internal communication issues caused by Centos 8's move to nftables. In my case, I needed additional "rich" allow rules in firewalld for:
|
I have the same issue, baremetal install with CentOS 7 worker nodes. |
Have the same issue with 0.32.0 on HA baremetal cluster with strange behaviour:
In the api-server logs errors look like that
The main question is why the first ingress is created most of the time and the second always fails to create. Upd. Also this comment on SO might be useful in investigating causes of problems. Upd 2. When the rewrite annotation is removed, the manifest is applied without errors. Upd 3. It fails in combination with multiple paths and with the rewrite annotation. @aledbf Looks like a bug. |
We have this issue on baremetal k3s cluster. Our http proxy logged these traffic.
|
me too |
If you are using the baremetal install from Kelsey Hightower, my suggestion is to install kubelet on your master nodes, start calico/flannel or whatever you use for CNI, label your nodes as masters so you have no other pods started there and then your control-plane would be able to communicate with your nginx deployment and the issue should be fixed. At least this is how it worked for me. |
@aledbf This issue still occurs |
@andrei-matei Kelsey's cluster works perfectly even without additional CNI plugins and kubelet SystemD services installed on master nodes. All you need is to add a route to Services' CIDR Updated: got both of them working |
@aduncmj I found this solution https://stackoverflow.com/questions/61365202/nginx-ingress-service-ingress-nginx-controller-admission-not-found kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission |
@aduncmj I did the same, thank you for sharing the findings. I'm curious if this can be handled without manual intervention. |
@opensourceonly This worked for me, you can try it, you should add a pathType for Ingress configuration. #5445 |
I don't think deleting all
|
Hi @tehkapa, what resource do you apply this to? Can you post a yaml containing the spec? Thank you. |
On EKS, a security group rule needs to be added on the Node Security Group tcp/8443 from the Cluster Security Group. |
@mihaigalos is the global configmap. you can apply it when you install ingress via helm. like this
|
In case using terraform:
|
I updated from nginx-ingress to ingress-nginx in GKE, so if this helps anyone I needed to add a FW rule to allow 8443 from the API server to my nodes. As per deploy instructions: I'm not sure why it was NOT needed in nginx-ingress. |
Double check whether any NetworkPolicy has been set. Error I was getting...
Once below networkpolicy was applied, the issue was gone
|
Make sure both of your nginx-ingress pod and service work properly. My case was that I was assigning the wrong public IP which didn't exist in the corresponding resource group in AKS. |
I don't think you need both an ingress and an egress rule but just the ingress one. The first of these two rules should be enough. For anyone using the
|
correct, and this resolved issue for me on EKS 1.23 |
You are right, ingress is enough. |
For GKE private nodes, this should help
Example
You can also list the existing rules for the cluster
Reference: https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#step_3_add_a_firewall_rule |
…ingress controller Fix following error when deploying an exposed service in eks-public: > Error: release artifact-caching-proxy failed, and has been uninstalled due to atomic being set: Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": Post "https://public-nginx-ingress-ingress-nginx-controller-admission.public-nginx-ingress.svc:443/networking/v1/ingresses?timeout=10s": context deadline exceeded Ref: kubernetes/ingress-nginx#5401 (comment)
thanks @Clasyc, your hint worked for me |
@Clasyc and everyone also: On EKS created from terraform-aws-modules/eks/aws module (version 17.x though) a security group is automatically created by the module itself, for the Worker Nodes that has a rule which allows traffic from the Control Plane security group on ports 1025-65535 for TCP. This rule also includes the pre-defined description "Allow worker pods to receive communication from the cluster control plane". Does this not cover the case of the security group mentioned above? If it does, I am still facing this issue but intermittently, especially when I am deploying massive workloads through Helm (the Ingresses have been checked and are OK as far as their correctness is concerned). It almost seems like a flood-protection mechanism because if I let it cooldown then I don't get it anymore. Am I missing something here? |
@sotiriougeorge Same here: eks created by tf module, from time to time see those errors. I think amount of errors decreases when controller is scaled up. At least it seems so for me on prod with two replicas compared to dev with one. |
Thank you for the sanity check! Appreciated. I will try to scale up to more replicas and see what comes of it. However it would be good if through this GitHub issue there was some consensus on how to fight it holistically or if there is anything that needs to be changed on the controller side. |
Just a heads up here: when the protocol is set to "-1", it means "All Traffic". This opens up all ports, making the from_port/to_port values moot. This may be too permissive in some cases. Setting to "tcp" will allow you to limit/set the port range to 8443. Having had the same issues noted above and finding this solution, I found the rule wasn't what I was expecting. Had troubles finding the rule because I was searching by port. |
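The point in the comment above about protocol "-1" can be checked mechanically. The following is an added example, not code from this thread or from the ingress-nginx project: it audits rule dictionaries whose keys mirror the aws_security_group_rule arguments (type, protocol, from_port, to_port) and reports whether each one admits the webhook port exactly, too broadly, or not at all. The sample rules and their descriptions are constructed, and the check of the rule's source security group is left out.

```python
WEBHOOK_PORT = 8443  # port the thread opens from the control plane to the nodes


def covers_port(rule, port=WEBHOOK_PORT):
    """True if an ingress rule admits TCP traffic to `port`."""
    if rule["type"] != "ingress":
        return False
    if rule["protocol"] == "-1":  # all traffic: from_port/to_port are ignored
        return True
    return rule["protocol"] == "tcp" and rule["from_port"] <= port <= rule["to_port"]


def audit(rule, port=WEBHOOK_PORT):
    """Classify a rule as 'no-match', 'exact' or 'too-broad' for the webhook port."""
    if not covers_port(rule, port):
        return "no-match"
    if rule["protocol"] == "tcp" and rule["from_port"] == rule["to_port"] == port:
        return "exact"
    return "too-broad"


def review(rules, port=WEBHOOK_PORT):
    """Return (reachable, findings) for a list of rules."""
    findings = [(r["description"], audit(r, port)) for r in rules]
    reachable = any(verdict != "no-match" for _, verdict in findings)
    return reachable, findings


# Constructed sample rules (descriptions are hypothetical labels).
SAMPLE_RULES = [
    {"description": "all-traffic", "type": "ingress", "protocol": "-1",
     "from_port": 8443, "to_port": 8443},
    {"description": "high-ports", "type": "ingress", "protocol": "tcp",
     "from_port": 1025, "to_port": 65535},
    {"description": "webhook-only", "type": "ingress", "protocol": "tcp",
     "from_port": 8443, "to_port": 8443},
    {"description": "https", "type": "ingress", "protocol": "tcp",
     "from_port": 443, "to_port": 443},
]

if __name__ == "__main__":
    reachable, findings = review(SAMPLE_RULES)
    for name, verdict in findings:
        print(f"{name:13} {verdict}")
    print("webhook port reachable:", reachable)
```

A rule reported as too-broad still lets the webhook call through; it is the one to narrow to tcp/8443 once the path is confirmed working.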
For those who are using GKE, this is the sample Terraform code I use to open port 8443:
Refer to this to get target_tags. |
I too faced the same error when I was applying the command -> C:\Users\Pavithra Kanmaniraja\Documents\kubernetes-sample-apps>kubectl apply -f ingressdemons1.yaml -n demons1 So I tried to remove the namespace from the cluster, but it does not remove everything that I created when I installed ingress to my cluster. Then, I deleted the existing ValidatingWebhookConfiguration by using the command -> C:\Users\Pavithra Kanmaniraja>kubectl delete ValidatingWebhookConfiguration nginx-ingress-ingress-nginx-admission After that, I applied the command -> C:\Users\Pavithra Kanmaniraja>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/cloud/deploy.yaml Next, again apply the command -> C:\Users\Pavithra Kanmaniraja\Documents\kubernetes-sample-apps>kubectl apply -f ingressdemons1.yaml -n ingress-nginx Finally, the ingress is created now. |
Blocked port 8443 is one of the known root causes for this error
…On Thu, 3 Aug, 2023, 11:09 am Pavithra Kanmanirajah, < ***@***.***> wrote:
I too faced the same error when I was applying the command ->
*C:\Users\Pavithra Kanmaniraja\Documents\kubernetes-sample-apps>kubectl
apply -f ingressdemons1.yaml -n demons1*
Error from server (InternalError): error when creating
"ingressdemons1.yaml": Internal error occurred: failed calling webhook "
validate.nginx.ingress.kubernetes.io": failed to call webhook: Post "
https://nginx-ingress-ingress-nginx-controller-admission.ingress-nginx.svc:443/networking/v1/ingresses?timeout=10s
<https://nginx-ingress-ingress-nginx-controller-admission.ingress-nginx.svc/networking/v1/ingresses?timeout=10s>":
service "nginx-ingress-ingress-nginx-controller-admission" not found
So I tried to remove the namespace from the cluster, but it does not
remove everything that I created when I installed ingress to my cluster.
Then, I deleted the existing ValidatingWebhookConfiguration by using the
command ->
*C:\Users\Pavithra Kanmaniraja>kubectl delete
ValidatingWebhookConfiguration nginx-ingress-ingress-nginx-admission*
validatingwebhookconfiguration.admissionregistration.k8s.io
"nginx-ingress-ingress-nginx-admission" deleted
After that, I applied the command ->
*C:\Users\Pavithra Kanmaniraja>kubectl apply -f
https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/cloud/deploy.yaml
<https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/cloud/deploy.yaml>*
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
configmap/ingress-nginx-controller created
clusterrole.rbac.authorization.k8s.io/ingress-nginx configured
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx configured
role.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
service/ingress-nginx-controller-admission created
service/ingress-nginx-controller created
deployment.apps/ingress-nginx-controller created
ingressclass.networking.k8s.io/nginx unchanged
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission
created
serviceaccount/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission configured
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission
configured
role.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created
Next, again apply the command ->
*C:\Users\Pavithra Kanmaniraja\Documents\kubernetes-sample-apps>kubectl
apply -f ingressdemons1.yaml -n ingress-nginx*
ingress.networking.k8s.io/doksexample-ingress created
Finally, the ingress is created now.
|
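The errors quoted in this thread share the same prefix but end differently, and the ending tells you where to look first. As an added example (not part of any comment here and not the project's own code), this parser pulls the webhook name, target Service, namespace and timeout out of the message and classifies the tail. The two sample messages are copied from this thread; the cause labels and hints are this example's own wording, and the "x509:" case assumes the usual prefix of Go certificate errors.

```python
import re
from urllib.parse import urlsplit

# (substring, cause, first thing to check); labels and hints are this example's own.
CAUSES = [
    ("context deadline exceeded", "unreachable", "open the webhook port (8443) from the API server"),
    ("not found", "stale-config", "webhook config references a missing Service"),
    ("x509:", "certificate", "check the admission patch job"),
]
WEBHOOK_RE = re.compile(r'failed calling webhook "\s*([^"\s]+)')
URL_RE = re.compile(r'Post "\s*(https://[^"\s]+)')

# Sample errors copied from this thread (the second keeps its mail line wrapping).
SAMPLE_TIMEOUT = ('Internal error occurred: failed calling webhook '
    '"validate.nginx.ingress.kubernetes.io": Post "https://public-nginx-ingress-'
    'ingress-nginx-controller-admission.public-nginx-ingress.svc:443/networking/v1/'
    'ingresses?timeout=10s": context deadline exceeded')
SAMPLE_MISSING = ('Internal error occurred: failed calling webhook "\n'
    'validate.nginx.ingress.kubernetes.io": failed to call webhook: Post "\n'
    'https://nginx-ingress-ingress-nginx-controller-admission.ingress-nginx.svc:443'
    '/networking/v1/ingresses?timeout=10s":\n'
    'service "nginx-ingress-ingress-nginx-controller-admission" not found')


def triage(message):
    """Return webhook name, target Service/namespace, timeout and likely cause."""
    text = " ".join(message.split())  # undo terminal/mail line wrapping
    out = dict.fromkeys(("webhook", "service", "namespace", "timeout", "hint"))
    out["cause"] = "unknown"
    m = WEBHOOK_RE.search(text)
    if m:
        out["webhook"] = m.group(1)
    tail = text
    m = URL_RE.search(text)
    if m:
        url = urlsplit(m.group(1))
        parts = (url.hostname or "").split(".")
        if len(parts) >= 3 and parts[2] == "svc":
            out["service"], out["namespace"] = parts[0], parts[1]
        t = re.search(r"timeout=(\w+)", url.query)
        out["timeout"] = t.group(1) if t else None
        tail = text[m.end():]  # the root cause follows the quoted URL
    for needle, cause, hint in CAUSES:
        if needle in tail:
            out["cause"], out["hint"] = cause, hint
            break
    return out
```

Deleting the ValidatingWebhookConfiguration or setting failurePolicy to Ignore, both suggested earlier in the thread, makes the error disappear by turning Ingress validation off rather than by repairing the path the triage points at.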
ingress-nginx ingress.networking.k8s.io/doksexample-ingress created is not command, how about it |
you can resolve that by opening the port : 443 and 8443 in each machine of your cluster |
For me this policy solved my issue:
You need to allow the communication from the api server in the cluster to the ingress-controller pod. |
Hello everyone, I try to set up a Kubernetes cluster on Azure VMs with Ubuntu. |
Hi all,
When I apply the ingress's configuration file named ingress-myapp.yaml by command kubectl apply -f ingress-myapp.yaml, there was an error. The complete error is as follows:
This is my ingress:
Has anyone encountered this problem?