Comments (8)
A firewall in gcp was blocking the request. It worked when I allowed traffic to port 8080 from the kubernetes master nodes (172.16.0.0/28).
Thanks again for your time:)
from vault-k8s.
This one comment saved me tons of time ... using GKE private clusters ... had to create a firewall rule so the control plane can communicate with pods directly ... essentially opening up 8080 from source "master address range", otherwise the MutatingWebhookConfiguration prevents all new pods from starting (configerror) because the control plane times out trying to communicate with the agent injector pod.
Thanks and cheers
Hi @krep-dr, are you using istio?
@jasonodonnell Thanks for looking into this. No, I don't use istio. Will the injector log when receiving a request from the webhook?
It will, yes. Is the injector running in the vault namespace? The deploy script sets it to that namespace by default.
Yes, it is.
As the other comments suggested, the helm chart doesn't know if you have a private GKE cluster.
Enable communication from the control plane to the nodes.
Here's an example in Terraform.

resource "google_compute_firewall" "gke-master-to-node" {
  name    = "gke-master-to-node"
  project = "{YOUR_PROJECT_ID}"
  network = "{YOUR_COMPUTE_NETWORK_ID}"

  # "all" opens every protocol and port from the master range (ports cannot be
  # set with protocol "all"). To allow only the injector webhook, use
  # protocol = "tcp" with ports = ["8080"] (or ["443"], whichever the pod listens on).
  allow {
    protocol = "all"
  }

  # Control plane (master) CIDR of the private cluster, e.g. "10.1.0.0/28"
  source_ranges = ["{MASTER_IPV4_CIDR_BLOCK}"]

  # Only instances carrying this network tag are targeted; nodes must be tagged
  target_tags = ["gke-node"]
}
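The failure described in this thread (the API server in a GKE private cluster times out calling the injector webhook on pod port 8080 until a firewall rule admits the master range) and the Terraform fix above, worked through as an added example. This is not code from vault-k8s or from Google: it is a toy evaluator of GCP-style VPC firewall rules over constructed inputs. The 172.16.0.0/28 master range is the one quoted in the thread; the "gke-node" tag and rule names are made up, and the default GKE rule (control plane to nodes on tcp 443 and 10250) is modelled from GKE's documented behaviour for private clusters, so check your own project with `gcloud compute firewall-rules list`. It shows why the default rules block the webhook, that the posted `protocol = "all"` rule fixes it but also opens every other port (SSH shown here) to the master range, and that a tcp/8080-only rule is enough.

```python
"""Toy evaluator for GCP VPC ingress firewall rules, modelling the GKE private-cluster
problem discussed above: the control plane cannot reach the vault-agent-injector webhook
on pod port 8080 until a rule allows it. Added example, not code from vault-k8s or Google;
rule names, network tags and the default-rule model are constructed / assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    source_range: str                     # CIDR the packet must originate from
    protocol: str                         # "tcp", "udp", "icmp" or "all"
    ports: frozenset = frozenset()        # empty = any port (GCP requires this for "all")
    target_tags: frozenset = frozenset()  # empty = applies to every instance in the VPC
    priority: int = 1000                  # lower number wins, as in GCP
    allow: bool = True


def rule_matches(rule, src_ip, proto, port, instance_tags):
    """True if an ingress packet (src_ip -> tagged instance:port over proto) hits this rule."""
    if ip_address(src_ip) not in ip_network(rule.source_range):
        return False
    if rule.protocol != "all" and rule.protocol != proto:
        return False
    if rule.ports and port not in rule.ports:
        return False
    if rule.target_tags and not (rule.target_tags & instance_tags):
        return False
    return True


def is_allowed(rules, src_ip, proto, port, instance_tags):
    """GCP ingress semantics: evaluate by priority, first match decides, implied deny otherwise."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, src_ip, proto, port, instance_tags):
            return rule.allow
    return False


# Constructed inputs. 172.16.0.0/28 is the master range quoted in the thread;
# "gke-node" stands in for the auto-generated node network tag (assumption).
MASTER_CIDR = "172.16.0.0/28"
NODE_TAGS = frozenset({"gke-node"})

# Modelled on the rule GKE creates for private clusters: control plane to nodes on
# kubelet (10250) and 443 only, so a webhook pod listening on 8080 is unreachable.
GKE_DEFAULT = [Rule("gke-cluster-master", MASTER_CIDR, "tcp", frozenset({443, 10250}), NODE_TAGS)]

# The Terraform rule posted above: every protocol and port from the master range.
BROAD_FIX = GKE_DEFAULT + [Rule("gke-master-to-node", MASTER_CIDR, "all", target_tags=NODE_TAGS)]

# Least-privilege alternative: only what the injector webhook needs.
TIGHT_FIX = GKE_DEFAULT + [Rule("gke-master-to-injector", MASTER_CIDR, "tcp", frozenset({8080}), NODE_TAGS)]


def webhook_reachable(rules, src_ip="172.16.0.5"):
    """Can the API server (an address in the master range) reach the injector on 8080?"""
    return is_allowed(rules, src_ip, "tcp", 8080, NODE_TAGS)


def ssh_reachable_from_master(rules, src_ip="172.16.0.5"):
    """Collateral exposure check: does the rule set also open SSH from the master range?"""
    return is_allowed(rules, src_ip, "tcp", 22, NODE_TAGS)


def untagged_node_reachable(rules, src_ip="172.16.0.5"):
    """Nodes without the target tag are not covered: a common reason a rule 'does nothing'."""
    return is_allowed(rules, src_ip, "tcp", 8080, frozenset())


if __name__ == "__main__":
    for label, rules in (("default", GKE_DEFAULT), ("broad", BROAD_FIX), ("tight", TIGHT_FIX)):
        print(f"{label:8} webhook={webhook_reachable(rules)} ssh={ssh_reachable_from_master(rules)}")
```

The evaluator ignores egress rules, service accounts as targets and deny-rule ordering corner cases; it exists only to make the three rule sets comparable. The practical takeaway is the third case: the webhook works with a rule scoped to tcp/8080 from the master CIDR and targeted by node tag, so the blanket `protocol = "all"` rule is wider than the fix needs.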
I had the same problem. I configured a security group in AWS and now it's working.