mistake:

error: error validating "STDIN": error validating data: [apiVersion not set, kind not set]; if you choose to ignore these errors, turn validation off with --validate=false

in new namespace called injection, injected container needs nginx-configmap but it does not current namespace.

The following issues were found in Gopkg.toml:

✗ unable to deduce repository and source type for "k8s.io/apimachinery": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/apimachinery?go-get=1": Get http://k8s.io/apimachinery?go-get=1: EOF
✗ unable to deduce repository and source type for "k8s.io/api": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://k8s.io/api?go-get=1": Get http://k8s.io/api?go-get=1: EOF

您好，想请教一下API Server调用webhook扩展时报文是JSON的还是protobuf的，因为我们的技术栈是以Java为主，对Go不是很了解，所以想尝试看看Java能不能实现类似的功能，目前就是对报文的形式不是很了解，我看Go的参数声明中既有JSON的又有protouf的，想跟您咨询一下API Server调用webhook扩展时报文的形式，是JSON还是protobuf，还是可以配置的，非常感谢！

Hi Morvenco,

I was refering your repo & unable to get volumount config, may I know what I am missing here or any workaround it.

Hello, I'm following your fantastic article about mutating webhook and I'm trying to understand what happens underground, unfortunately I'm struggling to understand what add Container func does.
Can you please explain to me what you are doing in this block

first := len(target) == 0
for _, add := range added {
		value = add
		path := basePath
		if first {
			first = false
			value = []corev1.Container{add}
		} else {
			path = path + "/-"
		}

original function:

func addContainer(target, added []corev1.Container, basePath string) (patch []patchOperation) {
	first := len(target) == 0
	var value interface{}
	for _, add := range added {
		value = add
		path := basePath
		if first {
			first = false
			value = []corev1.Container{add}
		} else {
			path = path + "/-"
		}
		patch = append(patch, patchOperation{
			Op:    "add",
			Path:  path,
			Value: value,
		})
	}
	return patch
}

Thanks for your help!

Hello, I have followed the tutorial and managed to deploy and run an injected pod.
However, when I run the same deployment definition in a different namespace, it is unable to start the pod.
I have labeled the new namespace as instructed.

Are there any additional steps needed in order to inject pods in another namespace?

Hello,

As im using the newest kubernetes Version 1.22.0 i have to use the apiVersion certificates.k8s.io/v1 instead of certificates.k8s.io/v1beta1. After deployment of webhook-create-signed-cert.sh I got this failure:

error: error validating "STDIN": error validating data: ValidationError(CertificateSigningRequest.spec): missing required field "signerName" in io.k8s.api.certificates.v1.CertificateSigningRequestSpec; if you choose to ignore these errors, turn validation off with --validate=false

Can someone tell me which signerName has to be set?

Greetings

Daniel

hello,
According to your method, find the following problem in the sidecar-injector-webhook-deployment-57cb9d9954-qqqlt
pod log

remote error: tls: bad certificate

api-server

W0611 14:21:25.798710 1 dispatcher.go:168] Failed calling webhook, failing open sidecar-injector.istio.io: failed calling webhook "sidecar-injector.istio.io": Post https://sidecar-injector.istio-system.svc:443/mutate?timeout=30s: x509: certificate signed by unknown authority

When I try to compile kube-mutating-webhook-tutorial/webhook.go I get an error that
_ = v1.AddToScheme(runtimeScheme)

does not exist

./webhook.go:70:20: cannot use runtimeScheme (type *"k8s.io/apimachinery/pkg/runtime".Scheme) as type *"k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime".Scheme in argument to "k8s.io/kubernetes/pkg/apis/core/v1".AddToScheme

When I comment out this line it seems to compile.

Hi!

I have been trying to replicate your code in Python and have reached a point where I managed to :

1. create the certificates and a private key
2. create the webhookconfiguration in the cluster

The problem I have is that the certificate is not recognized:

failed to call webhook: Post "...svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority

Looking at your code, I cannot find how the self-signed certificate is made recognizable to kubernetes. I can see that :

There are 2 CA configs in the script and 2 certificates made. The first is passed to the webhook configuration and the second is used in the webserver together with the private key. I do not quite understand why this is enough for kubernetes to recognize the certificate signer. Isn't there supposed to be a Certificate Signing Request made?

I run the webhook-patch-ca-bundle.sh script to replace ${CA_BUNDLE}. On running kubectl create for mutatingwebhook-ca-bundle.yaml, I get the following error :

error validating "deployment/mutatingwebhook-ca-bundle.yaml": error validating data: ValidationError(MutatingWebhookConfiguration.webhooks[0].clientConfig.caBundle): invalid type for io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig.caBundle: got "array", expected "string"; if you choose to ignore these errors, turn validation off with --validate=false

When I manually replaced the ${CA_BUNDLE} with the output of (kubectl get configmap -n kube-system extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}' | base64 | tr -d '\n'), it seems to be fine.

Positive result : The injector pod is mapped to mutatingwebhookconfiguration.admissionregistration.k8s.io/sidecar-injector-webhook

however when I increase the replicas to 2, then the mutatingwebhook maps to ONLY one of the pod instance. As a result of this, any sidecar injection using other pod will fail. Is this known issue? Do you have any suggestion?

I am trying to make build-image on ARM instance and I get

# make build-image
Building the tcp-health binary for Docker (linux) aarch64 ...
cmd/go: unsupported GOOS/GOARCH pair linux/aarch64
make: *** [build-linux] Error 2

Golang is installed so I am not sure what else is needed.

# go version
go version go1.15.14 linux/arm64