Unable to use the mutation webhook method with kubernetes 1.21.5 and admissionregistration.k8s.io/v1 on GKE #177
Comments
ping! No auto close please :-)
Also interested in the response here, I have never worked on kubernetes things before but we would like to upgrade our cluster to 1.22 (currently on 1.21) and the MutatingWebhookConfiguration beta api "will no longer be served". Happy users of Berglas, but not sure how to make this fix ourselves.
Some k8s tools upgraded to go 1.17 without a regard for backwards compat, which is making this impossible to deploy to Cloud Functions right now, since the latest available version there is 1.16.
#180 is the update PR. You can put it in a container and run it on Cloud Run, but there's no way to run it on Cloud Functions right now.
@sethvargo thank you for the explanation, and for having already fixed this and gotten it ready to go in your PR! I see that you are a member of Google Cloud Platform and work at Google -- is there anything I can do to help request that Cloud Functions add a go1.17/go1.18 runtime? I don't know if you're directly involved, but maybe there's a better place to ask than here? Thank you again for your time and for maintaining Berglas, it's been a wonderfully simple solution that's let us use the Google Cloud Secrets Manager for everything both inside k8s and outside.
I don't have any control over that, sorry.
No problem. We'll just deploy the Cloud Run container instead. Thank you again for your support.
If I understand correctly, the changes in #180 can be used with Cloud Run, as the Dockerfile/build can use the latest go (1.17) version?
Correct - you can use Cloud Run. I didn't want to switch to Cloud Run because it introduces complexity that folks who aren't familiar with Docker or containers might not want to take on.
After looking at the gcloud run samples, my current solution for "typical" kubernetes deployments without using the kubernetes webhook approach:
The remaining thing is to make it work for helm charts, which do not have the /bin/berglas binary. Many helms allow to pass a
Right - you can do this without the webhook. The webhook just automates the steps you described above (although it uses a sidecar instead).
This issue is stale because it has been open for 14 days with no
Hi everyone,
We have been using the following way to use berglas with mutation webhook https://github.com/GoogleCloudPlatform/berglas/tree/main/examples/kubernetes with admissionregistration.k8s.io/v1beta1 mutation webhook with success. One important note is that admissionregistration.k8s.io/v1beta1 will get deprecated in Kubernetes 1.22 in favor of admissionregistration.k8s.io/v1.
As soon as we try to use admissionregistration.k8s.io/v1 we are no longer able to have it work using the go function here https://github.com/GoogleCloudPlatform/berglas/tree/main/examples/kubernetes
From the gcloud function everything looks working, as we see logs such as:
However the POD does not start and I can see the following POD status error:
The webhook file I am using:
I also tried to update 2 packages (berglas and kubewebhook) in go.mod but I am getting the same behavior:
Any ideas what should be changed to make it work with admissionregistration.k8s.io/v1?
Thanks!