gatekeeper: Fail FailurePolicy in validation webhook causes failure to create namespaces
What steps did you take and what happened:
After we enabled the Anthos managed Gatekeeper (Policy Controller) in a cluster and tried to create a namespace:
kubectl create ns test
Got this error:
Error from server (InternalError): Internal error occurred: failed calling webhook "check-ignore-label.gatekeeper.sh": Post https://gatekeeper-webhook-service.gatekeeper-system.svc:443/v1/admitlabel?timeout=5s: context deadline exceeded
What did you expect to happen:
The namespace should be created without any issues.
We did an investigation; this seems to be caused by the failurePolicy being set to Fail for check-ignore-label.gatekeeper.sh. After we manually changed it to Ignore, no errors occurred anymore.
Anything else you would like to add:
Environment: GKE
- Gatekeeper version: gatekeeper-v3.1.0-beta.9.tgz
- Kubernetes version: (use kubectl version):
About this issue
- State: closed
- Created 4 years ago
- Comments: 15 (7 by maintainers)
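As an added example (not part of this issue, nor Gatekeeper's own code), the check behind the reporter's finding: the audit below reads the JSON shape that kubectl prints for a ValidatingWebhookConfiguration and reports, per webhook, what happens to the matched resources when the webhook service cannot be reached under each failurePolicy. The sample configuration is constructed from the values quoted in the error above; the rules block, the configuration name and the defaults noted in the comments are assumptions.

```python
"""Audit admission webhooks for the fail-closed / fail-open trade-off.

Constructed sample: the input shape matches
`kubectl get validatingwebhookconfiguration <name> -o json`; the values are
taken from the issue (webhook name, service, path, 5s timeout), the rest is
assumed for illustration.
"""
from typing import Dict, List

SAMPLE_CONFIG = {
    "metadata": {"name": "gatekeeper-validating-webhook-configuration"},  # assumed name
    "webhooks": [
        {
            "name": "check-ignore-label.gatekeeper.sh",
            "failurePolicy": "Fail",
            "timeoutSeconds": 5,
            "clientConfig": {"service": {"name": "gatekeeper-webhook-service",
                                         "namespace": "gatekeeper-system",
                                         "path": "/v1/admitlabel"}},
            # assumed rule: the webhook is consulted on namespace create/update
            "rules": [{"apiGroups": [""], "resources": ["namespaces"],
                       "operations": ["CREATE", "UPDATE"]}],
        }
    ],
}


def audit_webhooks(config: Dict) -> List[Dict]:
    """One finding per webhook: which resources it gates and what an outage does."""
    findings = []
    for wh in config.get("webhooks", []):
        policy = wh.get("failurePolicy", "Fail")  # admissionregistration/v1 default
        svc = wh.get("clientConfig", {}).get("service", {})
        resources = sorted({r for rule in wh.get("rules", []) for r in rule.get("resources", [])})
        gated = ", ".join(resources) or "(no rules)"
        if policy == "Fail":
            impact = f"blocks {gated} when unreachable (fail-closed)"
        else:
            impact = f"admits {gated} unchecked when unreachable (fail-open)"
        findings.append({
            "webhook": wh["name"],
            "failurePolicy": policy,
            "timeoutSeconds": wh.get("timeoutSeconds", 10),  # v1 default is 10s
            "service": f"{svc.get('name')}.{svc.get('namespace')}.svc{svc.get('path', '')}",
            "impact": impact,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_webhooks(SAMPLE_CONFIG):
        print(finding)
```

Switching the webhook to Ignore restores namespace creation but leaves the policy check fail-open whenever the service is down, so the connectivity fix suggested in the replies below addresses the root cause rather than the symptom.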
The information for that section of the README now lives here:
https://open-policy-agent.github.io/gatekeeper/website/docs/vendor-specific
@srb97 I am sorry but that was ages ago 😕
The best you could do is to try to get the site in the link back… You could try to roll back the https://github.com/open-policy-agent/gatekeeper repo to 2020 at around the 28th of Aug and you should see the list in the README.md under the running-on-private-gke-cluster-nodes link.
I’m wondering if there is a network partition between the API server and the Gatekeeper pod?
Do you need to open up a firewall rule similar to https://github.com/open-policy-agent/gatekeeper#running-on-private-gke-cluster-nodes ?