Comments (9)
I found this issue when I was searching for a solution to the same problem. I solved it by adding a new ClusterRole/Binding to the webhook service account (not the cert-manager service account), like this:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager-webhook-hetzner.fullname" . }}:flowcontrol-solver
  labels:
    app: {{ include "cert-manager-webhook-hetzner.name" . }}
    chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
rules:
  - apiGroups:
      - "flowcontrol.apiserver.k8s.io"
    resources:
      - 'prioritylevelconfigurations'
      - 'flowschemas'
    verbs:
      - 'list'
      - 'watch'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager-webhook-hetzner.fullname" . }}:flowcontrol-solver
  labels:
    app: {{ include "cert-manager-webhook-hetzner.name" . }}
    chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager-webhook-hetzner.fullname" . }}:flowcontrol-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "cert-manager-webhook-hetzner.fullname" . }}
    namespace: {{ .Release.Namespace | quote }}
---
from cert-manager-webhook-dnsimple.
Hey, I just saw this error in our clusters and googled it and then ended up here in the ticket of my own project 😅 - this totally got lost in my inbox. Sorry! I think a downgrade is the most viable solution, but I will check what the other webhooks are doing and will report back.
from cert-manager-webhook-dnsimple.
Looking around I noticed that one can add in the rbac yaml file to the ClusterRole :domain-solver
(from https://github.com/gattytto/cert-manager-acme-he-webhook/blob/master/deploy/acme-he-webhook/templates/rbac.yaml)
  - apiGroups:
      - "flowcontrol.apiserver.k8s.io"
    resources:
      - 'prioritylevelconfigurations'
      - 'flowschemas'
    verbs:
      - 'list'
      - 'watch'
But it seems to still not solve the problem. I get the same issue ebrianne/cert-manager-webhook-duckdns#2
from cert-manager-webhook-dnsimple.
@ebrianne Which Kubernetes version are you seeing this with?
from cert-manager-webhook-dnsimple.
@arnediekmann Any news?
from cert-manager-webhook-dnsimple.
Just to be clear: FlowSchema and PriorityLevelConfiguration were in Alpha in Kubernetes v1.19 (https://v1-19.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#flowschema-v1alpha1-flowcontrol-apiserver-k8s-io and https://v1-18.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#prioritylevelconfiguration-v1alpha1-flowcontrol-apiserver-k8s-io). They don't enter Beta until v1.20. So any client library that tries to list those resources in the Beta namespace will fail on a pre-1.20 cluster.
from cert-manager-webhook-dnsimple.
@parmus I am using a k3s cluster v1.20.4 and thought I could solve the problem finally. Last time I downgraded to 1.19 for the client which solved the problem as indeed the feature was in alpha at that time. It seems at the moment a viable solution.
from cert-manager-webhook-dnsimple.
Whoops, this got auto-closed by my commit. I just released version 0.1.0. In our clusters (version 1.19.8) 11fb703 and the release seem to do the trick. But please do check in your environments and report back. Sorry for taking so long with this and thanks for your patience 😇
from cert-manager-webhook-dnsimple.
@parmus somewhat off-topic but the release also encompasses your PRs. Thanks again for those contributions!
from cert-manager-webhook-dnsimple.
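The thread discusses two separate conditions: the webhook service account lacking list/watch on the flowcontrol resources, and the cluster not serving the flowcontrol API version the client asks for. The script below is an added example, not code from the thread or the project, that checks both; the function names and the namespace and service-account arguments are assumptions.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the namespace and
# service-account arguments are placeholders for your own release.

# Reads `kubectl api-versions` output on stdin and prints the served
# flowcontrol.apiserver.k8s.io versions on one line.
flowcontrol_versions() {
  sed -n 's|^flowcontrol\.apiserver\.k8s\.io/||p' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Reads `kubectl api-versions` output on stdin and classifies it.
# A client that lists the Beta resources only works in the first case;
# an RBAC rule cannot help when the API version is not served at all.
classify_flowcontrol() {
  versions=$(flowcontrol_versions)
  case " $versions " in
    *" v1beta"*)  echo "beta-served" ;;
    *" v1alpha"*) echo "alpha-only" ;;
    *)            echo "not-served" ;;
  esac
}

# Queries the live cluster: API availability first, then whether the
# webhook service account may list/watch the two flowcontrol resources.
check_cluster() {
  ns=$1; sa=$2
  echo "flowcontrol API: $(kubectl api-versions | classify_flowcontrol)"
  for res in flowschemas prioritylevelconfigurations; do
    for verb in list watch; do
      printf '%s %s: ' "$verb" "$res"
      kubectl auth can-i "$verb" "$res.flowcontrol.apiserver.k8s.io" \
        --as="system:serviceaccount:$ns:$sa"
    done
  done
}

# Usage: ./check-flowcontrol.sh <namespace> <webhook-service-account>
if [ "$#" -eq 2 ]; then
  check_cluster "$1" "$2"
fi
```

A "no" from `kubectl auth can-i` points at the ClusterRole/ClusterRoleBinding; "alpha-only" or "not-served" points at the version mismatch instead.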