Ingress-nginx: apply ingress rule error after install ingress-nginx: x509 certificate is not valid ingress-nginx-controller-admission.ingress-nginx.svc

Created on 3 Aug 2020 · 11 Comments · Source: kubernetes/ingress-nginx

k8s cluster installed by binary (I also tried v1.18.0)
[root@m-etc-1 ssl-nginx-webhook]# kubectl get no
NAME      STATUS   ROLES    AGE   VERSION
m-etc-1   Ready    <none>   20h   v1.18.6
m-etc-2   Ready    <none>   20h   v1.18.6
m-etc-3   Ready    <none>   20h   v1.18.6
n-1       Ready    <none>   20h   v1.18.6
n-2       Ready    <none>   20h   v1.18.6
n-3       Ready    <none>   20h   v1.18.6
slb-1     Ready    <none>   20h   v1.18.6
slb-2     Ready    <none>   20h   v1.18.6


and calico install is ok
and coredns install is OK
and ingress-nginx install is OK  
ingress-nginx deploy file:
https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider//baremetal/deploy.yaml

[root@m-etc-1 cfg]# kubectl api-versions | grep admissionregistration.k8s.io
admissionregistration.k8s.io/v1
admissionregistration.k8s.io/v1beta1

AND:  --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,PersistentVolumeClaimResize,PodPreset 


[root@m-etc-1 ssl-nginx-webhook]# kubectl get all -n ingress-nginx
NAME                                       READY   STATUS      RESTARTS   AGE
pod/ingress-nginx-admission-create-v27qd   0/1     Completed   0          20h
pod/ingress-nginx-admission-patch-599bf    0/1     Completed   0          20h
pod/ingress-nginx-controller-dsg2j         1/1     Running     1          14h
pod/ingress-nginx-controller-jwjxk         1/1     Running     1          14h

NAME                                         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
service/ingress-nginx-controller             ClusterIP   10.244.81.145    <none>        80/TCP,443/TCP   20h
service/ingress-nginx-controller-admission   ClusterIP   10.244.170.231   <none>        443/TCP          20h

NAME                                      DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
daemonset.apps/ingress-nginx-controller   2         2         2       2            2           in=ingress      20h

NAME                                       COMPLETIONS   DURATION   AGE
job.batch/ingress-nginx-admission-create   1/1           5s         20h
job.batch/ingress-nginx-admission-patch    1/1           5s         20h

I try to apply an ingress rule, but I get an error:
[root@m-etc-1 ~]# kubectl apply -f ingress-nginx.yml
Error from server (InternalError): error when creating "ingress-nginx.yml": Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": Post https://ingress-nginx-controller-admission.ingress-nginx.svc:443/extensions/v1beta1/ingresses?timeout=30s: x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster, kubernetes.default.svc.cluster.local, not ingress-nginx-controller-admission.ingress-nginx.svc

WHY???

All 11 comments

Has no one met this error??
I tried a k8s cluster (installed by kubeadm)

k8s version: v1.18.6
docker version: 19.03.12 
os: centos 7.6
helm3

Applying the ingress rule still reports the same error;

If I disable webhooks, then I apply the ingress rule, it is OK;

kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission

@liminghua999 can you please check if the output of these two commands match?

$ kubectl -n ingress-nginx get validatingwebhookconfigurations ingress-nginx-admission -ojsonpath='{.webhooks[0].clientConfig.caBundle}'

$ kubectl -n ingress-nginx get secret ingress-nginx-admission -ojsonpath='{.data.ca}'

[root@master01 ~]# kubectl -n ingress-nginx get validatingwebhookconfigurations ingress-nginx-admission -ojsonpath='{.webhooks[0].clientConfig.caBundle}'
[root@master01 ~]# kubectl -n ingress-nginx get secret ingress-nginx-admission -ojsonpath='{.data.ca}'
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJOekNCMzZBREFnRUNBaEVBc1Fib3U4OWlSVmJZazJVT2RPRGh3REFLQmdncWhrak9QUVFEQWpBQU1DQVgKRFRJd01Ea3pNREF5TVRJd01Gb1lEekl4TWpBd09UQTJNREl4TWpBd1dqQUFNRmt3RXdZSEtvWkl6ajBDQVFZSQpLb1pJemowREFRY0RRZ0FFZ3lWQkZGUnN5dFlIb3N1N24xRVVsekJ5aTRJaEtKYmx0WFRieElTYmlDLzJWRk9ZClI0NzJSczBHMnhCS1NkR3NtaGZOK1ZkTG1EREdNeEE2UE55MVVhTTRNRFl3RGdZRFZSMFBBUUgvQkFRREFnSUUKTUJNR0ExVWRKUVFNTUFvR0NDc0dBUVVGQndNQk1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0NnWUlLb1pJemowRQpBd0lEUndBd1JBSWdGK1JxUW5oRzgxbVp1TEFKc0RaNUozN3Y1VUI0U2trUXpDb21ya2dYWTgwQ0lGOW4vQ002CjBHV2hFOXRFVVFleFV2MTZTR1NabGVpSEFoMXE5dElEVlh0bwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
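
The comparison requested above, as an added shell example that is not part of the original thread or of the ingress-nginx project: it compares the two values by the SHA-256 of their decoded bytes instead of by eye, and tells the thread's two x509 errors apart. The function names are hypothetical; the resource names are the ones used in the commands above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# fingerprint B64: SHA-256 of the decoded bytes; "empty" or "invalid" otherwise.
fingerprint() {
    clean=$(printf '%s' "$1" | tr -d ' \t\r\n')
    [ -n "$clean" ] || { echo empty; return 0; }
    if ! printf '%s' "$clean" | base64 -d >/dev/null 2>&1; then
        echo invalid; return 0
    fi
    printf '%s' "$clean" | base64 -d | sha256sum | cut -d' ' -f1
}

# compare_ca CABUNDLE_B64 SECRET_CA_B64: prints match, mismatch or unusable.
compare_ca() {
    a=$(fingerprint "$1"); b=$(fingerprint "$2")
    case "$a:$b" in
        empty:*|invalid:*|*:empty|*:invalid) echo unusable ;;
        *) if [ "$a" = "$b" ]; then echo match; else echo mismatch; fi ;;
    esac
}

# classify_x509 "ERROR TEXT": which of the two errors quoted in the thread?
classify_x509() {
    case "$1" in
        # The endpoint that answered presented a certificate issued for other
        # names; comparing CA bundles does not address this case.
        *"x509: certificate is valid for "*", not "*) echo wrong-certificate ;;
        # The chain does not lead to the caBundle: run compare_ca.
        *"x509: certificate signed by unknown authority"*) echo untrusted-ca ;;
        *) echo other ;;
    esac
}

# check_cluster: the two kubectl commands from the thread, compared.
check_cluster() {
    bundle=$(kubectl -n ingress-nginx get validatingwebhookconfigurations \
        ingress-nginx-admission -ojsonpath='{.webhooks[0].clientConfig.caBundle}')
    ca=$(kubectl -n ingress-nginx get secret ingress-nginx-admission \
        -ojsonpath='{.data.ca}')
    compare_ca "$bundle" "$ca"
}
```

Run `check_cluster` on a host with kubectl access; `unusable` means one of the two fields is empty or not valid base64.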

I am seeing this problem also:

Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": Post "https://ingress-nginx-controller-admission.kube-system.svc:443/extensions/v1beta1/ingresses?timeout=30s": x509: certificate signed by unknown authority

This is in minikube with Ingress-nginx installed using minikube addons enable ingress

I can 'resolve' it using kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission but this does not seem like a solution, it's just a hack to get it working.

I'm running into the same issue, did anyone solve this?

> I'm running into the same issue, did anyone solve this?

Me too, is it new?

> I am seeing this problem also:
>
> Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": Post "https://ingress-nginx-controller-admission.kube-system.svc:443/extensions/v1beta1/ingresses?timeout=30s": x509: certificate signed by unknown authority
>
> This is in minikube with Ingress-nginx installed using minikube addons enable ingress
>
> I can 'resolve' it using kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission but this does not seem like a solution, it's just a hack to get it working.

Hi, I am also facing this same issue, did you find any resolution for this other than deleting the Webhook configuration?

No, not yet. It's annoying, but the workaround is not too troublesome, so we have not spent more time trying to fix it.

On Tue, 24 Nov 2020, 11:45 KaivalyaDabhadkar, notifications@github.com wrote:

> I am seeing this problem also:
>
> Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": Post "https://ingress-nginx-controller-admission.kube-system.svc:443/extensions/v1beta1/ingresses?timeout=30s": x509: certificate signed by unknown authority
>
> This is in minikube with Ingress-nginx installed using minikube addons enable ingress
>
> I can 'resolve' it using kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission but this does not seem like a solution, it's just a hack to get it working.
>
> Hi, I am also facing this same issue, did you find any resolution for this other than deleting the Webhook configuration?


@md-waldron What version of minikube, kubernetes and which minikube driver are you using? Can you describe what you are doing to reproduce this issue?

@sschne I updated my docker and k8s recently and I no longer seem to have the issue. Here is the startup I get when starting minikube, seems all the version info you wanted is reported in that:

😄 minikube v1.14.0 on Darwin 11.0.1
✨ Using the virtualbox driver based on existing profile
👍 Starting control plane node minikube in cluster minikube
🔄 Restarting existing virtualbox VM for "minikube" ...
🐳 Preparing Kubernetes v1.19.2 on Docker 19.03.12 ...
🔎 Verifying Kubernetes components...
🔎 Verifying ingress addon...
🌟 Enabled addons: storage-provisioner, default-storageclass, dashboard, ingress
🏄 Done! kubectl is now configured to use "minikube" by default
