AdmissionWebhook isn't scoped by Ingress Class #7759

Closed
rblaine95 opened this issue Oct 6, 2021 · 4 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.


@rblaine95

NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.): v1.0.2

Kubernetes version (use kubectl version):

» k version --short
Client Version: v1.19.15
Server Version: v1.19.13-eks-8df270

Environment:

  • Cloud provider or hardware configuration: AWS EKS 1.19

  • OS (e.g. from /etc/os-release): AmazonLinux2

  • Kernel (e.g. uname -a): unsure

  • Install tools:

    • Please mention how/where was cluster created like kubeadm/kops/minikube/kind etc.
    • Terraform/AWS EKS
  • Basic cluster related info:

    • kubectl version: v1.19.15
    • helm version: version.BuildInfo{Version:"v3.7.0", GitCommit:"eeac83883cb4014fe60267ec6373570374ce770b", GitTreeState:"clean", GoVersion:"go1.17"}
  • How was the ingress-nginx-controller installed:

    • If helm was used then please show output of helm ls -A
» helm ls -n kube-system
NAME                             	NAMESPACE  	REVISION	UPDATED                                 	STATUS  	CHART                              	APP VERSION
nginx-external-ingress-controller	kube-system	16      	2021-10-04 10:30:20.564817 +0200 SAST   	deployed	ingress-nginx-4.0.3                	1.0.2
nginx-internal-ingress-controller	kube-system	15      	2021-10-03 14:51:16.102705 +0200 SAST   	deployed	ingress-nginx-4.0.3                	1.0.2
  • If helm was used then please show output of helm -n <ingresscontrollernamespace> get values <helmreleasename>
### » helm -n kube-system get values nginx-internal-ingress-controller
USER-SUPPLIED VALUES:
controller:
  admissionWebhooks:
    port: 9443
  affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: app.kubernetes.io/name
            operator: In
            values:
            - ingress-nginx
          - key: app.kubernetes.io/instance
            operator: In
            values:
            - nginx-internal-ingress-controller
          - key: app.kubernetes.io/component
            operator: In
            values:
            - controller
        topologyKey: kubernetes.io/hostname
  config:
    proxy-body-size: 5120m
    use-forwarded-headers: "true"
  containerPort:
    http: 8080
    https: 8443
  extraArgs:
    http-port: 8080
    https-port: 8443
    ingress-class: nginx-internal
  image:
    allowPrivilegeEscalation: false
  ingressClassResource:
    controllerValue: k8s.io/nginx-internal
    default: true
    enabled: true
    name: nginx-internal
  lifecycle:
    preStop:
      exec:
        command:
        - /bin/sh
        - -c
        - sleep 5;
        - /usr/local/nginx/sbin/nginx -c /etc/nginx/nginx.conf -s quit; while pgrep
          -x nginx; do echo "waiting for nginx to gracefully shutdown"; sleep 1; done
  metrics:
    enabled: true
  replicaCount: 2
  service:
    ports:
      http: 80
      https: 443
    targetPorts:
      http: 8080
      https: 8443
    type: ClusterIP
  terminationGracePeriodSeconds: 600
defaultBackend:
  enabled: false
fullnameOverride: nginx-internal-ingress
### » helm -n kube-system get values nginx-external-ingress-controller
USER-SUPPLIED VALUES:
controller:
  admissionWebhooks:
    port: 9443
  affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: app.kubernetes.io/name
            operator: In
            values:
            - ingress-nginx
          - key: app.kubernetes.io/instance
            operator: In
            values:
            - nginx-external-ingress-controller
          - key: app.kubernetes.io/component
            operator: In
            values:
            - controller
        topologyKey: kubernetes.io/hostname
  config:
    proxy-body-size: 128m
    use-forwarded-headers: "true"
  containerPort:
    http: 8080
    https: 8443
  extraArgs:
    http-port: 8080
    https-port: 8443
    ingress-class: nginx-external
  image:
    allowPrivilegeEscalation: false
  ingressClassResource:
    controllerValue: k8s.io/nginx-external
    default: false
    enabled: true
    name: nginx-external
  lifecycle:
    preStop:
      exec:
        command:
        - /bin/sh
        - -c
        - sleep 5;
        - /usr/local/nginx/sbin/nginx -c /etc/nginx/nginx.conf -s quit; while pgrep
          -x nginx; do echo "waiting for nginx to gracefully shutdown"; sleep 1; done
  metrics:
    enabled: true
  replicaCount: 2
  service:
    ports:
      http: 80
      https: 443
    targetPorts:
      http: 8080
      https: 8443
    type: ClusterIP
  terminationGracePeriodSeconds: 600
defaultBackend:
  enabled: false
fullnameOverride: nginx-external-ingress
  • Current State of the controller:
    • kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>
» k describe pods --selector=app.kubernetes.io/name=ingress-nginx
Name:         nginx-external-ingress-controller-85f89864f4-thrqt
Namespace:    kube-system
Priority:     0
Node:         ip-10-99-113-124.eu-west-1.compute.internal/10.99.113.124
Start Time:   Wed, 06 Oct 2021 14:26:12 +0200
Labels:       app.kubernetes.io/component=controller
              app.kubernetes.io/instance=nginx-external-ingress-controller
              app.kubernetes.io/name=ingress-nginx
              pod-template-hash=85f89864f4
Annotations:  kubectl.kubernetes.io/restartedAt: 2021-10-06T14:25:55+02:00
              kubernetes.io/psp: eks.privileged
Status:       Running
IP:           10.99.126.20
IPs:
  IP:           10.99.126.20
Controlled By:  ReplicaSet/nginx-external-ingress-controller-85f89864f4
Containers:
  controller:
    Container ID:  docker://68fdb495327f4c1cf7bf6bf20a98814080a5c132da79bb73f1023c594ac1fcf6
    Image:         k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
    Image ID:      docker-pullable://k8s.gcr.io/ingress-nginx/controller@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
    Ports:         8080/TCP, 8443/TCP, 10254/TCP, 9443/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP, 0/TCP
    Args:
      /nginx-ingress-controller
      --publish-service=$(POD_NAMESPACE)/nginx-external-ingress-controller
      --election-id=ingress-controller-leader
      --controller-class=k8s.io/nginx-external
      --configmap=$(POD_NAMESPACE)/nginx-external-ingress-controller
      --validating-webhook=:9443
      --validating-webhook-certificate=/usr/local/certificates/cert
      --validating-webhook-key=/usr/local/certificates/key
      --http-port=8080
      --https-port=8443
      --ingress-class=nginx-external
    State:          Running
      Started:      Wed, 06 Oct 2021 14:26:13 +0200
    Ready:          True
    Restart Count:  0
    Requests:
      cpu:      100m
      memory:   90Mi
    Liveness:   http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=5
    Readiness:  http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=3
    Environment:
      POD_NAME:       nginx-external-ingress-controller-85f89864f4-thrqt (v1:metadata.name)
      POD_NAMESPACE:  kube-system (v1:metadata.namespace)
      LD_PRELOAD:     /usr/local/lib/libmimalloc.so
    Mounts:
      /usr/local/certificates/ from webhook-cert (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from nginx-external-ingress-token-72hfl (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  webhook-cert:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  nginx-external-ingress-admission
    Optional:    false
  nginx-external-ingress-token-72hfl:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  nginx-external-ingress-token-72hfl
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  kubernetes.io/os=linux
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age                From                      Message
  ----    ------     ----               ----                      -------
  Normal  Scheduled  37m                default-scheduler         Successfully assigned kube-system/nginx-external-ingress-controller-85f89864f4-thrqt to ip-10-99-113-124.eu-west-1.compute.internal
  Normal  Pulled     37m                kubelet                   Container image "k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049" already present on machine
  Normal  Created    37m                kubelet                   Created container controller
  Normal  Started    37m                kubelet                   Started container controller
  Normal  RELOAD     27m (x2 over 37m)  nginx-ingress-controller  NGINX reload triggered due to a change in configuration


Name:         nginx-external-ingress-controller-85f89864f4-x8dmt
Namespace:    kube-system
Priority:     0
Node:         ip-10-99-123-4.eu-west-1.compute.internal/10.99.123.4
Start Time:   Wed, 06 Oct 2021 14:25:56 +0200
Labels:       app.kubernetes.io/component=controller
              app.kubernetes.io/instance=nginx-external-ingress-controller
              app.kubernetes.io/name=ingress-nginx
              pod-template-hash=85f89864f4
Annotations:  kubectl.kubernetes.io/restartedAt: 2021-10-06T14:25:55+02:00
              kubernetes.io/psp: eks.privileged
Status:       Running
IP:           10.99.119.67
IPs:
  IP:           10.99.119.67
Controlled By:  ReplicaSet/nginx-external-ingress-controller-85f89864f4
Containers:
  controller:
    Container ID:  docker://1145f6cca8782db3c98c6724d47ebb942b9c5bf2c8cd1005015c5c162a760436
    Image:         k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
    Image ID:      docker-pullable://k8s.gcr.io/ingress-nginx/controller@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
    Ports:         8080/TCP, 8443/TCP, 10254/TCP, 9443/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP, 0/TCP
    Args:
      /nginx-ingress-controller
      --publish-service=$(POD_NAMESPACE)/nginx-external-ingress-controller
      --election-id=ingress-controller-leader
      --controller-class=k8s.io/nginx-external
      --configmap=$(POD_NAMESPACE)/nginx-external-ingress-controller
      --validating-webhook=:9443
      --validating-webhook-certificate=/usr/local/certificates/cert
      --validating-webhook-key=/usr/local/certificates/key
      --http-port=8080
      --https-port=8443
      --ingress-class=nginx-external
    State:          Running
      Started:      Wed, 06 Oct 2021 14:25:57 +0200
    Ready:          True
    Restart Count:  0
    Requests:
      cpu:      100m
      memory:   90Mi
    Liveness:   http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=5
    Readiness:  http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=3
    Environment:
      POD_NAME:       nginx-external-ingress-controller-85f89864f4-x8dmt (v1:metadata.name)
      POD_NAMESPACE:  kube-system (v1:metadata.namespace)
      LD_PRELOAD:     /usr/local/lib/libmimalloc.so
    Mounts:
      /usr/local/certificates/ from webhook-cert (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from nginx-external-ingress-token-72hfl (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  webhook-cert:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  nginx-external-ingress-admission
    Optional:    false
  nginx-external-ingress-token-72hfl:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  nginx-external-ingress-token-72hfl
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  kubernetes.io/os=linux
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age                From                      Message
  ----    ------     ----               ----                      -------
  Normal  Scheduled  38m                default-scheduler         Successfully assigned kube-system/nginx-external-ingress-controller-85f89864f4-x8dmt to ip-10-99-123-4.eu-west-1.compute.internal
  Normal  Pulled     38m                kubelet                   Container image "k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049" already present on machine
  Normal  Created    38m                kubelet                   Created container controller
  Normal  Started    38m                kubelet                   Started container controller
  Normal  RELOAD     27m (x2 over 37m)  nginx-ingress-controller  NGINX reload triggered due to a change in configuration


Name:         nginx-internal-ingress-controller-5857cf8b5b-lq2cq
Namespace:    kube-system
Priority:     0
Node:         ip-10-99-113-124.eu-west-1.compute.internal/10.99.113.124
Start Time:   Wed, 06 Oct 2021 14:26:03 +0200
Labels:       app.kubernetes.io/component=controller
              app.kubernetes.io/instance=nginx-internal-ingress-controller
              app.kubernetes.io/name=ingress-nginx
              pod-template-hash=5857cf8b5b
Annotations:  kubectl.kubernetes.io/restartedAt: 2021-10-06T14:25:46+02:00
              kubernetes.io/psp: eks.privileged
Status:       Running
IP:           10.99.106.46
IPs:
  IP:           10.99.106.46
Controlled By:  ReplicaSet/nginx-internal-ingress-controller-5857cf8b5b
Containers:
  controller:
    Container ID:  docker://0c5f0ebef65c0228a27409bdc437b22622ab7eae2112500e7212278423f5d7bb
    Image:         k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
    Image ID:      docker-pullable://k8s.gcr.io/ingress-nginx/controller@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
    Ports:         8080/TCP, 8443/TCP, 10254/TCP, 9443/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP, 0/TCP
    Args:
      /nginx-ingress-controller
      --publish-service=$(POD_NAMESPACE)/nginx-internal-ingress-controller
      --election-id=ingress-controller-leader
      --controller-class=k8s.io/nginx-internal
      --configmap=$(POD_NAMESPACE)/nginx-internal-ingress-controller
      --validating-webhook=:9443
      --validating-webhook-certificate=/usr/local/certificates/cert
      --validating-webhook-key=/usr/local/certificates/key
      --http-port=8080
      --https-port=8443
      --ingress-class=nginx-internal
    State:          Running
      Started:      Wed, 06 Oct 2021 14:26:05 +0200
    Ready:          True
    Restart Count:  0
    Requests:
      cpu:      100m
      memory:   90Mi
    Liveness:   http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=5
    Readiness:  http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=3
    Environment:
      POD_NAME:       nginx-internal-ingress-controller-5857cf8b5b-lq2cq (v1:metadata.name)
      POD_NAMESPACE:  kube-system (v1:metadata.namespace)
      LD_PRELOAD:     /usr/local/lib/libmimalloc.so
    Mounts:
      /usr/local/certificates/ from webhook-cert (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from nginx-internal-ingress-token-flgfk (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  webhook-cert:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  nginx-internal-ingress-admission
    Optional:    false
  nginx-internal-ingress-token-flgfk:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  nginx-internal-ingress-token-flgfk
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  kubernetes.io/os=linux
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age                   From                      Message
  ----    ------     ----                  ----                      -------
  Normal  Scheduled  37m                   default-scheduler         Successfully assigned kube-system/nginx-internal-ingress-controller-5857cf8b5b-lq2cq to ip-10-99-113-124.eu-west-1.compute.internal
  Normal  Pulled     37m                   kubelet                   Container image "k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049" already present on machine
  Normal  Created    37m                   kubelet                   Created container controller
  Normal  Started    37m                   kubelet                   Started container controller
  Normal  RELOAD     7m45s (x10 over 37m)  nginx-ingress-controller  NGINX reload triggered due to a change in configuration


Name:         nginx-internal-ingress-controller-5857cf8b5b-wg7qj
Namespace:    kube-system
Priority:     0
Node:         ip-10-99-111-3.eu-west-1.compute.internal/10.99.111.3
Start Time:   Wed, 06 Oct 2021 14:25:46 +0200
Labels:       app.kubernetes.io/component=controller
              app.kubernetes.io/instance=nginx-internal-ingress-controller
              app.kubernetes.io/name=ingress-nginx
              pod-template-hash=5857cf8b5b
Annotations:  kubectl.kubernetes.io/restartedAt: 2021-10-06T14:25:46+02:00
              kubernetes.io/psp: eks.privileged
Status:       Running
IP:           10.99.112.131
IPs:
  IP:           10.99.112.131
Controlled By:  ReplicaSet/nginx-internal-ingress-controller-5857cf8b5b
Containers:
  controller:
    Container ID:  docker://83f5e073c68abdbf3b70ce7cecb1f0fa9d726f0536a7993ff93bd1902fc7e2ef
    Image:         k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
    Image ID:      docker-pullable://k8s.gcr.io/ingress-nginx/controller@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049
    Ports:         8080/TCP, 8443/TCP, 10254/TCP, 9443/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP, 0/TCP
    Args:
      /nginx-ingress-controller
      --publish-service=$(POD_NAMESPACE)/nginx-internal-ingress-controller
      --election-id=ingress-controller-leader
      --controller-class=k8s.io/nginx-internal
      --configmap=$(POD_NAMESPACE)/nginx-internal-ingress-controller
      --validating-webhook=:9443
      --validating-webhook-certificate=/usr/local/certificates/cert
      --validating-webhook-key=/usr/local/certificates/key
      --http-port=8080
      --https-port=8443
      --ingress-class=nginx-internal
    State:          Running
      Started:      Wed, 06 Oct 2021 14:25:48 +0200
    Ready:          True
    Restart Count:  0
    Requests:
      cpu:      100m
      memory:   90Mi
    Liveness:   http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=5
    Readiness:  http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=3
    Environment:
      POD_NAME:       nginx-internal-ingress-controller-5857cf8b5b-wg7qj (v1:metadata.name)
      POD_NAMESPACE:  kube-system (v1:metadata.namespace)
      LD_PRELOAD:     /usr/local/lib/libmimalloc.so
    Mounts:
      /usr/local/certificates/ from webhook-cert (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from nginx-internal-ingress-token-flgfk (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  webhook-cert:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  nginx-internal-ingress-admission
    Optional:    false
  nginx-internal-ingress-token-flgfk:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  nginx-internal-ingress-token-flgfk
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  kubernetes.io/os=linux
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age                   From                      Message
  ----    ------     ----                  ----                      -------
  Normal  Scheduled  38m                   default-scheduler         Successfully assigned kube-system/nginx-internal-ingress-controller-5857cf8b5b-wg7qj to ip-10-99-111-3.eu-west-1.compute.internal
  Normal  Pulled     38m                   kubelet                   Container image "k8s.gcr.io/ingress-nginx/controller:v1.0.2@sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049" already present on machine
  Normal  Created    38m                   kubelet                   Created container controller
  Normal  Started    38m                   kubelet                   Started container controller
  Normal  RELOAD     7m46s (x11 over 38m)  nginx-ingress-controller  NGINX reload triggered due to a change in configuration
  • kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>
» k -n kube-system describe svc --selector=app.kubernetes.io/name=ingress-nginx
Name:              nginx-external-ingress-controller
Namespace:         kube-system
Labels:            app.kubernetes.io/component=controller
                   app.kubernetes.io/instance=nginx-external-ingress-controller
                   app.kubernetes.io/managed-by=Helm
                   app.kubernetes.io/name=ingress-nginx
                   app.kubernetes.io/version=1.0.2
                   helm.sh/chart=ingress-nginx-4.0.3
Annotations:       meta.helm.sh/release-name: nginx-external-ingress-controller
                   meta.helm.sh/release-namespace: kube-system
Selector:          app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-external-ingress-controller,app.kubernetes.io/name=ingress-nginx
Type:              ClusterIP
IP Families:       <none>
IP:                172.20.72.252
IPs:               <none>
Port:              http  80/TCP
TargetPort:        8080/TCP
Endpoints:         10.99.119.67:8080,10.99.126.20:8080
Port:              https  443/TCP
TargetPort:        8443/TCP
Endpoints:         10.99.119.67:8443,10.99.126.20:8443
Session Affinity:  None
Events:            <none>


Name:              nginx-external-ingress-controller-admission
Namespace:         kube-system
Labels:            app.kubernetes.io/component=controller
                   app.kubernetes.io/instance=nginx-external-ingress-controller
                   app.kubernetes.io/managed-by=Helm
                   app.kubernetes.io/name=ingress-nginx
                   app.kubernetes.io/version=1.0.2
                   helm.sh/chart=ingress-nginx-4.0.3
Annotations:       meta.helm.sh/release-name: nginx-external-ingress-controller
                   meta.helm.sh/release-namespace: kube-system
Selector:          app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-external-ingress-controller,app.kubernetes.io/name=ingress-nginx
Type:              ClusterIP
IP Families:       <none>
IP:                172.20.242.37
IPs:               <none>
Port:              https-webhook  443/TCP
TargetPort:        webhook/TCP
Endpoints:         10.99.119.67:9443,10.99.126.20:9443
Session Affinity:  None
Events:            <none>


Name:              nginx-external-ingress-controller-metrics
Namespace:         kube-system
Labels:            app.kubernetes.io/component=controller
                   app.kubernetes.io/instance=nginx-external-ingress-controller
                   app.kubernetes.io/managed-by=Helm
                   app.kubernetes.io/name=ingress-nginx
                   app.kubernetes.io/version=1.0.2
                   helm.sh/chart=ingress-nginx-4.0.3
Annotations:       meta.helm.sh/release-name: nginx-external-ingress-controller
                   meta.helm.sh/release-namespace: kube-system
Selector:          app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-external-ingress-controller,app.kubernetes.io/name=ingress-nginx
Type:              ClusterIP
IP Families:       <none>
IP:                172.20.209.104
IPs:               <none>
Port:              metrics  10254/TCP
TargetPort:        metrics/TCP
Endpoints:         10.99.119.67:10254,10.99.126.20:10254
Session Affinity:  None
Events:            <none>


Name:              nginx-internal-ingress-controller
Namespace:         kube-system
Labels:            app.kubernetes.io/component=controller
                   app.kubernetes.io/instance=nginx-internal-ingress-controller
                   app.kubernetes.io/managed-by=Helm
                   app.kubernetes.io/name=ingress-nginx
                   app.kubernetes.io/version=1.0.2
                   helm.sh/chart=ingress-nginx-4.0.3
Annotations:       meta.helm.sh/release-name: nginx-internal-ingress-controller
                   meta.helm.sh/release-namespace: kube-system
Selector:          app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-internal-ingress-controller,app.kubernetes.io/name=ingress-nginx
Type:              ClusterIP
IP Families:       <none>
IP:                172.20.152.81
IPs:               <none>
Port:              http  80/TCP
TargetPort:        8080/TCP
Endpoints:         10.99.106.46:8080,10.99.112.131:8080
Port:              https  443/TCP
TargetPort:        8443/TCP
Endpoints:         10.99.106.46:8443,10.99.112.131:8443
Session Affinity:  None
Events:            <none>


Name:              nginx-internal-ingress-controller-admission
Namespace:         kube-system
Labels:            app.kubernetes.io/component=controller
                   app.kubernetes.io/instance=nginx-internal-ingress-controller
                   app.kubernetes.io/managed-by=Helm
                   app.kubernetes.io/name=ingress-nginx
                   app.kubernetes.io/version=1.0.2
                   helm.sh/chart=ingress-nginx-4.0.3
Annotations:       meta.helm.sh/release-name: nginx-internal-ingress-controller
                   meta.helm.sh/release-namespace: kube-system
Selector:          app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-internal-ingress-controller,app.kubernetes.io/name=ingress-nginx
Type:              ClusterIP
IP Families:       <none>
IP:                172.20.68.131
IPs:               <none>
Port:              https-webhook  443/TCP
TargetPort:        webhook/TCP
Endpoints:         10.99.106.46:9443,10.99.112.131:9443
Session Affinity:  None
Events:            <none>


Name:              nginx-internal-ingress-controller-metrics
Namespace:         kube-system
Labels:            app.kubernetes.io/component=controller
                   app.kubernetes.io/instance=nginx-internal-ingress-controller
                   app.kubernetes.io/managed-by=Helm
                   app.kubernetes.io/name=ingress-nginx
                   app.kubernetes.io/version=1.0.2
                   helm.sh/chart=ingress-nginx-4.0.3
Annotations:       meta.helm.sh/release-name: nginx-internal-ingress-controller
                   meta.helm.sh/release-namespace: kube-system
Selector:          app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-internal-ingress-controller,app.kubernetes.io/name=ingress-nginx
Type:              ClusterIP
IP Families:       <none>
IP:                172.20.117.51
IPs:               <none>
Port:              metrics  10254/TCP
TargetPort:        metrics/TCP
Endpoints:         10.99.106.46:10254,10.99.112.131:10254
Session Affinity:  None
Events:            <none>

What happened:

When creating 2 ingresses with the same Host and Path values, but with different ingress classes, the admission webhook returns an error.

ingress.networking.k8s.io/nginx-internal unchanged
Error from server (BadRequest): error when creating "STDIN": admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: host "nginx.example.com" and path "/" is already defined in ingress default/nginx-internal

What you expected to happen:
The admission webhooks should be scoped to their respective ingress class.

How to reproduce it:

» k apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-internal
  namespace: default
spec:
  ingressClassName: nginx-internal
  rules:
  - host: nginx.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-external
  namespace: default
spec:
  ingressClassName: nginx-external
  rules:
  - host: nginx.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
EOF

Anything else we need to know:

/kind bug

@rblaine95 rblaine95 added the kind/bug Categorizes issue or PR as related to a bug. label Oct 6, 2021
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Oct 6, 2021
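
A simplified model of the behaviour reported above, added here as an example; it is not ingress-nginx code. The `Ingress`, `Rule`, `Webhook`, `Admit`, `Webhooks` and `Reproduction` names are hypothetical, and the data is the reproduction from the issue. It contrasts a duplicate host/path check that looks at every Ingress in the cluster with one that only considers Ingresses of the controller's own class.

```go
package main

import "fmt"

// Rule is one host/path pair taken from an Ingress rule.
type Rule struct{ Host, Path string }

// Ingress is a minimal stand-in for networking.k8s.io/v1 Ingress (assumed shape).
type Ingress struct {
	Namespace, Name, ClassName string
	Rules                      []Rule
}

// Webhook models the validating webhook of one controller release.
// ScopeByClass selects between the reported and the expected behaviour.
type Webhook struct {
	IngressClass string
	ScopeByClass bool
}

// Validate rejects the candidate if its host and path are already defined.
func (w Webhook) Validate(candidate Ingress, existing []Ingress) error {
	if w.ScopeByClass && candidate.ClassName != w.IngressClass {
		return nil // another controller owns this object
	}
	for _, ing := range existing {
		if ing.Namespace == candidate.Namespace && ing.Name == candidate.Name {
			continue // an update of the same object is not a conflict
		}
		if w.ScopeByClass && ing.ClassName != w.IngressClass {
			continue // rules served by another class never collide
		}
		for _, have := range ing.Rules {
			for _, want := range candidate.Rules {
				if have == want {
					return fmt.Errorf("host %q and path %q is already defined in ingress %s/%s",
						want.Host, want.Path, ing.Namespace, ing.Name)
				}
			}
		}
	}
	return nil
}

// Admit calls every registered webhook, as the API server does for each
// matching ValidatingWebhookConfiguration; any denial rejects the request.
func Admit(webhooks []Webhook, candidate Ingress, existing []Ingress) error {
	for _, w := range webhooks {
		if err := w.Validate(candidate, existing); err != nil {
			return fmt.Errorf("webhook of class %s denied the request: %w", w.IngressClass, err)
		}
	}
	return nil
}

// Webhooks returns the two releases from the issue, scoped or unscoped.
func Webhooks(scoped bool) []Webhook {
	return []Webhook{
		{IngressClass: "nginx-internal", ScopeByClass: scoped},
		{IngressClass: "nginx-external", ScopeByClass: scoped},
	}
}

// Reproduction returns the two Ingress objects from the issue's manifest.
func Reproduction() (internal, external Ingress) {
	rules := []Rule{{Host: "nginx.example.com", Path: "/"}}
	internal = Ingress{"default", "nginx-internal", "nginx-internal", rules}
	external = Ingress{"default", "nginx-external", "nginx-external", rules}
	return internal, external
}

func main() {
	internal, external := Reproduction()
	existing := []Ingress{internal} // nginx-internal was applied first
	fmt.Println("unscoped:", Admit(Webhooks(false), external, existing))
	fmt.Println("scoped:  ", Admit(Webhooks(true), external, existing))
}
```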
@k8s-ci-robot
Contributor

@rblaine95: This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@rblaine95
Author

rblaine95 commented Oct 6, 2021

Tested upgrading to the newest helm chart (4.0.5) with the same config as above.

» k -n kube-system \
  exec -ti nginx-internal-ingress-controller-7dcfd64fdb-rt4rn \
  -- /nginx-ingress-controller --version
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.0.3
  Build:         6e125826ad3968709392f2056023d4d7474ed4f5
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.19.9

-------------------------------------------------------------------------------

Still having the issue.

@mkreidenweis-schulmngr

Sounds like a duplicate of #7546. Right?

@rblaine95
Author

That it is @mkreidenweis-schulmngr

Closing as duplicate
