Dynamic Admission Webhooks Overview
- Verify dynamic admission webhook prerequisites

Dynamic Admission Webhooks Overview

From Kubernetes mutating and validating webhook mechanisms:

Admission webhooks are HTTP callbacks that receive admission requestsand do something with them. You can define two types of admissionwebhooks, validating admission webhook and mutating admissionwebhook. With validating admission webhooks, you may reject requeststo enforce custom admission policies. With mutating admissionwebhooks, you may change requests to enforce custom defaults.

Istio uses ValidatingAdmissionWebhooks for validating Istioconfiguration and MutatingAdmissionWebhooks for automaticallyinjecting the sidecar proxy into user pods.

The webhook setup guides assuming general familiarity with KubernetesDynamic Admission Webhooks. Consult the Kubernetes API references fordetailed documentation of the mutating and validating webhook configuration.

Verify dynamic admission webhook prerequisites

See the platform setup instructionsfor Kubernetes provider specific setup instructions. Webhooks will notfunction properly if the cluster is misconfigured. You can followthese steps once the cluster has been configured and dynamicwebhooks and dependent features are not functioning properly.

Verify you’re using a supported version (1.13, 1.14, 1.15) ofkubectl and of the Kubernetes server:

$ kubectl version --short
Client Version: v1.10.2
Server Version: v1.10.4-gke.0

admissionregistration.k8s.io/v1beta1 should be enabled

$ kubectl api-versions | grep admissionregistration.k8s.io/v1beta1
admissionregistration.k8s.io/v1beta1

Verify MutatingAdmissionWebhook and ValidatingAdmissionWebhook plugins arelisted in the kube-apiserver —enable-admission-plugins. Accessto this flag is provider specific.
Verify the Kubernetes api-server has network connectivity to thewebhook pod. e.g. incorrect http_proxy settings can interfereapi-server operation (see related issueshereand here for more information).