Unable to stop the AKS cluster due to wildcard validating webhook configuration
I understood that there is a recent change for validating webhook configuration to prevent the cluster stop operation.
I have a custom validating webhook with wildcards as below and received an error while stopping the cluster:
```yaml
apiGroups:
- '*'
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- '*'
scope: '*'
```
Failed to stop the Kubernetes service 'xyz'. Error: The managed cluster has the following webhooks, that might prevent stop/start cluster operations, Please remove them before the operation. 1. Webhook configuration 'gatekeeper-validating-webhook-configuration': 'debug-validation.gatekeeper.sh' Rule 1 has wildcard in both APIGroups and Resources.
Upon checking internally, I understood that the document has to be updated with the content below:
The stop operation would fail if any of the webhook conditions below is met:
1. Both APIGroups and Resources have a wildcard.
2. APIGroups has a wildcard, and Resources is in the list of Resources ("apiservices", "certificatesigningrequests", "clusterroles", "clusterrolebindings", "leases", "nodes", "subjectaccessreviews", "tokenrequests", "tokenreviews").
This change is not only blocking stop operations. It's also blocking an upgrade of the AKS cluster itself.
In our case we weren't able to upgrade from 1.30.6 to 1.31.1 with the existing Gatekeeper configuration which matches the settings mentioned above.
Unable to stop the AKS cluster due to wildcard validating webhook configuration
I understood that there is a recent change for validating webhook configuration to prevent the cluster stop operation.
I have a custom validating webhook with wildcards as below and received an error while stopping the cluster:
```yaml
apiGroups:
- '*'
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- '*'
scope: '*'
```
Failed to stop the Kubernetes service 'xyz'. Error: The managed cluster has the following webhooks, that might prevent stop/start cluster operations, Please remove them before the operation. 1. Webhook configuration 'gatekeeper-validating-webhook-configuration': 'debug-validation.gatekeeper.sh' Rule 1 has wildcard in both APIGroups and Resources.
Upon checking internally, I understood that the document has to be updated with the content below:
The stop operation would fail if any of the webhook conditions below is met:
1. Both APIGroups and Resources have a wildcard.
2. APIGroups has a wildcard, and Resources is in the list of Resources ("apiservices", "certificatesigningrequests", "clusterroles", "clusterrolebindings", "leases", "nodes", "subjectaccessreviews", "tokenrequests", "tokenreviews").
3. Resources has a wildcard, and APIGroups is in the list of ApiGroups (according to the list of Resources above, reference: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#apiservice-v1-apiregistration-k8s-io).
4. Operations has a wildcard or CREATE or UPDATE, with the resources and apiGroups pair existing in the lists referenced in 2 and 3.
@Kaarthis-zz @kaarthis @henry416
Please help in updating the documentation for the above issue
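The four conditions listed in the issue, written as a check that can be run over a webhook configuration before a stop or upgrade. This is an added example, not AKS's validation code or code from the issue: the API group set is an assumption derived from the resource list via the Kubernetes API reference, condition 4 is read as "a resource from list 2 together with a group from list 3", and the sample configuration is constructed.

```python
# Added example: one reading of the four conditions, not the AKS implementation.
SENSITIVE_RESOURCES = {
    "apiservices", "certificatesigningrequests", "clusterroles",
    "clusterrolebindings", "leases", "nodes", "subjectaccessreviews",
    "tokenrequests", "tokenreviews",
}
# Assumption: groups that serve the resources above ("" is the core group, for nodes).
SENSITIVE_GROUPS = {
    "apiregistration.k8s.io", "certificates.k8s.io", "rbac.authorization.k8s.io",
    "coordination.k8s.io", "", "authorization.k8s.io", "authentication.k8s.io",
}
BLOCKING_OPERATIONS = {"*", "CREATE", "UPDATE"}

def blocking_conditions(rule):
    """Return the numbers (1-4) of the listed conditions that a webhook rule meets."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    operations = set(rule.get("operations", []))
    hits = []
    if "*" in groups and "*" in resources:
        hits.append(1)
    if "*" in groups and resources & SENSITIVE_RESOURCES:
        hits.append(2)
    if "*" in resources and groups & SENSITIVE_GROUPS:
        hits.append(3)
    if (operations & BLOCKING_OPERATIONS and resources & SENSITIVE_RESOURCES
            and groups & SENSITIVE_GROUPS):
        hits.append(4)
    return hits

def audit(config):
    """Map '<webhook name> rule <n>' to the conditions that rule meets."""
    findings = {}
    for webhook in config.get("webhooks", []):
        for n, rule in enumerate(webhook.get("rules", []), start=1):
            hits = blocking_conditions(rule)
            if hits:
                findings[f"{webhook['name']} rule {n}"] = hits
    return findings

# Constructed sample. The first rule is the wildcard rule quoted in the issue;
# the other two webhooks and their names are hypothetical.
SAMPLE = {"webhooks": [
    {"name": "debug-validation.gatekeeper.sh", "rules": [
        {"apiGroups": ["*"], "apiVersions": ["*"], "operations": ["CREATE", "UPDATE"],
         "resources": ["*"], "scope": "*"}]},
    {"name": "pods.example.test", "rules": [
        {"apiGroups": [""], "operations": ["CREATE"], "resources": ["pods"]}]},
    {"name": "rbac.example.test", "rules": [
        {"apiGroups": ["rbac.authorization.k8s.io"], "operations": ["UPDATE"],
         "resources": ["clusterroles"]}]},
]}
```

For a live cluster, pass each item of the list returned by `kubectl get validatingwebhookconfigurations -o json` to `audit`.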