Description
Hello,
I'm trying to set up an NRI based on the quick-start, and I get a TLS error when I try to create a Pod:
Error from server (InternalError): error when creating "/tmp/testpod.yaml": Internal error occurred: failed calling webhook "network-resources-injector-mutating-config.k8s.cni.cncf.io": failed to call webhook: Post "https://network-resources-injector-service.kube-system.svc:443/mutate?timeout=10s": remote error: tls: bad certificate
In the NRI logs, there is a corresponding message saying the client didn't provide a cert:
2023/06/23 01:33:07 http: TLS handshake error from 10.244.0.1:38392: tls: client didn't provide a certificate
If I run with --insecure, it works.
I see that the NRI server loads the service account client cert on startup, and without --insecure, expects it to be sent by the apiserver with each request. But from my understanding of the relevant Kubernetes docs, getting the apiserver to send a client cert involves starting the API server with --admission-control-config-file, populating a kubeConfig file somewhere, none of which is mentioned in the NRI readme. So I feel like I'm missing something. Is it possible to use NRI with client cert auth, without touching config files on the node?
Sidebar question - does NRI have side-effects? If not, --insecure seems OK in that I'm not too worried who the client is if all the controller does is return a patch response.
Many thanks for this handy tool!
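For reference, the apiserver-side wiring the question refers to looks like the following. This is an added example, not part of the original issue or of the NRI project's own docs; the file paths, the certificate locations and the choice of `/etc/kubernetes/admission` are assumptions, and the service name comes from the webhook URL in the error above. The kube-apiserver is started with `--admission-control-config-file=/etc/kubernetes/admission/admission-config.yaml`, that file points the MutatingAdmissionWebhook plugin at a kubeconfig, and the kubeconfig selects a client certificate by matching the webhook's service DNS name.

```yaml
# --- /etc/kubernetes/admission/admission-config.yaml (assumed path) ---
# Passed to kube-apiserver via --admission-control-config-file.
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: MutatingAdmissionWebhook
  configuration:
    apiVersion: apiserver.config.k8s.io/v1
    kind: WebhookAdmissionConfiguration
    # kubeconfig the apiserver uses when it authenticates TO webhooks
    kubeConfigFile: /etc/kubernetes/admission/webhook-kubeconfig.yaml
---
# --- /etc/kubernetes/admission/webhook-kubeconfig.yaml (assumed path) ---
# Only the "users" section matters here; the user name is matched against
# the webhook's host. For a Service-backed webhook on port 443 that is
# <service>.<namespace>.svc, i.e. the host in the failing POST above.
apiVersion: v1
kind: Config
users:
- name: network-resources-injector-service.kube-system.svc
  user:
    # Client cert/key presented by the apiserver during the TLS handshake.
    # Paths are assumptions; they must be readable by the kube-apiserver
    # process (on a kubeadm cluster, mounted into the static pod).
    client-certificate: /etc/kubernetes/admission/webhook-client.crt
    client-key: /etc/kubernetes/admission/webhook-client.key
```

Two caveats a practitioner will want. First, the certificate the apiserver presents has to chain to a CA the NRI server trusts, otherwise the handshake still fails with a bad-certificate error; the trust anchor the server uses is a separate question from the one above. Second, if the webhook is ever moved to a port other than 443, the user name in the kubeconfig has to include that port (`network-resources-injector-service.kube-system.svc:8443`, for example), or the apiserver will fall back to the `'*'` entry or to no client credentials at all.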