What happened:
One of our pods should assume a specific AWS role, and we are configuring it via a service account annotation. After the EKS cluster upgrade, the mutation of the pod stopped working and it had only the default node group role.
I changed the mutatingwebhookconfigurations policy from Ignore to Fail for pod-identity-webhook under the cluster, and after that the pod failed to start with the error:
Error creating: Internal error occurred: failed calling webhook "iam-for-pods.amazonaws.com": received invalid webhook response: expected webhook response of admission.k8s.io/v1, Kind=AdmissionReview, got /, Kind=
After some additional investigation, I found that the problem was solved once I changed
- admissionReviewVersions:
  - v1
to
- admissionReviewVersions:
  - v1beta1
IIUC, the problem is that the mutating webhook handler is using the deprecated admission API version v1beta1 when it should use v1.
What you expected to happen:
The mutation of the pod should work without any errors.
How to reproduce it (as minimally and precisely as possible):
- Get the EKS cluster
- Try to configure the pod with some role; you can follow https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
Anything else we need to know?:
Environment:
- AWS Region: us-east-1
- EKS Platform version (if using EKS, run aws eks describe-cluster --name <name> --query cluster.platformVersion): eks.15
- Kubernetes version (if using EKS, run aws eks describe-cluster --name <name> --query cluster.version): 1.27
- Webhook Version: Unsure how I can check it
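An added example (not code from this issue or from the pod-identity-webhook project) that reproduces the check behind the error above: it applies the API server's response validation for the negotiated AdmissionReview version to a constructed v1 request, shows that a handler response omitting apiVersion/kind fails with the exact message quoted, and builds a response that echoes the request's version so it passes under both v1 and v1beta1. The request uid, pod object and role ARN are constructed placeholders, and the v1beta1 leniency is modelled on the API server's tolerant handling of that version.

```python
import base64
import json
from typing import Any, Dict, List, Optional

V1 = "admission.k8s.io/v1"
V1BETA1 = "admission.k8s.io/v1beta1"

def verify_admission_response(request: Dict[str, Any], response: Dict[str, Any]) -> Optional[str]:
    """Return None if the API server would accept `response` for `request`, else the reason.
    v1 requires apiVersion/kind to be echoed exactly; v1beta1 tolerated their absence (assumed
    from the API server's lenient v1beta1 handling). Both require response.uid to match the
    request and any patch to declare patchType JSONPatch."""
    want = request["apiVersion"]
    got_version, got_kind = response.get("apiVersion", ""), response.get("kind", "")
    if want == V1 and (got_version, got_kind) != (V1, "AdmissionReview"):
        return (f"received invalid webhook response: expected webhook response of {V1}, "
                f"Kind=AdmissionReview, got {got_version or '/'}, Kind={got_kind}")
    if want == V1BETA1 and (got_version, got_kind) not in {("", ""), (V1BETA1, "AdmissionReview")}:
        return f"unexpected webhook response version {got_version or '/'}, Kind={got_kind}"
    body = response.get("response") or {}
    req_uid = request["request"]["uid"]
    if body.get("uid") != req_uid:
        return f'expected response.uid="{req_uid}", got "{body.get("uid", "")}"'
    if body.get("patch") is not None and body.get("patchType") != "JSONPatch":
        return f'unsupported patch type "{body.get("patchType", "")}"'
    return None

def make_response(request: Dict[str, Any], patch: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Build a mutating response that echoes the request's apiVersion and kind, so one handler
    satisfies whichever version the API server picked from admissionReviewVersions."""
    encoded = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": request["apiVersion"], "kind": "AdmissionReview",
            "response": {"uid": request["request"]["uid"], "allowed": True,
                         "patchType": "JSONPatch", "patch": encoded}}

# Constructed v1 AdmissionReview request for a Pod, as the API server sends it when the
# webhook configuration lists admissionReviewVersions: [v1]; uid and object are made up.
REQUEST_V1 = {"apiVersion": V1, "kind": "AdmissionReview",
              "request": {"uid": "3f1c0e62-example-uid", "kind": {"group": "", "version": "v1", "kind": "Pod"},
                          "object": {"spec": {"containers": [{"name": "app"}]}}}}
# Constructed patch in the style of IAM-roles-for-service-accounts injection (placeholder ARN).
ROLE_PATCH = [{"op": "add", "path": "/spec/containers/0/env",
               "value": [{"name": "AWS_ROLE_ARN", "value": "arn:aws:iam::123456789012:role/EXAMPLE-ROLE"}]}]
# A v1beta1-era handler that omits apiVersion/kind yields exactly the error quoted in the issue.
LEGACY_RESPONSE = {"response": {"uid": "3f1c0e62-example-uid", "allowed": True,
                                "patchType": "JSONPatch", "patch": make_response(REQUEST_V1, ROLE_PATCH)["response"]["patch"]}}

if __name__ == "__main__":
    print(verify_admission_response(REQUEST_V1, LEGACY_RESPONSE))
    print(verify_admission_response(REQUEST_V1, make_response(REQUEST_V1, ROLE_PATCH)))
```

The first print reproduces the "got /, Kind=" rejection from the issue; the second prints None, which is what echoing the request's apiVersion/kind buys you under a v1-only configuration.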