webhook unknown conversion error after OPA upgrade. #7422

saranyareddy24 opened this issue Mar 6, 2025 · 5 comments

saranyareddy24 commented Mar 6, 2025

We were on OPA 0.68.0 earlier and are now planning to upgrade to 1.2.0. We have made changes to the Rego so that it is compatible with the v1 version of Rego. The OPA pods came up fine. But we noticed that other operations on the cluster, like deletion of pods, deletion of Helm charts, etc., are not happening after OPA was upgraded.

We are seeing the errors below in the events:

9s Warning FailedCreate replicaset/urm-6556468b66 Error creating: Internal error occurred: failed calling webhook "captureagent.openpolicyagent.org": failed to call webhook: converting (v1.AdmissionReview) to (v1beta1.AdmissionReview): unknown conversion

Can OPA provide some solution to address this webhook conversion error?

The mutating webhook that we have:

- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    caBundle: <cert>
    service:
      name: opa
      namespace: fed-opa
      path: /v0/data/captureagent/main
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: captureagent.openpolicyagent.org
  namespaceSelector:
    matchLabels:
      capture-agent: enabled
  objectSelector: {}
  reinvocationPolicy: Never
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - pods
    scope: '*'
  sideEffects: None
  timeoutSeconds: 10

@anderseknert
Member

anderseknert commented Mar 6, 2025

Sounds like the API server is sending an AdmissionReview of version v1, and getting back a v1beta1 response? OPA knows nothing of these things. Perhaps something else changed in your policy with the rewrite?

The logs in the OPA pod might help you (on log level debug if nothing else).

anderseknert removed the bug label Mar 6, 2025

stale bot commented Apr 5, 2025

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.

stale bot added the inactive label Apr 5, 2025

@anderseknert
Member

@saranyareddy24 did you figure out what caused this?

@saranyareddy24
Author

I have changed the AdmissionReview versions supported to only v1 instead of v1beta1 and v1. Now I am facing some issues because of the Rego policies. Still looking into it.
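
Added example, not part of the thread and not OPA code: the API server sends the first entry of `admissionReviewVersions` that it supports and expects the reply in that same version, which the Python below checks against the two webhook configurations mentioned in this issue. The function names, the sample uid, the set of server-supported versions and the idea that the policy hard-codes an `apiVersion` are assumptions made for illustration.

```python
# Added example, not code from the issue thread or from OPA.
GROUP = "admission.k8s.io"
# Assumption: the API server can speak both AdmissionReview versions.
SERVER_VERSIONS = ("v1", "v1beta1")


def version_sent(admission_review_versions, server_versions=SERVER_VERSIONS):
    """First entry of the webhook's admissionReviewVersions that the API
    server supports; that is the version of the request it sends."""
    for version in admission_review_versions:
        if version in server_versions:
            return version
    return None  # no common version, so the webhook cannot be called


def check_response(request, response):
    """List the ways `response` departs from the webhook response contract."""
    problems = []
    if response.get("kind") != "AdmissionReview":
        problems.append("kind must be AdmissionReview")
    if response.get("apiVersion") != request["apiVersion"]:
        problems.append("apiVersion %r does not match the request's %r"
                        % (response.get("apiVersion"), request["apiVersion"]))
    body = response.get("response") or {}
    if not isinstance(body.get("allowed"), bool):
        problems.append("response.allowed must be true or false")
    if body.get("uid") != request["request"]["uid"]:
        problems.append("response.uid must be copied from request.uid")
    return problems


def policy_reply(request, hardcoded_version=None):
    """Hypothetical stand-in for the policy's `main` document: echoes the
    request's apiVersion unless a hard-coded one is given."""
    return {
        "apiVersion": hardcoded_version or request["apiVersion"],
        "kind": "AdmissionReview",
        "response": {"uid": request["request"]["uid"], "allowed": True},
    }


def simulate(admission_review_versions, hardcoded_version=None):
    """Build a constructed request as the API server would and check the reply."""
    sent = version_sent(admission_review_versions)
    if sent is None:
        return ["no AdmissionReview version in common with the API server"]
    request = {"apiVersion": GROUP + "/" + sent, "kind": "AdmissionReview",
               "request": {"uid": "constructed-uid-0001"}}  # constructed sample
    return check_response(request, policy_reply(request, hardcoded_version))
```

`simulate(["v1beta1", "v1"], "admission.k8s.io/v1")` reports the apiVersion mismatch, while the same reply against `["v1"]`, or a reply that echoes the request's apiVersion, passes.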

stale bot removed the inactive label Apr 8, 2025

@anderseknert
Member

👍 Let us know if we can help!
