准入控制器未收到准入审计事件

准入控制器未收到准入审计事件

2942
Created On 07/16/24 00:08 AM - Last Modified 02/20/25 01:31 AM


Symptom


使用文档配置 webhook.yaml 后,不会生成针对 Admission 审计的事件。

  1. EKS 上的 API 云监视日志中记录错误

Failed calling webhook, failing open validating-webhook.twistlock.com: failed calling webhook "validating-webhook.twistlock.com": failed to call webhook: Post "https://defender.twistlock-system.svc:443/enjkgj1vjak90fu4li2a5og8vk8z?timeout=10s": tls: failed to verify certificate: x509: certificate is valid for defender.twistlock.svc, not defender.twistlock-system.svc

  1. GKE 上的 API 云监视日志中记录的错误

authorization.k8s.io/reason: "RBAC: allowed by ClusterRoleBinding "system:gke-common-webhooks" of ClusterRole "system:gke-common-webhooks" to User "system:gke-common-webhooks""failed-open.validating.webhook.admission.k8s.io/round_0_index_0: "validating-webhook.twistlock.com"

Environment


  • Prisma 云计算自托管
  • Prisma Cloud SaaS

Cause


Webhook配置和部署的防御者的命名空间需要相同。

Resolution


  1. 在 UI 中更新命名空间后重新部署防御者。
  2. 这可以通过转到管理>Defenders>手动部署>高级设置>输入 Defender Daemon Set 的命名空间来完成。
  3. 部署后,请参阅验证您的设置以进行验证。
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000010zFbCAI&lang=zh_CN&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language