Question CKS Lab Mock Exam 3

url to exam is here. I’m unable to post the url apparently because as a new user I can’t post two urls in a message. The exam is lab-mock-exam-3-3/
Question # 5.
For my understanding I’m trying to understand how when I attempt to create a pod I get this expected error

"root@controlplane ~ ➜ k create -f beta-pod.yaml
Error from server: error when creating “beta-pod.yaml”: admission webhook “validating-webhook.openpolicyagent.org denied the request: image ‘Google Cloud console’ comes from untrusted registry

How is the admission webhook getting activated? Where is that configured? I looked in the api-server manifest file but don’t see anything that implies… I’m aware of the configmap, but still not sure how the admission webhook is getting activated to reject the request.
thanks and please advise,
Thanks!

The opa system creates a resource that makes it available to the ValidatingAdmissionWebhook, which is enabled by default by the apiserver:

root@controlplane ~ ➜  k get validatingwebhookconfigurations.admissionregistration.k8s.io 
NAME                     WEBHOOKS   AGE
opa-validating-webhook   1          8m

By creating this resource, the webhook is invoked via the opa service in namespace opa, which watches all namespaces except the opa namespace. This is how opa knows You Are Up To No Good in beta-pod.yaml.
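
The matching the API server performs against that object, as an added example that is not part of the original thread. The config below is constructed: the object, webhook and service names come from this page, while the `namespaceSelector` label key and the `rules` are assumptions modelled on the OPA admission-control tutorial. The check ignores `apiVersions`, `scope` and `objectSelector`.

```python
# Constructed sample modelled on the object in the answer. The selector label key
# and the rules are assumptions; read the real ones on the cluster with:
#   kubectl get validatingwebhookconfiguration opa-validating-webhook -o yaml
WEBHOOK_CONFIG = {"webhooks": [{
    "name": "validating-webhook.openpolicyagent.org",
    "clientConfig": {"service": {"namespace": "opa", "name": "opa"}},
    "rules": [{"operations": ["CREATE", "UPDATE"], "apiGroups": ["*"],
               "apiVersions": ["*"], "resources": ["*"]}],
    "namespaceSelector": {"matchExpressions": [{
        "key": "openpolicyagent.org/webhook", "operator": "NotIn", "values": ["ignore"]}]},
}]}

def selector_matches(selector, labels):
    """Evaluate a Kubernetes label selector against a namespace's labels."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for expr in selector.get("matchExpressions", []):
        key, values = expr["key"], expr.get("values", [])
        present = key in labels
        ok = {"In": present and labels.get(key) in values,
              "NotIn": not present or labels.get(key) not in values,
              "Exists": present,
              "DoesNotExist": not present}[expr["operator"]]
        if not ok:
            return False
    return True

def rule_matches(rule, operation, api_group, resource):
    """True if the request falls under one rule; "*" is a wildcard entry."""
    hit = lambda allowed, value: "*" in allowed or value in allowed
    return (hit(rule["operations"], operation)
            and hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource))

def webhooks_called(config, operation, api_group, resource, ns_labels):
    """List (webhook name, 'namespace/service') the API server would call."""
    called = []
    for wh in config["webhooks"]:
        svc = wh["clientConfig"]["service"]
        if selector_matches(wh.get("namespaceSelector", {}), ns_labels) and any(
                rule_matches(r, operation, api_group, resource) for r in wh["rules"]):
            called.append((wh["name"], f'{svc["namespace"]}/{svc["name"]}'))
    return called

if __name__ == "__main__":
    # Pod CREATE (core group "") in an unlabelled namespace, then in an ignored one.
    print(webhooks_called(WEBHOOK_CONFIG, "CREATE", "", "pods", {}))
    print(webhooks_called(WEBHOOK_CONFIG, "CREATE", "", "pods",
                          {"openpolicyagent.org/webhook": "ignore"}))
```

On a live cluster, `kubectl get ns --show-labels` shows which namespaces carry the label that exempts them from the webhook.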

@rob_kodekloud thank you soooo much! I was scratching my head furiously :slight_smile: