Description:
Why is it that my ClusterImagePolicy already matches the “pass” policy to skip signature verification, yet the policy-controller still tries to access Docker Hub, causing a timeout and preventing the container from being created?
I believe that if a regular expression has already matched an image that does not require signature verification, it should not attempt to contact Docker Hub.
info:
```
ubuntu@aws-cn:~$ helm list -n cosign-system
NAME               NAMESPACE      REVISION  UPDATED                                  STATUS    CHART                     APP VERSION
policy-controller  cosign-system  1         2025-07-16 15:52:00.887691195 +0800 CST  deployed  policy-controller-0.10.2  0.13.0
```
policy:
log:
{"level":"info","ts":"2025-07-16T09:28:04.287Z","logger":"policy-controller","caller":"webhook/admission.go:93","msg":"Webhook ServeHTTP request=&http.Request{Method:"POST", URL:(*url.URL)(0xc002ca5c20), Proto:"HTTP/1.1", ProtoMajor:1, ProtoMinor:1, Header:http.Header{"Accept":[]string{"application/json, /"}, "Accept-Encoding":[]string{"gzip"}, "Content-Length":[]string{"3021"}, "Content-Type":[]string{"application/json"}, "User-Agent":[]string{"kube-apiserver-admission"}}, Body:(*http.body)(0xc002cbe080), GetBody:(func() (io.ReadCloser, error))(nil), ContentLength:3021, TransferEncoding:[]string(nil), Close:false, Host:"webhook.cosign-system.svc:443", Form:url.Values(nil), PostForm:url.Values(nil), MultipartForm:(*multipart.Form)(nil), Trailer:http.Header(nil), RemoteAddr:"10.178.170.124:58444", RequestURI:"/mutations?timeout=10s", TLS:(*tls.ConnectionState)(0xc003358a80), Cancel:(<-chan struct {})(nil), Response:(*http.Response)(nil), Pattern:"/mutations", ctx:(*context.cancelCtx)(0xc002cb4870), pat:(*http.pattern)(0xc000c9a0c0), matches:[]string(nil), otherValues:map[string]string(nil)}","commit":"caf740d-dirty"}
{"level":"info","ts":"2025-07-16T09:28:10.660Z","logger":"policy-controller","caller":"webhook/conversion.go:45","msg":"Webhook ServeHTTP request=&http.Request{Method:"POST", URL:(*url.URL)(0xc002e27680), Proto:"HTTP/1.1", ProtoMajor:1, ProtoMinor:1, Header:http.Header{"Accept":[]string{"application/json, /"}, "Accept-Encoding":[]string{"gzip"}, "Content-Length":[]string{"1817"}, "Content-Type":[]string{"application/json"}, "User-Agent":[]string{"kube-apiserver-admission"}}, Body:(*http.body)(0xc002e71100), GetBody:(func() (io.ReadCloser, error))(nil), ContentLength:1817, TransferEncoding:[]string(nil), Close:false, Host:"webhook.cosign-system.svc:443", Form:url.Values(nil), PostForm:url.Values(nil), MultipartForm:(*multipart.Form)(nil), Trailer:http.Header(nil), RemoteAddr:"10.178.170.124:41916", RequestURI:"/resource-conversion?timeout=30s", TLS:(*tls.ConnectionState)(0xc002ec7080), Cancel:(<-chan struct {})(nil), Response:(*http.Response)(nil), Pattern:"/resource-conversion", ctx:(*context.cancelCtx)(0xc002e8c4b0), pat:(*http.pattern)(0xc000c9a240), matches:[]string(nil), otherValues:map[string]string(nil)}","commit":"caf740d-dirty"}
{"level":"info","ts":"2025-07-16T09:28:10.663Z","logger":"policy-controller","caller":"webhook/conversion.go:45","msg":"Webhook ServeHTTP request=&http.Request{Method:"POST", URL:(*url.URL)(0xc002e27cb0), Proto:"HTTP/1.1", ProtoMajor:1, ProtoMinor:1, Header:http.Header{"Accept":[]string{"application/json, /"}, "Accept-Encoding":[]string{"gzip"}, "Content-Length":[]string{"1984"}, "Content-Type":[]string{"application/json"}, "User-Agent":[]string{"kube-apiserver-admission"}}, Body:(*http.body)(0xc002e71780), GetBody:(func() (io.ReadCloser, error))(nil), ContentLength:1984, TransferEncoding:[]string(nil), Close:false, Host:"webhook.cosign-system.svc:443", Form:url.Values(nil), PostForm:url.Values(nil), MultipartForm:(*multipart.Form)(nil), Trailer:http.Header(nil), RemoteAddr:"10.178.170.124:41916", RequestURI:"/resource-conversion?timeout=30s", TLS:(*tls.ConnectionState)(0xc002ec7080), Cancel:(<-chan struct {})(nil), Response:(*http.Response)(nil), Pattern:"/resource-conversion", ctx:(*context.cancelCtx)(0xc002e8c5a0), pat:(*http.pattern)(0xc000c9a240), matches:[]string(nil), otherValues:map[string]string(nil)}","commit":"caf740d-dirty"}
{"level":"info","ts":"2025-07-16T09:28:14.288Z","logger":"policy-controller","caller":"defaulting/defaulting.go:158","msg":"Kind: "/v1, Kind=Pod" PatchBytes: null","commit":"caf740d-dirty","knative.dev/kind":"/v1, Kind=Pod","knative.dev/namespace":"it-uds-test","knative.dev/name":"usigned-pod1","knative.dev/operation":"CREATE","knative.dev/resource":"/v1, Resource=pods","knative.dev/subresource":"","knative.dev/userinfo":"arn:aws-cn:sts::0366706200:assumed-role/eksAdminRole/i-01abb062cf662"}
{"level":"info","ts":"2025-07-16T09:28:14.288Z","logger":"policy-controller","caller":"webhook/admission.go:151","msg":"remote admission controller audit annotations=map[string]string(nil)","commit":"caf740d-dirty","knative.dev/kind":"/v1, Kind=Pod","knative.dev/namespace":"it-uds-test","knative.dev/name":"usigned-pod1","knative.dev/operation":"CREATE","knative.dev/resource":"/v1, Resource=pods","knative.dev/subresource":"","knative.dev/userinfo":"arn:aws-cn:sts::0366706200:assumed-role/eksAdminRole/i-01abb062cf662","admissionreview/uid":"def4cdde-184b-4ffd-8b3e-5f1011c3ae76","admissionreview/allowed":true,"admissionreview/result":"nil"}
