Charles-Edouard Brétéché

@realshuting from what I read in the docs https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls, nothing covers the constraints.

@JimBugwadia I will create an issue in the website repo :+1: The PR removing constraints is here https://github.com/kyverno/kyverno/pull/4389

I'll look at it.

https://github.com/kyverno/kyverno/pull/4745 should fix it. I don't think we need to restart the pods

Yes, it only generates a self signed cert if this flag is enabled.

When does your error happen ? The log you posted is from api server ? kubectl ? something else ?

In your case @ibexmonj it is because the cert authority is unknown, this happens if the webhook configuration does not have the ca bundle correctly set (kyverno is responsible for...

If the pod is down the error message should be different, if the pod is up, it should use what is in the secret for the tls connection. What version...

Even if kyverno is down it should be able to rebirth as we exclude the kyverno namespace from the webhooks configs (depending on your config).

Ah, the `opaque` one is probably causing issues.