search

IBM / cert-manager-webhook-ibmcis

Cert-manager.io webhook to use IBM Cloud Internet Service (ibmcis)
Apache License 2.0
2 stars 7 forks source link

Failed to list/watch v1beta2 resource #5

Closed jowko closed 1 year ago

jowko commented 1 year ago

I have multiple clusters and in one of them I had cert-manager v1.1.0 in one cluster and cert-manager v1.5.3 in other cluster. I also used unofficial version of this plugin: https://github.com/jb-dk/cert-manager-webhook-ibmcis

I removed old plugin, updated cert-manager to v1.7.3 and installed this plugin in all clusters. It looks that issuing new certificates works correctly but in cert-manager-webhook-ibmcis container there are such logs printed regularly:

1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.5/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: the server could not find the requested resource
1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.5/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: the server could not find the requested resource
1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.5/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: the server could not find the requested resource
1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.5/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: the server could not find the requested resource

The same occurs on cert-manager v1.9.1. I do not know if this causes any issues in certificate generation, but I found such thing in cert-manager docs for v1.6 version:

Following their deprecation in version 1.4, the cert-manager API versions v1alpha2, v1alpha3, and v1beta1 are no longer served.

See: https://cert-manager.io/docs/installation/upgrading/upgrading-1.5-1.6 This does not mention v1beta2 but maybe this was removed too or this was not present in cert-manager in the first place? I could not find mention of v1beta2 in official docs.

I think that this should be investigated and removed in this is not needed.

hughhuangzh commented 1 year ago

@jowko the error message is caused by RABC rule: https://github.com/IBM/cert-manager-webhook-ibmcis/blob/d0aad3120d150c07e82a0f56bf12e67572b429b1/deploy/cert-manager-webhook-ibmcis/templates/rbac.yaml#L106

hughhuangzh commented 1 year ago

what's your k8s version, API Priority and Fairness is enabled by default in Kubernetes 1.20: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/

jowko commented 1 year ago

I installed this on IBM Cloud Kubernetes cluster in version 1.21. I Don't recall that we changed kube settings there, since this cluster is provided by IBM. We just upgraded clusters to kubernetes 1.24 and there logs disappeared.