TykTechnologies / tyk-operator

Tyk Operator for Kubernetes
https://tyk.io

Security Policy "configured" even without changes #250

Closed sedkis closed 3 years ago

sedkis commented 3 years ago

Applying a SecurityPolicy resource, even without changes, results in a reconcile loop each time.

Version: Operator v0.4.1

➜  tyk-operator git:(f54cfb5) ✗ k apply -f ./config/samples/httpbin_protected.yaml
apidefinition.tyk.tyk.io/httpbin created
➜  tyk-operator git:(f54cfb5) ✗ k apply -f ./config/samples/httpbin_protected_policy.yaml
securitypolicy.tyk.tyk.io/httpbin created
➜  tyk-operator git:(f54cfb5) ✗ k apply -f ./config/samples/httpbin_protected.yaml
apidefinition.tyk.tyk.io/httpbin unchanged
➜  tyk-operator git:(f54cfb5) ✗ k apply -f ./config/samples/httpbin_protected_policy.yaml
securitypolicy.tyk.tyk.io/httpbin configured
➜  tyk-operator git:(f54cfb5) ✗ k apply -f ./config/samples/httpbin_protected_policy.yaml
securitypolicy.tyk.tyk.io/httpbin configured

Tyk Operator logs each time the apply happens:

{"level":"info","ts":1612198820.8060765,"logger":"securitypolicy-resource","msg":"default","name":"httpbin"}
{"level":"info","ts":1612198820.811275,"logger":"securitypolicy-resource","msg":"validate update","name":"httpbin"}
{"level":"info","ts":1612198820.8208332,"logger":"controllers.SecurityPolicy","msg":"Reconciling SecurityPolicy instance","SecurityPolicy":"default/httpbin"}
{"level":"info","ts":1612198820.8208778,"logger":"controllers.SecurityPolicy","msg":"updating access rights"}
{"level":"info","ts":1612198820.9665265,"logger":"controllers.SecurityPolicy","msg":"Call","Method":"GET","URL":"http://a87905fcebea.ngrok.io/api/apis","Status":200}
{"level":"info","ts":1612198820.9675589,"logger":"controllers.SecurityPolicy","msg":"All api's","Count":1}
{"level":"info","ts":1612198820.967609,"logger":"controllers.SecurityPolicy","msg":"Updating  policy"}
{"level":"info","ts":1612198821.0645616,"logger":"controllers.SecurityPolicy","msg":"Call","Method":"PUT","URL":"http://a87905fcebea.ngrok.io/api/portal/policies/60183333c8dcad0001f8b52f","Status":200}
{"level":"info","ts":1612198821.064659,"logger":"controllers.SecurityPolicy","msg":"Successfully updated Policy"}
{"level":"info","ts":1612198821.071407,"logger":"securitypolicy-resource","msg":"default","name":"httpbin"}
{"level":"info","ts":1612198821.0737884,"logger":"securitypolicy-resource","msg":"validate update","name":"httpbin"}
{"level":"info","ts":1612198821.0856066,"logger":"controllers.SecurityPolicy","msg":"Done reconcile","Op":"updated"}
{"level":"info","ts":1612198821.0857725,"logger":"controllers.SecurityPolicy","msg":"Reconciling SecurityPolicy instance","SecurityPolicy":"default/httpbin"}
{"level":"info","ts":1612198821.0858583,"logger":"controllers.SecurityPolicy","msg":"updating access rights"}
{"level":"info","ts":1612198821.1808848,"logger":"controllers.SecurityPolicy","msg":"Call","Method":"GET","URL":"http://a87905fcebea.ngrok.io/api/apis","Status":200}
{"level":"info","ts":1612198821.181176,"logger":"controllers.SecurityPolicy","msg":"All api's","Count":1}
{"level":"info","ts":1612198821.181188,"logger":"controllers.SecurityPolicy","msg":"Updating  policy"}
{"level":"info","ts":1612198821.2743676,"logger":"controllers.SecurityPolicy","msg":"Call","Method":"PUT","URL":"http://a87905fcebea.ngrok.io/api/portal/policies/60183333c8dcad0001f8b52f","Status":200}
{"level":"info","ts":1612198821.2744665,"logger":"controllers.SecurityPolicy","msg":"Successfully updated Policy"}
{"level":"info","ts":1612198821.274689,"logger":"controllers.SecurityPolicy","msg":"Done reconcile","Op":"unchanged"}

gernest commented 3 years ago

This is a bit tricky; I tried to investigate but eventually gave up. I verified there was no change on the generated SecurityPolicy, yet k8s still thought otherwise.

asoorm commented 3 years ago

I'm closing this issue, as we don't know why it's broken and it doesn't have any negative impact. Feel free to open it again if it becomes a problem for any reason.

asoorm commented 3 years ago

I'm re-opening this issue and bumping urgency, as it will likely be very heavy on the dashboard API, especially if we have lots of security policies.

{"level":"info","ts":1619350866.970371,"logger":"controllers.SecurityPolicy","msg":"Reconciling SecurityPolicy instance","SecurityPolicy":"default/httpbin.oauth2"}
{"level":"info","ts":1619350866.970464,"logger":"controllers.SecurityPolicy","msg":"updating access rights"}
{"level":"info","ts":1619350867.261389,"logger":"controllers.SecurityPolicy","msg":"Call","Method":"GET","URL":"http://9e0c0ef3c32d.ngrok.io/api/apis","Status":200}
{"level":"info","ts":1619350867.262351,"logger":"controllers.SecurityPolicy","msg":"All api's","Count":2}
{"level":"info","ts":1619350867.262423,"logger":"controllers.SecurityPolicy","msg":"Updating  policy"}
{"level":"info","ts":1619350867.630778,"logger":"controllers.SecurityPolicy","msg":"Call","Method":"PUT","URL":"http://9e0c0ef3c32d.ngrok.io/api/portal/policies/608554f4d3626e17eb90badc","Status":200}
{"level":"info","ts":1619350867.630892,"logger":"controllers.SecurityPolicy","msg":"Updating linked api definitions"}
{"level":"info","ts":1619350867.66221,"logger":"controllers.SecurityPolicy","msg":"Successfully updated Policy"}
{"level":"info","ts":1619350867.69104,"logger":"controllers.SecurityPolicy","msg":"Completed reconciling SecurityPolicy instance"}
{"level":"info","ts":1619350867.691286,"logger":"controllers.SecurityPolicy","msg":"Reconciling SecurityPolicy instance","SecurityPolicy":"default/httpbin.oauth2"}
{"level":"info","ts":1619350867.691336,"logger":"controllers.SecurityPolicy","msg":"updating access rights"}
{"level":"info","ts":1619350867.939923,"logger":"controllers.SecurityPolicy","msg":"Call","Method":"GET","URL":"http://9e0c0ef3c32d.ngrok.io/api/apis","Status":200}
{"level":"info","ts":1619350867.941484,"logger":"controllers.SecurityPolicy","msg":"All api's","Count":2}
{"level":"info","ts":1619350867.9415522,"logger":"controllers.SecurityPolicy","msg":"Updating  policy"}
{"level":"info","ts":1619350868.319173,"logger":"controllers.SecurityPolicy","msg":"Call","Method":"PUT","URL":"http://9e0c0ef3c32d.ngrok.io/api/portal/policies/608554f4d3626e17eb90badc","Status":200}
{"level":"info","ts":1619350868.319276,"logger":"controllers.SecurityPolicy","msg":"Updating linked api definitions"}
{"level":"info","ts":1619350868.3595679,"logger":"controllers.SecurityPolicy","msg":"Successfully updated Policy"}
{"level":"info","ts":1619350868.359769,"logger":"controllers.SecurityPolicy","msg":"Completed reconciling SecurityPolicy instance"}
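
Added example, not part of the thread or of the Tyk Operator code base: one way to measure the dashboard API load described above is to scan the operator's JSON logs for policy PUTs that repeat for the same SecurityPolicy within a short window. The function name, the window parameter and the sample lines (placeholder host and policy IDs) are assumptions made for this illustration.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// entry holds the fields used from the operator's JSON log lines.
type entry struct {
	Ts     float64 `json:"ts"`
	Msg    string  `json:"msg"`
	Policy string  `json:"SecurityPolicy"`
	Method string  `json:"Method"`
	URL    string  `json:"URL"`
}

// Constructed sample in the shape of the logs above; host and policy IDs are placeholders.
const sample = `{"ts":1612198820.8208332,"msg":"Reconciling SecurityPolicy instance","SecurityPolicy":"default/httpbin"}
{"ts":1612198821.0645616,"msg":"Call","Method":"PUT","URL":"http://dashboard.example/api/portal/policies/POLICY_ID","Status":200}
{"ts":1612198821.0857725,"msg":"Reconciling SecurityPolicy instance","SecurityPolicy":"default/httpbin"}
{"ts":1612198821.2743676,"msg":"Call","Method":"PUT","URL":"http://dashboard.example/api/portal/policies/POLICY_ID","Status":200}
{"ts":1612198830.0,"msg":"Reconciling SecurityPolicy instance","SecurityPolicy":"default/other"}
{"ts":1612198830.2,"msg":"Call","Method":"PUT","URL":"http://dashboard.example/api/portal/policies/OTHER_ID","Status":200}`

// RepeatedPuts counts, per SecurityPolicy, PUTs that follow an earlier PUT for the same policy
// within windowSec. Assumption: reconciles log sequentially, so a PUT belongs to the latest "Reconciling" line.
func RepeatedPuts(logs string, windowSec float64) map[string]int {
	repeats, lastPut, current := map[string]int{}, map[string]float64{}, ""
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		var e entry
		if json.Unmarshal(sc.Bytes(), &e) != nil {
			continue // skip non-JSON lines such as shell prompts
		}
		if e.Msg == "Reconciling SecurityPolicy instance" {
			current = e.Policy
		} else if e.Msg == "Call" && e.Method == "PUT" && current != "" && strings.Contains(e.URL, "/api/portal/policies/") {
			if prev, ok := lastPut[current]; ok && e.Ts-prev <= windowSec {
				repeats[current]++
			}
			lastPut[current] = e.Ts
		}
	}
	return repeats
}

func main() { fmt.Println(RepeatedPuts(sample, 2)) }
```

A non-empty result for a policy whose manifest did not change points at the double reconcile shown in the logs above.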