search

cybozu-go / accurate

Kubernetes controller for multi-tenancy. It propagates resources between namespaces accurately and allows tenant users to create/delete sub-namespaces.
https://cybozu-go.github.io/accurate/
Apache License 2.0
38 stars 5 forks source link

chore: enable DisablePropagateGenerated feature gate by default #99

Closed erikgb closed 11 months ago

erikgb commented 11 months ago

As agreed in https://github.com/cybozu-go/accurate/issues/87#issuecomment-1760038161, this graduates the `DisablePropagateGenerated ``to Beta and enables it by default. This does not fix https://github.com/cybozu-go/accurate/issues/87, but I still think we can close the issue as "not a problem" - since the problematic feature is no longer enabled by default.

Should probably be merged/released after https://github.com/cybozu-go/accurate/pull/95. This PR is quite easy to rebase, so it can just stay open until we are ready for these changes.

Close https://github.com/cybozu-go/accurate/issues/87

PS: The structure/wording of the new feature gates doc paragraph is almost a copy of https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/. Kudos to Kubernetes documentation contributors/maintainers. 🙏

erikgb commented 11 months ago

I also think this should wait for https://github.com/cybozu-go/accurate/pull/100.

erikgb commented 11 months ago

This PR should be ready for review now and eventual merge. I have updated the Helm values file after https://github.com/cybozu-go/accurate/pull/100 and the failing test in CI seems like a flake.

ymmt2005 commented 11 months ago

The failed test log:

Namespace webhook should deny moving a sub-namespace under non-root/non-sub namespace
/home/runner/work/accurate/accurate/hooks/namespace_test.go:379
  [FAILED] in [It] - /home/runner/work/accurate/accurate/hooks/namespace_test.go:390 @ 10/17/23 09:34:15.064
• [FAILED] [0.008 seconds]
Namespace webhook [It] should deny moving a sub-namespace under non-root/non-sub namespace
/home/runner/work/accurate/accurate/hooks/namespace_test.go:379

  [FAILED] Unexpected error:
      <*errors.StatusError | 0xc0004b2e60>: 
      admission webhook "namespace.accurate.cybozu.io" denied the request: namespace does not exist: move-root
      {
          ErrStatus: {
              TypeMeta: {Kind: "", APIVersion: ""},
              ListMeta: {
                  SelfLink: "",
                  ResourceVersion: "",
                  Continue: "",
                  RemainingItemCount: nil,
              },
              Status: "Failure",
              Message: "admission webhook \"namespace.accurate.cybozu.io\" denied the request: namespace does not exist: move-root",
              Reason: "Forbidden",
              Details: nil,
              Code: 403,
          },
      }
  occurred
  In [It] at: /home/runner/work/accurate/accurate/hooks/namespace_test.go:390 @ 10/17/23 09:34:15.064

This was caused because the webhook uses a caching client: https://github.com/cybozu-go/accurate/blob/9bbac9fc7695fbf8109e04b2e5f9edccb33d012a/hooks/namespace.go#L203

IIRC, I used the caching client as I was a bit concerned about performance.