estahn / k8s-image-swapper

Mirror images into your own registry and swap image references automatically.
https://estahn.github.io/k8s-image-swapper/
MIT License

panic when secretReader is disabled #135

Open zswanson opened 2 years ago

zswanson commented 2 years ago

Hi, we're using AWS ECR and not using image pull secrets, just IAM restrictions with IRSA. We have chart 1.0.1 with appVersion 1.1.0 installed and it is frequently dumping panics in the following form. Because we have the secretReader option disabled, it's not creating a ClusterRole or ClusterRoleBinding, so it's not surprising it gets permission denied. It is, however, surprising that it is trying to access the 'default' serviceAccount in a different namespace when it's not configured to do so.

```
7:35PM ERR error fetching referenced service account, continue without service account imagePullSecrets error="serviceaccounts \"default\" is forbidden: User \"system:serviceaccount:image-swapper:image-swapper\" cannot get resource \"serviceaccounts\" in API group \"\" in the namespace \"myappnamespace\""
Worker exits from a panic: runtime error: invalid memory address or nil pointer dereference
Stack trace: goroutine 198 [running]:
runtime/debug.Stack()
	runtime/debug/stack.go:24 +0x65
github.com/alitto/pond.defaultPanicHandler({0x1946000, 0x2c8fa20})
	github.com/alitto/pond@v1.5.1/pond.go:19 +0x27
github.com/alitto/pond.(*WorkerPool).executeTask.func1()
	github.com/alitto/pond@v1.5.1/pond.go:364 +0x45
panic({0x1946000, 0x2c8fa20})
	runtime/panic.go:1038 +0x215
os.(*File).Name(...)
	os/file.go:57
github.com/estahn/k8s-image-swapper/pkg/webhook.(*ImageSwapper).Mutate.func1()
	github.com/estahn/k8s-image-swapper@v1.1.0/pkg/webhook/image_swapper.go:219 +0x317
github.com/alitto/pond.(*WorkerPool).executeTask(0xc00073d3b0, 0x1ebce10)
	github.com/alitto/pond@v1.5.1/pond.go:371 +0x69
github.com/alitto/pond.worker(0xc000199200, 0x1ea74e8, 0xc00073d3ec, 0x0, 0xc0007e7d80)
	github.com/alitto/pond@v1.5.1/pond.go:427 +0x79
created by github.com/alitto/pond.(*WorkerPool).maybeStartWorker
```
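The log line and trace above fit a common Go failure mode: an error is logged, execution continues, and a `*os.File` that was never assigned is dereferenced in `os.(*File).Name`. The following is an added sketch of that pattern beside a guarded form; it is not k8s-image-swapper's code (the source at `image_swapper.go:219` is not shown in this thread), and `pullSecretFile`, `authPathUnsafe`, `authPathSafe` and `recovered` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// errForbidden is a constructed stand-in for the API server's RBAC denial.
var errForbidden = errors.New(`serviceaccounts "default" is forbidden`)

// pullSecretFile (hypothetical) writes a service account's imagePullSecrets
// to a temp auth file. When the lookup is denied it returns (nil, err).
func pullSecretFile(allowed bool) (*os.File, error) {
	if !allowed {
		return nil, errForbidden
	}
	return os.CreateTemp("", "auth-*.json")
}

// authPathUnsafe logs the error and continues, then dereferences the nil file.
func authPathUnsafe(allowed bool) string {
	f, err := pullSecretFile(allowed)
	if err != nil {
		fmt.Println("ERR continue without imagePullSecrets:", err)
	}
	return f.Name() // f == nil on the error path: panics inside os.(*File).Name
}

// authPathSafe reports "no auth file" instead of touching a nil handle.
// On success the caller owns the returned temp file and must remove it.
func authPathSafe(allowed bool) (path string, ok bool) {
	f, err := pullSecretFile(allowed)
	if err != nil || f == nil {
		return "", false
	}
	defer f.Close()
	return f.Name(), true
}

// recovered runs fn and returns the panic message, or "" if fn did not panic.
func recovered(fn func()) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	fn()
	return ""
}

func main() {
	fmt.Println("unsafe:", recovered(func() { authPathUnsafe(false) }))
	p, ok := authPathSafe(false)
	fmt.Printf("safe: path=%q ok=%v\n", p, ok)
}
```

In an admission webhook the guarded form matters beyond tidiness: the denied lookup is an expected condition when RBAC is scoped tightly, so it should degrade to an unauthenticated pull rather than kill the worker.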

estahn commented 2 years ago

@zswanson Thanks for the detailed error description. Will have a look soon.

zswanson commented 2 years ago

Actually, we just set `secretReader.enabled: true` in the values and redeployed (left the `secretReader.secretNames: []` as empty) and it's still producing this error.