Open cparadal opened 4 months ago
/kind bug
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale is applied
lifecycle/stale was applied, lifecycle/rotten is applied
lifecycle/rotten was applied, the issue is closed
You can:
/remove-lifecycle stale
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale is applied
lifecycle/stale was applied, lifecycle/rotten is applied
lifecycle/rotten was applied, the issue is closed
You can:
/remove-lifecycle rotten
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
Describe the bug
The AWS Load Balancer Controller admission webhook seems to be blocking deletion of any Ingress resource that is associated with an Ingress Class that has already been deleted.
We have a series of ArgoCD applications on which we perform selective resource deletion, based on a number of requirements. During this resource deletion, ingress classes can get removed before the actual ingress resources referencing them. The removed ingress classes are not related to the AWS Load Balancer Controller.
This wasn't an issue with versions < 2.6.0, as the behaviour of this webhook seems to have changed with this commit
kube-controller-manager-ip-xxxxxxx kube-controller-manager E0509 14:16:52.686392 1 garbagecollector.go:392] error syncing item &garbagecollector.node{identity:garbagecollector.objectReference{OwnerReference:v1.OwnerReference{APIVersion:"networking.k8s.io/v1", Kind:"Ingress", Name:"xxxxxx", UID:"xxxxxxxx", Controller:(*bool)(nil), BlockOwnerDeletion:(*bool)(nil)}, Namespace:"xxxxxxxxx"}, dependentsLock:sync.RWMutex{w:sync.Mutex{state:0, sema:0x0}, writerSem:0x0, readerSem:0x0, readerCount:atomic.Int32{_:atomic.noCopy{}, v:1}, readerWait:atomic.Int32{_:atomic.noCopy{}, v:0}}, dependents:map[*garbagecollector.node]struct {}{}, deletingDependents:true, deletingDependentsLock:sync.RWMutex{w:sync.Mutex{state:0, sema:0x0}, writerSem:0x0, readerSem:0x0, readerCount:atomic.Int32{_:atomic.noCopy{}, v:0}, readerWait:atomic.Int32{_:atomic.noCopy{}, v:0}}, beingDeleted:true, beingDeletedLock:sync.RWMutex{w:sync.Mutex{state:0, sema:0x0}, writerSem:0x0, readerSem:0x0, readerCount:atomic.Int32{_:atomic.noCopy{}, v:0}, readerWait:atomic.Int32{_:atomic.noCopy{}, v:0}}, virtual:false, virtualLock:sync.RWMutex{w:sync.Mutex{state:0, sema:0x0}, writerSem:0x0, readerSem:0x0, readerCount:atomic.Int32{_:atomic.noCopy{}, v:0}, readerWait:atomic.Int32{_:atomic.noCopy{}, v:0}}, owners:[]v1.OwnerReference(nil)}: admission webhook "vingress.elbv2.k8s.aws" denied the request: invalid ingress class: IngressClass.networking.k8s.io "xxxxxxxx" not found
Steps to reproduce
From ArgoCD, deploy an application which contains an ingress class and an ingress resource referencing it. Trigger a deletion of both IngressClass and Ingress, making sure that the Ingress Class is removed first. This could potentially be reproduced without ArgoCD.
Expected outcome
The AWS Load Balancer Controller webhook doesn't randomly block ingress resource deletion within the cluster.
Environment
AWS Load Balancer controller version v2.7.2 (but bug occurs on >= v2.6.0)
Kubernetes version v1.28.9
Using EKS (yes/no), if so version? No - kubeadm based cluster running on AWS
Additional Context:
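
To see which objects are stuck on this denial, the kube-controller-manager log can be grouped by webhook and missing IngressClass. The script below is an added example, not part of the issue report or the controller's code; the sample lines and the names `web`, `api`, `jobs`, `team-a`, `team-b` and `nginx-internal` are constructed, shaped after the garbage collector error quoted above.

```python
import re
from collections import defaultdict

IDENTITY = re.compile(r'Kind:"(?P<kind>[^"]+)", Name:"(?P<name>[^"]*)".*?Namespace:"(?P<ns>[^"]*)"')
DENIAL = re.compile(r'admission webhook "(?P<webhook>[^"]+)" denied the request: (?P<reason>.*)$')
MISSING_CLASS = re.compile(r'IngressClass\.networking\.k8s\.io "(?P<cls>[^"]+)" not found')

def blocked_deletions(log_text):
    """Map (webhook, missing IngressClass or None) -> sorted 'Kind:namespace/name' list."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        if "garbagecollector.go" not in line:
            continue
        denial = DENIAL.search(line)
        ident = IDENTITY.search(line)
        if not denial or not ident:
            continue  # other GC errors, or a truncated struct dump
        missing = MISSING_CLASS.search(denial["reason"])
        key = (denial["webhook"], missing["cls"] if missing else None)
        # The garbage collector retries, so the same object appears many times: use a set.
        found[key].add(f'{ident["kind"]}:{ident["ns"]}/{ident["name"]}')
    return {k: sorted(v) for k, v in found.items()}

# Constructed sample input (struct dump shortened, all object names are placeholders).
_LINE = ('E0509 %s 1 garbagecollector.go:392] error syncing item &garbagecollector.node{'
         'identity:garbagecollector.objectReference{OwnerReference:v1.OwnerReference{'
         'APIVersion:"networking.k8s.io/v1", Kind:"Ingress", Name:"%s", UID:"uid"}, '
         'Namespace:"%s"}, virtual:false}: %s')
_DENY = ('admission webhook "vingress.elbv2.k8s.aws" denied the request: '
         'invalid ingress class: IngressClass.networking.k8s.io "%s" not found')
SAMPLE_LOG = "\n".join([
    _LINE % ("14:16:52.686392", "web", "team-a", _DENY % "nginx-internal"),
    _LINE % ("14:17:22.700101", "web", "team-a", _DENY % "nginx-internal"),  # GC retry
    _LINE % ("14:17:23.000000", "api", "team-b", _DENY % "nginx-internal"),
    _LINE % ("14:17:24.000000", "jobs", "team-b", "object has been modified"),
    "I0509 14:17:25.000000 1 garbagecollector.go:501] unrelated info line",
])

if __name__ == "__main__":
    for (webhook, cls), objects in blocked_deletions(SAMPLE_LOG).items():
        print(f"{webhook} blocked {len(objects)} object(s); missing IngressClass={cls}: {objects}")
```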