Describe the bug
Recently, we got user report on the default auto-reconciliation may not work as expected for revoking SG rules. By default, the controller will auto-reconcile every 10hrs, controlled by the flag --sync-period, and should revoke any manual modification users added to the resources, because the controller reconciles based on manifest.
However, we got a claim that, the user added some SG ingress rules manually from console, and expected the controller to revert after 10hr, as set default. But the revert actually happened after 18hrs. But if they explicitly specify the --sync-period to a short value, like 2m, it works as expected. The controller was able to revert after 2min.
Suspect there is some bug/discrepancy on the default mechanism for auto-reconciliation, will need to debug further.
Steps to reproduce
Expected outcome
A concise description of what you expected to happen.
Describe the bug Recently, we got user report on the default auto-reconciliation may not work as expected for revoking SG rules. By default, the controller will auto-reconcile every 10hrs, controlled by the flag
--sync-period, and should revoke any manual modification users added to the resources, because the controller reconciles based on manifest.However, we got a claim that, the user added some SG ingress rules manually from console, and expected the controller to revert after 10hr, as set default. But the revert actually happened after 18hrs. But if they explicitly specify the
--sync-periodto a short value, like 2m, it works as expected. The controller was able to revert after 2min.Suspect there is some bug/discrepancy on the default mechanism for auto-reconciliation, will need to debug further.
Steps to reproduce
Expected outcome A concise description of what you expected to happen.
Environment
Additional Context: