kubernetes-sigs / hierarchical-namespaces

Home of the Hierarchical Namespace Controller (HNC). Adds hierarchical policies and delegated creation to Kubernetes namespaces for improved in-cluster multitenancy.
Apache License 2.0
607 stars 105 forks

Possible bug in propagation matching algorithm #343

Closed gbmeuk closed 5 months ago

gbmeuk commented 10 months ago

When investigating another issue I found I can partially work around the constraint which forces RoleBindings to Propagate by dropping group from the resourced object:

spec:
  resources:
    - resource: rolebindings
      mode: AllowPropagate

So I suspect there may be a bit of a bug in the matching algorithm. It only partially works though and causes some other component of the system to revert the change frequently.

{"level":"info","ts":1698313059.863884,"logger":"hncconfig.reconcile","msg":"Changing sync mode of the object reconciler","gvk":"rbac.authorization.k8s.io/v1, Kind=RoleBinding","oldMode":"AllowPropagate","newMode":"Propagate"}
{"level":"info","ts":1698313059.8659315,"logger":"hncconfig.reconcile","msg":"Changing sync mode of the object reconciler","gvk":"rbac.authorization.k8s.io/v1, Kind=RoleBinding","oldMode":"Propagate","newMode":"AllowPropagate"}

There is also this. Albeit not exactly a problem, it does suggest that the matching needs a review. When I set role bindings to Propagate, as the value needs to be, there is still an admission webhook error:

spec:
  resources:
    - resource: rolebindings
      mode: Propagate

admission webhook "hncconfigurations.hnc.x-k8s.io" denied the request: HNCConfiguration.hnc.x-k8s.io "config" is invalid: spec.resources[1]: Invalid value: rolebindings.rbac.authorization.k8s.io: always uses the 'Propagate'

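The report above suggests that the admission webhook and the object reconciler disagree on whether a `spec.resources` entry written as bare `rolebindings` (no `group`) is the same thing as `rolebindings.rbac.authorization.k8s.io`, which HNC pins to Propagate. The following Go program is an added illustration, not HNC's own code: it contrasts a check keyed on the literal `resource.group` string, which a group-less entry slips past, with a check that resolves the API group first. The `knownGroups` lookup table, the `enforcedModes` map and the function names are assumptions of this example standing in for whatever discovery and validation logic the controller actually uses.

```go
package main

import (
	"fmt"
	"strings"
)

// Mode names as they appear in an HNCConfiguration (taken from the issue text).
const (
	ModePropagate      = "Propagate"
	ModeAllowPropagate = "AllowPropagate"
)

// ResourceSpec mirrors one entry of spec.resources: a plural resource name,
// an optional API group and the requested sync mode.
type ResourceSpec struct {
	Resource string
	Group    string // may be empty, e.g. "rolebindings" written without its group
	Mode     string
}

// enforcedModes lists resources whose mode is fixed regardless of the config.
// Only RoleBindings are listed, per the webhook message in the issue; keying the
// map by "resource.group" is an assumption of this example.
var enforcedModes = map[string]string{
	"rolebindings.rbac.authorization.k8s.io": ModePropagate,
}

// knownGroups is a hypothetical stand-in for a discovery / RESTMapper lookup:
// it resolves a bare resource name to its API group ("" is the core group).
var knownGroups = map[string]string{
	"rolebindings": "rbac.authorization.k8s.io",
	"roles":        "rbac.authorization.k8s.io",
	"secrets":      "",
	"configmaps":   "",
}

// fullName returns "<resource>.<group>" (or just "<resource>" for the core group),
// filling in the group from knownGroups when the spec omitted it.
func fullName(r ResourceSpec) (string, error) {
	group := r.Group
	if group == "" {
		g, ok := knownGroups[strings.ToLower(r.Resource)]
		if !ok {
			return "", fmt.Errorf("unknown resource %q: cannot resolve API group", r.Resource)
		}
		group = g
	}
	if group == "" {
		return r.Resource, nil
	}
	return r.Resource + "." + group, nil
}

// naiveViolation compares the entry exactly as written against the enforced
// list. Because the list is keyed by "resource.group", an entry that omits the
// group never matches and is silently accepted.
func naiveViolation(r ResourceSpec) bool {
	key := r.Resource
	if r.Group != "" {
		key += "." + r.Group
	}
	want, enforced := enforcedModes[key]
	return enforced && r.Mode != want
}

// Validate resolves every entry to its full name before checking enforced
// modes, so "rolebindings" and "rolebindings.rbac.authorization.k8s.io" are
// treated alike. It returns one message per offending entry (nil if all pass).
func Validate(specs []ResourceSpec) []string {
	var errs []string
	for i, r := range specs {
		name, err := fullName(r)
		if err != nil {
			errs = append(errs, fmt.Sprintf("spec.resources[%d]: %v", i, err))
			continue
		}
		if want, ok := enforcedModes[name]; ok && r.Mode != want {
			// Message wording modelled on the webhook error quoted in the issue.
			errs = append(errs, fmt.Sprintf("spec.resources[%d]: Invalid value: %s: always uses the '%s' mode", i, name, want))
		}
	}
	return errs
}

func main() {
	// Constructed sample: the entry from the issue, written without its group.
	noGroup := ResourceSpec{Resource: "rolebindings", Mode: ModeAllowPropagate}
	fmt.Println("naive check flags it:", naiveViolation(noGroup)) // false
	fmt.Println("resolved check:", Validate([]ResourceSpec{noGroup}))
}
```

The point of the contrast is that a config whose validation and reconciliation paths canonicalise names differently will accept an entry at admission time and then fight over it at reconcile time; resolving the group once, up front, and using that canonical name in both places removes the disagreement.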
adrianludwin commented 10 months ago

Thanks! I won't have time to investigate this in the foreseeable future, but if you wanted to take a crack at it, I'd appreciate it.

/good-first-issue

On Mon, Oct 30, 2023 at 5:31 AM Gareth Brown @.***> wrote:

k8s-ci-robot commented 10 months ago

@adrianludwin: This request has been marked as suitable for new contributors.

Guidelines

Please ensure that the issue body includes answers to the following questions:

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-good-first-issue command.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

hrk091 commented 10 months ago

I’ve faced the same issue when I mistakenly set RoleBinding to AllowPropagate mode. I’ve already investigated this issue and I can probably fix it. Do you mind if I address this issue?