kubernetes-sigs / hierarchical-namespaces

Home of the Hierarchical Namespace Controller (HNC). Adds hierarchical policies and delegated creation to Kubernetes namespaces for improved in-cluster multitenancy.
Apache License 2.0

Unable to Bind Existing Namespace to Subnamespace Anchor #358

Open omaratdgtl opened 4 months ago

omaratdgtl commented 4 months ago

Description: I'm encountering an issue while attempting to bind an existing namespace to a new subnamespace-anchor resource using the kubectl hns set command in our Kubernetes cluster configured with hierarchical-namespaces.

First attempt

Steps to Reproduce:

  1. Create a new subnamespace-anchor on an already existing root namespace.

Expected Behavior: HNC creates the subnamespace-anchor and binds it to the existing namespace if:

Actual Behavior: Creating the Subnamespace Anchor while the namespace exists results in exceptions. The process produces the following error messages:

{"level":"info","ts":1709888268.4449706,"logger":"anchor.validate","msg":"Denied","ns":"test-parent","nm":"test-child","op":"CREATE","user":"test@test.com","code":409,"reason":"Conflict","message":"Operation cannot be fulfilled on subnamespaceanchors.hnc.x-k8s.io \"test-child\": cannot create a subnamespace using an existing namespace"}
{"level":"info","ts":1709888281.9173489,"logger":"hierarchyconfig.reconcile","msg":"Namespace has changed","rid":281,"ns":"test-child"}
{"level":"info","ts":1709888281.9246855,"logger":"namespace.validate","msg":"Denied","nm":"test-child","op":"UPDATE","user":"system:serviceaccount:test-parent-hnc-system:default","code":403,"reason":"Forbidden","message":"namespaces \"test-child\" is forbidden: cannot set or modify tree label \"test-child.tree.hnc.x-k8s.io/depth\" in namespace \"test-child\"; these can only be managed by HNC"}
{"level":"error","ts":1709888281.9309719,"logger":"hierarchyconfig.reconcile","msg":"while updating apiserver","rid":281,"ns":"test-child","error":"admission webhook \"namespaces.hnc.x-k8s.io\" denied the request: namespaces \"test-child\" is forbidden: cannot set or modify tree label \"test-child.tree.hnc.x-k8s.io/depth\" in namespace \"test-child\"; these can only be managed by HNC"}
{"level":"error","ts":1709888281.9310033,"logger":"controller.hierarchyconfiguration","msg":"Reconciler error","reconciler group":"hnc.x-k8s.io","reconciler kind":"HierarchyConfiguration","name":"hierarchy","namespace":"test-child","error":"admission webhook \"namespaces.hnc.x-k8s.io\" denied the request: namespaces \"test-child\" is forbidden: cannot set or modify tree label \"test-child.tree.hnc.x-k8s.io/depth\" in namespace \"test-child\"; these can only be managed by HNC"}

Second attempt

Steps to Reproduce:

   kubectl hns set child --parent parent

Expected Behavior: The kubectl hns set command should create/update a subnamespace-anchor resource in the SubnamespaceAnchors CRs after updating the tree.

Actual Behavior: The kubectl hns set command doesn't create/update a subnamespace-anchor resource in the SubnamespaceAnchors CRs after updating the tree.

I ended up going with a dirty workaround attempt:

To address this issue, I attempted the following workaround:

Result: While this approach resolves cosmetic problems, issues persist with the finalizers when attempting to delete a subnamespace-anchor created in this way.

Question: How can I bind an existing namespace to a new subnamespace-anchor resource? Is there any possibility that the kubectl hns set command would update the subnamespace-anchors resources or create them if they don't exist?
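The two attempts above produce two different kinds of object: an anchor (which HNC only honours for namespaces it created itself) and a HierarchyConfiguration parent (which is what `kubectl hns set child --parent parent` writes, turning an existing "full" namespace into a child without making it a subnamespace). The following audit helper is an added example, not code from the reporter or from the HNC project. It assumes the documented HNC conventions: the child-side annotation `hnc.x-k8s.io/subnamespace-of`, a per-namespace `HierarchyConfiguration` singleton whose `spec.parent` names the parent, and `SubnamespaceAnchor` objects living in the parent namespace under the child's name. It classifies each namespace as root, full namespace with a parent, genuine subnamespace, or an inconsistent half-bound state of the kind a hand-made anchor leaves behind, and it turns the webhook `Denied` records quoted above into structured findings so that a non-HNC identity touching `*.tree.hnc.x-k8s.io/depth` labels is surfaced. The cluster state and namespace names other than `test-parent`/`test-child` are constructed; the inputs are plain dicts of the shape you would build from `kubectl get ... -o json`.

```python
"""Audit helpers for HNC: classify how each namespace sits in the tree and
turn webhook 'Denied' log records into structured findings.

Added example, not code from the HNC project. Assumes the documented HNC
conventions (child annotation hnc.x-k8s.io/subnamespace-of, a
HierarchyConfiguration singleton per namespace with spec.parent, anchors in
the parent namespace named after the child). Sample data is constructed.
"""
import json

SUBNS_ANNOTATION = "hnc.x-k8s.io/subnamespace-of"


def parse_hnc_denials(log_lines):
    """Return one finding per HNC webhook record whose msg is "Denied".

    anchor.validate records carry ns (the parent namespace the anchor was
    created in) and nm (the anchor name, i.e. the would-be child);
    namespace.validate records carry only nm.
    """
    findings = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a structured log record
        if rec.get("msg") != "Denied":
            continue
        user = rec.get("user", "")
        findings.append({
            "webhook": rec.get("logger"),
            "user": user,
            "is_service_account": user.startswith("system:serviceaccount:"),
            "parent_ns": rec.get("ns"),
            "name": rec.get("nm"),
            "op": rec.get("op"),
            "code": rec.get("code"),
            "reason": rec.get("reason"),
            # Only HNC itself may write <ns>.tree.hnc.x-k8s.io/depth labels.
            "tree_label_tamper": ".tree.hnc.x-k8s.io/" in rec.get("message", ""),
        })
    return findings


def classify_namespace(name, namespaces, hierarchy_parents, anchors):
    """Classify one namespace as root, full-namespace-with-parent,
    subnamespace or inconsistent.

    A subnamespace needs three things to agree: the child annotation, an
    anchor carrying the child's name in that parent, and spec.parent in the
    child's HierarchyConfiguration. Anything partial is flagged, because a
    half-bound namespace is where anchor deletion and finalizers stop
    behaving predictably.
    """
    annotation_parent = namespaces[name].get("annotations", {}).get(SUBNS_ANNOTATION)
    parent = hierarchy_parents.get(name)
    anchor_parents = {p for (p, n) in anchors if n == name}

    if annotation_parent is None and not anchor_parents:
        return "root" if parent is None else "full-namespace-with-parent"
    if annotation_parent and anchor_parents == {annotation_parent} and parent == annotation_parent:
        return "subnamespace"
    return "inconsistent"


def audit(namespaces, hierarchy_parents, anchors):
    """Classify every namespace; returns {name: classification}."""
    return {n: classify_namespace(n, namespaces, hierarchy_parents, anchors) for n in namespaces}


# Webhook records quoted from this issue; the middle line is an ordinary
# reconcile message, kept to show that non-Denied records are skipped.
SAMPLE_LOGS = [
    r'{"level":"info","ts":1709888268.4449706,"logger":"anchor.validate","msg":"Denied","ns":"test-parent","nm":"test-child","op":"CREATE","user":"test@test.com","code":409,"reason":"Conflict","message":"Operation cannot be fulfilled on subnamespaceanchors.hnc.x-k8s.io \"test-child\": cannot create a subnamespace using an existing namespace"}',
    r'{"level":"info","ts":1709888281.9173489,"logger":"hierarchyconfig.reconcile","msg":"Namespace has changed","rid":281,"ns":"test-child"}',
    r'{"level":"info","ts":1709888281.9246855,"logger":"namespace.validate","msg":"Denied","nm":"test-child","op":"UPDATE","user":"system:serviceaccount:test-parent-hnc-system:default","code":403,"reason":"Forbidden","message":"namespaces \"test-child\" is forbidden: cannot set or modify tree label \"test-child.tree.hnc.x-k8s.io/depth\" in namespace \"test-child\"; these can only be managed by HNC"}',
]

# Constructed cluster state: test-child is an existing namespace re-parented
# with `kubectl hns set child --parent parent` (HierarchyConfiguration only,
# no anchor, no annotation); team-a-dev is a genuine subnamespace; hand-bound
# has an anchor and the annotation but no matching HierarchyConfiguration parent.
NAMESPACES = {
    "test-parent": {"annotations": {}},
    "test-child": {"annotations": {}},
    "team-a-dev": {"annotations": {SUBNS_ANNOTATION: "test-parent"}},
    "hand-bound": {"annotations": {SUBNS_ANNOTATION: "test-parent"}},
}
HIERARCHY_PARENTS = {"test-parent": None, "test-child": "test-parent",
                     "team-a-dev": "test-parent", "hand-bound": None}
ANCHORS = {("test-parent", "team-a-dev"), ("test-parent", "hand-bound")}

if __name__ == "__main__":
    for f in parse_hnc_denials(SAMPLE_LOGS):
        flag = " [tree-label tamper]" if f["tree_label_tamper"] else ""
        print(f"{f['webhook']}: {f['op']} by {f['user']} -> {f['code']} {f['reason']}{flag}")
    for ns, kind in audit(NAMESPACES, HIERARCHY_PARENTS, ANCHORS).items():
        print(f"{ns}: {kind}")
```

Feed `parse_hnc_denials` the HNC manager pod log and `audit` the output of `kubectl get ns`, `kubectl get hierarchyconfigurations -A` and `kubectl get subnamespaceanchors -A`; any namespace reported as `inconsistent` is one where an anchor and the child's own state disagree, which is the situation to repair before deleting the anchor.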

k8s-triage-robot commented 1 month ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

pixxet commented 1 month ago

/remove-lifecycle stale