kubernetes-sigs / security-profiles-operator

The Kubernetes Security Profiles Operator
Apache License 2.0

priorityClassName is ignored on initial apply of the operator #1838

Closed maxyeg86 closed 7 months ago

maxyeg86 commented 1 year ago

What happened:

When running `kubectl apply -f operator.yaml` while part of the operator.yaml looks like this (default `high-priority` instead of `system-node-critical`):

```yaml
priorityClassName:
  default: high-priority
  description: PriorityClassName if defined, indicates the spod podpriority class.
  type: string
```

The default priorityClassName is ignored and the spod is created with `priorityClassName: system-node-critical`.

What you expected to happen:

The expected behavior is that the spod will be created with the default priorityClassName as defined in the operator.yaml

How to reproduce it (as minimally and precisely as possible):

```sh
kubectl apply -f priority-class.yaml

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.1/cert-manager.yaml
kubectl --namespace cert-manager wait --for condition=ready pod -l app.kubernetes.io/instance=cert-manager

kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/main/deploy/operator.yaml
```

Files involved:

priority-class.yaml:

```yaml
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: high-priority
value: 1000
globalDefault: false
description: "This priority class should be used for apparmor service pods only."
```

operator.yaml (The same exact file as in the git repo except for default: high-priority instead of default: system-node-critical):

```yaml
priorityClassName:
  default: high-priority
  description: PriorityClassName if defined, indicates the spod podpriority class.
  type: string
```

Anything else we need to know?:

Probably happens because of a hard coded value here but not sure.

Environment:

saschagrunert commented 1 year ago

Hey @maxyeg86, just to be sure: Did you patch the spod like outlined there: https://github.com/kubernetes-sigs/security-profiles-operator/blob/main/installation-usage.md#set-a-custom-priority-class-name-for-spod-daemon-pod ?

maxyeg86 commented 1 year ago

Hi @saschagrunert. Yes, I did patch the spod and it indeed works, but the goal is to be able to install it using helm in one go and without patching. I wanted to do it by changing the default priorityClassName, but it doesn't seem to work.

k8s-triage-robot commented 9 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 8 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot commented 7 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-ci-robot commented 7 months ago

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to [this](https://github.com/kubernetes-sigs/security-profiles-operator/issues/1838#issuecomment-2021901158):

>The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
>
>This bot triages issues according to the following rules:
>- After 90d of inactivity, `lifecycle/stale` is applied
>- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
>- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
>
>You can:
>- Reopen this issue with `/reopen`
>- Mark this issue as fresh with `/remove-lifecycle rotten`
>- Offer to help out with [Issue Triage][1]
>
>Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community).
>
>/close not-planned
>
>[1]: https://www.kubernetes.dev/docs/guide/issue-triage/

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.