kubernetes / ingress-nginx

Ingress NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0
17.51k stars 8.26k forks source link

Emit event message for ingresses which include a configuration snippet when snippets are disabled #7893

Open brross opened 3 years ago

brross commented 3 years ago

When snippets are disabled by allow-snippet-annotations: false, ingress-nginx should emit an event message for ingresses which include a configuration snippet annotation.

Perhaps something like $ingress created but ignoring configuration-snippet annotation; snippet-by-annotation is disabled

Currently, with allow-snippet-annotations: false, ingress-nginx creates the requested ingress resource but silently ignores any -snippet annotation creating confusion for end-users.

This is related to the fix for Issue https://github.com/kubernetes/kubernetes/issues/126811 introduced in PRs https://github.com/kubernetes/ingress-nginx/pull/7666 and https://github.com/kubernetes/ingress-nginx/pull/7670

strongjz commented 3 years ago

/triage accepted /priority important-soon /assign @strongjz

strongjz commented 2 years ago

Do you have the admission webhook disabled?

I was testing this with a local cluster and a default install. The admission webhook did not create the ingress object.

pod/foo-app unchanged
service/foo-service unchanged
pod/bar-app unchanged
service/bar-service unchanged
Error from server (BadRequest): error when creating "test.yml": admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: nginx.ingress.kubernetes.io/configuration-snippet annotation cannot be used. Snippet directives are disabled by the Ingress administrator
apiVersion: v1
metadata:
  name: foo-app
  labels:
    app: foo
spec:
  containers:
  - name: foo-app
    image: hashicorp/http-echo:0.2.3
    args:
    - "-text=foo"
---
kind: Service
apiVersion: v1
metadata:
  name: foo-service
spec:
  selector:
    app: foo
  ports:
  # Default port used by the image
  - port: 5678
---
kind: Pod
apiVersion: v1
metadata:
  name: bar-app
  labels:
    app: bar
spec:
  containers:
  - name: bar-app
    image: hashicorp/http-echo:0.2.3
    args:
    - "-text=bar"
---
kind: Service
apiVersion: v1
metadata:
  name: bar-service
spec:
  selector:
    app: bar
  ports:
  # Default port used by the image
  - port: 5678
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "Request-Id: $req_id";
spec:
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: "/foo"
        backend:
          service:
            name: foo-service
            port:
              number: 5678
      - pathType: Prefix
        path: "/bar"
        backend:
          service:
            name: bar-service
            port:
              number: 5678
---
brross commented 2 years ago

I double-checked and, indeed, I do have the validating webhook enabled. I'll have to investigate why it's not doing the proper thing in my test environment.

I do think emitting and event message for this would be useful in any case.

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

strongjz commented 2 years ago

@brross any update?

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

rikatz commented 2 years ago

/lifecycle frozen

k8s-triage-robot commented 1 year ago

This issue is labeled with priority/important-soon but has not been updated in over 90 days, and should be re-triaged. Important-soon issues must be staffed and worked on either currently, or very soon, ideally in time for the next release.

You can:

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

k8s-ci-robot commented 1 year ago

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.