Open mfranzil opened 5 days ago
This issue is currently awaiting triage.
If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted
label and provide further guidance.
The triage/accepted
label can be added by org members by writing /triage accepted
in a comment.
/sig api-machinery
/sig cli /remove-sig api-machinery
This might be a client-go thing but I think kubectl should triage it first. /transfer kubectl
Did you test the same steps with different resource (e.g. pods, etc.) other than serviceaccounts?. Because there might be an explicitly defined behavior specifically for serviceaccounts. If this happens other resources as well, I think it requires investigation.
What happened?
Every time
kubectl apply
is used, instead of the direct API call,kubectl
automatically evaluates the correct command to be used (e.g., apatch
for an existent object, acreate
for a new one). To do so, usuallykubectl
runs the following commands (assume I am manipulating a ServiceAccount for simplicity)/openapi/v3/
and/openapi/v3/api/{etc..}
/api/v1/namespaces/{namespace}/serviceaccounts/{my_sa}
- here the decision is taken whether to call additional APIs; if so,/api/v1/namespaces/{namespace}/
The problem is, the GET to the namespace object is completely irrelevant to the calls made after: even if the API call reports a 403, or 404 (extreme corner case in which the namespace was deleted in the middle),
kubectl
mindlessly goes forward with the following call. This leads me to think that this GET to the namespace is irrelevant, and could be skipped.What did you expect to happen?
Either the GET call not to be present or to have some sort of role in the
apply
process.How can we reproduce it (as minimally and precisely as possible)?
kubectl apply
, put a non-existent name and an existent namespace:Inspect the API calls, you will find a GET https://[redacted]:6443/api/v1/namespaces/default 403 Forbidden. Yet, the POST goes forward.
Even without a clusterrole, try creating a ServiceAccount on a non-existent namespace:
your-sa
namespaceapply
goes forward:Anything else we need to know?
No response
Kubernetes version
Cloud provider
OS version
Install tools
Container runtime (CRI) and version (if applicable)
Related plugins (CNI, CSI, ...) and versions (if applicable)