kubewarden / kubewarden-controller

Manage admission policies in your Kubernetes cluster with ease
https://kubewarden.io
Apache License 2.0

[E2E] Invalid argument "null" for "--revision" flag: strconv.ParseInt: parsing "null": invalid syntax #736

Closed kravciak closed 1 month ago

kravciak commented 1 month ago

Nightly job failed with `Invalid argument "null" for "--revision" flag: strconv.ParseInt: parsing "null": invalid syntax`: https://github.com/kubewarden/kubewarden-controller/actions/runs/9025232028/job/24800634936

I tried to run it locally and found out that if I use the latest controller image, I get this error:

~ k get clusteradmissionpolicies privileged-pods -o yaml
    message: The policy webhook has not been created
    reason: PolicyActive
    status: "False"

~ k logs -n kubewarden kubewarden-controller-7b69b8b588-lfcs7
{
  "level": "error",
  "ts": "2024-05-10T08:50:30Z",
  "msg": "Reconciler error",
  "controller": "clusteradmissionpolicy",
  "controllerGroup": "policies.kubewarden.io",
  "controllerKind": "ClusterAdmissionPolicy",
  "ClusterAdmissionPolicy": {
    "name": "privileged-pods"
  },
  "namespace": "",
  "name": "privileged-pods",
  "reconcileID": "91bf247e-32df-4e16-936d-194ca44f3262",
  "error": "error reconciling validating webhook\ncannot reconcile validating webhook: validatingwebhookconfigurations.admissionregistration.k8s.io \"clusterwide-privileged-pods\" is forbidden: User \"system:serviceaccount:kubewarden:kubewarden-controller\" cannot update resource \"validatingwebhookconfigurations\" in API group \"admissionregistration.k8s.io\" at the cluster scope",
  "stacktrace": "sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.1/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.1/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.1/pkg/internal/controller/controller.go:222"
}

I am not sure if those 2 errors are related or not.

jvanz commented 1 month ago

Reading the error message, we can see that the controller does not have the permissions to update the webhook resources. This makes sense because, if we take a look at the kubebuilder directive, it has permissions to patch the resources only. That explains why we are seeing this error: in a recent change to use the controller-runtime helper functions, we started to use CreateOrUpdate to update the resources. We should use CreateOrPatch. I'll update the code to use the latter helper function.
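The mismatch described in the comment above, as an added example that is not part of the original thread or the project's code: controller-runtime's CreateOrUpdate issues get plus create or update, while CreateOrPatch issues get plus create or patch, so a check over the kubebuilder RBAC markers can flag the missing verb before deployment. The marker string is a constructed sample, `MissingVerbs` is a hypothetical helper, and matching is by resource name only (API groups are ignored).

```go
package main

import (
	"fmt"
	"strings"
)

// Verbs each controller-runtime helper uses on the object it reconciles.
var helperVerbs = map[string][]string{
	"CreateOrUpdate": {"get", "create", "update"},
	"CreateOrPatch":  {"get", "create", "patch"},
}
// Constructed sample marker, not the project's actual directive: grants patch, not update.
const sampleMarker = "//+kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=get;list;watch;create;delete;patch"
// MissingVerbs lists the verbs helper needs on resource that no marker grants.
func MissingVerbs(markers []string, resource, helper string) []string {
	granted := map[string]bool{}
	for _, line := range markers {
		_, body, ok := strings.Cut(line, "+kubebuilder:rbac:")
		if !ok {
			continue // not an RBAC marker
		}
		fields := map[string]string{}
		for _, kv := range strings.Split(body, ",") {
			k, v, _ := strings.Cut(strings.TrimSpace(kv), "=")
			fields[k] = strings.Trim(v, `"`)
		}
		res := ";" + fields["resources"] + ";"
		if !strings.Contains(res, ";"+resource+";") && !strings.Contains(res, ";*;") {
			continue // marker covers other resources
		}
		for _, v := range strings.Split(fields["verbs"], ";") {
			granted[v] = true
		}
	}
	var missing []string
	for _, v := range helperVerbs[helper] {
		if !granted[v] && !granted["*"] {
			missing = append(missing, v)
		}
	}
	return missing
}

func main() {
	for _, h := range []string{"CreateOrUpdate", "CreateOrPatch"} {
		fmt.Println(h, "missing:", MissingVerbs([]string{sampleMarker}, "validatingwebhookconfigurations", h))
	}
}
```

Run in CI against the markers in the controller source, a non-empty result for the helper in use means either the helper or the generated ClusterRole has to change; switching helpers keeps the role narrower than adding the verb.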

flavio commented 1 month ago

The fix is merged in main. We will soon tag RC1 including this fix.

flavio commented 1 month ago

Reopening, @jvanz saw it again, but @kravciak might have fixed it in the meantime.

kravciak commented 1 month ago

Closing in favor of https://github.com/kubewarden/kubewarden-controller/issues/745