loft-sh / jspolicy

jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript
https://www.jspolicy.com
Apache License 2.0
353 stars 35 forks

fix: Don't create namespace on startup unless needed #110

Closed arsenetar closed 9 months ago

arsenetar commented 9 months ago

This changes the startup code for the secret store to not try to create the namespace as a way to check if it exists. Now it will only attempt if the namespace does not already exist. Submitting a create request can trigger admission webhooks. If there are namespace policies for jspolicy already deployed, this can cause jspolicy to not be able to come back up if the deployment were scaled down or if no pods are running for some other reason. Without this change, the only way to recover is to delete any mutating/validating webhooks on namespaces* pointing to jspolicy, and then the jspolicy pods will be able to start.

NOTE: In some cases namespace webhooks might exclude or only include certain namespaces. However, the jspolicy namespace creation has no labels applied at submission time, so label filters cannot exclude it appropriately if that is how the policies were set up. Inclusion filters of course would be less likely to be a problem.
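
The startup deadlock described in the PR description above, modeled as an added example in Go (not code from this PR or from jspolicy). `fakeAPI`, the error values and both `ensure*` helpers are hypothetical stand-ins, and the model assumes the namespace webhook uses failurePolicy Fail, so a create is rejected while no jspolicy pod can answer it.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for API server responses; these are not client-go types.
var errAlreadyExists = errors.New("namespace already exists")
var errWebhookDown = errors.New("admission webhook unreachable")

// fakeAPI models a cluster whose namespace webhook (failurePolicy Fail assumed) points at jspolicy.
type fakeAPI struct {
	namespaces  map[string]bool
	webhookDown bool // no jspolicy pod is running to answer the webhook
}

// Create passes admission before the existence check, so it can fail for an existing namespace.
func (a *fakeAPI) Create(ns string) error {
	if a.webhookDown {
		return errWebhookDown
	}
	if a.namespaces[ns] {
		return errAlreadyExists
	}
	a.namespaces[ns] = true
	return nil
}

// ensureByCreate: old startup behaviour, create and tolerate AlreadyExists.
func ensureByCreate(a *fakeAPI, ns string) error {
	if err := a.Create(ns); !errors.Is(err, errAlreadyExists) {
		return err
	}
	return nil
}

// ensureByGet: changed behaviour, create only when the namespace is missing.
func ensureByGet(a *fakeAPI, ns string) error {
	if a.namespaces[ns] { // stands in for a GET, which never hits admission webhooks
		return nil
	}
	return a.Create(ns)
}

func main() {
	api := &fakeAPI{namespaces: map[string]bool{"jspolicy": true}, webhookDown: true}
	fmt.Println("create-first:", ensureByCreate(api, "jspolicy"), "| get-first:", ensureByGet(api, "jspolicy"))
}
```

In this model a first install into a cluster that already has such a webhook is still blocked, because the namespace is missing and the create has to be sent.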

netlify[bot] commented 9 months ago

Deploy request for jspolicy-docs pending review.

Visit the deploys page to approve it

Latest commit: 55ac4d16fa3cc456aed271a817a7a1f2207001b4

FabianKramm commented 9 months ago

@arsenetar thanks for the PR! LGTM!