Closed spkane closed 1 year ago
I think the extra wrinkle might be that it's an Azure controller that is adding the control-plane
matchExpression, not the jspolicy controller. Seems like this issue on cert-manager is more or less about the same problem: https://github.com/cert-manager/cert-manager/issues/4114
The fix here might simply be to clearly document that this is a known issue on Azure and provide people with the workaround of adding the Azure namespaceSelector
in addition to any others that they may want to be defined.
This was a tough one...and appears to be a significant bug.
For context, I am deploying jspolicy via ArgoCD (using kustomize's Helm support), and there was some troubleshooting for this issue in the loft.sh Slack.
The conversation can be found here:
We are using the newest v0.2.2 helm chart.
The Issue
Adding a
namespaceSelector
to akind: JsPolicy
object causes an infinite create/destroy loop for the resultingvalidatingwebhookconfiguration
.Reproduction Use Case
Create a
kind: JsPolicy
manifest that includes anamespaceSelector
, like so:This should create a loop where running something like
kubectl get validatingwebhookconfiguration --watch
will result in an endless scroll like this:The Workaround
After much investigation, the current workaround is to add an item to the
matchExpressions
map.So, the whole
kind: JsPolicy
manifest looks like this:Summary
It appears like the controller (jspolicy pod) is fighting with the
kind: JsPolicy
object. The jspolicy object defines a singlenamespaceSelector
, yet, the controller wants to add an additional one, which appears to create this infinite loop, unless thekind: JsPolicy
object also defines the additionalnamespaceSelector
that the operator is expecting.