search

open-policy-agent / gatekeeper

🐊 Gatekeeper - Policy Controller for Kubernetes
https://open-policy-agent.github.io/gatekeeper/
Apache License 2.0
3.69k stars 757 forks source link

Panic in ModifySet reconciler #2574

Closed anlandu closed 1 year ago

anlandu commented 1 year ago

What steps did you take and what happened: [A clear and concise description of what the bug is.] Applying the following broken modifyset

apiVersion: mutations.gatekeeper.sh/v1
kind: ModifySet
metadata:
  name: remove-err-logging
spec:

Both gatekeeper-controller-manager and gatekeeper-audit pods panic with the following error:

2023-02-08T03:02:42.350596081Z {"level":"info","ts":1675825362.3505301,"msg":"Observed a panic in reconciler: runtime error: index out of range [-1]","controller":"modifyset-controller","object":{"name":"azurepolicy-remove-err-logging-de999f76c1408514b655"},"namespace":"","name":"azurepolicy-remove-err-logging-de999f76c1408514b655","reconcileID":"6dbe3f17-f488-48cd-a2c4-24a6b2857770"}
2023-02-08T03:02:42.353730562Z panic: runtime error: index out of range [-1] [recovered]
2023-02-08T03:02:42.353746313Z  panic: runtime error: index out of range [-1]
2023-02-08T03:02:42.353748829Z 
2023-02-08T03:02:42.353751679Z goroutine 703 [running]:
2023-02-08T03:02:42.353754593Z sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile.func1()
2023-02-08T03:02:42.353757235Z  /go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:118 +0x1f4
2023-02-08T03:02:42.353759904Z panic({0x20b2180, 0xc00046c660})
2023-02-08T03:02:42.353761974Z  /usr/local/go/src/runtime/panic.go:884 +0x212
2023-02-08T03:02:42.353764402Z github.com/open-policy-agent/gatekeeper/pkg/mutation/mutators/modifyset.MutatorForModifySet(0xc000ce6d80)
2023-02-08T03:02:42.353766810Z  /go/src/github.com/open-policy-agent/gatekeeper/pkg/mutation/mutators/modifyset/modify_set_mutator.go:154 +0x7e5
2023-02-08T03:02:42.353768919Z github.com/open-policy-agent/gatekeeper/pkg/mutation/mutators.MutatorForModifySet(...)
2023-02-08T03:02:42.353771136Z  /go/src/github.com/open-policy-agent/gatekeeper/pkg/mutation/mutators/conversion.go:23
2023-02-08T03:02:42.353773342Z github.com/open-policy-agent/gatekeeper/pkg/controller/mutators/instances.(*Adder).Add.func4({0x272d2b0?, 0xc000ce6900})
2023-02-08T03:02:42.353775577Z  /go/src/github.com/open-policy-agent/gatekeeper/pkg/controller/mutators/instances/mutator_controllers.go:80 +0x96
2023-02-08T03:02:42.353787062Z github.com/open-policy-agent/gatekeeper/pkg/controller/mutators/core.(*Reconciler).reconcileUpsert(0xc0004e2a50, {0x270a528, 0xc00067f920}, {{0xc000514480, 0x17}, {0x1cf2ec4, 0x9}, {0x0, 0x0}, {0xc000dcb800, ...}}, ...)
2023-02-08T03:02:42.353789863Z  /go/src/github.com/open-policy-agent/gatekeeper/pkg/controller/mutators/core/reconciler.go:164 +0x69
2023-02-08T03:02:42.353792693Z github.com/open-policy-agent/gatekeeper/pkg/controller/mutators/core.(*Reconciler).Reconcile(0xc0004e2a50, {0x270a528, 0xc00067f920}, {{{0x0?, 0x10?}, {0xc000dcb800?, 0x40dc27?}}})
2023-02-08T03:02:42.353803892Z  /go/src/github.com/open-policy-agent/gatekeeper/pkg/controller/mutators/core/reconciler.go:134 +0x587
2023-02-08T03:02:42.353806560Z sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile(0x270a480?, {0x270a528?, 0xc00067f920?}, {{{0x0?, 0x2100aa0?}, {0xc000dcb800?, 0x404554?}}})
2023-02-08T03:02:42.353808827Z  /go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:121 +0xc8
2023-02-08T03:02:42.353811363Z sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc000765e00, {0x270a480, 0xc00081c9c0}, {0x1f96600?, 0xc000467640?})
2023-02-08T03:02:42.353813642Z  /go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:320 +0x33c
2023-02-08T03:02:42.353815884Z sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc000765e00, {0x270a480, 0xc00081c9c0})
2023-02-08T03:02:42.353818175Z  /go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:273 +0x1d9
2023-02-08T03:02:42.353820071Z sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2()
2023-02-08T03:02:42.353821992Z  /go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:234 +0x85
2023-02-08T03:02:42.353825701Z created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2
2023-02-08T03:02:42.353828327Z  /go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:230 +0x333

What did you expect to happen: The file validation fails: invalid request (or accepts and then error status)

Anything else you would like to add: [Miscellaneous information that will assist in solving the issue.] Let me know if any other questions!

Environment:

maxsmythe commented 1 year ago

Good find!

Code should definitely be able to handle the zero-case.