open-policy-agent / kube-mgmt

Sidecar for managing OPA instances in Kubernetes.
Apache License 2.0

Breaking change on 6.0.0 or greater #229

Closed BlueSeph28 closed 1 year ago

BlueSeph28 commented 1 year ago

I'm trying to upgrade my OPA and kube-mgmt stack in a k8s cluster. I'm not using a chart; all resources are deployed separately with Terraform.

I was using OPA 0.38.1 and I managed to upgrade it to 0.57.1; it works as is.

The issue is when I try to upgrade kube-mgmt from 2.0.1 to some version greater than 4.1.1.

When I use 4.1.1 everything works and my configmaps with Rego policies work as expected; the annotation openpolicyagent.org/policy-status: {"status":"ok"} is also in place.

When I upgrade to 6.0.0 all configmaps are ignored. I'm not sure if there is something I'm missing (a new annotation or a new type of connection); I didn't find anything in the docs.

All configmaps are created in the OPA namespace. I'm expecting all configmaps to be discovered and labeled as ok or in error, but I didn't get any annotation.

kube-mgmt 6.0.0 logs

time="2023-10-25T20:32:35Z" level=warning msg="First line of log stream."
time="2023-10-25T20:32:35Z" level=info msg="Syncing v1/services."
time="2023-10-25T20:32:35Z" level=info msg="Syncing networking.k8s.io/v1/ingresses."
time="2023-10-25T20:32:35Z" level=info msg="Syncing v1/namespaces."
time="2023-10-25T20:32:35Z" level=info msg="Syncing apps/v1/deployments."
time="2023-10-25T20:32:35Z" level=info msg="Listed networking.k8s.io/v1/ingresses and got 0 resources with resourceVersion 2480963. Took 8.909
time="2023-10-25T20:32:35Z" level=info msg="Loaded networking.k8s.io/v1/ingresses resources into OPA. Took 1.735573ms. Starting watch at resou
time="2023-10-25T20:32:35Z" level=info msg="Listed v1/namespaces and got 41 resources with resourceVersion 2480963. Took 20.58869ms."
time="2023-10-25T20:32:35Z" level=info msg="Listed v1/services and got 33 resources with resourceVersion 2480963. Took 23.186283ms."
time="2023-10-25T20:32:35Z" level=info msg="Loaded v1/namespaces resources into OPA. Took 4.019949ms. Starting watch at resourceVersion 248096
time="2023-10-25T20:32:35Z" level=info msg="Loaded v1/services resources into OPA. Took 6.31844ms. Starting watch at resourceVersion 2480963."
time="2023-10-25T20:32:35Z" level=info msg="Listed apps/v1/deployments and got 35 resources with resourceVersion 2480963. Took 33.361303ms."
time="2023-10-25T20:32:35Z" level=info msg="Loaded apps/v1/deployments resources into OPA. Took 7.447517ms. Starting watch at resourceVersion

kube-mgmt 4.1.1 logs

time="2023-10-24T20:59:50Z" level=info msg="Policy/data ConfigMap processor connected to K8s: namespaces=[opa]"
time="2023-10-24T20:59:50Z" level=info msg="Initial informer sync for v1/services completed, took 100.942908ms"
time="2023-10-24T20:59:50Z" level=info msg="Syncing v1/services."
time="2023-10-24T20:59:50Z" level=info msg="Initial informer sync for apps/v1/deployments completed, took 100.84714ms"
time="2023-10-24T20:59:50Z" level=info msg="Syncing apps/v1/deployments."
time="2023-10-24T20:59:50Z" level=info msg="Initial informer sync for v1/namespaces completed, took 100.869596ms"
time="2023-10-24T20:59:50Z" level=info msg="Syncing v1/namespaces."
time="2023-10-24T20:59:50Z" level=info msg="Initial informer sync for networking.k8s.io/v1/ingresses completed, took 100.909546ms"
time="2023-10-24T20:59:50Z" level=info msg="Syncing networking.k8s.io/v1/ingresses."
time="2023-10-24T20:59:50Z" level=info msg="Loaded 0 resources of kind networking.k8s.io/v1/ingresses into OPA. Took 2.225891ms"
time="2023-10-24T20:59:50Z" level=info msg="Loaded 41 resources of kind v1/namespaces into OPA. Took 7.210582ms"
time="2023-10-24T20:59:51Z" level=info msg="Loaded 33 resources of kind v1/services into OPA. Took 8.124719ms"
time="2023-10-24T20:59:51Z" level=info msg="Loaded 35 resources of kind apps/v1/deployments into OPA. Took 14.661098ms"

BlueSeph28 commented 1 year ago

Now it's working: I've added the label openpolicyagent.org/policy: rego to the policies and now it works!

Maybe it's worth adding to the README.md that the labels are necessary now; from reading it I thought they were optional... can you confirm if that's right or just a coincidence?

I'm using the default namespace opa, and just adding the label to the policies makes it work. ✨

eshepelyuk commented 1 year ago

Hello

It is already in the README, explaining that kube-mgmt detects config maps with policies or data when they contain specific labels.

https://github.com/open-policy-agent/kube-mgmt/blob/master/README.md#policies-and-data-loading
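
As an added example (not part of this thread and not kube-mgmt's own code): a small Python audit that walks the ConfigMaps of the opa namespace, either from a saved `kubectl get configmaps -n opa -o json` file or from the constructed sample embedded below, and reports which ones carry the `openpolicyagent.org/policy: rego` label and what status kube-mgmt wrote into the `openpolicyagent.org/policy-status` annotation. Its point is the failure mode described above: a Rego ConfigMap that lacks the label is not loaded at all, so it also never receives a status annotation and the gap is silent. The `.rego`-key / `package`-clause heuristic and the category names are this example's own assumptions, not anything kube-mgmt defines.

```python
import json
import sys

# Label kube-mgmt selects policy ConfigMaps by (from the thread) and the
# status annotation it writes back once a policy has been loaded.
POLICY_LABEL = "openpolicyagent.org/policy"
POLICY_LABEL_VALUE = "rego"
STATUS_ANNOTATION = "openpolicyagent.org/policy-status"

# Constructed sample ConfigMaps, shaped like the "items" array of
# `kubectl get configmaps -n opa -o json`. Not real cluster data.
SAMPLE_CONFIGMAPS = [
    {   # labeled, loaded, status annotation written by kube-mgmt
        "metadata": {
            "name": "deny-privileged", "namespace": "opa",
            "labels": {POLICY_LABEL: POLICY_LABEL_VALUE},
            "annotations": {STATUS_ANNOTATION: json.dumps({"status": "ok"})},
        },
        "data": {"main.rego": "package kubernetes.admission\n\ndeny[msg] { msg := \"x\" }"},
    },
    {   # labeled, but kube-mgmt reported a compile error
        "metadata": {
            "name": "broken-policy", "namespace": "opa",
            "labels": {POLICY_LABEL: POLICY_LABEL_VALUE},
            "annotations": {STATUS_ANNOTATION: json.dumps({"status": "error"})},
        },
        "data": {"broken.rego": "package kubernetes.admission\n\ndeny[msg] {"},
    },
    {   # Rego content but no label: the thread's situation after upgrading to 6.0.0
        "metadata": {"name": "legacy-policy", "namespace": "opa", "labels": {}, "annotations": {}},
        "data": {"legacy.rego": "package kubernetes.admission\n\ndeny[msg] { msg := \"y\" }"},
    },
    {   # unrelated ConfigMap in the same namespace, correctly ignored
        "metadata": {"name": "app-settings", "namespace": "opa", "labels": {"app": "web"}},
        "data": {"LOG_LEVEL": "info"},
    },
]


def looks_like_policy(cm: dict) -> bool:
    """Heuristic (assumption of this example): a ConfigMap holds Rego if any
    key ends in .rego or any value opens with a Rego package clause."""
    data = cm.get("data") or {}
    return any(k.endswith(".rego") or v.lstrip().startswith("package ")
               for k, v in data.items())


def classify(cm: dict) -> str:
    """Return one of: ok, error, labeled-no-status, labeled-bad-status,
    unlabeled-policy, not-a-policy."""
    meta = cm.get("metadata") or {}
    labels = meta.get("labels") or {}
    annotations = meta.get("annotations") or {}
    if labels.get(POLICY_LABEL) != POLICY_LABEL_VALUE:
        # Not selected by kube-mgmt at all, so no status will ever be written.
        return "unlabeled-policy" if looks_like_policy(cm) else "not-a-policy"
    raw = annotations.get(STATUS_ANNOTATION)
    if raw is None:
        return "labeled-no-status"      # selected but not (yet) processed
    try:
        status = json.loads(raw).get("status")
    except (ValueError, AttributeError):
        return "labeled-bad-status"     # annotation present but not the expected JSON
    return "ok" if status == "ok" else "error"


def audit(configmaps) -> dict:
    """Group ConfigMap names by the category classify() assigns them."""
    report = {}
    for cm in configmaps:
        name = (cm.get("metadata") or {}).get("name", "<unnamed>")
        report.setdefault(classify(cm), []).append(name)
    return report


def main() -> None:
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:        # saved `kubectl get configmaps -n opa -o json`
            items = json.load(fh).get("items", [])
    else:
        items = SAMPLE_CONFIGMAPS
    report = audit(items)
    for category, names in sorted(report.items()):
        print(f"{category:20} {', '.join(names)}")
    for name in report.get("unlabeled-policy", []):
        # Rego without the selector label is silently skipped; this is the fix from the thread.
        print(f"missing label, run: kubectl label configmap {name} -n opa "
              f"{POLICY_LABEL}={POLICY_LABEL_VALUE}")


if __name__ == "__main__":
    main()
```

Run it with no argument to see the sample report, or pass the path of a saved `kubectl get configmaps -n opa -o json` dump. Anything in `unlabeled-policy` is the silent case from this issue; `error` entries are the ones kube-mgmt did see but rejected, and their full error text is in the annotation itself.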

anderseknert commented 1 year ago

It's still interesting why this worked in previous versions though. Did we change something with regard to this?

BlueSeph28 commented 1 year ago

Yeah, same thought; that's the reason I didn't close the issue. It was working without labels until 4.1.1.