openservicemesh / osm

Open Service Mesh (OSM) is a lightweight, extensible, cloud native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
https://openservicemesh.io/
Apache License 2.0

OSM-Init Container Limits and Request CPU Mem are not applied #5287

Closed vimorra closed 1 year ago

vimorra commented 1 year ago

Bug description: Even if the sidecar resources are defined in the service mesh, osm-init is not configured with this config, and this does not allow deploying in a K8S cluster with an OPA policy requiring limits and requests for each POD.

Affected area (please mark with X where applicable):

Expected behavior: the expected behavior is that the limits and requests also apply to the osm-init and not only to the envoy sidecar.

Steps to reproduce the bug (as precisely as possible):

```
Name:             poc-app-bbc5645f6.17445f9b5fc40600
Namespace:        cis
Labels:
Annotations:
API Version:      v1
Count:            7
Event Time:
First Timestamp:  2023-02-16T17:54:42Z
Involved Object:
  API Version:       apps/v1
  Kind:              ReplicaSet
  Name:              poc-app-bbc5645f6
  Namespace:         cis
  Resource Version:  7883160
  UID:               54c23b6c-39c7-4395-9ef6-9c013bd994d5
Kind:             Event
Last Timestamp:   2023-02-16T17:57:26Z
Message:          (combined from similar events): Error creating: pods "poc-app-bbc5645f6-lzg4j" is forbidden: failed quota: mem-cpu-demo: must specify limits.cpu for: osm-init; limits.memory for: osm-init; requests.cpu for: osm-init; requests.memory for: osm-init
Metadata:
  Creation Timestamp:  2023-02-16T17:54:42Z
  Managed Fields:
    API Version:  v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:count:
      f:firstTimestamp:
      f:involvedObject:
      f:lastTimestamp:
      f:message:
      f:reason:
      f:source:
        f:component:
      f:type:
    Manager:          kube-controller-manager
    Operation:        Update
    Time:             2023-02-16T17:57:26Z
  Resource Version:  57118
  UID:               ebc779a6-0eb2-44be-94b5-6ca0ec58f0e8
Reason:           FailedCreate
Reporting Component:
Reporting Instance:
Source:
  Component:  replicaset-controller
Type:         Warning
Events:
```

```
Name:         osm-mesh-config
Namespace:    kube-system
Labels:
Annotations:
API Version:  config.openservicemesh.io/v1alpha2
Kind:         MeshConfig
Metadata:
  Creation Timestamp:  2023-02-10T15:47:40Z
  Generation:          4
  Managed Fields:
    API Version:  config.openservicemesh.io/v1alpha2
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:certificate:
          .:
          f:certKeyBitSize:
          f:serviceCertValidityDuration:
        f:featureFlags:
          .:
          f:enableAsyncProxyServiceMapping:
          f:enableEgressPolicy:
          f:enableEnvoyActiveHealthChecks:
          f:enableIngressBackendPolicy:
          f:enableRetryPolicy:
          f:enableSnapshotCacheMode:
          f:enableWASMStats:
        f:observability:
          .:
          f:enableDebugServer:
          f:osmLogLevel:
          f:tracing:
            .:
            f:enable:
        f:sidecar:
          .:
          f:configResyncInterval:
          f:enablePrivilegedInitContainer:
          f:localProxyMode:
          f:logLevel:
          f:resources:
          f:tlsMaxProtocolVersion:
          f:tlsMinProtocolVersion:
        f:traffic:
          .:
          f:enableEgress:
          f:enablePermissiveTrafficPolicyMode:
          f:inboundExternalAuthorization:
            .:
            f:enable:
            f:failureModeAllow:
            f:statPrefix:
            f:timeout:
          f:inboundPortExclusionList:
          f:networkInterfaceExclusionList:
          f:outboundIPRangeInclusionList:
          f:outboundPortExclusionList:
    Manager:      osm-bootstrap
    Operation:    Update
    Time:         2023-02-10T15:47:40Z
    API Version:  config.openservicemesh.io/v1alpha2
    Fields Type:  FieldsV1
    fieldsV1:
      f:spec:
        f:sidecar:
          f:resources:
            f:limits:
              .:
              f:cpu:
              f:memory:
            f:requests:
              .:
              f:cpu:
              f:memory:
        f:traffic:
          f:outboundIPRangeExclusionList:
    Manager:         kubectl-edit
    Operation:       Update
    Time:            2023-02-16T17:53:41Z
  Resource Version:  7882797
  UID:               a58bbd3f-9174-4653-865d-ca9fc3689444
Spec:
  Certificate:
    Cert Key Bit Size:               2048
    Service Cert Validity Duration:  24h
  Feature Flags:
    Enable Async Proxy Service Mapping:  false
    Enable Egress Policy:                true
    Enable Envoy Active Health Checks:   false
    Enable Ingress Backend Policy:       true
    Enable Retry Policy:                 false
    Enable Snapshot Cache Mode:          false
    Enable WASM Stats:                   true
  Observability:
    Enable Debug Server:  true
    Osm Log Level:        info
    Tracing:
      Enable:  false
  Sidecar:
    Config Resync Interval:            0s
    Enable Privileged Init Container:  false
    Local Proxy Mode:                  Localhost
    Log Level:                         error
    Resources:
      Limits:
        Cpu:     500m
        Memory:  512Mi
      Requests:
        Cpu:                   200m
        Memory:                256Mi
    Tls Max Protocol Version:  TLSv1_3
    Tls Min Protocol Version:  TLSv1_2
  Traffic:
    Enable Egress:                          true
    Enable Permissive Traffic Policy Mode:  true
    Inbound External Authorization:
      Enable:              false
      Failure Mode Allow:  false
      Stat Prefix:         inboundExtAuthz
      Timeout:             1s
    Inbound Port Exclusion List:
    Network Interface Exclusion List:
    Outbound IP Range Exclusion List:
      172.23.0.0/16
    Outbound IP Range Inclusion List:
    Outbound Port Exclusion List:
Events:
```

How was OSM installed?: Azure AKS Addon, OSM Version: 1.2.3

Anything else we need to know?:

Bug report archive:

Environment:
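The event above is worth reading closely: every application container and the injected envoy sidecar carry the MeshConfig `sidecar.resources`, yet the quota rejects the pod because Kubernetes evaluates a ResourceQuota (and a Gatekeeper/Azure Policy constraint of the same kind) over `initContainers` as well as `containers`, and `osm-init` has no `resources` block at all. The following script is an added example, not OSM code and not something the project ships: it reproduces that admission check over a hand-constructed pod spec shaped like the injected pod in the issue (container names and the `mem-cpu-demo` quota name are taken from the error message; images and the app container's resource values are assumptions), renders the same error string, and shows the patch an injected pod would need before this quota admits it.

```python
"""
Reproduces the ResourceQuota admission check behind the FailedCreate event.

Added example, not OSM code. INJECTED_POD is constructed by hand to match the
issue: the envoy sidecar carries the MeshConfig resources, osm-init has none.
"""
import copy
import json

# Fields a quota that constrains cpu/memory requires on every container.
REQUIRED = ("limits.cpu", "limits.memory", "requests.cpu", "requests.memory")

# Constructed pod spec (assumed images and app-container values).
INJECTED_POD = {
    "metadata": {"name": "poc-app-bbc5645f6-lzg4j", "namespace": "cis"},
    "spec": {
        "initContainers": [
            {"name": "osm-init", "image": "osm-init"},  # no resources block
        ],
        "containers": [
            {"name": "poc-app", "image": "poc-app",
             "resources": {"limits": {"cpu": "250m", "memory": "128Mi"},
                           "requests": {"cpu": "100m", "memory": "64Mi"}}},
            {"name": "envoy", "image": "envoy",  # MeshConfig sidecar.resources
             "resources": {"limits": {"cpu": "500m", "memory": "512Mi"},
                           "requests": {"cpu": "200m", "memory": "256Mi"}}},
        ],
    },
}


def missing_resources(pod):
    """Return {container_name: [missing field, ...]}.

    Init containers are walked first because quota evaluation covers them too;
    this is why the event names osm-init while every app container is fine.
    """
    spec = pod["spec"]
    missing = {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        res = c.get("resources", {})
        gaps = []
        for field in REQUIRED:
            section, resource = field.split(".")
            if not res.get(section, {}).get(resource):
                gaps.append(field)
        if gaps:
            missing[c["name"]] = gaps
    return missing


def quota_error(pod, quota_name):
    """Render the message the replicaset-controller reported, or None if admitted."""
    missing = missing_resources(pod)
    if not missing:
        return None
    parts = [f"{gap} for: {name}" for name, gaps in missing.items() for gap in gaps]
    return (f'pods "{pod["metadata"]["name"]}" is forbidden: failed quota: '
            f"{quota_name}: must specify " + "; ".join(parts))


def with_init_resources(pod, resources):
    """Copy of the pod with `resources` set on every init container lacking them.

    This is the shape a mutating webhook or an overlay patch would have to
    produce; per the issue, OSM 1.2.3 does not apply MeshConfig resources to
    osm-init itself. The input pod is not modified.
    """
    patched = copy.deepcopy(pod)
    for c in patched["spec"].get("initContainers", []):
        c.setdefault("resources", copy.deepcopy(resources))
    return patched


if __name__ == "__main__":
    print(quota_error(INJECTED_POD, "mem-cpu-demo"))
    fixed = with_init_resources(
        INJECTED_POD,
        {"limits": {"cpu": "100m", "memory": "64Mi"},
         "requests": {"cpu": "50m", "memory": "32Mi"}},
    )
    print(quota_error(fixed, "mem-cpu-demo"))
    print(json.dumps(fixed["spec"]["initContainers"][0], indent=2))
```

Running it prints the exact `must specify limits.cpu for: osm-init; ...` string from the event for the original pod and `None` for the patched one. The init-container values chosen in `with_init_resources` are arbitrary; what matters for the quota is that all four fields are present, so a quota-gated namespace needs every injected init container covered, not just the sidecar.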

keithmattix commented 1 year ago

To make sure I'm understanding you correctly, you're saying that you have an OPA policy blocking OSM sidecar injection because the osm-init initContainer does not have CPU or memory limits?

vimorra commented 1 year ago

We have an Azure Policy Addon with a policy that denies deploying PODs without limits and requests. From an OSM point of view, with the sidecar config in the meshconfig, it seems that the config affects only the envoy sidecar and not the osm-init. How is it possible to configure the resources also for the osm-init?

github-actions[bot] commented 1 year ago

This issue will be closed due to a long period of inactivity. If you would like this issue to remain open then please comment or update.

github-actions[bot] commented 1 year ago

Issue closed due to inactivity.