Closed sfudeus closed 2 weeks ago
@sfudeus Thanks for reporting the issue. The initialisation logic is here: https://github.com/projectcalico/calico/blob/07ad564f962be48c14c38abfaa159319770bda6b/libcalico-go/lib/clientv3/client.go#L236 The method is supposed to be best effort, and is called from multiple places. As such, if a cluster is already initialised, the subsequent calls must not lead to error. It seems not giving Typha the create permission to create tiers, causes it to not to startup, which is a bug.
I believe your 3rd suggestion, is the best approach. This will be fixed in the next patch release.
This PR should fix the issue: https://github.com/projectcalico/calico/pull/9446
Closing since the fix and its back port is now merged. The issue should be fixed in v3.29.1 patch release.
3.29.0 introduced the new policy tiers. According to the docs, the default tier and the AdminNetworkPolicy tier are supposed to be auto-created. calico-kube-controllers even has the permissions to do so and seemingly has created these.
I'm aware that using https://github.com/projectcalico/calico/tree/master/charts/calico is not a supported means for installing and maintaining Calico, but it causes incomplete manifests even just for documentation.
Expected Behavior
The new tiers are auto-created by a component which has the permissions to do so, the others just consume them.
Current Behavior
Seemingly calico-kube-controllers does create the new tier objects. But typha as well tries to, and fails with permission issues. This seems to be caused by the fact the existence is checked by creation and reaction to an
ErrorResourceAlreadyExists
error (see client.go#408 and 429). This causes typha to fail as long as it hasn't create permissions.In charts/calico, Typha is set up running with
serviceAccountName: calico-node
. calico-node is only set up with read,list,watch permissions for tiers. (https://github.com/projectcalico/calico/blob/master/charts/calico/templates/calico-node-rbac.yaml#L113). Likely this makes sense, to not allow calico-node to manipulate/create tiers in normal operations, but if they do have logic to recreate them on demand/on migration, they need the permissions to do so - or the logic to migrate must be adapted to cope with not having permission.Possible Solution
Either
Steps to Reproduce
Your Environment