Ratify - assign mutators query

[pankajmt]

What happened in your environment?

We saw a spike of mutations for replicasets when ratify was being installed to a cluster. Also a Deployment had 2000 replicasets which we do not fully understand yet.

What did you expect to happen?

No response

What version of Kubernetes are you running?

1.27

What version of Ratify are you running?

1.2.0

Anything else you would like to add?

https://github.com/ratify-project/ratify/blob/ae4385b5bd343708f28f4739958ba2ed6c38e6af/charts/ratify/templates/assign.yaml#L33

So this installs the mutator for all possible workload resources, although there is one for pods too. Any specific reason it was done this way?

Are you willing to submit PRs to contribute to this bug fix?

• [ ] Yes, I am willing to implement it.

[emalprokt]

https://github.com/open-policy-agent/gatekeeper/issues/2963

This is an issue caused by conflicting mutations and seems to already have been raised in Gatekeeper.

[pankajmt]

good find. the recreation is pretty detailed, nice. looks like "Fix Test Deployments" would do the trick, but we can always tickle the deployment.

On Fri, Jun 28, 2024 at 9:06 AM Sushant Adhikari @.***> wrote:

open-policy-agent/gatekeeper#2963 https://github.com/open-policy-agent/gatekeeper/issues/2963

This is an issue caused by conflicting mutations and seems to already have been raised in Gatekeeper.

— Reply to this email directly, view it on GitHub https://github.com/ratify-project/ratify/issues/1593#issuecomment-2195806134, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHVJHSXCLLET3VIEN6T6AHLZJSLJFAVCNFSM6AAAAABJ5FIR2SVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCOJVHAYDMMJTGQ . You are receiving this because you authored the thread.Message ID: @.***>

[binbin-li]

Thanks for finding the issue! @akashsinghal @susanshi looking into the GK issue, probably we can also consider expansion template for mutation.