redhat-cop / namespace-configuration-operator

The namespace-configuration-operator helps keep configurations related to Users, Groups and Namespaces aligned with one or more policies specified as CRs
Apache License 2.0
204 stars, 55 forks

resource-reconciler: determined that resources are NOT equal #141

Open ilabrovic opened 1 year ago

ilabrovic commented 1 year ago

What are tips/approaches for troubleshooting "resource-reconciler determined that resources are NOT equal" messages? We have a simple namespaceconfig with only 2 rolebinding creations but are unable to keep the operator log clean of these messages, and are wondering why the operator thinks the resources are NOT equal.

ilabrovic commented 1 year ago

Tested/ruled out:

- Rolebinding subjects are not changing, so that can't be it.
- roleRef cannot even be changed in a rolebinding, so that's not it either.
- metadata, as far as I know, is always considered part of excludedPaths (https://github.com/redhat-cop/namespace-configuration-operator#Excluded-Paths).
- And lastly, a rolebinding does not have a status field, so that can't be the problem either.

So I am really wondering why the operator thinks the resources are NOT equal.

raffaelespazzoli commented 1 year ago

Can you paste the manifest you create? Also, do you see it flip-flopping?

ilabrovic commented 1 year ago

Unfortunately not, due to company policies. In short, it only has 1 labelSelector on spec: level to filter the correct namespaces, and then 2 objectTemplates each creating a single RoleBinding. If there are any troubleshooting hints/techniques I could try, that would help.

Maybe increasing the verbosity of the operator, if that is possible?

ilabrovic commented 1 year ago

Good news for this case! We created a couple of rolebindings, but did not specify apiGroup: rbac.authorization.k8s.io for each Group and User in the subjects: part. Kubernetes adds these default fields, and that's why the namespace configuration operator sees an out of sync. Kudos to my community partner GW!

simon-wessel commented 9 months ago

Since release v1.2.5 you can see the diff that caused the reconcile in the logs.

You have to take a close look though. It can be minor things like numbers that are written to a string field and will therefore receive quotation marks, which the operator detects as a diff. Mutation Webhooks are also a possible cause of diffs.
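
As an added illustration (not part of the thread and not the operator's own comparison code), the sketch below diffs a template against the object read back from the API server while skipping `metadata` and `status`. It reproduces the defaulted `subjects[].apiGroup` cause found above and also flags number-versus-string mismatches; the sample manifests, the names in them and the `diff_paths` helper are constructed for the example.

```python
# Added illustration: a plain structural diff, not the operator's own comparison logic.
MISSING = "<absent>"               # marker for a field present on one side only
EXCLUDED = {"metadata", "status"}  # assumption: top-level paths left out of the comparison

def diff_paths(desired, live, path=""):
    """Return (path, desired_value, live_value) for every leaf that differs."""
    out = []
    if isinstance(desired, dict) and isinstance(live, dict):
        for key in sorted(set(desired) | set(live)):
            if path == "" and key in EXCLUDED:
                continue
            out += diff_paths(desired.get(key, MISSING), live.get(key, MISSING),
                              f"{path}/{key}")
    elif isinstance(desired, list) and isinstance(live, list):
        for i in range(max(len(desired), len(live))):
            d = desired[i] if i < len(desired) else MISSING
            l = live[i] if i < len(live) else MISSING
            out += diff_paths(d, l, f"{path}/{i}")
    elif type(desired) is not type(live) or desired != live:
        # The type check catches 8080 vs "8080" as well as changed values.
        out.append((path, desired, live))
    return out

# Constructed sample: the RoleBinding as written in the template ...
DESIRED = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
    "metadata": {"name": "team-edit"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "edit"},
    "subjects": [{"kind": "Group", "name": "team-a"},
                 {"kind": "User", "name": "alice"}],
}
# ... and as read back from the API server, which filled in subjects[].apiGroup.
LIVE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
    "metadata": {"name": "team-edit", "namespace": "demo", "resourceVersion": "12345"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "edit"},
    "subjects": [{"kind": "Group", "name": "team-a", "apiGroup": "rbac.authorization.k8s.io"},
                 {"kind": "User", "name": "alice", "apiGroup": "rbac.authorization.k8s.io"}],
}

if __name__ == "__main__":
    for path, want, got in diff_paths(DESIRED, LIVE):
        print(f"{path}: template={want!r} live={got!r}")
```

Every path it reports is a field to write explicitly in the template so that the stored object and the template agree.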