redradrat / aws-iam-operator

AWS IAM Operator for Kubernetes
Apache License 2.0

Error while updating the policy if it's attached to role #13

Closed SnehaMore20 closed 4 years ago

SnehaMore20 commented 4 years ago

If the policy is already attached to a role and we try to update the policy, it gives an error:

    ERROR controller-runtime.controller Reconciler error {"controller": "policy", "request": "<namespace>/<policy-name>", "error": "cannot delete policy due to existing PolicyAttachment '<policyattachment>/<namespace>'"}

SnehaMore20 commented 4 years ago

Now able to update the policy even if it's attached to a role, but this leads to other issues:

  1. After updating the policy, it creates one more version of the policy, and now we are not able to delete the policy:

    2020-06-15T09:47:53.417Z ERROR controllers.Policy unable to delete Policy {"policy": "kube-system/aws-cluster-autoscaler", "error": "DeleteConflict: This policy has more than one version. Before you delete a policy, you must delete the policy's versions. The default version is deleted with the policy.\n\tstatus code: 409, request id: 65d19350-d400-49e2-bfea-db3c65e5cacd"}

  2. Not able to delete the policy even if the policy has only the default version:

    2020-06-17T07:55:25.767Z    ERROR   controllers.Policy  unable to delete Policy {"policy": "kube-system/aws-cluster-autoscaler", "error": "DeleteConflict: Cannot delete the default version of a policy.\n\tstatus code: 409, request id: 1c600a4b-6b76-4375-a3bf-4eceb80afeb8"}
    github.com/go-logr/zapr.(*zapLogger).Error
    /go/pkg/mod/github.com/go-logr/zapr@v0.1.0/zapr.go:128
    github.com/redradrat/aws-iam-operator/controllers.(*PolicyReconciler).Reconcile
    /workspace/controllers/policy_controller.go:111
    sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
    /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.5.0/pkg/internal/controller/controller.go:256
    sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
    /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.5.0/pkg/internal/controller/controller.go:232
    sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker
    /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.5.0/pkg/internal/controller/controller.go:211
    k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1
    /go/pkg/mod/k8s.io/apimachinery@v0.17.2/pkg/util/wait/wait.go:152
    k8s.io/apimachinery/pkg/util/wait.JitterUntil
    /go/pkg/mod/k8s.io/apimachinery@v0.17.2/pkg/util/wait/wait.go:153
    k8s.io/apimachinery/pkg/util/wait.Until
    /go/pkg/mod/k8s.io/apimachinery@v0.17.2/pkg/util/wait/wait.go:88

redradrat commented 4 years ago

@SnehaMore20 I pushed the latest update to master to prevent deletion of the default policy version. Can you please check?

redradrat commented 4 years ago

This should be fixed now in master.
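
The deletion order implied by the two `DeleteConflict` messages in this thread, as an added Go example that is not the operator's code: delete every non-default version, never the default one, then delete the policy. `fakeIAM`, `version`, `deletePolicyCleanly` and the ARN are hypothetical names, and the fake is a constructed in-memory model of only those two rules, not the AWS SDK.

```go
package main

import "errors"

// version holds the two fields of an IAM policy version that cleanup needs.
type version struct {
	ID        string
	IsDefault bool
}

// fakeIAM is a constructed in-memory stand-in for IAM (not the AWS SDK) that
// enforces the two DeleteConflict rules quoted in the logs above.
type fakeIAM struct{ versions map[string][]version }

func (f *fakeIAM) DeletePolicyVersion(arn, id string) error {
	for i, v := range f.versions[arn] {
		if v.ID == id && !v.IsDefault {
			f.versions[arn] = append(f.versions[arn][:i], f.versions[arn][i+1:]...)
			return nil
		}
	}
	return errors.New("DeleteConflict: cannot delete the default (or an unknown) version")
}

func (f *fakeIAM) DeletePolicy(arn string) error {
	if len(f.versions[arn]) > 1 {
		return errors.New("DeleteConflict: this policy has more than one version")
	}
	delete(f.versions, arn)
	return nil
}

// deletePolicyCleanly (hypothetical helper) deletes every non-default version,
// skips the default one, then deletes the policy, which removes the default.
func deletePolicyCleanly(f *fakeIAM, arn string) error {
	for _, v := range append([]version(nil), f.versions[arn]...) { // copy: deletes mutate the list
		if v.IsDefault {
			continue
		}
		if err := f.DeletePolicyVersion(arn, v.ID); err != nil {
			return err
		}
	}
	return f.DeletePolicy(arn)
}

func main() {
	f := &fakeIAM{versions: map[string][]version{"arn:constructed": {{"v1", false}, {"v2", true}}}}
	println("deleted cleanly:", deletePolicyCleanly(f, "arn:constructed") == nil)
}
```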