Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AKS' Admission Enforcer mutates ControlPlane's ValidatingWebhookConfiguration which causes a perpetual reconciliation loop #239

Open
pmalek opened this issue Apr 30, 2024 · 0 comments
Open

AKS' Admission Enforcer mutates ControlPlane's ValidatingWebhookConfiguration which causes a perpetual reconciliation loop #239

pmalek opened this issue Apr 30, 2024 · 0 comments
Labels
area/azure bug Something isn't working
Milestone
KGO v1.4.x

Comments

@pmalek
Copy link
Member

pmalek commented Apr 30, 2024
edited

Current Behavior

When KGO is running against an AKS cluster, that cluster's Admission Enforcer patches all ValidatingWebhookConfigurations so that it does not check AKS managed resources, which have the kubernetes.azure.com/managedby=aks label set.

This is in conflict with KGO's mechanism to patch the in cluster resource if it's different than the one that's generated.

  []v1.ValidatingWebhook{
  	{
  		... // 3 identical fields
  		FailurePolicy: &"Ignore",
  		MatchPolicy:   &"Equivalent",
  		NamespaceSelector: &v1.LabelSelector{
  			MatchLabels: nil,
- 			MatchExpressions: []v1.LabelSelectorRequirement{
- 				{
- 					Key:      "kubernetes.azure.com/managedby",
- 					Operator: "NotIn",
- 					Values:   []string{"aks"},
- 				},
- 				{Key: "control-plane", Operator: "NotIn", Values: []string{"true"}},
- 			},
+ 			MatchExpressions: nil,
  		},
  		ObjectSelector: &{},
  		SideEffects:    &"None",
  		... // 3 identical fields
  	},
...

Expected Behavior

Reconciliation succeeds.

Proposed solutions

Steps To Reproduce

  1. Run KGO against an AKS cluster (set logs to trace log level using helm's arg: --set env.zap_log_level=2)
  2. Deploy Gateway (e.g. using https://github.com/Kong/gateway-operator/blob/36c58ab4dd9a449627e14381cf1fc63f362b9903/config/samples/gateway-with-gatewayconfiguration.yaml). 2 Gateways make it more apparent, not sure 100% why that's the case.
  3. Observe ControlPlane not getting a Deployment and perpetual reconciliation of ValidatingWebhookConfiguration

Operator Version

1.2.3 and latest main

kubectl version
@pmalek pmalek added bug Something isn't working area/azure labels Apr 30, 2024
@pmalek pmalek changed the title AKS' Admission Enforcer mutates AKS' Admission Enforcer mutates ControlPlane's ValidatingWebhookConfiguration which causes a perpetual reconciliation loop Apr 30, 2024
@pmalek pmalek mentioned this issue Apr 30, 2024
Closed
@lahabana lahabana added this to the KGO v1.4.x milestone May 22, 2024
@lahabana lahabana mentioned this issue May 22, 2024
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/azure bug Something isn't working
Projects
None yet
Milestone
KGO v1.4.x
Development

No branches or pull requests
2 participants
@lahabana @pmalek