ReplicaSet explosion caused by conflicting mutations #2963
Comments
Recreate Scenario
1. Install Open Policy Agent (OPA) Gatekeeper
2. Create Test Deployments
3. Verify Test Deployments BEFORE OPA Gatekeeper Mutation
4. Restart Deployments
5. Scale Deployments
6. Create OPA Gatekeeper Mutator
7. Verify Test Deployments AFTER OPA Gatekeeper Mutation
8. Restart a Deployment - No Problems
9. Delete ReplicaSet for a Deployment - Some Problems
10. Delete Pods for a Deployment - No Problems
11. Scale a Deployment - Big Problems
12. Fix Test Deployments
13. Restart Cluster
I can think of a workaround: Do not match both RS and Deployment. Check RS.meta.ownerReference to be null for unmanaged RS and skip other RS.
Thanks for raising this @rtheis! Is there a reason you cannot match and apply to Pod and change the location? e.g.:

```yaml
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: mutator
spec:
  applyTo:
  - groups: [""]
    kinds: ["Pod"]
    versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
    - apiGroups: ["*"]
      kinds: ["Pod"]
  location: "spec.containers[name:*].securityContext.allowPrivilegeEscalation"
  ...
```

Another example similar to this:
You could use expansion templates if you want to target both Deployments and Pods (and other templates implementing pod template). Not required, but it's just an option in case you weren't aware of the feature. https://open-policy-agent.github.io/gatekeeper/website/docs/expansion
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
Ping
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
Ping
What steps did you take and what happened:
Using the OPA Gatekeeper to mutate a ReplicaSet owned by a Deployment may result in significant cluster stability problems due to ReplicaSet explosion caused by conflicting mutations. See the issue description for recreate instructions.
What did you expect to happen:
We recommend that the OPA documentation and/or code warn against mutation of replicasets owned by a deployment.
Anything else you would like to add:
kubernetes/kubernetes#57167
https://docs.google.com/document/d/10LFy30JTfTD3qgCsBZ2S8ZpuWao9mqT_xqkcbvPzVf4/
Environment:
- Platform: IBM Cloud Kubernetes Service
- Kubernetes version (use kubectl version): 1.28
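Two checks a cluster operator can run against the problem discussed in this thread, written as an added example rather than code from the issue or the Gatekeeper project: flagging Gatekeeper mutators whose applyTo includes ReplicaSet (the case the reporter wants documented), and counting ReplicaSets per owning Deployment to detect the explosion after the fact. Inputs are plain dicts in the shape of `kubectl get <kind> -o json` items; the mutators and ReplicaSets at the bottom are constructed samples, and the default revisionHistoryLimit of 10 is used as the churn threshold.

```python
# Added example, not code from the issue or the Gatekeeper project: flag Gatekeeper
# mutators that apply to ReplicaSets, and count ReplicaSets per owning Deployment
# to spot the churn. Inputs are dicts shaped like `kubectl get -o json` items.
from collections import Counter

MUTATOR_KINDS = {"Assign", "AssignMetadata", "ModifySet"}

def risky_mutators(manifests):
    """(name, kind) of mutators whose applyTo includes ReplicaSet. A mutated
    ReplicaSet no longer matches its Deployment's pod template, so the controller
    creates another ReplicaSet, which is mutated in turn; applying to Pod instead,
    as suggested in the thread, does not trigger that loop."""
    flagged = []
    for m in manifests:
        if m.get("kind") not in MUTATOR_KINDS:
            continue
        targets = m.get("spec", {}).get("applyTo", [])
        if any("ReplicaSet" in t.get("kinds", []) for t in targets):
            flagged.append((m["metadata"]["name"], m["kind"]))
    return flagged

def replicasets_per_deployment(replicasets):
    """Count ReplicaSets whose controller ownerReference is a Deployment."""
    counts = Counter()
    for rs in replicasets:
        md = rs["metadata"]
        for ref in md.get("ownerReferences", []):
            if ref.get("kind") == "Deployment" and ref.get("controller"):
                counts[(md["namespace"], ref["name"])] += 1
    return counts

def exploding_deployments(replicasets, history_limit=10):
    """Deployments owning more ReplicaSets than revisionHistoryLimit (default 10)
    plus the live one; a healthy Deployment never exceeds that."""
    per = replicasets_per_deployment(replicasets)
    return sorted(k for k, n in per.items() if n > history_limit + 1)

# Constructed sample inputs: one risky mutator, one safe one, and two Deployments.
def make_mutator(name, group, kinds):
    return {"apiVersion": "mutations.gatekeeper.sh/v1", "kind": "Assign",
            "metadata": {"name": name},
            "spec": {"applyTo": [{"groups": [group], "kinds": kinds, "versions": ["v1"]}]}}
def make_rs(ns, deploy, i):
    return {"kind": "ReplicaSet", "metadata": {"namespace": ns, "name": f"{deploy}-{i:03d}",
            "ownerReferences": [{"kind": "Deployment", "name": deploy, "controller": True}]}}

SAMPLE_MUTATORS = [make_mutator("mutate-rs", "apps", ["ReplicaSet", "Deployment"]),
                   make_mutator("mutate-pod", "", ["Pod"])]
SAMPLE_RS = [make_rs("prod", "web", i) for i in range(25)] + [make_rs("prod", "api", i) for i in range(2)]
```

Run `risky_mutators` over your mutation manifests before applying them, and `exploding_deployments` over `kubectl get rs -A -o json` output when pod counts or RS counts climb unexpectedly.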