Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AKS' Admission Enforcer mutates ControlPlane's ValidatingWebhookConfiguration which causes a perpetual reconciliation loop #239

Open
pmalek opened this issue Apr 30, 2024 · 3 comments
Open

AKS' Admission Enforcer mutates ControlPlane's ValidatingWebhookConfiguration which causes a perpetual reconciliation loop #239

pmalek opened this issue Apr 30, 2024 · 3 comments
Assignees
@tao12345666333
Labels
area/azure bug Something isn't working
Milestone
KGO v1.5.x

Comments

@pmalek
Copy link
Member

pmalek commented Apr 30, 2024
edited
Loading

Current Behavior

When KGO is running against an AKS cluster, that cluster's Admission Enforcer patches all ValidatingWebhookConfigurations so that it does not check AKS managed resources, which have the kubernetes.azure.com/managedby=aks label set.

This is in conflict with KGO's mechanism to patch the in cluster resource if it's different than the one that's generated.

  []v1.ValidatingWebhook{
  	{
  		... // 3 identical fields
  		FailurePolicy: &"Ignore",
  		MatchPolicy:   &"Equivalent",
  		NamespaceSelector: &v1.LabelSelector{
  			MatchLabels: nil,
- 			MatchExpressions: []v1.LabelSelectorRequirement{
- 				{
- 					Key:      "kubernetes.azure.com/managedby",
- 					Operator: "NotIn",
- 					Values:   []string{"aks"},
- 				},
- 				{Key: "control-plane", Operator: "NotIn", Values: []string{"true"}},
- 			},
+ 			MatchExpressions: nil,
  		},
  		ObjectSelector: &{},
  		SideEffects:    &"None",
  		... // 3 identical fields
  	},
...

Expected Behavior

Reconciliation succeeds.

Proposed solutions

Steps To Reproduce

  1. Run KGO against an AKS cluster (set logs to trace log level using helm's arg: --set env.zap_log_level=2)
  2. Deploy Gateway (e.g. using https://github.com/Kong/gateway-operator/blob/36c58ab4dd9a449627e14381cf1fc63f362b9903/config/samples/gateway-with-gatewayconfiguration.yaml). 2 Gateways make it more apparent, not sure 100% why that's the case.
  3. Observe ControlPlane not getting a Deployment and perpetual reconciliation of ValidatingWebhookConfiguration

Operator Version

1.2.3 and latest main

kubectl version
@pmalek pmalek added bug Something isn't working area/azure labels Apr 30, 2024
@pmalek pmalek changed the title AKS' Admission Enforcer mutates AKS' Admission Enforcer mutates ControlPlane's ValidatingWebhookConfiguration which causes a perpetual reconciliation loop Apr 30, 2024
@pmalek pmalek mentioned this issue Apr 30, 2024
Closed
@lahabana lahabana added this to the KGO v1.4.x milestone May 22, 2024
@lahabana lahabana mentioned this issue May 22, 2024
Open
2 tasks
@pmalek pmalek mentioned this issue May 31, 2024
Closed
@pmalek pmalek mentioned this issue Aug 16, 2024
Open
1 task
@lahabana lahabana modified the milestones: KGO v1.4.x, KGO v1.5.x Sep 11, 2024
@tao12345666333
Copy link
Member

I can handle this task.

@tao12345666333 tao12345666333 self-assigned this Jan 20, 2025
@pmalek
Copy link
Member Author

pmalek commented Jan 20, 2025

I believe the way forward for this is to solve #500 rather than handle this on its own ( I intend to write a short design doc to show how that could work).

I'm happy to hear your proposal(s) for this one (#239) one if you have anything specific in mind.

@tao12345666333
Copy link
Member

tao12345666333 commented Jan 20, 2025
edited
Loading

Thank you! Let me take a look at #500

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tao12345666333 tao12345666333

Labels
area/azure bug Something isn't working
Projects
None yet
Milestone
KGO v1.5.x
Development

No branches or pull requests
3 participants
@lahabana @pmalek @tao12345666333