CARM ack-role-account-map ConfigMap updates are not propagated to ACK controllers #2088
Comments
@itaiatu thank you for opening this issue. I was able to reproduce the problem. It appears that the code we generate to operate "ResourceManagers" uses caching to avoid re-initializing the SDK client at every reconciliation loop - the cache uses /cc @adriananeci @mumlawski @mattzesh @victorvarza
We see this problem fixed now in IAM controller v1.3.10.
I tested again with EC2 (v1.2.17) and IAM (v1.3.10) and the problem is still there.
Is there an update on this solution please?
Tested it now with the EC2 controller, version
I am going to keep this issue open for a while to see if the problem is solved for all controllers, but I assume everything should be ok, because the change was done in the
@itaiatu Indeed the fix made it to the core runtime and all of the controllers have been patched.
Hi @a-hilaly @itaiatu I tested for IAM Controller using version 1.3.12. I have updated the configmap to a different role than the one originally which is required for cross account mapping, but the controller is still running with the previous role only. I don't see any reconciliation happening on the controller end. I see logs being updated for the S3 controller, but I don't see the same for the IAM/CLOUDWATCHLOGS/LAMBDA controllers.
@swapnachagam Updating the role in CARM doesn't necessarily trigger a reconciliation. You'll have to manually trigger the reconciliation or wait for the periodic reconcile.
Thank you. It is working by triggering a reconciliation.
Is there a way, instead of us manually triggering a reconciliation, that ack-controllers can have a second watch for these configmap updates and reconcile themselves in a low priority queue?
@swapnachagam I'm not sure whether we need to implement this, I imagine controllers managing a lot of resources would reconcile everything even for a simple CARM configMap modification. But I'm not opposed to it. Can you please open a GitHub issue describing this feature? We'll discuss it in our next community meeting https://github.com/aws-controllers-k8s/community/?tab=readme-ov-file#community-meeting For now I'll close this as it's resolved.
Thank you. I will raise a separate request for this.
Describe the bug
CARM ack-role-account-map ConfigMap updates are not propagated to ACK controllers. Maybe related to #2011.
Steps to reproduce
I performed the following scenario:
ack-role-account-map ConfigMap
11111111111 in the data field in the to
After changing the value of "11111111111" AWS subscription id to a dummy value (adding the 2 at the end of the value), I still managed to create a Role and a Policy in the ns-ack-test namespace (see below the Namespace spec). This is not the desired behaviour, since that role doesn't exist (with the 2 character at the end of the string).
After I restarted the IAM controller's pod, got 403s, the expected behaviour, since that role is not a valid one.
Vice-versa, if I start with a CARM wrong configuration (wrong assumedrole names), I get 403s as expected, and after I fix the role name in ack-role-account-map to match the correct assumedrole, I still receive 403s when trying to create resources.
This makes me think that although the log messages say that the runtime cache is updated, the change is not propagated to ACK controllers.
Expected outcome
When ack-role-account-map is edited, ACK controllers will use the updated values from the data field.
Environment
Tested with the latest version of IAM controller (v1.3.8 that contains the updated v0.34.0 runtime version, which also integrated this PR Resolve race condition between CARM ConfigMap and reconciler for annotated namespaces runtime#138)
The namespace where I tried to create a Role and a Policy with the IAM controller
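A simplified model of the behaviour reported in this issue, added here as an illustration and not taken from the ACK runtime: it contrasts a client cache looked up by account ID alone with one that also compares the cached role against the current map entry. The cache key is an assumption (the thread does not show it), and all type names, function names and the role ARN are constructed.

```go
package main

import "fmt"

// roleMap models the data field of ack-role-account-map: account ID -> role ARN.
type roleMap map[string]string

// client stands in for an SDK client holding credentials for one assumed role.
type client struct{ roleARN string }

// clientCache reuses clients across reconciliations. With checkRole false it
// is keyed by account ID alone (assumed here; the thread does not show the key).
type clientCache struct {
	checkRole bool
	clients   map[string]*client
}

func (c *clientCache) get(account string, m roleMap) *client {
	want := m[account]
	if cl, ok := c.clients[account]; ok && (!c.checkRole || cl.roleARN == want) {
		return cl // cache hit
	}
	cl := &client{roleARN: want} // build a new client and replace the old one
	c.clients[account] = cl
	return cl
}

// roleAfterEdit warms a cache, edits the map as in the report (a "2" appended
// to the role), and returns the role the next reconciliation would use.
func roleAfterEdit(checkRole bool) string {
	const account = "11111111111" // account ID as written in the issue
	m := roleMap{account: "arn:aws:iam::11111111111:role/constructed-role"}
	c := &clientCache{checkRole: checkRole, clients: map[string]*client{}}
	c.get(account, m) // first reconciliation populates the cache
	m[account] += "2" // ConfigMap edit
	return c.get(account, m).roleARN
}

func main() {
	fmt.Println("account-only key:", roleAfterEdit(false))
	fmt.Println("role-checked key:", roleAfterEdit(true))
}
```

With the account-only lookup the old role keeps being used until the cache is dropped, which matches the report that only a pod restart made the edited mapping take effect.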