kubernetes-retired/hierarchical-namespaces

Possible bug in propagation matching algorithm

Closed this issue · 3 comments

When investigating another issue I found I can partially work around the constraint which forces RoleBindings to Propagate by dropping group from the resource object:

spec:
  resources:
    - resource: rolebindings
      mode: AllowPropagate

So I suspect there may be a bit of a bug in the matching algorithm. It only partially works though and causes some other component of the system to revert the change frequently.

{"level":"info","ts":1698313059.863884,"logger":"hncconfig.reconcile","msg":"Changing sync mode of the object reconciler","gvk":"rbac.authorization.k8s.io/v1, Kind=RoleBinding","oldMode":"AllowPropagate","newMode":"Propagate"}
{"level":"info","ts":1698313059.8659315,"logger":"hncconfig.reconcile","msg":"Changing sync mode of the object reconciler","gvk":"rbac.authorization.k8s.io/v1, Kind=RoleBinding","oldMode":"Propagate","newMode":"AllowPropagate"}

There is also this. Albeit, not exactly a problem but does suggest that the matching needs a review. When I set role bindings to Propagate as the value it needs to be, there is still an admission webhook error:

spec:
  resources:
    - resource: rolebindings
      mode: Propagate

admission webhook "hncconfigurations.hnc.x-k8s.io" denied the request: HNCConfiguration.hnc.x-k8s.io "config" is invalid: spec.resources[1]: Invalid value: rolebindings.rbac.authorization.k8s.io: always uses the 'Propagate'
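
A small detector for the revert loop visible in the two log lines above, as an added example that is not part of the original issue or of HNC's own code: it flags any type whose sync mode is changed and then changed back within a time window. The names `FindFlaps` and `Flap` and the 5-second window are assumptions made for this example; the sample input is the pair of log lines quoted in the issue.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// entry holds the log fields we need; encoding/json matches the keys
// ("logger", "gvk", "oldMode", ...) to these names case-insensitively.
type entry struct {
	Logger, GVK, OldMode, NewMode string
	TS                            float64
}

// Flap records a sync-mode change that was undone within the window.
type Flap struct {
	GVK, From, To string
	Seconds       float64
}

// FindFlaps scans JSON log lines and reports every case where a type's sync
// mode changed From->To and was then set back To->From within `window` seconds.
func FindFlaps(logs string, window float64) []Flap {
	last := map[string]entry{} // most recent mode change seen per GVK
	var flaps []Flap
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		var e entry
		if json.Unmarshal(sc.Bytes(), &e) != nil || e.Logger != "hncconfig.reconcile" || e.OldMode == "" {
			continue // not JSON, or not a mode-change line
		}
		if p, ok := last[e.GVK]; ok && p.OldMode == e.NewMode && p.NewMode == e.OldMode && e.TS-p.TS <= window {
			flaps = append(flaps, Flap{e.GVK, p.OldMode, p.NewMode, e.TS - p.TS})
		}
		last[e.GVK] = e
	}
	return flaps
}

// sampleLogs holds the two hncconfig.reconcile lines quoted in the issue.
const sampleLogs = `{"level":"info","ts":1698313059.863884,"logger":"hncconfig.reconcile","msg":"Changing sync mode of the object reconciler","gvk":"rbac.authorization.k8s.io/v1, Kind=RoleBinding","oldMode":"AllowPropagate","newMode":"Propagate"}
{"level":"info","ts":1698313059.8659315,"logger":"hncconfig.reconcile","msg":"Changing sync mode of the object reconciler","gvk":"rbac.authorization.k8s.io/v1, Kind=RoleBinding","oldMode":"Propagate","newMode":"AllowPropagate"}`

func main() {
	for _, f := range FindFlaps(sampleLogs, 5) {
		fmt.Printf("%s: %s -> %s reverted after %.4fs\n", f.GVK, f.From, f.To, f.Seconds)
	}
}
```

Because RoleBindings are the type in question, a flap reported here means the propagation mode for RBAC objects is not stable, which is worth alerting on in controller logs.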

@adrianludwin:
This request has been marked as suitable for new contributors.

Guidelines

Please ensure that the issue body includes answers to the following questions:

  • Why are we solving this issue?
  • To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
  • Does this issue have zero to low barrier of entry?
  • How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-good-first-issue command.

In response to this:

Thanks! I won't have time to investigate this in the foreseeable future,
but if you wanted to take a crack at it, I'd appreciate it.

/good-first-issue

On Mon, Oct 30, 2023 at 5:31 AM Gareth Brown @.***>
wrote:

When investigating another issue I found I can partially work around the
constraint which forces RoleBindings to Propagate by dropping group from
the resource object:

spec:
  resources:
    - resource: rolebindings
      mode: AllowPropagate

So I suspect there may be a bit of a bug in the matching algorithm. It
only partially works though and causes some other component of the system
to revert the change frequently.

{"level":"info","ts":1698313059.863884,"logger":"hncconfig.reconcile","msg":"Changing sync mode of the object reconciler","gvk":"rbac.authorization.k8s.io/v1, Kind=RoleBinding","oldMode":"AllowPropagate","newMode":"Propagate"}
{"level":"info","ts":1698313059.8659315,"logger":"hncconfig.reconcile","msg":"Changing sync mode of the object reconciler","gvk":"rbac.authorization.k8s.io/v1, Kind=RoleBinding","oldMode":"Propagate","newMode":"AllowPropagate"}

There is also this. Albeit, not exactly a problem but does suggest that
the matching needs a review. When I set role bindings to Propagate as the
value it needs to be, there is still an admission webhook error:

spec:
  resources:
    - resource: rolebindings
      mode: Propagate

admission webhook "hncconfigurations.hnc.x-k8s.io" denied the request: HNCConfiguration.hnc.x-k8s.io "config" is invalid: spec.resources[1]: Invalid value: rolebindings.rbac.authorization.k8s.io: always uses the 'Propagate'


I’ve faced the same issue when I mistakenly set RoleBinding to AllowPropagate mode.
I’ve already investigated this issue and I can probably fix it. Do you mind if I address this issue?