kubernetes-retired/hierarchical-namespaces

Resource deletion can occur with AllowPropagate

Opened this issue · 2 comments

afine commented

We have noticed resources of kinds that are configured as AllowPropagate being deleted during our infrastructure provisioning process (even if the resources are not configured to propagate with HNC) if they share the name of a resource of the same kind in the parent namespace.

We were able to reproduce the issue reliably with a build of HNC from the master branch with this small patch that inserts a sleep to make sure the race condition can be reliably hit.

diff --git a/internal/objects/reconciler.go b/internal/objects/reconciler.go
index 81c0d785..9b44ac38 100644
--- a/internal/objects/reconciler.go
+++ b/internal/objects/reconciler.go
@@ -19,6 +19,7 @@ import (
 	"context"
 	"fmt"
 	"reflect"
+	"strings"
 	"sync"
 	"time"
 
@@ -585,8 +586,10 @@ func (r *Reconciler) operate(ctx context.Context, log logr.Logger, act syncActio
 }
 
 func (r *Reconciler) deleteObject(ctx context.Context, log logr.Logger, inst *unstructured.Unstructured) error {
-
 	stats.WriteObject(r.GVK)
+	log.V(1).Info("SLEEPING")
+	time.Sleep(100 * time.Second)
+	log.V(1).Info("DONE SLEEPING")
 	err := r.Delete(ctx, inst)
 	if errors.IsNotFound(err) {
 		log.V(1).Info("The obsolete copy doesn't exist, no more action needed")
diff --git a/internal/webhooks/webhooks.go b/internal/webhooks/webhooks.go
index 32d703d0..951aee27 100644

Steps to Reproduce:

  1. Create an HNCConfiguration configuring configmaps to mode: AllowPropagate.
  2. Create a parent namespace (parentns) and child namespace (childns).
  3. Create a Configmap testmap in parentns (with no labels that would configure it to propagate with HNC)
  4. Apply a HierarchyConfiguration to childns setting parentns as the parent of childns
  5. At this point you should see the SLEEPING log line output from the patch above.
  6. Now create a configmap testmap in childns (with no labels that would configure it to propagate with HNC)
  7. At this point you should see we have two Configmaps
$ k -n parentns get configmap; k -n childns get configmap
NAME                 DATA   AGE
testmap              1      40s
NAME                 DATA   AGE
testmap             1      23s
  1. Wait for the DONE SLEEPING log line.
  2. You should now see one of the configmaps was deleted
$ k -n parentns get configmap; k -n childns get configmap
NAME                 DATA   AGE
testmap              1      40s
NAME                 DATA   AGE
k8s-triage-robot commented

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten