resource-reconciler: determined that resources are NOT equal
ilabrovic opened this issue · 5 comments
What are tips/approached how to troubleshoot "resource-reconciler determined that resources are NOT equal" messages?
We have a simple namespaceconfig with only 2 rolebinding creations but are unable to keep the operator log clean of these messages and wondering why the operator thinks the resources are NOT equal.
Tested/ruled out:
Rolebinding subjects are not changing, so that can't be it.
roleRef cannot even be changed in a rolebinding, so that's not it either
metadata, as far as i know, is always considered part of excludedPaths (https://github.com/redhat-cop/namespace-configuration-operator#Excluded-Paths)
and lastly, a rolebinding does not have a status field, so that can't be the problem either.
So i am really wondering why the operator thinks the resources are NOT equal
can you paste the manifest you create? Also do you see it flip flopping?
Unfortunately not due to company policies.
In short, it only has 1 labelSelector on spec: level to filter the correct namespaces, and then 2 objectTemplates each creating a single RoleBinding.
If there are any throubleshooting hints/techniques i could try, that would help
Maybe increasings the verbosity of the operator if that is possible?
Good new for this case!
We created a couple of rolebindings, but did not specify apiGroup: rbac.authorization.k8s.io for each Group and User in the subjects: part.
Kubernetes adds these default fields, and thats why the namespace configuration operator sees an out of sync
Kudos to my community partner GW!
Since release v1.2.5 you can see the diff that caused the reconcile in the logs.
You have to take a close look though. I can be minor things like numbers that are written to a string field and will therefore receive quotation marks which the operator detects as a diff. Mutation Webhooks are also a possible cause of diffs.