redhat-cop/namespace-configuration-operator

Networkpolicy defined in namespaceconfig not working

praveenlnx opened this issue · 7 comments

As per the example, created the networkpolicy for multitenant in namespaceconfig & it's not working. Got the below error.
When created the namespaceconfig got the below response initially:

status:
  conditions:
  - lastTransitionTime: "2020-12-23T20:43:02Z"
    message: Awaiting next reconciliation
    reason: Successful
    status: "True"
    type: ReconcileSuccess

But after some time, we got an error like the one below:

status:
  conditions:
  - lastTransitionTime: "2020-12-23T20:45:52Z"
    message: "2 errors occurred:\n\t* ValidationError(NetworkPolicy.spec): missing
      required field "podSelector" in io.k8s.api.networking.v1.NetworkPolicySpec\n\t*
      ValidationError(NetworkPolicy.spec): missing required field "podSelector"
      in io.k8s.api.networking.v1.NetworkPolicySpec\n\n"
    reason: Failed
    status: "True"
    type: ReconcileError

Please attach the namespace config object that is not working and the namespace that is supposed to trigger it. This way I can try to reproduce the issue.

Attached the namespace config object, please review it.

@praveenlnx a few questions to narrow this down a bit,

What k8s platform are you using?
Which version of namespace configuration operator?
What other operators are you running?

We're using OpenShift (4.4.31) & k8s (v1.17.1).
namespace-configuration-operator:v0.2.5
Other required operators like dynatrace, egress IPAM, elasticsearch, OpenShift Service Mesh, clusterlogging, etc.

I was able to make this work by having all podSelector: entries be podSelector: {} and making sure that policyTypes: was present where needed. I'm not sure why the blank podSelector isn't working through, as that has worked in previous iterations and shown in our examples. Going to leave this open to investigate further, but here is what I did to at least get your example working.
multitenant-nsc.txt

[edit: I have the why now: the operator itself has validation against all resources before applying to the API, and this is a fringe case where an empty value is accepted. I'll make note of this for future iterations, but since the empty object works I recommend that and will update the documentation to reflect]

Closing this out since an empty quote or empty object should cover these validation cases. I'll update the documentation to reflect this change.
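
The difference discussed in this thread, as an added example (not the attached multitenant-nsc.txt and not the project's own documentation). The policy name is a constructed placeholder; only the `podSelector` and `policyTypes` handling is taken from the comments above.

```yaml
# Constructed manifests for illustration; names are placeholders.

# Rejected form: a key with no value parses as YAML null, so validation
# reports spec.podSelector as a missing required field (the error quoted
# in the issue).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-same-namespace
spec:
  podSelector:
  ingress:
  - from:
    - podSelector: {}
---
# Accepted form: {} is an empty label selector, present and non-null.
# At spec level it selects every pod in the namespace, so the policy
# applies namespace-wide. In the ingress peer, with no namespaceSelector
# beside it, it matches all pods in the policy's own namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-same-namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
```

After the NamespaceConfig reconciles, `oc get networkpolicy -n <namespace>` should list the policy; a `ReconcileError` condition that still names `podSelector` means a blank entry remains in one of the templates.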