ControlPlane's ClusterRole, ClusterRoleBinding and ValidatingWebhookConfiguration incorrectly use namespaced resources as their owners #72

Open
pmalek opened this issue Mar 29, 2024 · 3 comments · May be fixed by #259
pmalek commented Mar 29, 2024

Current Behavior

Cluster scoped resources like ControlPlane's ClusterRole and ClusterRoleBinding incorrectly use namespaced resources - ControlPlanes - as their owner, which creates OwnerRefInvalidNamespace events:

apiVersion: v1
count: 1
eventTime: null
firstTimestamp: "2024-03-29T12:36:40Z"
involvedObject:
  apiVersion: admissionregistration.k8s.io/v1
  kind: ValidatingWebhookConfiguration
  name: kong-jw255
  uid: 8ee835da-51c1-4e7c-89ab-8ea24087f7b7
kind: Event
lastTimestamp: "2024-03-29T12:36:40Z"
message: 'ownerRef [gateway-operator.konghq.com/v1beta1/ControlPlane, namespace: ,
  name: kong-jw255, uid: 19de2c4c-f926-437b-8423-96efab88b63a] does not exist in namespace
  ""'
metadata:
  creationTimestamp: "2024-03-29T12:36:40Z"
  name: kong-jw255.17c13c739e2797e9
  namespace: default
  resourceVersion: "1295539"
  uid: d91d9ad7-22f4-40e1-9e31-2cd836063835
reason: OwnerRefInvalidNamespace
reportingComponent: garbage-collector-controller
reportingInstance: ""
source:
  component: garbage-collector-controller
type: Warning
---
apiVersion: v1
count: 1
eventTime: null
firstTimestamp: "2024-03-29T12:36:40Z"
involvedObject:
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  name: kong-jw255-rcqfq
  uid: 9c35bcef-fbcd-4dcd-a2f0-7edb69414a6f
kind: Event
lastTimestamp: "2024-03-29T12:36:40Z"
message: 'ownerRef [gateway-operator.konghq.com/v1beta1/ControlPlane, namespace: ,
  name: kong-jw255, uid: 19de2c4c-f926-437b-8423-96efab88b63a] does not exist in namespace
  ""'
metadata:
  creationTimestamp: "2024-03-29T12:36:40Z"
  name: kong-jw255-rcqfq.17c13c739ce28698
  namespace: default
  resourceVersion: "1295524"
  uid: 3feaad08-4c6f-413f-a3fb-4c3b42c98e90
reason: OwnerRefInvalidNamespace
reportingComponent: garbage-collector-controller
reportingInstance: ""
source:
  component: garbage-collector-controller
type: Warning
---
apiVersion: v1
count: 1
eventTime: null
firstTimestamp: "2024-03-29T12:36:40Z"
involvedObject:
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  name: controlplane-kong-jw255-zbx6n
  uid: 79e0727e-56d8-465f-ad5d-605d3002b67b
kind: Event
lastTimestamp: "2024-03-29T12:36:40Z"
message: 'ownerRef [gateway-operator.konghq.com/v1beta1/ControlPlane, namespace: ,
  name: kong-jw255, uid: 19de2c4c-f926-437b-8423-96efab88b63a] does not exist in namespace
  ""'
metadata:
  creationTimestamp: "2024-03-29T12:36:40Z"
  name: controlplane-kong-jw255-zbx6n.17c13c739d0da343
  namespace: default
  resourceVersion: "1295526"
  uid: 0f73bd62-cd16-4b66-b115-865cbf8c1b0e
reason: OwnerRefInvalidNamespace
reportingComponent: garbage-collector-controller
reportingInstance: ""
source:
  component: garbage-collector-controller
type: Warning

Expected Behavior

Cluster scoped resources shouldn't set namespaced resources as their owners.

Steps To Reproduce

  1. Deploy the operator
  2. Deploy one of the manifests that will result in a ControlPlane being deployed, e.g. https://github.com/Kong/gateway-operator/blob/4e516dbbbc02d86f9601c7aed6182fc865b19cde/config/samples/gateway-with-gatewayconfiguration.yaml
  3. Observe events being created

Operator Version

4e516db

Related materials

https://kubernetes.io/docs/concepts/overview/working-with-objects/owners-dependents/

pmalek added the bug label Mar 29, 2024
pmalek added this to the KGO v1.3.x milestone Mar 29, 2024
mlavacca commented Apr 2, 2024

Unfortunately, we need to have a controlplane reference on the controlplane-owned cluster-wide resources, and the ownerRef is the easiest one. If we want to remove it, we'll need to think about a different mechanism, such as an annotation on the cluster-wide resource that points to the controlplane.

pmalek commented Apr 10, 2024

> If we want to remove it, we'll need to think about a different mechanism, such as an annotation on the cluster-wide resource that points to the controlplane.

... or even a label which would make listing more efficient.

While owner ref does represent the actual relationship, it's disallowed, hence my proposal would be to use the labels for this.

pmalek commented Apr 29, 2024

There's even a tool that helps find those references: https://github.com/kubernetes-sigs/kubectl-check-ownerreferences

kubectl-check-ownerreferences

GROUP                          RESOURCE                          NAMESPACE   NAME                            OWNER_UID                              LEVEL   MESSAGE
admissionregistration.k8s.io   validatingwebhookconfigurations               kong-pp645                      422f5aba-5d85-4db3-ba11-f9ceccb1ab3e   Error   cannot reference namespaced type as owner (apiVersion=gateway-operator.konghq.com/v1beta1,kind=ControlPlane)
rbac.authorization.k8s.io      clusterrolebindings                           controlplane-kong-pp645-lc6pw   422f5aba-5d85-4db3-ba11-f9ceccb1ab3e   Error   cannot reference namespaced type as owner (apiVersion=gateway-operator.konghq.com/v1beta1,kind=ControlPlane)
rbac.authorization.k8s.io      clusterroles                                  kong-pp645-c888d                422f5aba-5d85-4db3-ba11-f9ceccb1ab3e   Error   cannot reference namespaced type as owner (apiVersion=gateway-operator.konghq.com/v1beta1,kind=ControlPlane)
3 errors, 0 warnings
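
An added example (not code from the gateway-operator project or from kubectl-check-ownerreferences) of the label-based alternative discussed in this thread, together with a check for the invalid references reported above. The `example.com/...` label keys, the `link` and `invalidOwners` helpers and the simplified `Object` type are hypothetical; the object names and UID are copied from the events in the first comment.

```go
package main

import "fmt"

// Minimal stand-ins for Kubernetes metadata, constructed for this example.
type OwnerRef struct{ APIVersion, Kind, Name, UID string }

type Object struct {
	Kind, Namespace, Name, UID string // Namespace "" means cluster-scoped
	Owners                     []OwnerRef
	Labels                     map[string]string
}

// Hypothetical label keys; the thread does not name any.
const (
	labelOwnerNamespace = "example.com/owner-namespace"
	labelOwnerName      = "example.com/owner-name"
)

// link records that dep belongs to owner. An ownerRef is written only when the
// owner is cluster-scoped or in dep's namespace; otherwise labels are used.
func link(dep *Object, owner Object, apiVersion string) string {
	if owner.Namespace == "" || owner.Namespace == dep.Namespace {
		dep.Owners = append(dep.Owners, OwnerRef{apiVersion, owner.Kind, owner.Name, owner.UID})
		return "ownerRef"
	}
	if dep.Labels == nil {
		dep.Labels = map[string]string{}
	}
	dep.Labels[labelOwnerNamespace] = owner.Namespace
	dep.Labels[labelOwnerName] = owner.Name
	return "labels"
}

// invalidOwners lists ownerRefs on a cluster-scoped object that name a namespaced kind.
func invalidOwners(dep Object, namespacedKinds map[string]bool) []OwnerRef {
	var bad []OwnerRef
	for _, o := range dep.Owners {
		if dep.Namespace == "" && namespacedKinds[o.Kind] {
			bad = append(bad, o)
		}
	}
	return bad
}

func main() {
	cp := Object{Kind: "ControlPlane", Namespace: "default", Name: "kong-jw255", UID: "19de2c4c-f926-437b-8423-96efab88b63a"}
	role := Object{Kind: "ClusterRole", Name: "kong-jw255-rcqfq"}
	fmt.Println(link(&role, cp, "gateway-operator.konghq.com/v1beta1"), role.Labels)
}
```

With labels in place of ownerRefs, the garbage collector no longer deletes the ClusterRole, ClusterRoleBinding and ValidatingWebhookConfiguration, so the controller has to delete them itself when the ControlPlane is removed.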
