Unable to get owner of resource object does not deploy sidecar to deployable Kind specified #244

Closed
spstarr opened this issue Mar 2, 2023 · 2 comments · Fixed by #245 or #226
Labels
priority: p1: Important issue which blocks shipping the next release. Will be fixed prior to next release.
type: bug: Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

spstarr commented Mar 2, 2023

Expected Behavior

Operator attaches sidecar to deployable Kind in namespace.

Actual Behavior

2023-03-02T20:14:20Z    INFO    could not get owner     {"owner": "&OwnerReference{Kind:MyCustomResource,Name:custom-resource-thing,UID:66dea891-a7c7-482c-9346-a73822381ede,APIVersion:my.example.com/v1alpha1,Controller:*true,BlockOwnerDeletion:nil,}", "err": "Timeout: failed waiting for *v1.PartialObjectMetadata Informer to sync"}
2023-03-02T20:14:20Z    DEBUG   controller-runtime.webhook.webhooks     wrote response  {"webhook": "/mutate-pods", "code": 500, "reason": "", "UID": "be75e6a4-7d54-4d93-ad3f-6e38a72f807a", "allowed": false}

Steps to Reproduce the Problem

Using this AuthProxyWorkload CR. I am using Config Connector, but that shouldn't matter here:

{{- range $.Values.cloudSQLInstances }}
---
# One AuthProxyWorkload per Cloud SQL instance. Each iteration has to start its own
# YAML document, so the separator above is required whenever more than one instance
# is listed, and the name is suffixed with the instance so the objects do not collide.
apiVersion: cloudsql.cloud.google.com/v1alpha1
kind: AuthProxyWorkload
metadata:
  name: {{ template "my-operator.fullname" $ }}-{{ .instance }}
  namespace: mynamespace
  annotations:
    cnrm.cloud.google.com/project-id: {{ $.Values.projectId }}
    cnrm.cloud.google.com/deletion-policy: abandon
  labels:
    {{- include "my-operator.labels" $ | nindent 4 }}
spec:
  workloadSelector:
    kind: "StatefulSet"
    name: "my-deployment"
  instances:
  - connectionString: "{{ $.Values.projectId }}:{{ $.Values.region }}:{{ .instance }}"
    port: 5432
    privateIP: true
{{- end }}

Specifications

2023-03-02T19:47:57Z    INFO    Starting Cloud SQL Proxy Operator
2023-03-02T19:47:57Z    INFO    Version: 0.3.0 Build: 53b97905ee71b2902fcff985a7a5d414164e7323
2023-03-02T19:47:57Z    INFO    Runtime: go1.20.1 linux/amd64
hessjcg added the labels type: bug and priority: p1 on Mar 2, 2023
hessjcg (Collaborator) commented Mar 2, 2023

Thanks @spstarr!

It appears that the pod admission webhook is failing improperly while looking for the parents of a pod. This can happen when the owner of a pod is a Custom Resource. The operator may not have the permissions to read that custom resource.

I'll update the implementation of the webhook so that it looks only for parents that are one of the workloads it is allowed to access: Pod, Deployment, ReplicaSet, DaemonSet, StatefulSet, Job, CronJob

spstarr (Author) commented Mar 2, 2023

Makes sense, yes. I am using a custom resource here; it spins up StatefulSets.

hessjcg added a commit that referenced this issue Mar 8, 2023
Pods can be owned by multiple owners. We only want the operator to traverse the owners where it knows
the kind of workload: ReplicaSet, Deployment, etc. We don't want the operator to try to traverse other
kinds of owner resources that it does not understand, because the operator was not granted privileges
to access those resources.

Fixes #244
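
The owner walk hessjcg describes in the comment above, and the allow-list of known workload kinds the commit message refers to, as an added stand-alone Go example. This is not the operator's own code: `OwnerReference`, `Object`, `Getter` and `ErrForbidden` are stdlib-only stand-ins for `metav1.OwnerReference`, the object metadata the webhook reads, the controller-runtime client and an RBAC denial, and the sample cluster is constructed here. It puts the pre-fix walk (follow every owner, fail on the first one the operator cannot read) next to the fixed walk (check the kind and API group first and skip anything outside the allow-list, so the custom resource is never fetched and needs no RBAC rule).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Stdlib-only stand-ins for metav1.OwnerReference and pod metadata (assumed shapes, not the operator's types).
type OwnerReference struct{ APIVersion, Kind, Name string }
type Object struct {
	Kind, Name string
	Owners     []OwnerReference
}

// ErrForbidden models the API server rejecting a read the operator has no RBAC rule for.
var ErrForbidden = errors.New("forbidden: no RBAC rule for this resource")
type Getter func(ref OwnerReference) (*Object, error) // stands in for controller-runtime client.Get

// knownWorkload is the allow-list: the workload kinds the operator is granted access to, checked
// with their API group so a custom resource whose kind happens to be "Deployment" stays unknown.
func knownWorkload(ref OwnerReference) bool {
	group := ""
	if i := strings.IndexByte(ref.APIVersion, '/'); i >= 0 {
		group = ref.APIVersion[:i]
	}
	switch group {
	case "":
		return ref.Kind == "Pod"
	case "apps":
		return ref.Kind == "Deployment" || ref.Kind == "ReplicaSet" ||
			ref.Kind == "DaemonSet" || ref.Kind == "StatefulSet"
	case "batch":
		return ref.Kind == "Job" || ref.Kind == "CronJob"
	}
	return false
}

// walk returns pod's owner chain as "Kind/Name", nearest first. skipUnknown=false fetches every
// owner (pre-fix); skipUnknown=true drops unknown kinds before any API call, so no RBAC is needed for them.
func walk(pod Object, get Getter, skipUnknown bool) ([]string, error) {
	var chain []string
	seen := map[string]bool{}
	queue := append([]OwnerReference(nil), pod.Owners...)
	for len(queue) > 0 {
		ref := queue[0]
		queue = queue[1:]
		key := ref.Kind + "/" + ref.Name
		if seen[key] { // several owners may share an ancestor; fetch each once
			continue
		}
		seen[key] = true
		if skipUnknown && !knownWorkload(ref) {
			continue
		}
		obj, err := get(ref)
		if err != nil {
			return nil, fmt.Errorf("could not get owner %s: %w", key, err)
		}
		chain = append(chain, key)
		queue = append(queue, obj.Owners...)
	}
	return chain, nil
}

// NaiveAncestry is the behaviour behind the 500 from /mutate-pods; WorkloadAncestry is the fix.
func NaiveAncestry(pod Object, get Getter) ([]string, error)    { return walk(pod, get, false) }
func WorkloadAncestry(pod Object, get Getter) ([]string, error) { return walk(pod, get, true) }

// Constructed sample: a StatefulSet pod whose StatefulSet is owned by a custom resource, as in the log line above.
var sampleStore = map[string]Object{
	"StatefulSet/my-deployment": {Kind: "StatefulSet", Name: "my-deployment", Owners: []OwnerReference{
		{APIVersion: "my.example.com/v1alpha1", Kind: "MyCustomResource", Name: "custom-resource-thing"}}},
	"MyCustomResource/custom-resource-thing": {Kind: "MyCustomResource", Name: "custom-resource-thing"},
}

func SamplePod() Object {
	return Object{Kind: "Pod", Name: "my-deployment-0",
		Owners: []OwnerReference{{APIVersion: "apps/v1", Kind: "StatefulSet", Name: "my-deployment"}}}
}

// SampleGetter behaves like the API server under the operator's RBAC: known workload kinds read fine, anything else is forbidden.
func SampleGetter(ref OwnerReference) (*Object, error) {
	if !knownWorkload(ref) {
		return nil, ErrForbidden
	}
	obj, ok := sampleStore[ref.Kind+"/"+ref.Name]
	if !ok {
		return nil, fmt.Errorf("%s/%s not found", ref.Kind, ref.Name)
	}
	return &obj, nil
}

func main() {
	_, err := NaiveAncestry(SamplePod(), SampleGetter)
	chain, _ := WorkloadAncestry(SamplePod(), SampleGetter)
	fmt.Println("before fix:", err, "\nafter fix:", chain)
}
```

Two points worth keeping when porting this into a real webhook: the allow-list checks the API group as well as the kind, because a CRD is free to name its kind `Deployment` or `Job`, and the skip happens before the client call, which is what removes the need for any read permission on the custom resource (and avoids the informer sync timeout seen in the log).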