Jsonpatch operation fails if automountServiceAccountToken is false and no volumes are defined #17

Closed
FaHeymann opened this issue Nov 8, 2019 · 1 comment · Fixed by #18

What happened:

A ServiceAccount with automountServiceAccountToken: false and the EKS IAM Annotation failed to spawn a Pod from a Job definition that did not define Volumes on the Pod, with the following error:

Events:
  Type     Reason        Age                From            Message
  ----     ------        ----               ----            -------
  Warning  FailedCreate  16s (x2 over 26s)  job-controller  Error creating: Internal error occurred: Internal error occurred: jsonpatch add operation does not apply: doc is missing path: "/spec/volumes/0"

https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/pkg/handler/handler.go#L158-L177 probably needs to check if /spec/volumes already exists. If automountServiceAccountToken on the ServiceAccount is true, there is always a volume present on the Pod; if set to false, this is no longer the case though.

How to reproduce it (as minimally and precisely as possible):

apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount
metadata:
  name: test
  namespace: test
  annotations:
    eks.amazonaws.com/role-arn: <redacted>
---
apiVersion: batch/v1
kind: Job
metadata:
  name: test
  namespace: test
spec:
  template:
    spec:
      restartPolicy: "Never"
      containers:
      - image: nginx
        name: my-container
      securityContext:
        fsGroup: 1000
      serviceAccountName: test

Anything else we need to know?:

Environment:

  • AWS Region: eu-central-1
  • EKS Platform version (if using EKS, run aws eks describe-cluster --name <name> --query cluster.platformVersion): eks.1
  • Kubernetes version (if using EKS, run aws eks describe-cluster --name <name> --query cluster.version): 1.14
  • Webhook Version:
nckturner added the bug, good first issue, and help wanted labels on Nov 11, 2019

tarvitz commented Nov 15, 2023

Sorry for barging in, my message is related to the "Error creating: Internal error occurred: Internal error occurred: jsonpatch add operation does not apply: doc is missing path" error message, whenever it appears. Googling the source of the problem leads to this issue 😉.

The "root" problem is that the json-patch message cannot be applied to the resource (i.e. it's malformed). So basically, anyone who develops a mutating webhook might get such a confusing error. So if you have it => try to observe the object you try to json-patch; this will lead you to the source of the problem.
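
The check suggested in the issue (does /spec/volumes already exist?) can be written as below. This is an added example, not code from the thread or from the webhook project: `parentExists`, `addVolumeOps`, the volume name `example-token` and the sample pod are assumptions made for illustration, and it appends with the RFC 6902 "-" index when the array is present.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// patchOp is one RFC 6902 JSON Patch operation.
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// parentExists reports whether the parent of an "add" target exists in doc
// (object keys only); RFC 6902 rejects the add when it does not.
func parentExists(doc map[string]interface{}, path string) bool {
	parts := strings.Split(strings.TrimPrefix(path, "/"), "/")
	var cur interface{} = doc
	for _, key := range parts[:len(parts)-1] {
		obj, ok := cur.(map[string]interface{})
		if !ok {
			return false
		}
		if cur, ok = obj[key]; !ok {
			return false
		}
	}
	return cur != nil
}

// addVolumeOps builds the patch that adds vol to the pod in doc.
func addVolumeOps(doc, vol map[string]interface{}) []patchOp {
	spec, _ := doc["spec"].(map[string]interface{})
	if vols, _ := spec["volumes"].([]interface{}); len(vols) == 0 {
		// Nothing to index into: create /spec/volumes holding the volume.
		return []patchOp{{Op: "add", Path: "/spec/volumes", Value: []interface{}{vol}}}
	}
	// The array exists: "-" appends to it (RFC 6902, section 4.1).
	return []patchOp{{Op: "add", Path: "/spec/volumes/-", Value: vol}}
}

func main() {
	pod := map[string]interface{}{"spec": map[string]interface{}{"containers": []interface{}{}}} // constructed pod, no volumes
	vol := map[string]interface{}{"name": "example-token"} // hypothetical volume
	out, _ := json.Marshal(addVolumeOps(pod, vol))
	fmt.Println(parentExists(pod, "/spec/volumes/0"), string(out))
}
```

Logging the admitted object next to the generated patch makes a missing parent path visible before the API server rejects the operation.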
