Problems reconciling PodSecurityPolicies

[neuromantik33]

Expected behavior

I'm unable to apply a kustomize/kpt package with a reconciliation-timeout which contains PodSecurityPolicy resources.

Actual behavior

$ kustomize build metallb/ | kpt live apply --reconcile-timeout 30s
namespace/metallb-system failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
serviceaccount/controller failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
serviceaccount/speaker failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
podsecuritypolicy.policy/controller configured
podsecuritypolicy.policy/speaker configured
role.rbac.authorization.k8s.io/config-watcher failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
role.rbac.authorization.k8s.io/pod-lister failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
clusterrole.rbac.authorization.k8s.io/metallb-system:controller failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
clusterrole.rbac.authorization.k8s.io/metallb-system:speaker failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
rolebinding.rbac.authorization.k8s.io/config-watcher failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
rolebinding.rbac.authorization.k8s.io/pod-lister failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:controller failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:speaker failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
configmap/config failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
secret/memberlist failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
deployment.apps/controller failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
daemonset.apps/speaker failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
17 resource(s) applied. 0 created, 15 unchanged, 2 configured, 0 failed
namespace/metallb-system is Current: Resource is current
role.rbac.authorization.k8s.io/pod-lister is Current: Resource is current
secret/memberlist is Current: Resource is always ready
serviceaccount/controller is Current: Resource is current
serviceaccount/speaker is Current: Resource is current
role.rbac.authorization.k8s.io/config-watcher is Current: Resource is current
clusterrole.rbac.authorization.k8s.io/metallb-system:controller is Current: Resource is current
rolebinding.rbac.authorization.k8s.io/pod-lister is Current: Resource is current
daemonset.apps/speaker is Current: All replicas scheduled as expected. Replicas: 1
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
clusterrole.rbac.authorization.k8s.io/metallb-system:speaker is Current: Resource is current
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:speaker is Current: Resource is current
configmap/config is Current: Resource is always ready
rolebinding.rbac.authorization.k8s.io/config-watcher is Current: Resource is current
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:controller is Current: Resource is current
deployment.apps/controller is Current: Deployment is available. Replicas: 1
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
Timeout after 30 seconds waiting for 2 out of 17 resources to reach condition AllCurrent:
PodSecurityPolicy/controller Unknown 
PodSecurityPolicy/speaker Unknown

$ kubectl get podsecuritypolicies.policy 
NAME         PRIV    CAPS                          SELINUX    RUNASUSER   FSGROUP     SUPGROUP    READONLYROOTFS   VOLUMES
controller   false                                 RunAsAny   MustRunAs   MustRunAs   MustRunAs   true             configMap,secret,emptyDir
speaker      true    NET_ADMIN,NET_RAW,SYS_ADMIN   RunAsAny   RunAsAny    RunAsAny    RunAsAny    true             configMap,secret,emptyDir

Information

kpt version: 0.39.1
kustomize package: https://github.com/metallb/metallb/tree/main/manifests (fetched with kpt pkg get)

Steps to reproduce the behavior

Validate that PodSecurityPolicies are correctly handled. I can provide a kpt package if necessary.

[mikebz]

@seans3 can you please take a look here?

[seans3]

Hello Nicolas, NOTE: PodSecurityPolicy was recently deprecated in Kubernetes version 1.21 (released today). It does *NOT* affect this issue, but you will eventually want to move beyond the PSP (probably to a custom admission webhook). The error which stands out to me is: failed: can't adopt an object without the annotation config.k8s.io/owning-inventory <http://config.k8s.io/owning-inventorysecret/memberlist> This means there are two different grouping inventory objects, and one grouping is trying to adopt objects in the other. This means the inventory-id of the ConfigMap already in the cluster is different from the inventory-id for the ConfigMap created from the kustomize build command. Are you trying to create two separate groupings of objects? The " config.k8s.io/owning-inventory" can specify the inventory-id of the grouping that should own the object. To Debug: 1) Print out the inventory-id of the inventory ConfigMap already in the cluster. The inventory ConfigMap name starts with "inventory-" and is suffixed with an 8-digit (I believe) random integer: kubectl get cm -> <lists all the ConfigMaps in the default namespace> kubectl get cm/inventory-<INVENTORY-RANDOM-NUMBER> -o yaml -> <prints out all the information in the inventory object> 2) Print out the inventory-id of the inventory ConfigMap from kustomize build: kustomize build metallb/ | grep "inventory-" Please report back here these values. Thanks, Sean Sullivan

…

On Thu, Apr 8, 2021 at 2:42 PM Nicolas Estrada ***@***.***> wrote: Expected behavior I'm unable to apply a kustomize/kpt package with a reconciliation-timeout which contains PodSecurityPolicy resources. Actual behavior $ kustomize build metallb/ | kpt live apply --reconcile-timeout 30s namespace/metallb-system failed: can't adopt an object without the annotation config.k8s.io/owning-inventoryserviceaccount/controller failed: can't adopt an object without the annotation config.k8s.io/owning-inventory serviceaccount/speaker <http://config.k8s.io/owning-inventoryserviceaccount/speaker> failed: can't adopt an object without the annotation config.k8s.io/owning-inventorypodsecuritypolicy.policy/controller configuredpodsecuritypolicy.policy/speaker configuredrole.rbac.authorization.k8s.io/config-watcher failed: can't adopt an object without the annotation config.k8s.io/owning-inventoryrole.rbac.authorization.k8s.io/pod-lister failed: can't adopt an object without the annotation config.k8s.io/owning-inventoryclusterrole.rbac.authorization.k8s.io/metallb-system:controller failed: can't adopt an object without the annotation config.k8s.io/owning-inventoryclusterrole.rbac.authorization.k8s.io/metallb-system:speaker failed: can't adopt an object without the annotation config.k8s.io/owning-inventoryrolebinding.rbac.authorization.k8s.io/config-watcher failed: can't adopt an object without the annotation config.k8s.io/owning-inventoryrolebinding.rbac.authorization.k8s.io/pod-lister failed: can't adopt an object without the annotation config.k8s.io/owning-inventoryclusterrolebinding.rbac.authorization.k8s.io/metallb-system:controller failed: can't adopt an object without the annotation config.k8s.io/owning-inventoryclusterrolebinding.rbac.authorization.k8s.io/metallb-system:speaker failed: can't adopt an object without the annotation config.k8s.io/owning-inventoryconfigmap/config failed: can't adopt an object without the annotation config.k8s.io/owning-inventory secret/memberlist <http://config.k8s.io/owning-inventorysecret/memberlist> failed: can't adopt an object without the annotation config.k8s.io/owning-inventorydeployment.apps/controller failed: can't adopt an object without the annotation config.k8s.io/owning-inventory daemonset.apps/speaker failed: can't adopt an object without the annotation config.k8s.io/owning-inventory17 resource(s) applied. 0 created, 15 unchanged, 2 configured, 0 failednamespace/metallb-system is Current: Resource is currentrole.rbac.authorization.k8s.io/pod-lister is Current: Resource is currentsecret/memberlist is Current: Resource is always readyserviceaccount/controller is Current: Resource is currentserviceaccount/speaker is Current: Resource is currentrole.rbac.authorization.k8s.io/config-watcher is Current: Resource is currentclusterrole.rbac.authorization.k8s.io/metallb-system:controller is Current: Resource is currentrolebinding.rbac.authorization.k8s.io/pod-lister is Current: Resource is currentdaemonset.apps/speaker is Current: All replicas scheduled as expected. Replicas: 1podsecuritypolicy.policy/controller is Current: Resource is currentpodsecuritypolicy.policy/speaker is Current: Resource is currentclusterrole.rbac.authorization.k8s.io/metallb-system:speaker is Current: Resource is currentclusterrolebinding.rbac.authorization.k8s.io/metallb-system:speaker is Current: Resource is currentconfigmap/config is Current: Resource is always readyrolebinding.rbac.authorization.k8s.io/config-watcher is Current: Resource is currentclusterrolebinding.rbac.authorization.k8s.io/metallb-system:controller is Current: Resource is currentdeployment.apps/controller is Current: Deployment is available. Replicas: 1podsecuritypolicy.policy/controller is Current: Resource is currentpodsecuritypolicy.policy/speaker is Current: Resource is currentpodsecuritypolicy.policy/controller is Current: Resource is currentpodsecuritypolicy.policy/speaker is Current: Resource is currentpodsecuritypolicy.policy/controller is Current: Resource is currentpodsecuritypolicy.policy/speaker is Current: Resource is currentpodsecuritypolicy.policy/controller is Current: Resource is currentpodsecuritypolicy.policy/speaker is Current: Resource is currentpodsecuritypolicy.policy/controller is Current: Resource is currentpodsecuritypolicy.policy/speaker is Current: Resource is currentpodsecuritypolicy.policy/controller is Current: Resource is currentpodsecuritypolicy.policy/speaker is Current: Resource is currentpodsecuritypolicy.policy/controller is Current: Resource is currentpodsecuritypolicy.policy/speaker is Current: Resource is currentpodsecuritypolicy.policy/controller is Current: Resource is currentpodsecuritypolicy.policy/speaker is Current: Resource is currentpodsecuritypolicy.policy/controller is Current: Resource is currentpodsecuritypolicy.policy/speaker is Current: Resource is currentTimeout after 30 seconds waiting for 2 out of 17 resources to reach condition AllCurrent:PodSecurityPolicy/controller Unknown PodSecurityPolicy/speaker Unknown$ kubectl get podsecuritypolicies.policy NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMEScontroller false RunAsAny MustRunAs MustRunAs MustRunAs true configMap,secret,emptyDirspeaker true NET_ADMIN,NET_RAW,SYS_ADMIN RunAsAny RunAsAny RunAsAny RunAsAny true configMap,secret,emptyDir Information kpt version: 0.39.1 kustomize package: https://github.com/metallb/metallb/tree/main/manifests (fetched with kpt pkg get) Steps to reproduce the behavior Validate that PodSecurityPolicies are correctly handled. I can provide a kpt package if necessary. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1724>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABYLQGVYBIGJOTA6WI7ERA3THYPOBANCNFSM42TX3MFQ> .

[neuromantik33]

Ok so I deleted everything and started over (namespace included).
I decided to redeploy:

$ kustomize build metallb/ | kpt live apply --reconcile-timeout 2m
namespace/metallb-system unchanged
serviceaccount/controller created
serviceaccount/speaker created
podsecuritypolicy.policy/controller created
podsecuritypolicy.policy/speaker created
role.rbac.authorization.k8s.io/config-watcher created
role.rbac.authorization.k8s.io/pod-lister created
clusterrole.rbac.authorization.k8s.io/metallb-system:controller created
clusterrole.rbac.authorization.k8s.io/metallb-system:speaker created
rolebinding.rbac.authorization.k8s.io/config-watcher created
rolebinding.rbac.authorization.k8s.io/pod-lister created
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:controller created
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:speaker created
configmap/config created
secret/memberlist created
deployment.apps/controller created
daemonset.apps/speaker created
17 resource(s) applied. 16 created, 1 unchanged, 0 configured, 0 failed
deployment.apps/controller is NotFound: Resource not found
podsecuritypolicy.policy/controller is Current: Resource is current
role.rbac.authorization.k8s.io/config-watcher is Current: Resource is current
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:speaker is Current: Resource is current
rolebinding.rbac.authorization.k8s.io/pod-lister is Current: Resource is current
role.rbac.authorization.k8s.io/pod-lister is Current: Resource is current
rolebinding.rbac.authorization.k8s.io/config-watcher is Current: Resource is current
podsecuritypolicy.policy/controller is NotFound: Resource not found
clusterrole.rbac.authorization.k8s.io/metallb-system:speaker is Current: Resource is current
secret/memberlist is NotFound: Resource not found
serviceaccount/controller is Current: Resource is current
serviceaccount/speaker is Current: Resource is current
clusterrole.rbac.authorization.k8s.io/metallb-system:controller is Current: Resource is current
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:controller is Current: Resource is current
configmap/config is Current: Resource is always ready
daemonset.apps/speaker is NotFound: Resource not found
podsecuritypolicy.policy/speaker is Current: Resource is current
namespace/metallb-system is Current: Resource is current
podsecuritypolicy.policy/speaker is NotFound: Resource not found
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
secret/memberlist is Current: Resource is always ready
deployment.apps/controller is InProgress: Available: 0/1
daemonset.apps/speaker is InProgress: Available: 0/1
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
deployment.apps/controller is InProgress: Available: 0/1
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
deployment.apps/controller is Current: Deployment is available. Replicas: 1
daemonset.apps/speaker is Current: All replicas scheduled as expected. Replicas: 1
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
...
^C

Trying again in order to make sure no inventory warning messages show up:

$ kustomize build metallb/ | kpt live apply --reconcile-timeout 10s
namespace/metallb-system unchanged
serviceaccount/controller unchanged
serviceaccount/speaker unchanged
podsecuritypolicy.policy/controller configured
podsecuritypolicy.policy/speaker configured
role.rbac.authorization.k8s.io/config-watcher unchanged
role.rbac.authorization.k8s.io/pod-lister unchanged
clusterrole.rbac.authorization.k8s.io/metallb-system:controller unchanged
clusterrole.rbac.authorization.k8s.io/metallb-system:speaker unchanged
rolebinding.rbac.authorization.k8s.io/config-watcher unchanged
rolebinding.rbac.authorization.k8s.io/pod-lister unchanged
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:controller unchanged
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:speaker unchanged
configmap/config unchanged
secret/memberlist unchanged
deployment.apps/controller unchanged
daemonset.apps/speaker unchanged
17 resource(s) applied. 0 created, 15 unchanged, 2 configured, 0 failed
rolebinding.rbac.authorization.k8s.io/pod-lister is Current: Resource is current
role.rbac.authorization.k8s.io/pod-lister is Current: Resource is current
rolebinding.rbac.authorization.k8s.io/config-watcher is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
role.rbac.authorization.k8s.io/config-watcher is Current: Resource is current
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:speaker is Current: Resource is current
deployment.apps/controller is Current: Deployment is available. Replicas: 1
daemonset.apps/speaker is Current: All replicas scheduled as expected. Replicas: 1
serviceaccount/controller is Current: Resource is current
serviceaccount/speaker is Current: Resource is current
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:controller is Current: Resource is current
secret/memberlist is Current: Resource is always ready
clusterrole.rbac.authorization.k8s.io/metallb-system:controller is Current: Resource is current
clusterrole.rbac.authorization.k8s.io/metallb-system:speaker is Current: Resource is current
configmap/config is Current: Resource is always ready
namespace/metallb-system is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
podsecuritypolicy.policy/controller is Current: Resource is current
podsecuritypolicy.policy/speaker is Current: Resource is current
Timeout after 10 seconds waiting for 2 out of 17 resources to reach condition AllCurrent:
PodSecurityPolicy/controller Unknown 
PodSecurityPolicy/speaker Unknown

And for debug purposes

$ k get cm
NAME                 DATA   AGE
config               1      6m33s
inventory-43929552   17     6m46s

$ k get cm inventory-43929552 -o yaml
apiVersion: v1
data:
  _metallb-system__Namespace: ""
  _metallb-system__controller_rbac.authorization.k8s.io_ClusterRole: ""
  _metallb-system__controller_rbac.authorization.k8s.io_ClusterRoleBinding: ""
  _metallb-system__speaker_rbac.authorization.k8s.io_ClusterRole: ""
  _metallb-system__speaker_rbac.authorization.k8s.io_ClusterRoleBinding: ""
  metallb-system_config-watcher_rbac.authorization.k8s.io_Role: ""
  metallb-system_config-watcher_rbac.authorization.k8s.io_RoleBinding: ""
  metallb-system_config__ConfigMap: ""
  metallb-system_controller__ServiceAccount: ""
  metallb-system_controller_apps_Deployment: ""
  metallb-system_controller_policy_PodSecurityPolicy: ""
  metallb-system_memberlist__Secret: ""
  metallb-system_pod-lister_rbac.authorization.k8s.io_Role: ""
  metallb-system_pod-lister_rbac.authorization.k8s.io_RoleBinding: ""
  metallb-system_speaker__ServiceAccount: ""
  metallb-system_speaker_apps_DaemonSet: ""
  metallb-system_speaker_policy_PodSecurityPolicy: ""
kind: ConfigMap
metadata:
  creationTimestamp: "2021-04-09T09:42:50Z"
  labels:
    app.kubernetes.io/instance: metallb-stage
    apps.kubernetes.io/managed-by: kpt
    cli-utils.sigs.k8s.io/inventory-id: 8dc3eb09-a03a-438a-8725-23ecfd327d20
  name: inventory-43929552
  namespace: metallb-system
  resourceVersion: "316969"
  selfLink: /api/v1/namespaces/metallb-system/configmaps/inventory-43929552
  uid: 3b2fb466-d501-44b0-9925-c2336e95196d

Now I understand that PodSecurityPolicies are being deprecated, but for the moment they are part of the metallb manifests, so I can't get around that. It seems as if the status cannot be read properly by kpt.
Let me know if you need any more info.

[nonylene]

I got the same error, failed: can't adopt an object without the annotation config.k8s.io/owning-inventory, while live preview and live apply, after I've upgraded kpt to 0.38.1 (or 0.39.2) from 0.38.0.

The name and cli-utils.sigs.k8s.io/inventory-id of the inventory ConfigMap to be applied has not been changed between upgrades. Additionaly, they are also identical with the ones in the live cluster.

$ ./kpt_0380 version
0.38.0

$ kustomize build k8s | ./kpt_0380  live preview
serviceaccount/**** unchanged (preview)
clusterrole.rbac.authorization.k8s.io/**** unchanged (preview)
...

$ ./kpt_0381 version
0.38.1

$ kustomize build k8s | ./kpt_0381  live preview
serviceaccount/**** failed: can't adopt an object without the annotation config.k8s.io/owning-inventory (preview)
clusterrole.rbac.authorization.k8s.io/**** failed: can't adopt an object without the annotation config.k8s.io/owning-inventory (preview)
...

[nonylene]

Update: Today I found the --inventory-policy flag. $ kpt live apply --inventory-policy adopt works well for me.

[mortent]

So there are two things here.

First, kpt does not by default allow a package to "adopt" resources that already exist in the cluster. This is generally not safe since later deleting the package will remove the resource from the cluster, when presumably it might still be needed. As @nonylene has described, the --inventory-policy flag makes it possible to change the default behavior.

The original issue about PodSecurityPolicies is a duplicate of #1329. PodSecurityPolicy is a cluster-scoped resource, but the example has PSP manifests with the namespace set. kubernetes-sigs/cli-utils#378 in the upstream cli-utils repo makes sure the apply library verifies this and will return an error in these situations. These changes are being pulled into kpt in #2367, so this will be fixed in kpt once that PR is merged.

[obriensystems]

Thank you team

using --inventory-policy adopt via #1724
works well

before

michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$ kpt live apply landing-zone
installing inventory ResourceGroup CRD.
namespace/config-control apply failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
namespace/config-control reconcile skipped
configmap/setters unchanged
..
iampolicymember.iam.cnrm.cloud.google.com/log-sink-writer reconcile skipped
0 resource(s) reconciled, 90 skipped, 0 failed to reconcile, 0 timed out
1 resources failed


after
michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$ kpt live apply landing-zone --inventory-policy adopt
installing inventory ResourceGroup CRD.
namespace/config-control configured
namespace/config-control reconcile pending
namespace/config-control reconciled
configmap/setters created
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/commonaccesslevels created
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/nonprodperimaccesslevel created
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/prodaccesslevels created
accesscontextmanageraccesspolicy.accesscontextmanager.cnrm.cloud.google.com/orgaccesspolicy created
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet created