Could not update the hierarchical configuration - on Openshift #140
Are you able to add annotations to the RBAC role bindings? If so, you can use exceptions
<https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/master/docs/user-guide/how-to.md#use-limit-propagation>
to disable annotations for them. Otherwise, is there a systematic way to
identify which objects *shouldn't* be propagated, like a name or a label?
If so, we could add all the necessary OpenShift information here
<https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/082779afa4b5bdd6c9231906f3639f41d79a6999/internal/selectors/selectors.go#L161>
for the next version of HNC.
…On Tue, Feb 1, 2022 at 4:03 AM Artur Obrzut ***@***.***> wrote:
Environment: OpenShift 4.8
HNC v0.9.0
Hi
I installed HNC on an OpenShift 4.8 cluster
and I have this issue:
kubectl create namespace my-parent
namespace/my-parent created
kubectl hns create -n my-parent my-child1
Successfully created "my-child1" subnamespace anchor in "my-parent" namespace
kubectl create namespace my-child2
namespace/my-child2 created
kubectl hns set my-child2 --parent my-parent
Setting the parent of my-child2 to my-parent
Could not update the hierarchical configuration of my-child2.
Reason: admission webhook "hierarchyconfigurations.hnc.x-k8s.io" denied the request: Cannot update hierarchy because it would overwrite the following object(s):
* Namespace "my-child2": system:image-pullers (rbac.authorization.k8s.io/v1, Kind=RoleBinding)
* Namespace "my-child2": system:image-builders (rbac.authorization.k8s.io/v1, Kind=RoleBinding)
* Namespace "my-child2": system:deployers (rbac.authorization.k8s.io/v1, Kind=RoleBinding)
To fix this, please rename or remove the conflicting objects first.
Can we turn off checking of some OCP resources in HNC?
|
@adrianludwin but I want to add a PR which excludes these 3 RoleBindings |
What's the criteria you'll use to exclude these? Is it a well-known label?
If so, please include documentation here:
https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/master/docs/user-guide/concepts.md#built-in-exceptions
Thanks!
…On Tue, Feb 1, 2022 at 10:39 AM Artur Obrzut ***@***.***> wrote:
@adrianludwin <https://github.com/adrianludwin>
It works when I add annotations to the parent namespace resources,
but I want to add a PR which excludes these 3 RoleBindings.
I will prepare it.
|
Ok I will describe it in doc |
Could it make sense to skip all "system" roles ( |
This might be the right time to turn this into a CLI since this list keeps
getting longer.
e.g.:
--exclude-propagation-by-name="group/version:Kind:nameregex"
--exclude-propagation-by-label="labelkey:labelvalue"
…On Tue, Feb 1, 2022 at 11:19 AM Erik Godding Boye ***@***.***> wrote:
Could it make sense to skip all "system" roles (system:.*) by default? Or
would that be too generic?
|
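The flag format proposed in the comment above (`--exclude-propagation-by-name="group/version:Kind:nameregex"`), worked through as an added example that is not part of the thread and is not HNC code: the flag is only a proposal here, and `NameRule`, `ParseNameRule` and `Excluded` are hypothetical names. It shows that the spec must be split on its first two colons only (the names in the webhook error contain a colon themselves) and that the regex should be anchored so the exclusion stays narrow; the last two names in the sample list are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// NameRule is one parsed value of the proposed flag (hypothetical type).
type NameRule struct {
	APIVersion, Kind string
	Name             *regexp.Regexp
}

// ParseNameRule parses "group/version:Kind:nameregex". Only the first two
// colons are separators, because names such as "system:deployers" contain one.
func ParseNameRule(spec string) (NameRule, error) {
	parts := strings.SplitN(spec, ":", 3)
	if len(parts) != 3 || parts[0] == "" || parts[1] == "" || parts[2] == "" {
		return NameRule{}, fmt.Errorf("want group/version:Kind:nameregex, got %q", spec)
	}
	// Wrap the pattern so it has to match the whole name, not a substring.
	re, err := regexp.Compile(`^(?:` + parts[2] + `)$`)
	if err != nil {
		return NameRule{}, fmt.Errorf("bad name regex in %q: %w", spec, err)
	}
	return NameRule{APIVersion: parts[0], Kind: parts[1], Name: re}, nil
}

// Excluded reports whether an object would be left out of propagation.
func (r NameRule) Excluded(apiVersion, kind, name string) bool {
	return r.APIVersion == apiVersion && r.Kind == kind && r.Name.MatchString(name)
}

func main() {
	rule, err := ParseNameRule("rbac.authorization.k8s.io/v1:RoleBinding:system:.*")
	if err != nil {
		panic(err)
	}
	// First three names come from the webhook error; the last two are constructed.
	for _, n := range []string{"system:image-pullers", "system:image-builders",
		"system:deployers", "team-admins", "my-system:viewers"} {
		fmt.Printf("%-22s excluded=%v\n", n,
			rule.Excluded("rbac.authorization.k8s.io/v1", "RoleBinding", n))
	}
}
```
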
and now maybe exclude by annotations |
As already suggested above, I think it would make more sense to exclude HNC propagation of roles/rolebindings with names that have a |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
@k8s-triage-robot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |