[BUG] Generated resource gets updated endlessly #1783

Closed
realshuting opened this issue Apr 8, 2021 · 0 comments · Fixed by #1804
realshuting commented Apr 8, 2021

Software version numbers
State the version numbers of applications involved in the bug.

  • Kyverno version: v1.3.5-rc3

Describe the bug
With a generate policy that has synchronize enabled, the generated resource is updated again and again. The following log keeps printing out:

I0408 18:58:21.194090       1 generate_controller.go:327] GenerateController "msg"="started sync"  "key"="kyverno/gr-p6pkx" "startTime"="2021-04-08T18:58:21.194060721Z"
I0408 18:58:21.309360       1 request.go:591] Throttling request took 114.510467ms, request: GET:https://10.96.0.1:443/api/v1/namespaces/test1
I0408 18:58:21.317626       1 generate.go:76] GenerateController "msg"="applying generate policy rule" "apiVersion"="v1" "kind"="Namespace" "name"="test1" "namespace"="" "policy"="default-permissions"
I0408 18:58:21.326728       1 vars.go:202] GenerateController "msg"="variable substituted" "apiVersion"="v1" "kind"="Namespace" "name"="test1" "namespace"="" "policy"="default-permissions" "path"="/data/subjects/0/name" "value"="test1" "variable"="{{request.object.metadata.name}}"
I0408 18:58:21.326945       1 vars.go:202] GenerateController "msg"="variable substituted" "apiVersion"="v1" "kind"="Namespace" "name"="test1" "namespace"="" "policy"="default-permissions" "path"="/namespace" "value"="test1" "variable"="{{request.object.metadata.name}}"
I0408 18:58:21.509820       1 request.go:591] Throttling request took 180.317298ms, request: GET:https://10.96.0.1:443/apis/rbac.authorization.k8s.io/v1/namespaces/test1/rolebindings/auto-minimal-api
I0408 18:58:21.522007       1 generate.go:442] GenerateController "msg"="found target resource" "apiVersion"="v1" "genAPIVersion"="" "genKind"="RoleBinding" "genName"="auto-minimal-api" "genNamespace"="test1" "kind"="Namespace" "name"="test1" "namespace"="" "policy"="default-permissions" "resource"={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"creationTimestamp":"2021-04-08T18:38:04Z","labels":{"app.kubernetes.io/managed-by":"kyverno","kyverno.io/generated-by-kind":"Namespace","kyverno.io/generated-by-name":"test1","kyverno.io/generated-by-namespace":"","policy.kyverno.io/gr-name":"gr-p6pkx","policy.kyverno.io/policy-name":"default-permissions","policy.kyverno.io/synchronize":"enable"},"managedFields":[{"apiVersion":"rbac.authorization.k8s.io/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:app.kubernetes.io/managed-by":{},"f:kyverno.io/generated-by-kind":{},"f:kyverno.io/generated-by-name":{},"f:kyverno.io/generated-by-namespace":{},"f:policy.kyverno.io/gr-name":{},"f:policy.kyverno.io/policy-name":{},"f:policy.kyverno.io/synchronize":{}}},"f:roleRef":{"f:apiGroup":{},"f:kind":{},"f:name":{}},"f:subjects":{}},"manager":"kyverno","operation":"Update","time":"2021-04-08T18:38:04Z"}],"name":"auto-minimal-api","namespace":"test1","resourceVersion":"378254","uid":"b114fdb6-c4d4-4e7e-a917-6a70d3657431"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"minimal-api"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:test1"}]}
I0408 18:58:21.522072       1 generate.go:365] GenerateController "msg"="applying generate rule" "apiVersion"="v1" "genAPIVersion"="" "genKind"="RoleBinding" "genName"="auto-minimal-api" "genNamespace"="test1" "kind"="Namespace" "name"="test1" "namespace"="" "policy"="default-permissions" "mode"="UPDATE"
I0408 18:58:21.522198       1 generate.go:417] GenerateController "msg"="updating existing resource" "apiVersion"="v1" "genAPIVersion"="" "genKind"="RoleBinding" "genName"="auto-minimal-api" "genNamespace"="test1" "kind"="Namespace" "name"="test1" "namespace"="" "policy"="default-permissions"
I0408 18:58:21.709451       1 request.go:591] Throttling request took 185.922179ms, request: PUT:https://10.96.0.1:443/apis/rbac.authorization.k8s.io/v1/namespaces/test1/rolebindings/auto-minimal-api
I0408 18:58:21.726737       1 server.go:278] WebhookServer/handlerFunc "msg"="admission review request processed" "kind"={"group":"rbac.authorization.k8s.io","version":"v1","kind":"RoleBinding"} "name"="auto-minimal-api" "namespace"="test1" "operation"="UPDATE" "uid"="2f75696f-9984-4597-b13b-d3f110866624" "time"="4.05629ms"
I0408 18:58:21.727224       1 generation.go:34] WebhookServer "msg"="incoming request" "action"="generation" "kind"={"group":"rbac.authorization.k8s.io","version":"v1","kind":"RoleBinding"} "name"="auto-minimal-api" "namespace"="test1" "operation"="UPDATE" "uid"="2f75696f-9984-4597-b13b-d3f110866624"
I0408 18:58:21.760192       1 validate_audit.go:98] ValidateAuditHandler "msg"="admission request added"  "kind"="RoleBinding" "name"="auto-minimal-api" "namespace"="test1" "operation"="UPDATE" "uid"="00e3f814-9e9c-42f3-8df8-edac8d4c1010"
I0408 18:58:21.763310       1 server.go:407] WebhookServer/Validate "msg"="no enforce validation policies; returning AdmissionResponse.Allowed: true" "kind"="RoleBinding" "name"="auto-minimal-api" "namespace"="test1" "operation"="UPDATE" "uid"="00e3f814-9e9c-42f3-8df8-edac8d4c1010"
I0408 18:58:21.766786       1 server.go:278] WebhookServer/handlerFunc "msg"="admission review request processed" "kind"={"group":"rbac.authorization.k8s.io","version":"v1","kind":"RoleBinding"} "name"="auto-minimal-api" "namespace"="test1" "operation"="UPDATE" "uid"="00e3f814-9e9c-42f3-8df8-edac8d4c1010" "time"="7.705913ms"
I0408 18:58:21.778439       1 generate.go:424] GenerateController "msg"="updated target resource" "apiVersion"="v1" "genAPIVersion"="" "genKind"="RoleBinding" "genName"="auto-minimal-api" "genNamespace"="test1" "kind"="Namespace" "name"="test1" "namespace"="" "policy"="default-permissions"
I0408 18:58:21.802361       1 status.go:53]  "msg"="updated generate request status"  "name"="gr-p6pkx" "status"="Completed"
I0408 18:58:21.802441       1 generate_controller.go:329] GenerateController "msg"="completed sync generate request"  "key"="kyverno/gr-p6pkx" "processingTime"="608.348653ms"
I0408 18:58:21.803064       1 generate_controller.go:327] GenerateController "msg"="started sync"  "key"="kyverno/gr-p6pkx" "startTime"="2021-04-08T18:58:21.802504325Z"
I0408 18:58:21.909206       1 request.go:591] Throttling request took 101.998331ms, request: GET:https://10.96.0.1:443/api/v1/namespaces/test1
I0408 18:58:21.915073       1 generate.go:76] GenerateController "msg"="applying generate policy rule" "apiVersion"="v1" "kind"="Namespace" "name"="test1" "namespace"="" "policy"="default-permissions"
I0408 18:58:21.916973       1 vars.go:202] GenerateController "msg"="variable substituted" "apiVersion"="v1" "kind"="Namespace" "name"="test1" "namespace"="" "policy"="default-permissions" "path"="/data/subjects/0/name" "value"="test1" "variable"="{{request.object.metadata.name}}"
I0408 18:58:21.917176       1 vars.go:202] GenerateController "msg"="variable substituted" "apiVersion"="v1" "kind"="Namespace" "name"="test1" "namespace"="" "policy"="default-permissions" "path"="/namespace" "value"="test1" "variable"="{{request.object.metadata.name}}"
I0408 18:58:22.109241       1 request.go:591] Throttling request took 191.430191ms, request: GET:https://10.96.0.1:443/apis/rbac.authorization.k8s.io/v1/namespaces/test1/rolebindings/auto-minimal-api
I0408 18:58:22.117260       1 generate.go:442] GenerateController "msg"="found target resource" "apiVersion"="v1" "genAPIVersion"="" "genKind"="RoleBinding" "genName"="auto-minimal-api" "genNamespace"="test1" "kind"="Namespace" "name"="test1" "namespace"="" "policy"="default-permissions" "resource"={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"creationTimestamp":"2021-04-08T18:38:04Z","labels":{"app.kubernetes.io/managed-by":"kyverno","kyverno.io/generated-by-kind":"Namespace","kyverno.io/generated-by-name":"test1","kyverno.io/generated-by-namespace":"","policy.kyverno.io/gr-name":"gr-p6pkx","policy.kyverno.io/policy-name":"default-permissions","policy.kyverno.io/synchronize":"enable"},"managedFields":[{"apiVersion":"rbac.authorization.k8s.io/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:app.kubernetes.io/managed-by":{},"f:kyverno.io/generated-by-kind":{},"f:kyverno.io/generated-by-name":{},"f:kyverno.io/generated-by-namespace":{},"f:policy.kyverno.io/gr-name":{},"f:policy.kyverno.io/policy-name":{},"f:policy.kyverno.io/synchronize":{}}},"f:roleRef":{"f:apiGroup":{},"f:kind":{},"f:name":{}},"f:subjects":{}},"manager":"kyverno","operation":"Update","time":"2021-04-08T18:38:04Z"}],"name":"auto-minimal-api","namespace":"test1","resourceVersion":"378254","uid":"b114fdb6-c4d4-4e7e-a917-6a70d3657431"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"minimal-api"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:test1"}]}
I0408 18:58:22.117526       1 generate.go:365] GenerateController "msg"="applying generate rule" "apiVersion"="v1" "genAPIVersion"="" "genKind"="RoleBinding" "genName"="auto-minimal-api" "genNamespace"="test1" "kind"="Namespace" "name"="test1" "namespace"="" "policy"="default-permissions" "mode"="UPDATE"
I0408 18:58:22.117605       1 generate.go:417] GenerateController "msg"="updating existing resource" "apiVersion"="v1" "genAPIVersion"="" "genKind"="RoleBinding" "genName"="auto-minimal-api" "genNamespace"="test1" "kind"="Namespace" "name"="test1" "namespace"="" "policy"="default-permissions"
...

To Reproduce
Here's the policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: default-permissions
spec:
  rules:
  - name: minimal-api
    match:
      resources:
        kinds:
        - Namespace
        selector:
          matchLabels:
            policy-enabled: "true"
    generate:
      synchronize: true
      kind: RoleBinding
      name: auto-minimal-api
      namespace: "{{request.object.metadata.name}}"
      data:  
        subjects:
        - kind: Group
          name: "system:serviceaccounts:{{request.object.metadata.name}}"
          apiGroup: rbac.authorization.k8s.io
        roleRef:
          kind: ClusterRole
          name: minimal-api
          apiGroup: rbac.authorization.k8s.io

Namespace:

apiVersion: v1
kind: Namespace
metadata:
  labels:
    policy-enabled: "true"
  name: test1

Added after: when I set synchronize to false, this behavior stopped.
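
An added example, not part of the original issue and not Kyverno's own code: a triage script that scans controller logs in the format above and flags generate requests that start a new sync immediately after completing the previous one, counting how many of those syncs wrote to the target. The function names, the thresholds, the `kyverno/gr-example` key and the single-worker attribution of writes are assumptions, and the sample lines are constructed with most fields dropped.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# klog header, e.g. "I0408 18:58:21.194090       1 generate_controller.go:327] ..."
KLOG = re.compile(r'^[IWEF](\d{4}) (\d\d:\d\d:\d\d\.\d{6})\s+\d+ \S+:\d+\] (.*)$')
FIELD = re.compile(r'"(\w+)"="([^"]*)"')  # flat "key"="value" pairs only

def parse(line):
    """Return (timestamp, fields) for a klog line, or None for anything else."""
    m = KLOG.match(line)
    if not m:
        return None
    # klog omits the year; 2000 is assumed so that a 0229 stamp still parses.
    ts = datetime.strptime("2000" + m.group(1) + m.group(2), "%Y%m%d%H:%M:%S.%f")
    return ts, dict(FIELD.findall(m.group(3)))

def hot_loops(lines, max_gap=timedelta(seconds=1), min_restarts=3):
    """Map each looping generate-request key to (immediate re-syncs, target writes)."""
    completed, restarts, writes = {}, defaultdict(int), defaultdict(int)
    active = None  # request being synced; assumes one worker, as in the log above
    for ts, f in filter(None, map(parse, lines)):
        msg = f.get("msg")
        if msg == "started sync":
            active = f["key"]
            if active in completed and ts - completed[active] <= max_gap:
                restarts[active] += 1
        elif msg == "updated target resource" and active:
            writes[active] += 1
        elif msg == "completed sync generate request":
            completed[f["key"]] = ts
            active = None
    return {k: (n, writes[k]) for k, n in restarts.items() if n >= min_restarts}

def sample_lines():
    """Constructed lines in the issue's log format, with most fields dropped."""
    t, out = datetime(2000, 4, 8, 18, 58, 21), ["..."]
    def emit(src, body, step_ms):
        nonlocal t
        t += timedelta(milliseconds=step_ms)
        stamp = t.strftime("I%m%d %H:%M:%S.%f")
        out.append(f'{stamp}       1 {src}] GenerateController {body}')
    for key, rounds in (("kyverno/gr-p6pkx", 4), ("kyverno/gr-example", 1)):
        for _ in range(rounds):
            emit("generate_controller.go:327", f'"msg"="started sync"  "key"="{key}"', 1)
            emit("generate.go:424", '"msg"="updated target resource" "genKind"="RoleBinding"', 575)
            emit("generate_controller.go:329", f'"msg"="completed sync generate request"  "key"="{key}"', 24)
    return out

print(hot_loops(sample_lines()))
```

A request that syncs once, like the constructed `kyverno/gr-example`, is not reported; only keys that re-enter sync within `max_gap` of completing at least `min_restarts` times are.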

realshuting added the bug label Apr 8, 2021
realshuting added this to the Kyverno Release 1.3.6 milestone Apr 8, 2021