Tap APIService causes shortname conflict warnings with kubectl 1.29 #11784

siggy · 2023-12-18T18:43:54Z

What is the issue?

When running with Kubectl 1.29 with a cluster with linkerd-viz, I get these warnings when running kubectl commands:

Warning: short name "deploy" could also match lower priority resource deployments.tap.linkerd.io

The TAP APIService uses shortnames that collide with other Kubernetes resources (e.g. deploy, po, etc):

linkerd2/viz/tap/api/handlers.go

Lines 56 to 72 in 913e118

    
           	resources = []struct { 
        
           		name       string 
        
           		shortname  string 
        
           		namespaced bool 
        
           	}{ 
        
           		{"namespaces", "ns", false}, 
        
           		{"pods", "po", true}, 
        
           		{"replicationcontrollers", "rc", true}, 
        
           		{"services", "svc", true}, 
        
           		{"daemonsets", "ds", true}, 
        
           		{"deployments", "deploy", true}, 
        
           		{"replicasets", "rs", true}, 
        
           		{"statefulsets", "sts", true}, 
        
           		{"jobs", "", true}, 
        
           		{"cronjobs", "cj", true}, 
        
           	} 
        
           )

How can it be reproduced?

With kubectl 1.29+ on a cluster with linkerd-viz installed, run kubectl get deploy.

Logs, error output, etc

$ kubectl version
Client Version: v1.29.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.3

$ kubectl get deploy
Warning: short name "deploy" could also match lower priority resource deployments.tap.linkerd.io
NAME      READY   UP-TO-DATE   AVAILABLE   AGE
hello     3/3     3            3           650d
traffic   1/1     1            1           640d

output of `linkerd check -o short`

$ linkerd check -o short
linkerd-identity
----------------
‼ issuer cert is valid for at least 60 days
    issuer certificate will expire on 2024-01-08T00:00:24Z
    see https://linkerd.io/2/checks/#l5d-identity-issuer-cert-not-expiring-soon for hints

Status check results are √

Environment

Kubernetes Version: v1.28.3
Cluster Environment: AKS
Host OS: Ubuntu
Linkerd version: edge-23.12.2

Possible solution

Remove or modify the shortnames in the Tap APIService:

linkerd2/viz/tap/api/handlers.go

Lines 56 to 72 in 913e118

    
           	resources = []struct { 
        
           		name       string 
        
           		shortname  string 
        
           		namespaced bool 
        
           	}{ 
        
           		{"namespaces", "ns", false}, 
        
           		{"pods", "po", true}, 
        
           		{"replicationcontrollers", "rc", true}, 
        
           		{"services", "svc", true}, 
        
           		{"daemonsets", "ds", true}, 
        
           		{"deployments", "deploy", true}, 
        
           		{"replicasets", "rs", true}, 
        
           		{"statefulsets", "sts", true}, 
        
           		{"jobs", "", true}, 
        
           		{"cronjobs", "cj", true}, 
        
           	} 
        
           )

Additional context

Relates to kubernetes/kubernetes#108573

Would you like to work on fixing this bug?

yes

The text was updated successfully, but these errors were encountered:

The Tap API resource shortnames were colliding with existing Kubernetes resources (e.g. `po`, `deploy`, etc), causing warnings from kubectl v1.29.0+. Remove the shortnames from the Tap APIService handlers. Fixes #11784 Signed-off-by: Andrew Seigner <siggy@buoyant.io>

The Tap API resource shortnames were colliding with existing Kubernetes resources (e.g. `po`, `deploy`, etc), causing warnings from kubectl v1.29.0+. Remove the shortnames from the Tap APIService handlers. To validate: ```bash bin/k3d cluster create curl https://run.linkerd.io/install-edge | sh linkerd install --crds | kubectl apply -f - linkerd install | kubectl apply -f - linkerd check linkerd viz install | kubectl apply -f - linkerd check kubectl api-resources --api-group=tap.linkerd.io kubectl get po TAP_IMAGE=$(bin/docker-build-tap) bin/k3d image load $TAP_IMAGE kubectl -n linkerd-viz set image deploy/tap tap=$TAP_IMAGE kubectl api-resources --api-group=tap.linkerd.io kubectl get po ``` Fixes #11784 Signed-off-by: Andrew Seigner <siggy@buoyant.io>

The Tap API resource shortnames were colliding with existing Kubernetes resources (e.g. `po`, `deploy`, etc), causing warnings from kubectl v1.29.0+. Remove the shortnames from the Tap APIService handlers. To validate: ```bash bin/k3d cluster create # install latest edge curl https://run.linkerd.io/install-edge | sh linkerd install --crds | kubectl apply -f - linkerd install | kubectl apply -f - linkerd check linkerd viz install | kubectl apply -f - linkerd check # show shortnames kubectl api-resources --api-group=tap.linkerd.io # with kubectl v1.29.0+, observe "Warning: short name..." kubectl get po # replace tap image TAP_IMAGE=$(bin/docker-build-tap) bin/k3d image load $TAP_IMAGE kubectl -n linkerd-viz set image deploy/tap tap=$TAP_IMAGE # verify shortnames are no longer present kubectl api-resources --api-group=tap.linkerd.io # with kubectl v1.29.0+, observe no warning kubectl get po ``` Fixes #11784 Signed-off-by: Andrew Seigner <siggy@buoyant.io>

The Tap API resource shortnames were colliding with existing Kubernetes resources (e.g. `po`, `deploy`, etc), causing warnings from kubectl v1.29.0+. Remove the shortnames from the Tap APIService handlers. To validate: ```bash bin/k3d cluster create # install latest edge curl https://run.linkerd.io/install-edge | sh linkerd install --crds | kubectl apply -f - linkerd install | kubectl apply -f - linkerd check linkerd viz install | kubectl apply -f - linkerd check # observe shortnames kubectl api-resources --api-group=tap.linkerd.io # with kubectl v1.29.0+, observe "Warning: short name..." kubectl get po # replace tap image TAP_IMAGE=$(bin/docker-build-tap) bin/k3d image load $TAP_IMAGE kubectl -n linkerd-viz set image deploy/tap tap=$TAP_IMAGE # verify shortnames are no longer present kubectl api-resources --api-group=tap.linkerd.io # with kubectl v1.29.0+, observe no warning kubectl get po ``` Fixes #11784 Signed-off-by: Andrew Seigner <siggy@buoyant.io>

This edge release introduces a number of different fixes and improvements. More notably, it introduces a new `cni-repair-controller` binary to the CNI plugin image. The controller will automatically restart pods that have not received their iptables configuration. * Removed shortnames from Tap API resources to avoid colliding with existing Kubernetes resources ([#11816]; fixes [#11784]) * Introduced a new ExternalWorkload CRD to support upcoming mesh expansion feature ([#11805]) * Changed `MeshTLSAuthentication` resource validation to allow SPIFFE URI identities ([#11882]) * Introduced a new `cni-repair-controller` to the `linkerd-cni` DaemonSet to automatically restart misconfigured pods that are missing iptables rules ([#11699]; fixes [#11073]) * Fixed a `"duplicate metrics"` warning in the multicluster service-mirror component ([#11875]; fixes [#11839]) * Added metric labels and weights to `linkerd diagnostics endpoints` json output ([#11889]) * Changed how `Server` updates are handled in the destination service. The change will ensure that during a cluster resync, consumers won't be overloaded by redundant updates ([#11907]) * Changed `linkerd install` error output to add a newline when a Kubernetes client cannot be successfully initialised [#11816]: #11816 [#11784]: #11784 [#11805]: #11805 [#11882]: #11882 [#11699]: #11699 [#11073]: #11073 [#11875]: #11875 [#11839]: #11839 [#11889]: #11889 [#11907]: #11907 [#11917]: #11917 Signed-off-by: Matei David <matei@buoyant.io>

This edge release introduces a number of different fixes and improvements. More notably, it introduces a new `cni-repair-controller` binary to the CNI plugin image. The controller will automatically restart pods that have not received their iptables configuration. * Removed shortnames from Tap API resources to avoid colliding with existing Kubernetes resources ([#11816]; fixes [#11784]) * Introduced a new ExternalWorkload CRD to support upcoming mesh expansion feature ([#11805]) * Changed `MeshTLSAuthentication` resource validation to allow SPIFFE URI identities ([#11882]) * Introduced a new `cni-repair-controller` to the `linkerd-cni` DaemonSet to automatically restart misconfigured pods that are missing iptables rules ([#11699]; fixes [#11073]) * Fixed a `"duplicate metrics"` warning in the multicluster service-mirror component ([#11875]; fixes [#11839]) * Added metric labels and weights to `linkerd diagnostics endpoints` json output ([#11889]) * Changed how `Server` updates are handled in the destination service. The change will ensure that during a cluster resync, consumers won't be overloaded by redundant updates ([#11907]) * Changed `linkerd install` error output to add a newline when a Kubernetes client cannot be successfully initialised ([#11917]) [#11816]: #11816 [#11784]: #11784 [#11805]: #11805 [#11882]: #11882 [#11699]: #11699 [#11073]: #11073 [#11875]: #11875 [#11839]: #11839 [#11889]: #11889 [#11907]: #11907 [#11917]: #11917 Signed-off-by: Matei David <matei@buoyant.io>

The Tap API resource shortnames were colliding with existing Kubernetes resources (e.g. `po`, `deploy`, etc), causing warnings from kubectl v1.29.0+. Remove the shortnames from the Tap APIService handlers. To validate: ```bash bin/k3d cluster create # install latest edge curl https://run.linkerd.io/install-edge | sh linkerd install --crds | kubectl apply -f - linkerd install | kubectl apply -f - linkerd check linkerd viz install | kubectl apply -f - linkerd check # observe shortnames kubectl api-resources --api-group=tap.linkerd.io # with kubectl v1.29.0+, observe "Warning: short name..." kubectl get po # replace tap image TAP_IMAGE=$(bin/docker-build-tap) bin/k3d image load $TAP_IMAGE kubectl -n linkerd-viz set image deploy/tap tap=$TAP_IMAGE # verify shortnames are no longer present kubectl api-resources --api-group=tap.linkerd.io # with kubectl v1.29.0+, observe no warning kubectl get po ``` Fixes #11784 Signed-off-by: Andrew Seigner <siggy@buoyant.io>

siggy added the bug label Dec 18, 2023

olix0r assigned siggy Dec 21, 2023

siggy mentioned this issue Dec 22, 2023

Remove shortnames from Tap API resources #11816

Merged

alpeb closed this as completed in #11816 Jan 4, 2024

alpeb closed this as completed in ff25a71 Jan 4, 2024

mateiidavid mentioned this issue Jan 12, 2024

edge-24.1.1 #11922

Merged

github-actions bot locked as resolved and limited conversation to collaborators Feb 4, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Tap APIService causes shortname conflict warnings with kubectl 1.29 #11784

Tap APIService causes shortname conflict warnings with kubectl 1.29 #11784

siggy commented Dec 18, 2023

Tap APIService causes shortname conflict warnings with kubectl 1.29 #11784

Tap APIService causes shortname conflict warnings with kubectl 1.29 #11784

Comments

siggy commented Dec 18, 2023

What is the issue?

How can it be reproduced?

Logs, error output, etc

output of linkerd check -o short

Environment

Possible solution

Additional context

Would you like to work on fixing this bug?

output of `linkerd check -o short`