structure of /v1/data/ in opa has changed with kube-mgmt 0.10-rc1

[rtoma]

We sync kubernetes namespace data to OPA.

With kube-mgmt 0.9 the response of GET /v1/data/kubernetes/namespaces is like:

{
  "decision_id": "0330b1eb-2fc8-4f2f-befe-330b7bbe3032",
  "result": {
    "my-namespace": {
      "apiVersion": "v1",
      "kind": "Namespace",
      "metadata": {
...

With kube-mgmt 0.10-rc1 the response changed to:

{
  "result": {
    "": {                                                  # <-----------
      "my-namespace": {
        "apiVersion": "v1",
        "kind": "Namespace",
        "metadata": {
...

Note the empty-string hash key.

[tsandall]

@rtoma can you share the flags you started kube-mgmt with and the version of Kubernetes you're running against? I'm not able to reproduce this against Kubernetes v1.13 or v1.15.

{
  "result": {
    "kubernetes": {
      "namespaces": {
        "default": {
          "apiVersion": "v1",
          "kind": "Namespace",
          "metadata": {
            "creationTimestamp": "2019-10-02T12:44:16Z",
            "name": "default",
            "resourceVersion": "150",
            "selfLink": "/api/v1/namespaces/default",
            "uid": "3ed489d0-0648-4476-be9d-376a5c5298eb"
          },
          "spec": {
            "finalizers": [
              "kubernetes"
            ]
          },
          "status": {
            "phase": "Active"
          }
        },
        "kube-node-lease": {
          "apiVersion": "v1",
          "kind": "Namespace",
          "metadata": {
            "creationTimestamp": "2019-10-02T12:44:12Z",
            "name": "kube-node-lease",
            "resourceVersion": "8",
            "selfLink": "/api/v1/namespaces/kube-node-lease",
            "uid": "28f5d5f2-d739-43c9-8591-e754f925f494"
          },
          "spec": {
            "finalizers": [
              "kubernetes"
            ]
          },
          "status": {
            "phase": "Active"
          }
        },

kube-mgmt args:

      - name: kube-mgmt
        image: openpolicyagent/kube-mgmt:0.10
        args:
        - --replicate-cluster=v1/namespaces

[rtoma]

I have tested openpolicyagent/kube-mgmt:0.10-rc1 (b38f0386cfc1) on v1.13.7-gke.24 with flags:

          - --replicate=v1/namespaces
          - --replicate=v1/pods
          - --replicate=extensions/v1beta1/ingresses

I see you used a different OPA REST endpoint. I used /v1/data/kubernetes/namespaces and not /v1/data.

[tsandall]

Ah, interesting. Your args should be --replicate-cluster=v1/namespaces not --replicate=.... The --replicate-cluster flag tells kube-mgmt the resource is cluster scoped while the --replicate flag tells kube-mgmt the resource is namespace scoped. It seems the new version of kube-mgmt behaves slightly differently here. Nonetheless, you'll want to use --replicate-cluster. See https://github.com/open-policy-agent/kube-mgmt#caching

RE: the OPA REST endpoint, whether you can query at /data or /data/kubernetes/namespaces etc. doesn't matter in this case (the underlying data is the same.)

If you're able to test out v0.10 with the updated flag and let me know that would great (but I understand if you've got other things to do :D)

[rtoma]

Verified with kube-mgmt:0.10 with --replicate-cluster=v1/namespaces and everything is fine. Closing.