HNC: Deleting a subnamespace after creating resources in the parent namespace results in error #1130
Comments
tomersolomon1
changed the title
|
Thanks for the bug report. I'm looking at this now at high priority (I have an idea what the cause is) and hopefully can push out a release with a fix tonight or tomorrow. |
|
Whoops, I missed the fact that you identified exactly what the cause is :) That seems like a good solution, I'll go with that. Thanks! |
|
This doesn't appear to affect full namespaces. The reason seems to be that as the K8s controller deletes all the objects in the namespace, it also deletes the But for subnamespaces, even though the |
|
Reproduced this with a simple e2e test |
|
A short-term workaround is to remove the |
See issue kubernetes-retired#1130. The HNC object validator was preventing the K8s namespace controller from cleaning out a namespace to allow it to be deleted. This change lets HNC understand that when a namespace is being deleted, we should ignore the subnamespaceOf annotation. This allows the HierarchyConfiguration object to be reset to its initial state (like a full namespace would when it's being deleted), orphaning the namespace and allowing all its propagated objects to be removed. Tested: added new tests and ran them multiple times while watching the logs. The subnamespace test failed without this change and passed every time with it, with the logs showing the expected behaviour.
|
I've found a cleaner and more minimal fix for v0.5 (#1139), triggered by the fact that this only affected subnamespaces and full namespaces. Basically, we were preventing subnamespaces from being orphaned as K8s deleted their hierarchical configuration; by allowing them to be orphaned, all objects are removed naturally. With that said, it's generally a good idea not to fight the K8s controllers (it's so annoying when you can't finish deleting a namespace), so I've filed #1140 to address this. |
This is the cherrypick from v0.5 to master. The original commit message is shown below. Tested: new e2e tests pass; made a slight change to make them more robust. --- See issue kubernetes-retired#1130. The HNC object validator was preventing the K8s namespace controller from cleaning out a namespace to allow it to be deleted. This change lets HNC understand that when a namespace is being deleted, we should ignore the subnamespaceOf annotation. This allows the HierarchyConfiguration object to be reset to its initial state (like a full namespace would when it's being deleted), orphaning the namespace and allowing all its propagated objects to be removed. Tested: added new tests and ran them multiple times while watching the logs. The subnamespace test failed without this change and passed every time with it, with the logs showing the expected behaviour.
|
Fixed in v0.5 and master. /close |
|
@adrianludwin: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
The following sequence doesn't work:
The subnamespace gets stuck in the middle of deletion, and I see the following log:
By adding some logging to the validator, I got that the username which issued the
AdmissionRequestissystem:serviceaccount:kube-system:namespace-controller. However, this user isn't exempted from the webhook, and onlysystem:serviceaccounts:hnc-systemis exempted. So theAdmissionRequestisn't automatically allowed, and then it is rejected as the resource has the labelhnc.x-k8s.io/inheritedFrom: hnc-try(hnc-try is the name of the parent namespace).I would suggest to exclude the same service accounts as atlasian excludes:
https://github.com/atlassian/voyager/blob/11ade5a733008770a7df4b12aee2399dc2af5d12/pkg/admission/server.go#L61
Environment
Kind version:
Kubernetes version:
Operator version - v0.5.2
The text was updated successfully, but these errors were encountered: