Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

volumeMounted configmap does not trigger bundle watch events #2588

Closed
drewwells opened this issue Jul 30, 2020 · 2 comments · Fixed by #2668
Closed

volumeMounted configmap does not trigger bundle watch events #2588

drewwells opened this issue Jul 30, 2020 · 2 comments · Fixed by #2668
Labels
investigating Issues being actively investigated

Comments

@drewwells
Copy link
Contributor

Expected Behavior

A volume mounted configmap would trigger a filewatch event in opa.

Actual Behavior

The configmap symlink points to an updated file, but no event is registered in OPA.

Steps to Reproduce the Problem

Create a pod with opa in it. Create a configmap with a bundle tarball
Start opa with opa run -s -b -w /volumePath/bundle.tar.gz
Update the configmap somehow
Check the opa logs for file watch events

We use 0.18.0, but 0.22.0 showed the same issues

Additional Info

I've seen other projects that claim support for mounted configmap file watch events. linkerd/linkerd2#1061 It should be possible to watch the symlink and see file events for symlink changes.
@ashutosh-narkar ashutosh-narkar added the investigating Issues being actively investigated label Jul 30, 2020
@ashutosh-narkar
Copy link
Member

@drewwells Are you updating the a file(s) in bundle.tar.gz under the volumePath dir, then updating the tarball and not seeing any events in the OPA log ? Is that the scenario or are you doing something else ?

drewwells added a commit to drewwells/opa that referenced this issue Jul 30, 2020
@drewwells
fixes open-policy-agent#2588 watch directories
d996b48 
Watching files only works in situations where standard files are in
use. In k8s, configmaps are mounted via a set of symlinks. In those
situations, you will only get file events when watching the directory
containing the symlink. Since by default, configmaps are mounted as
directories, I don't expect many people to find regressions when using this.

Signed-off-by: Drew Wells <drew.wells00@gmail.com>
@drewwells
Copy link
Contributor Author

@drewwells Are you updating the a file(s) in bundle.tar.gz under the volumePath dir, then updating the tarball and not seeing any events in the OPA log ? Is that the scenario or are you doing something else ?

@ashutosh-narkar That's right. Kubelet uses symlinks to point to the most recent version of a volume mount. As a result, it does not necessarily trigger the file events that fsnotify expects. I have updated the file watcher to instead watch the directories. We use this internally and it has been working well.

My PR fixing this is here #2589 I'm not able to re-open the PR, but the tests are now working.

@drewwells drewwells mentioned this issue Aug 28, 2020
Merged
drewwells added a commit to drewwells/opa that referenced this issue Aug 28, 2020
@drewwells
file watching only watches parent directory
a1e06ad 
Watching files only works in situations where standard files are in
use. In k8s, configmaps are mounted via a set of symlinks. In those
situations, you will only get file events when watching the directory
containing the symlink.

Fixes open-policy-agent#2588

Signed-off-by: Drew Wells <drew.wells00@gmail.com>
patrick-east pushed a commit that referenced this issue Sep 2, 2020
@drewwells @patrick-east
file watching only watches parent directory
7262717 
Watching files only works in situations where standard files are in
use. In k8s, configmaps are mounted via a set of symlinks. In those
situations, you will only get file events when watching the directory
containing the symlink.

Fixes #2588

Signed-off-by: Drew Wells <drew.wells00@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
investigating Issues being actively investigated
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Feature/file events drewwells/opa
2 participants
@drewwells @ashutosh-narkar