Revert "Merge pull request #566 from viccuad/feat-webhooks-reconciled" #569

Merged
merged 1 commit into from
Nov 2, 2023

@jvanz jvanz commented Nov 1, 2023

Description

I've opened this PR to revert the change adding owner reference to the webhooks. This is necessary because the version v1.9.0-rc2 containing this feature is not able to set the admission policy as active. This is the error from the controller logs:

2023-11-01T14:05:06Z    ERROR   Reconciler error        {"controller": "admissionpolicy", "controllerGroup": "policies.kubewarden.io", "controllerKind": "AdmissionPolicy", "AdmissionPolicy": {"name":"pod-privileged","namespace":"kubewarden"}, "namespace": "kubewarden", "name": "pod-privileged", "reconcileID": "cf067c30-e596-4eaa-ae89-91dc683a659e", "error": "error reconciling validating webhook\ncannot set OwnerReference on WebhookConfiguration: cluster-scoped resource must not have a namespace-scoped owner, owner's namespace kubewarden"}

As far as I can see, the issue is that we are using a namespace-scoped resource (AdmissionPolicy) as the owner of a cluster-scoped resource (ValidatingWebHook). This is not allowed:

Cross-namespace owner references are disallowed by design. Namespaced dependents can specify cluster-scoped or namespaced owners. A namespaced owner must exist in the same namespace as the dependent. If it does not, the owner reference is treated as absent, and the dependent is subject to deletion once all owners are verified absent.

Cluster-scoped dependents can only specify cluster-scoped owners. In v1.20+, if a cluster-scoped dependent specifies a namespaced kind as an owner, it is treated as having an unresolvable owner reference, and is not able to be garbage collected.

In v1.20+, if the garbage collector detects an invalid cross-namespace ownerReference, or a cluster-scoped dependent with an ownerReference referencing a namespaced kind, a warning Event with a reason of OwnerRefInvalidNamespace and an involvedObject of the invalid dependent is reported. You can check for that kind of Event by running kubectl get events -A --field-selector=reason=OwnerRefInvalidNamespace.

@jvanz jvanz requested review from viccuad and a team November 1, 2023 21:57
@jvanz jvanz self-assigned this Nov 1, 2023
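
The scope rules quoted in the description above, written as a Go function that can be checked against a table of owner/dependent pairs. This is an added example, not code from this PR or from the kubewarden project; the `Object` type, `ValidateOwner`, and every object name except the policy taken from the log are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Object is a constructed stand-in for the metadata the rule depends on.
// An empty Namespace means the object is cluster-scoped.
type Object struct{ Kind, Name, Namespace string }

var (
	ErrNamespacedOwner = errors.New("cluster-scoped dependent must not have a namespaced owner")
	ErrCrossNamespace  = errors.New("owner and dependent are in different namespaces")
)

// ValidateOwner returns nil when owner may appear in dependent's ownerReferences.
func ValidateOwner(owner, dependent Object) error {
	switch {
	case owner.Namespace == "":
		return nil // cluster-scoped owners are valid for any dependent
	case dependent.Namespace == "":
		return fmt.Errorf("%w: %s %s/%s cannot own %s %s", ErrNamespacedOwner,
			owner.Kind, owner.Namespace, owner.Name, dependent.Kind, dependent.Name)
	case owner.Namespace != dependent.Namespace:
		return fmt.Errorf("%w: %s is in %q, %s is in %q", ErrCrossNamespace,
			owner.Kind, owner.Namespace, dependent.Kind, dependent.Namespace)
	}
	return nil // namespaced owner and dependent share a namespace
}

func main() {
	// Only the policy comes from the log above; the other objects are constructed.
	policy := Object{"AdmissionPolicy", "pod-privileged", "kubewarden"}
	webhook := Object{"ValidatingWebhookConfiguration", "example-webhook", ""}
	clusterOwner := Object{"ExampleClusterScopedKind", "example-owner", ""}
	sameNS := Object{"ConfigMap", "example-cm", "kubewarden"}
	otherNS := Object{"ConfigMap", "example-cm", "default"}

	for _, c := range []struct{ owner, dep Object }{
		{policy, webhook}, {clusterOwner, webhook}, {policy, sameNS}, {policy, otherNS},
	} {
		fmt.Printf("%s -> %s: %v\n", c.owner.Kind, c.dep.Kind, ValidateOwner(c.owner, c.dep))
	}
}
```

The first pair is the combination reported in the controller log; the other three cover the remaining cases in the quoted rules.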

flavio commented Nov 2, 2023

I'm fine with the revert, we can figure out the proper solution without blocking the 1.9 release

…reconciled"

This reverts commit 188def9, reversing
changes made to 581729d.

Signed-off-by: José Guilherme Vanz <[email protected]>
@flavio flavio merged commit 0ee4974 into kubewarden:main Nov 2, 2023

flavio commented Nov 2, 2023

@kravciak it would be nice to expand the e2e tests to catch this type of regression we've introduced
