CRDs cause errors (both for RBAC and SUPPORTED_API_VERSIONS)
See original GitHub issue
The connaisseur webhook seems to intercept any CREATE/UPDATE operations, even those to CRDs. However, the clusterrolebinding doesn’t have access to “get” these resources, and this creates errors like this:
[2022-03-17 04:47:13,564] ERROR: Traceback (most recent call last):
File "/app/connaisseur/flask_application.py", line 71, in mutate
response = asyncio.run(__admit(admission_request))
File "/usr/local/lib/python3.10/asyncio/runners.py", line 44, in run
return loop.run_until_complete(main)
File "/usr/local/lib/python3.10/asyncio/base_events.py", line 641, in run_until_complete
return future.result()
File "/app/connaisseur/flask_application.py", line 139, in __admit
await patches
File "/app/connaisseur/flask_application.py", line 165, in __validate_image
image in admission_request.wl_object.parent_containers.values()
File "/app/connaisseur/workload_object.py", line 68, in parent_containers
parent = k_api.request_kube_api(
File "/app/connaisseur/kube_api.py", line 22, in request_kube_api
response.raise_for_status()
File "/usr/local/lib/python3.10/site-packages/requests/models.py", line 960, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://10.96.0.1:443/apis/vault.banzaicloud.com/v1alpha1/namespaces/preview-notifications-pr-7/vaults/vault
Expected behavior
Since we already have a preset list of objects we allow connaisseur to watch, connaisseur should only respond to these objects, not all objects.
Optional: To reproduce
- Deploy connaisseur
- Add any service which uses CRDs to specify images (the above example uses banzaicloud’s bank-vaults)
- Watch connaisseur logs
- Deploy a CR for the service, and observe the error
Optional: Versions (please complete the following information as relevant):
- Connaisseur: 2.5.1
Optional: Additional context
As a test, I manually edited the clusterrole to permit get to all the CRDs we use. In the example below, minio-operator’s Tenant CR was used. Although connaisseur was able to get the object, it still produced an error:
[2022-03-17 01:57:30,798] ERROR: Traceback (most recent call last):
File "/app/connaisseur/flask_application.py", line 71, in mutate
response = asyncio.run(__admit(admission_request))
File "/usr/local/lib/python3.10/asyncio/runners.py", line 44, in run
return loop.run_until_complete(main)
File "/usr/local/lib/python3.10/asyncio/base_events.py", line 641, in run_until_complete
return future.result()
File "/app/connaisseur/flask_application.py", line 139, in __admit
await patches
File "/app/connaisseur/flask_application.py", line 165, in __validate_image
image in admission_request.wl_object.parent_containers.values()
File "/app/connaisseur/workload_object.py", line 81, in parent_containers
parent_containers.update(WorkloadObject(parent, self.namespace).containers)
File "/app/connaisseur/workload_object.py", line 40, in __init__
if self.api_version not in SUPPORTED_API_VERSIONS[self.kind]:
KeyError: 'Tenant'
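The two failures in the report share one root cause: the webhook tries to resolve every owner of a workload, so an owner of an unknown kind either triggers an API call the ClusterRole does not permit (the 403) or an unguarded `SUPPORTED_API_VERSIONS[self.kind]` lookup (the KeyError). The following added example, which is not Connaisseur's own code, shows the defensive shape of the "only touch kinds on the preset list" behaviour the reporter expects: the support table, the owner names and the `minio.example/v1` group are assumed values.

```python
# Added example (not Connaisseur's code): decide which ownerReferences an
# admission webhook may resolve. Unknown kinds (CRDs such as the
# vault.banzaicloud.com/v1alpha1 Vault from the report) are skipped instead of
# causing a 403 from the API server or a KeyError in the support table.

# Assumed support table, modelled on the SUPPORTED_API_VERSIONS lookup seen in
# the traceback; the real table may differ.
SUPPORTED_API_VERSIONS = {
    "Pod": ["v1"],
    "ReplicaSet": ["apps/v1"],
    "Deployment": ["apps/v1"],
    "StatefulSet": ["apps/v1"],
    "DaemonSet": ["apps/v1"],
    "Job": ["batch/v1"],
    "CronJob": ["batch/v1", "batch/v1beta1"],
}


def is_supported(kind: str, api_version: str) -> bool:
    """Safe membership test: an unknown kind yields False, never KeyError."""
    return api_version in SUPPORTED_API_VERSIONS.get(kind, ())


def plan_parent_lookups(owner_refs):
    """Split ownerReferences into parents to fetch and parents to skip.

    Returns (fetch, skipped). Only entries in `fetch` should ever reach the
    Kubernetes API, so the webhook needs no RBAC "get" on arbitrary CRDs.
    """
    fetch, skipped = [], []
    for ref in owner_refs:
        kind, api_version = ref.get("kind", ""), ref.get("apiVersion", "")
        target = fetch if is_supported(kind, api_version) else skipped
        target.append((api_version, kind, ref.get("name", "")))
    return fetch, skipped


# Constructed sample: a Pod owned by a ReplicaSet plus two custom-resource
# owners; the Tenant's API group below is a placeholder, not the real one.
SAMPLE_OWNER_REFS = [
    {"apiVersion": "apps/v1", "kind": "ReplicaSet", "name": "web-7d9f"},
    {"apiVersion": "vault.banzaicloud.com/v1alpha1", "kind": "Vault", "name": "vault"},
    {"apiVersion": "minio.example/v1", "kind": "Tenant", "name": "tenant"},
]

if __name__ == "__main__":
    to_fetch, to_skip = plan_parent_lookups(SAMPLE_OWNER_REFS)
    print("fetch:", to_fetch)  # only the ReplicaSet
    print("skip:", to_skip)    # Vault and Tenant, never queried
```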
Issue Analytics
- Created 2 years ago
- Comments: 10 (4 by maintainers)
Thanks heaps, @xopham, -rc3 seems to work as expected 😃

Hi @xopham,
Sure, here’s a really minimal reproduction, tested using KinD:
Output is something like this: