fix: Don't create namespace on startup unless needed #110
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This changes the startup code for the secret store to not try to create the namespace as a way to check if it exists. Now it will only attempt if the namespace does not already exist. Submitting a create request can trigger admission webhooks. If there are namespace policies for jspolicy already deployed this can cause jspolicy to not be able to come back up if the deployment were scaled down or if no pods are running for some other reason. Without this change, the only way to recover is to delete any mutating/validating webhooks on namespaces* and then the jspolicy pods will be able to start. NOTE: In some cases namespae webhooks might exclude or only include certain namespaces. However the jspolicy namespace creation has no labels applied at submission time so label filters cannot exclude it appropriately if that is how the policies were set up. Inclusion filters of course would be less likely to be a problem.
👷 Deploy request for jspolicy-docs pending review.Visit the deploys page to approve it
|
FabianKramm
approved these changes
Dec 12, 2023
|
@arsenetar thanks for the PR! LGTM! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This changes the startup code for the secret store to not try to create the namespace as a way to check if it exists. Now it will only attempt if the namespace does not already exist. Submitting a create request can trigger admission webhooks. If there are namespace policies for jspolicy already deployed this can cause jspolicy to not be able to come back up if the deployment were scaled down or if no pods are running for some other reason. Without this change, the only way to recover is to delete any mutating/validating webhooks on namespaces* pointing to jspolicy and then the jspolicy pods will be able to start.
NOTE: In some cases namespae webhooks might exclude or only include certain namespaces. However the jspolicy namespace creation has no labels applied at submission time so label filters cannot exclude it appropriately if that is how the policies were set up. Inclusion filters of course would be less likely to be a problem.