
ACK Iam Controller reconcile loop with no apparent differences

Open gustavo-maxmilhas opened this issue 2 years ago • 6 comments

Describe the bug

Hi all. I'm quite new to the ACK stack, and I'm trying to build a proof of concept that creates roles with the IAM controller.

I installed the ack-iam-controller and it's correctly deployed. It is associated with a service account that targets its role on AWS (IRSA).

The role is correctly created in AWS. But, somehow, the iam-controller keeps changing the resourceVersion of the Role manifest and keeps logging the same block (It seems that the LateInitialization does not finish for some reason.):

2023-10-04T20:28:06.143Z DEBUG ackrt > r.Sync {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "generation": 3} 2023-10-04T20:28:06.143Z DEBUG ackrt >> r.resetConditions {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "generation": 3} 2023-10-04T20:28:06.143Z DEBUG ackrt << r.resetConditions {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "generation": 3} 2023-10-04T20:28:06.143Z DEBUG ackrt >> rm.ResolveReferences {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.143Z DEBUG ackrt << rm.ResolveReferences {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.143Z DEBUG ackrt >> rm.EnsureTags {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.143Z DEBUG ackrt << rm.EnsureTags {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.143Z DEBUG ackrt >> rm.ReadOne {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.143Z DEBUG ackrt >>> rm.sdkFind {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.183Z DEBUG ackrt >>>> rm.getManagedPolicies {"account": 
"$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.201Z DEBUG ackrt <<<< rm.getManagedPolicies {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.201Z DEBUG ackrt >>>> rm.getInlinePolicies {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.218Z DEBUG ackrt <<<< rm.getInlinePolicies {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.218Z DEBUG ackrt >>>> rm.getTags {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.236Z DEBUG ackrt <<<< rm.getTags {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.236Z DEBUG ackrt <<< rm.sdkFind {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.236Z DEBUG ackrt << rm.ReadOne {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.236Z DEBUG ackrt >> r.updateResource {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.236Z DEBUG ackrt << r.updateResource {"account": 
"$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.236Z DEBUG ackrt >> r.lateInitializeResource {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.236Z DEBUG ackrt >>> rm.LateInitialize {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.236Z DEBUG ackrt >>>> rm.sdkFind {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.260Z DEBUG ackrt >>>>> rm.getManagedPolicies {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.278Z DEBUG ackrt <<<<< rm.getManagedPolicies {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.278Z DEBUG ackrt >>>>> rm.getInlinePolicies {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.307Z DEBUG ackrt <<<<< rm.getInlinePolicies {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.307Z DEBUG ackrt >>>>> rm.getTags {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.333Z DEBUG ackrt 
<<<<< rm.getTags {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.333Z DEBUG ackrt <<<< rm.sdkFind {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.333Z DEBUG ackrt <<< rm.LateInitialize {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3, "error": ""} 2023-10-04T20:28:06.333Z DEBUG ackrt >>> r.patchResourceMetadataAndSpec {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.333Z DEBUG ackrt no difference found between metadata and spec for desired and latest object. {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.333Z DEBUG ackrt <<< r.patchResourceMetadataAndSpec {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.333Z DEBUG ackrt << r.lateInitializeResource {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3, "error": ""} 2023-10-04T20:28:06.333Z DEBUG ackrt >> r.ensureConditions {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.333Z DEBUG ackrt << r.ensureConditions {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", 
"namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.333Z DEBUG ackrt < r.Sync {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3, "error": ""} 2023-10-04T20:28:06.333Z DEBUG ackrt > r.patchResourceStatus {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.333Z DEBUG ackrt >> kc.Patch (status) {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.343Z DEBUG ackrt patched resource status {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3, "json": "{"metadata":{"resourceVersion":"206038856"},"status":{"conditions":[{"lastTransitionTime":"2023-10-04T20:28:06Z","message":"Late initialization did not complete, requeuing with delay of 5 seconds","reason":"Delayed Late Initialization","status":"False","type":"ACK.LateInitialized"},{"lastTransitionTime":"2023-10-04T20:28:06Z","status":"False","type":"ACK.ResourceSynced"}]}}"} 2023-10-04T20:28:06.343Z DEBUG ackrt << kc.Patch (status) {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.343Z DEBUG ackrt < r.patchResourceStatus {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3} 2023-10-04T20:28:06.343Z DEBUG ackrt requeueing {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", 
"is_adopted": false, "generation": 3, "after": "5s"} 2023-10-04T20:28:06.350Z DEBUG exporter.field-export-reconciler error did not need requeue {"error": "the source resource is not synced yet"}

The main parts:

ackrt no difference found between metadata and spec for desired and latest object. {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3}

ackrt patched resource status {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3, "json": "{"metadata":{"resourceVersion":"206038856"},"status":{"conditions":[{"lastTransitionTime":"2023-10-04T20:28:06Z","message":"Late initialization did not complete, requeuing with delay of 5 seconds","reason":"Delayed Late Initialization","status":"False","type":"ACK.LateInitialized"},{"lastTransitionTime":"2023-10-04T20:28:06Z","status":"False","type":"ACK.ResourceSynced"}]}}"}

ackrt requeueing {"account": "$AWS_ACCOUNT", "role": "", "region": "$REGION", "kind": "Role", "namespace": "default", "name": "test-demo-role", "is_adopted": false, "generation": 3, "after": "5s"}

exporter.field-export-reconciler error did not need requeue {"error": "the source resource is not synced yet"}

The block above will keep repeating, only changing the values of the resourceVersion and updating the transition dates.

I am applying this manifest manually; it isn't being handled by any CI/CD app.

Steps to reproduce

1 - Install the ack-iam-controller via helm using the ack-chart.

# values.yaml:
# Helm values the reporter passed to the ack-chart, with the IAM controller enabled.
ack-chart:
  iam:
    enabled: true
    aws:
      region: "<AWS_REGION>"
    serviceAccount:
      annotations:
        # IRSA: this annotation binds the controller's service account to the IAM role it assumes.
        eks.amazonaws.com/role-arn: arn:aws:iam::$AWS_ACCOUNT:role/ack-iam-controller-ROLE
    log:
      # Debug logging prints the account, region, namespace and resource name on every
      # reconcile pass (see the log excerpt in this issue); redact those before sharing logs.
      enable_development_logging: true
      level: debug
    resourceTags: []

This role has all the access it needs, granted through the latest recommended inline policy: https://github.com/aws-controllers-k8s/iam-controller/blob/main/config/iam/recommended-inline-policy

2 - Apply the Role manifest:

# ACK Role custom resource the reporter applied to reproduce the requeue loop.
apiVersion: iam.services.k8s.aws/v1alpha1
kind: Role
metadata:
  name: test-demo-role
  namespace: default
spec:
  # Trust policy for the role; the reporter elided the actual document as <OIDC_JSON>.
  assumeRolePolicyDocument: >-
   <OIDC_JSON>
  name: test-demo-role
  inlinePolicies: {}
  # No description is set here. Later comments in this thread tie the endless requeue
  # to the missing description; it is reported fixed in iam-controller v1.3.6.

Expected outcome

No patches are made to the Role resource, since it is already created and does not differ from the desired state.

Environment

  • Kubernetes version: 1.25
  • Using EKS (yes/no), if so version? Yes, 1.25
  • iam-chart and app version: 1.2.6

gustavo-maxmilhas avatar Oct 04 '23 20:10 gustavo-maxmilhas

Did you get the IAM resource in final state? Or is it kept in constant reconcile?

I saw several similar bugs:

https://github.com/aws-controllers-k8s/community/issues/1844 https://github.com/aws-controllers-k8s/community/issues/1837 https://github.com/aws-controllers-k8s/community/issues/1772

gecube avatar Oct 05 '23 14:10 gecube

Hi gecube!

The IAM role is OK! It doesn't change, and the policies work as well. For a moment I thought this reconcile was designed to be like this, as it works as expected on the AWS side.

But it seems that only the K8s resource (the Role CRD in this case) keeps updating its resourceVersion and transition dates. I use ArgoCD, but I ran these tests with a manual apply (to take ArgoCD out of the equation). In ArgoCD the manifest keeps blinking because ArgoCD sees it as a manifest update; that is what made me start troubleshooting.

I'm going to take a look at these other issues. Thank you for the response!

gustavo-maxmilhas avatar Oct 05 '23 14:10 gustavo-maxmilhas

@gustavo-maxmilhas we see exactly the same thing. I also tried a local helm CLI deployment, and even then I keep seeing the message: Late initialization did not complete, requeuing with delay of 5 seconds

FernandoMiguel avatar Oct 31 '23 13:10 FernandoMiguel

I was also facing this issue, but I think I figured it out. I was looking at the open bugs against the IAM controller and saw this one - https://github.com/aws-controllers-k8s/community/issues/1932 - where the issue seemed similar, but with policies. Comparing the policy there with my policies, I noticed the description missing from the policy definition. When I created a policy with the missing description, I got the same infinite loop and resources constantly reconciling. I added a description to my role spec and that fixed the constant reconciliation.

@a-hilaly, maybe the controller could add a default description when not specified or this could be made a required field in the crd?

alexanderccc avatar Dec 19 '23 22:12 alexanderccc

@a-hilaly, maybe the controller could add a default description when not specified or this could be made a required field in the crd?

@alexanderccc This is very weird behaviour from the IAM API, I believe, and yes, we could fix it by defaulting a nil description to an empty string pointer. Could you please investigate what's weird about the IAM API response when calling DescribeRole?

a-hilaly avatar Dec 21 '23 23:12 a-hilaly

@a-hilaly I don't see a difference between them. I did a quick test with the AWS CLI in debug mode for get-role and create-role, with and without a description, and the responses were the same; the get-role response obviously included the description when it existed. This might not be the best way to check this, though.

Taking a closer look at the controller logs, I noticed an empty error field being added when there is no description; not sure if this helps, though.

w description

{"level":"debug","logger":"ackrt","msg":"patched resource metadata + spec","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-w-description","is_adopted":false,"generation":1,"json":"{\"spec\":{\"description\":null,\"maxSessionDuration\":null},\"status\":{\"ackResourceMetadata\":{\"arn\":\"arn:aws:iam::<account>:role/test/testing/test-role-w-description\",\"ownerAccountID\":\"<account>\",\"region\":\"<region>\"},\"conditions\":[{\"lastTransitionTime\":\"2023-12-22T15:28:22Z\",\"status\":\"True\",\"type\":\"ACK.ReferencesResolved\"},{\"lastTransitionTime\":\"2023-12-22T15:28:22Z\",\"status\":\"False\",\"type\":\"ACK.ResourceSynced\"}],\"createDate\":\"2023-12-22T15:28:22Z\",\"roleID\":\"<roleid>\",\"roleLastUsed\":{}}}"}
.....
{"level":"debug","logger":"ackrt","msg":"<<< rm.LateInitialize","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-w-description","is_adopted":false,"generation":1}

w/o description

{"level":"debug","logger":"ackrt","msg":"patched resource metadata + spec","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-wo-description","is_adopted":false,"generation":1,"json":"{\"spec\":{\"maxSessionDuration\":null},\"status\":{\"ackResourceMetadata\":{\"arn\":\"arn:aws:iam::<account>:role/test/testing/test-role-wo-description\",\"ownerAccountID\":\"<account>\",\"region\":\"<region>\"},\"conditions\":[{\"lastTransitionTime\":\"2023-12-22T15:31:20Z\",\"status\":\"True\",\"type\":\"ACK.ReferencesResolved\"},{\"lastTransitionTime\":\"2023-12-22T15:31:20Z\",\"status\":\"False\",\"type\":\"ACK.ResourceSynced\"}],\"createDate\":\"2023-12-22T15:31:20Z\",\"roleID\":\"<roleid>>\",\"roleLastUsed\":{}}}"}
...
{"level":"debug","logger":"ackrt","msg":"<<< rm.LateInitialize","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-wo-description","is_adopted":false,"generation":1,"error":""}

Section of the log when role created w/o description

{"level":"debug","logger":"ackrt","msg":"patched resource metadata + spec","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-wo-description","is_adopted":false,"generation":1,"json":"{\"spec\":{\"maxSessionDuration\":null},\"status\":{\"ackResourceMetadata\":{\"arn\":\"arn:aws:iam::<account>:role/test/testing/test-role-wo-description\",\"ownerAccountID\":\"<account>\",\"region\":\"<region>\"},\"conditions\":[{\"lastTransitionTime\":\"2023-12-22T15:31:20Z\",\"status\":\"True\",\"type\":\"ACK.ReferencesResolved\"},{\"lastTransitionTime\":\"2023-12-22T15:31:20Z\",\"status\":\"False\",\"type\":\"ACK.ResourceSynced\"}],\"createDate\":\"2023-12-22T15:31:20Z\",\"roleID\":\"<roleid>>\",\"roleLastUsed\":{}}}"}
{"level":"debug","logger":"ackrt","msg":"<<<< kc.Patch (metadata + spec)","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-wo-description","is_adopted":false,"generation":1}
{"level":"debug","logger":"ackrt","msg":"<<< r.patchResourceMetadataAndSpec","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-wo-description","is_adopted":false,"generation":1}
{"level":"info","logger":"ackrt","msg":"created new resource","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-wo-description","is_adopted":false,"generation":1}
{"level":"debug","logger":"ackrt","msg":"<< r.createResource","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-wo-description","is_adopted":false,"generation":1}
{"level":"debug","logger":"ackrt","msg":">> r.lateInitializeResource","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-wo-description","is_adopted":false,"generation":1}
{"level":"debug","logger":"ackrt","msg":">>> rm.LateInitialize","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-wo-description","is_adopted":false,"generation":1}
{"level":"debug","logger":"ackrt","msg":">>>> rm.sdkFind","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-wo-description","is_adopted":false,"generation":1}
{"level":"debug","logger":"exporter.field-export-reconciler","msg":"error did not need requeue","error":"the source resource is not synced yet"}
{"level":"debug","logger":"ackrt","msg":">>>>> rm.getManagedPolicies","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-wo-description","is_adopted":false,"generation":1}
{"level":"debug","logger":"ackrt","msg":"<<<<< rm.getManagedPolicies","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-wo-description","is_adopted":false,"generation":1}
{"level":"debug","logger":"ackrt","msg":">>>>> rm.getInlinePolicies","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-wo-description","is_adopted":false,"generation":1}
{"level":"debug","logger":"ackrt","msg":"<<<<< rm.getInlinePolicies","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-wo-description","is_adopted":false,"generation":1}
{"level":"debug","logger":"ackrt","msg":">>>>> rm.getTags","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-wo-description","is_adopted":false,"generation":1}
{"level":"debug","logger":"ackrt","msg":"<<<<< rm.getTags","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-wo-description","is_adopted":false,"generation":1}
{"level":"debug","logger":"ackrt","msg":"<<<< rm.sdkFind","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-wo-description","is_adopted":false,"generation":1}
{"level":"debug","logger":"ackrt","msg":"<<< rm.LateInitialize","account":"<account>","role":"","region":"<region>","kind":"Role","namespace":"test-iam","name":"test-role-wo-description","is_adopted":false,"generation":1,"error":""}

Will try to do a bit more debugging later, but hope this helps

alexanderccc avatar Dec 22 '23 16:12 alexanderccc

This is now fixed in iam-controller v1.3.6 - the controller now correctly handles the Description field for Roles and Policies, preventing an infinite requeue caused by missing Description field in Create calls. cc @gustavo-maxmilhas @gecube @alexanderccc @FernandoMiguel

a-hilaly avatar Mar 12 '24 21:03 a-hilaly

Thank you @a-hilaly I could tell that the CPU usage of my argo cluster decreased significantly along with many other metrics that improved.

gustavo-maxmilhas avatar Mar 13 '24 19:03 gustavo-maxmilhas