flux2
Flux diff not working for roles with aggregationRule
### Describe the bug

It seems that `flux diff` is not working properly when a (cluster)role has an `aggregationRule`.
It seems that the aggregation is ignored, and thus the diff shows a lot of removed rules which should be applied by the aggregation.

### Steps to reproduce
Create a role like this:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-public-viewer
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.authorization.k8s.io/aggregate-to-kube-public-viewer: "true"
rules: []
---
# Cluster role for Read-only access to default K8S resources
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-public-secret-reader
  labels:
    rbac.authorization.k8s.io/aggregate-to-kube-public-viewer: "true"
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
    resourceNames:
      - "infrastructure"
      - "cluster"
```

Run `flux diff` afterwards.
Output of diff:

```text
► ClusterRole/kube-public-viewer drifted

rules
  ± type change from list to <nil>

    - - apiGroups:
    -
      resourceNames:
      - infrastructure
      - cluster
      resources:
      - secrets
      verbs:
      - get
      - watch
      - list
    + <nil>
```
### Expected behavior
I would expect that the aggregation is detected, as is the case in the Kubernetes cluster, and that I get no diff.
### Screenshots and recordings
_No response_
### OS / Distro
macos 11.6
### Flux version
flux: v0.27.2
### Flux check
n/a
### Git provider
_No response_
### Container Registry provider
_No response_
### Additional context
_No response_
### Code of Conduct
- [X] I agree to follow this project's Code of Conduct
Can you please try this with `kubectl diff --server-side`? I suspect this is a bug in Kubernetes server-side apply dry-run; we don't do anything special with RBAC, we send it to the API and show the diff output.
@stefanprodan I'm not familiar with `kubectl diff` and which options to use, but here is some input:

- `kubectl diff --server-side -k . --force-conflicts=true` -> I see the same deletes of rules as I do for `flux diff`
- `kubectl diff --server-side -k .`

  ```text
  Error from server (Conflict): Apply failed with 1 conflict: conflict with "clusterrole-aggregation-controller": .rules
  ```

- `kubectl diff -k .` -> I see the same deletes of rules as I do for `flux diff`

I hope that helps?

`kubectl version --client=true`

```text
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.1", GitCommit:"86ec240af8cbd1b60bcc4c03c20da9b98005b92e", GitTreeState:"clean", BuildDate:"2021-12-16T11:33:37Z", GoVersion:"go1.17.5", Compiler:"gc", Platform:"darwin/amd64"}
```
> `kubectl diff --server-side -k . --force-conflicts=true` -> I see the same deletes of rules as I do for `flux diff`

Ok, so this is a bug in the Kubernetes API; please report this to the Kubernetes team.
I just stumbled across this and was able to resolve it by removing the empty `rules` key.

Flux will reconcile it every time when defined like that:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-view
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.authorization.k8s.io/aggregate-to-view: "true"
rules: []
```

Works:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-view
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.authorization.k8s.io/aggregate-to-view: "true"
```
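The root cause visible in the conflict message above is that `clusterrole-aggregation-controller` is the field manager for `.rules` on any aggregated ClusterRole, so a manifest that sets `rules` (even `rules: []`) will always be overwritten and reported as drift. The following added pre-commit check is example code, not part of Flux or of this issue: it flags aggregated ClusterRoles that declare `rules` and emits corrected copies. The two manifests from the report are embedded as constructed JSON so the script runs offline; in practice you would load kustomize output with `yaml.safe_load_all()` instead (that call is an assumption about your tooling, not something the issue shows).

```python
import copy
import json

# Constructed sample: the two ClusterRoles from the bug report, serialised as
# JSON so the check runs offline. A real check would read `kustomize build .`
# output with yaml.safe_load_all() (assumed tooling, not from the issue).
SAMPLE_MANIFESTS = json.loads("""
[
  {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
   "metadata": {"name": "kube-public-viewer"},
   "aggregationRule": {"clusterRoleSelectors": [{"matchLabels":
     {"rbac.authorization.k8s.io/aggregate-to-kube-public-viewer": "true"}}]},
   "rules": []},
  {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
   "metadata": {"name": "kube-public-secret-reader",
     "labels": {"rbac.authorization.k8s.io/aggregate-to-kube-public-viewer": "true"}},
   "rules": [{"apiGroups": [""], "resources": ["secrets"],
              "verbs": ["get", "watch", "list"],
              "resourceNames": ["infrastructure", "cluster"]}]}
]
""")


def is_aggregated_clusterrole(obj):
    """True for ClusterRoles whose .rules is owned by the aggregation controller."""
    return (obj.get("kind") == "ClusterRole"
            and obj.get("apiVersion", "").startswith("rbac.authorization.k8s.io/")
            and "aggregationRule" in obj)


def find_managed_rules_conflicts(objs):
    """Names of aggregated ClusterRoles that also declare `rules` (empty or not).

    Under server-side apply the clusterrole-aggregation-controller manages
    .rules, so any value set in the manifest conflicts and shows up as drift.
    """
    return [o["metadata"]["name"] for o in objs
            if is_aggregated_clusterrole(o) and "rules" in o]


def strip_managed_rules(objs):
    """Return copies with `rules` dropped from aggregated ClusterRoles only.

    Non-aggregated roles (the ones being aggregated *into* a view) keep their
    rules untouched; the input list is not modified.
    """
    fixed = []
    for o in objs:
        o = copy.deepcopy(o)
        if is_aggregated_clusterrole(o):
            o.pop("rules", None)
        fixed.append(o)
    return fixed


if __name__ == "__main__":
    for name in find_managed_rules_conflicts(SAMPLE_MANIFESTS):
        print(f"ClusterRole/{name}: drop 'rules', it is managed by the aggregation controller")
```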