flyte icon indicating copy to clipboard operation
flyte copied to clipboard
verified publisher icon flyteorg

[BUG] Invalid namespaced owner reference attached to mutatingwebhookconfigurations

Open mhotan opened this issue 2 months ago • 1 comments

Flyte & Flytekit version

Latest

Describe the bug

Currently, we are adding an owner reference that is namespaced to mutatingwebhookconfigurations.admissionregistration.k8s.io, specifically the flyte-pod-webhook. This is not valid and will cause mgcs to be orphaned on uninstall.

Cluster-scoped dependents can only specify cluster-scoped owners. In v1.20+, if a cluster-scoped dependent specifies a namespaced kind as an owner, it is treated as having an unresolvable owner reference, and is not able to be garbage collected.

Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/owners-dependents/#owner-references-in-object-specifications

Expected behavior

At a minimum, we should not set the owner reference and set labels to label owners.

Additional context to reproduce

No response

Screenshots

No response

Are you sure this issue hasn't been raised already?

  • [x] Yes

Have you read the Code of Conduct?

  • [x] Yes

mhotan avatar Oct 22 '25 17:10 mhotan

You are correct: Kubernetes does not allow cluster-scoped resources (like MutatingWebhookConfiguration) to have owner references to namespaced resources (like Pods). This results in the owner reference being ignored, and the webhook configuration will not be garbage collected as expected, potentially leaving orphaned resources on uninstall. The Flyte codebase currently attempts to set such owner references for the flyte-pod-webhook, which is not valid per Kubernetes rules and should be avoided. Instead, labels should be used for tracking ownership, not owner references, in this case. See the Kubernetes documentation for details: Owner references in object specifications.

This issue is not explicitly addressed in the mainline Flyte documentation, but the problem and workaround are well described in the referenced Kubernetes documentation. Would you like more detail on how to update Flyte's deployment or Helm chart to avoid setting invalid owner references?

Sources:

This is an AI-generated response and your feedback is appreciated! Please leave a 👍 if this is helpful and 👎 if it is not.

Mention @runllm to ask follow-up questions. See runllm.com for more!

runllm[bot] avatar Oct 22 '25 17:10 runllm[bot]