consul-k8s icon indicating copy to clipboard operation
consul-k8s copied to clipboard

Published 20 hours ago verified publisher icon hashicorp

kubectl replace cannot be used on ServiceIntentions

Open aufarg opened this issue 3 years ago • 6 comments

Hello, I have ServiceIntentions CRs that I want to update with kubectl replace but it gets rejected by admission webhook with the following error:

Error from server: error when replacing "/tmp/test.yaml": admission webhook "mutate-serviceintentions.consul.hashicorp.com" denied the request: spec.destination.name and spec.destination.namespace are immutable fields for ServiceIntentions

Is this expected behavior? It doesn't seem to be documented anywhere that it shouldn't be updated with kubectl replace and it's also not clear why patching is allowed but replacement is prohibited.

The consul-k8s on my cluster is installed via consul-helm v0.31.1 on Kubernetes v1.20

aufarg avatar Jun 22 '22 09:06 aufarg

I looked a bit at the source code, it seems that the line is triggered here: https://github.com/hashicorp/consul-k8s/blob/fe39eda7ebeb7e8a157206e076ad797d07837977/control-plane/api/v1alpha1/serviceintentions_webhook.go#L84

The conditional there looks like it shouldn't matter if it's apply or replace tho

aufarg avatar Jun 22 '22 09:06 aufarg

Hey @aufarg!! Yeah. That condition should behave identically as long as the request is effectively an Update request. If you don't mind my asking, what fields are you attempting to update using the replace operation?

thisisnotashwin avatar Jun 22 '22 13:06 thisisnotashwin

I was trying to update an entry on the spec.sources list. spec.destination.name stays the same tho.

aufarg avatar Jun 23 '22 04:06 aufarg

Hey, I found out that the manifest that I'm applying does not have spec.destination.namespace defined 🤦 . Thanks for answering the question

aufarg avatar Jun 23 '22 04:06 aufarg

Sorry for reopening this, but I noticed in the documention that spec.destination.namespace is optional. There's no indication that namespace can only work with patch and not replace.

It seems that during creation, it automatically fills in spec.destination.namespace with a value. During replace operation, the admission controller sees the new object but the value is not automatically filled in before the comparison is done. Can this be considered a bug then?

aufarg avatar Jun 29 '22 08:06 aufarg

Hi @aufarg can you show the yaml of your serviceintentions? I can't repro this with:

apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: api
spec:
  destination:
    name: api
  sources:
    - name: bye
      action: deny

and then replacing with

apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: api
spec:
  destination:
    name: api
  sources:
    - name: hi
      action: deny

lkysow avatar Jul 11 '22 17:07 lkysow

Closing as no response since last request for followup.

david-yu avatar Aug 30 '22 16:08 david-yu