hierarchical-namespaces
Unable to delete Subnamespaceanchor with long name
Hi,
Somehow (maybe during a downtime of the HNC controller?) we managed to create a SubnamespaceAnchor with a name having more than 63 characters. For obvious reasons, the controller is not able to create a corresponding namespace and the anchor remains in:
status:
  status: Missing
And unfortunately we are not even able to delete the invalid SubnamespaceAnchor again.
kubectl delete subns very-very-....-long-name -n my-root-ns
The SubnamespaceAnchor "very-very-....-long-name" is invalid: metadata.name: Invalid value: "very-very-....-long-name": not a valid namespace name: must be no more than 63 characters
The HNC Controller logs this message:
{"level":"info","ts":1664440307.2302854,"logger":"anchor.validate","msg":"Denied","ns":"my-root-ns","nm":"very-very-....-long-name","op":"DELETE","user":"masterclient","code":422,"reason":"Invalid","message":"SubnamespaceAnchor.hnc.x-k8s.io \"very-very-....-long-name\" is invalid: metadata.name: Invalid value: \"very-very-....-long-name\": not a valid namespace name: must be no more than 63 characters"}
Is there any way of bypassing the validation and getting rid of that invalid SubnamespaceAnchor?
This is definitely a clear bug and we should fix it. Sorry! In the meantime, you'll have to temporarily delete the admission webhook config and then reinstall it after you've deleted the anchor.
Thanks for the quick feedback. We will have a look into this to get rid of these objects.
After reading the docs (https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/master/docs/user-guide/how-to.md#uninstall-hnc-from-a-cluster) just one more question:
Just deleting the webhook by kubectl delete validatingwebhookconfiguration.admissionregistration.k8s.io hnc-validating-webhook-configuration
will not cause any data/namespace/subnamespaceanchor/etc loss? So, after reinstalling it, everything is working as before?
That's correct, the worst thing that can happen when you delete a webhook config is that K8s will allow you to make changes that it would otherwise have blocked. So unless some other controller is going crazy trying to delete things (which really, really shouldn't be happening) you'll be fine.
If you want to be absolutely sure, you can back up your HNC objects as described here: https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/master/docs/user-guide/how-to.md#admin-backup-restore
Hi, I read this issue and tried to reproduce it. I think this bug is caused by the validation webhook checking the number of characters when a delete subns request occurs. So the validation webhook should skip the check on the deletion event, right?
I tried to fix it. https://github.com/mochizuki875/hierarchical-namespaces/commit/236812a369ddc252710d83570c119ba31f574396#
If it's OK, please assign me and I'll post a pull request. If there are any considerations, please comment.
/assign @mochizuki875
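The idea proposed above (skip the name check when the request is a DELETE), modeled as an added Go example; it is not the project's code or the linked commit. The `Op` type, both function names, the status codes for allowed requests and the 74-character anchor name are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Op is the admission operation; values mirror the "op" field in the log line above.
type Op string

const (
	Create Op = "CREATE"
	Delete Op = "DELETE"
)

// dns1123Label is the RFC 1123 label pattern Kubernetes requires for namespace names.
var dns1123Label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// validName reports whether name could be a namespace name (DNS label, at most 63 chars).
func validName(name string) bool {
	return len(name) <= 63 && dns1123Label.MatchString(name)
}

// validateAlways models the reported behaviour: the name check runs for every
// operation, so an anchor that is already invalid can never be deleted.
func validateAlways(op Op, name string) (allowed bool, code int) {
	if !validName(name) {
		return false, 422
	}
	return true, 200
}

// validateSkipDelete models the proposed fix: DELETE is admitted without the
// name check, while CREATE is still rejected for an over-long name.
func validateSkipDelete(op Op, name string) (allowed bool, code int) {
	if op == Delete {
		return true, 200
	}
	return validateAlways(op, name)
}

func main() {
	long := "very-" + strings.Repeat("very-", 12) + "long-name" // constructed, 74 chars
	for _, op := range []Op{Create, Delete} {
		a1, c1 := validateAlways(op, long)
		a2, c2 := validateSkipDelete(op, long)
		fmt.Printf("%-6s len=%d always=%v/%d skip-delete=%v/%d\n", op, len(long), a1, c1, a2, c2)
	}
}
```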
Thanks for fixing this! /close
@adrianludwin: Closing this issue.