
The SPO bundle leaves `mutatingwebhookconfiguration` behind

Open jhrozek opened this issue 2 years ago • 6 comments

What happened:

When SPO is uninstalled after installation from a bundle, the mutatingwebhookconfiguration is left behind. This can be irritating for users because in case some namespaces are set to be listened to by the webhook, then launching pods in that namespace will fail because the webhook is set to Fail and there's no service listening for the webhook config anymore.

What you expected to happen:

The webhook config should be deleted when the CSV is deleted.

How to reproduce it (as minimally and precisely as possible):

  1. install SPO via OLM
  2. uninstall SPO (delete csv,og,ip,sub)
  3. kubectl get mutatingwebhookconfiguration

Anything else we need to know?:

I tried to fix the issue today and I like neither of the options.

First I tried to make the mutatingwebhookconfiguration owned by the operator deployment, but that doesn't work as it's a cluster-scoped resource.

Next, I tried to generate a mutatingwebhookconfiguration "stub" in the CSV, hoping that SPO would just update it but that doesn't work either, because OLM generates an instance of mutatingwebhookconfiguration CR per webhook, so you end up with one for binding and one for recording. They also use an autogenerated suffix:

- apiVersion: admissionregistration.k8s.io/v1
  kind: MutatingWebhookConfiguration
  metadata:
    creationTimestamp: "2022-12-12T13:49:50Z"
    generateName: binding.spo.io-
    generation: 1
    labels:
      olm.owner: security-profiles-operator.v0.6.1-dev
      olm.owner.kind: ClusterServiceVersion
      olm.owner.namespace: security-profiles-operator
      olm.webhook-description-generate-name: binding.spo.io
      olm.webhook-description-hash: 7665f6bdd9
    name: binding.spo.io-p2p8m
    resourceVersion: "174672"
    uid: a48351eb-11f5-490a-9501-eade8651e40e

So far I'm thinking that the best way would be to change SPO to create two MWC objects and try to, before creating, see if there are already objects that it should update based on labels and this way just update those that are pre-created by OLM. Hopefully OLM wouldn't be smart and wouldn't try to rewrite the MWC object back as per the CSV (even on CSV updates to the next SPO version...)

Environment:

  • Cloud provider or hardware configuration:
  • OS (e.g: cat /etc/os-release): RHCOS-4
  • Kernel (e.g. uname -a): N/A
  • Others: OCP 4.12, today's master

jhrozek avatar Dec 12 '22 14:12 jhrozek
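A check for the failure mode reported above, added here as an example and not taken from the issue or from SPO's code: it reads the JSON that `kubectl get mutatingwebhookconfiguration -o json` produces and reports every webhook that fails closed while pointing at a Service that no longer exists. The object names, the `webhook-service` Service name and the sample JSON are constructed for illustration; the set of live Services is passed in by the caller.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of a MutatingWebhookConfiguration list; encoding/json matches keys case-insensitively.
type mwcList struct {
	Items []struct {
		Metadata struct{ Name string }
		Webhooks []struct {
			Name, FailurePolicy string
			ClientConfig        struct{ Service *struct{ Namespace, Name string } }
		}
	}
}

// Constructed sample: one config left behind after uninstall, one healthy, one URL-based.
const sampleMWCs = `{"items":[
 {"metadata":{"name":"leftover-example"},"webhooks":[
  {"name":"binding.spo.io","failurePolicy":"Fail","clientConfig":{"service":{"namespace":"security-profiles-operator","name":"webhook-service"}}},
  {"name":"recording.spo.io","failurePolicy":"Fail","clientConfig":{"service":{"namespace":"security-profiles-operator","name":"webhook-service"}}}]},
 {"metadata":{"name":"healthy-example"},"webhooks":[
  {"name":"check.example.test","failurePolicy":"Fail","clientConfig":{"service":{"namespace":"kube-system","name":"live-svc"}}}]},
 {"metadata":{"name":"url-example"},"webhooks":[
  {"name":"ext.example.test","failurePolicy":"Ignore","clientConfig":{"url":"https://hooks.example.test/m"}}]}]}`

// danglingFailClosed lists "config/webhook" pairs that fail closed but target a Service absent from services ("namespace/name").
func danglingFailClosed(raw []byte, services map[string]bool) ([]string, error) {
	var list mwcList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	var hits []string
	for _, cfg := range list.Items {
		for _, wh := range cfg.Webhooks {
			svc := wh.ClientConfig.Service
			if svc != nil && wh.FailurePolicy != "Ignore" && !services[svc.Namespace+"/"+svc.Name] {
				hits = append(hits, cfg.Metadata.Name+"/"+wh.Name)
			}
		}
	}
	return hits, nil
}

func main() {
	fmt.Println(danglingFailClosed([]byte(sampleMWCs), map[string]bool{"kube-system/live-svc": true}))
}
```

Any hit means pod creation in the namespaces that webhook selects is rejected until the configuration is deleted or its backing Service returns.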

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Mar 12 '23 14:03 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Apr 11 '23 15:04 k8s-triage-robot

/remove-lifecycle rotten

jhrozek avatar Apr 12 '23 10:04 jhrozek

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jul 11 '23 11:07 k8s-triage-robot

/remove-lifecycle stale

vaibhav2107 avatar Aug 01 '23 10:08 vaibhav2107

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jan 25 '24 14:01 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Feb 24 '24 15:02 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-triage-robot avatar Mar 25 '24 16:03 k8s-triage-robot

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Mar 25 '24 16:03 k8s-ci-robot