Controlling Kopf Operator Behavior to Prevent Unwanted Object Creation

Open skandarchahbouni opened this issue 1 year ago • 8 comments

Keywords

No response

Problem

Hello, I am using Kopf, and I noticed that the CRD objects are always created. For example, let's suppose we have a CRD named "app", which has a Kopf operator with the create handler. If an exception or an error is triggered when the create function is executed, I want the instance to not exist. I mean, if I run the kubectl get app command, I want to find that the instance wasn't created because the create handler triggered an error. However, in Kopf, I noticed that the CRD instances are always created.

Is there a way to avoid that?

skandarchahbouni avatar Dec 31 '23 15:12 skandarchahbouni

The on.create() handlers are reacting to the creation of the resource, so any failure in the handler cannot prevent the creation that already happened.

If you want to be able to block the creation of the CR you can use a validating webhook which can reject the creation request if your criteria are/are not met. See: https://kopf.readthedocs.io/en/stable/admission/#validation-handlers

bobh66 avatar Dec 31 '23 19:12 bobh66
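
The validating-webhook approach suggested in the comment above, as an added example that is not part of the original thread or Kopf's own code. The API group `example.com`, the `image` and `replicas` fields and the registry policy are assumptions, and the handler is only called once an admission server is set in `settings.admission.server`.

```python
# Added example: reject an invalid "app" at admission time, before it is stored.
try:
    import kopf
except ImportError:  # lets the checks below be unit-tested without Kopf
    kopf = None

# Hypothetical CRD coordinates and policy; adjust to the real "app" CRD.
GROUP, VERSION, PLURAL = "example.com", "v1", "apps"
ALLOWED_REGISTRIES = ("registry.example.com/",)
MAX_REPLICAS = 10


def spec_problems(spec):
    """Return the reasons why this spec must not be admitted (empty if fine)."""
    problems = []
    image = spec.get("image")
    if not isinstance(image, str) or not image:
        problems.append("spec.image is required")
    elif not image.startswith(ALLOWED_REGISTRIES):
        allowed = ", ".join(ALLOWED_REGISTRIES)
        problems.append(f"spec.image must start with one of: {allowed}")
    replicas = spec.get("replicas", 1)
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(replicas, bool) or not isinstance(replicas, int):
        problems.append("spec.replicas must be an integer")
    elif not 1 <= replicas <= MAX_REPLICAS:
        problems.append(f"spec.replicas must be between 1 and {MAX_REPLICAS}")
    return problems


if kopf is not None:
    @kopf.on.validate(GROUP, VERSION, PLURAL)
    def reject_invalid_app(spec, **_):
        # Runs as part of the API server's admission request, before the
        # object is persisted. Raising here fails the create request, so
        # `kubectl get app` never lists the rejected object.
        problems = spec_problems(spec)
        if problems:
            raise kopf.AdmissionError("; ".join(problems), code=400)

    @kopf.on.create(GROUP, VERSION, PLURAL)
    def create_app(name, logger, **_):
        # Only reached for objects that passed admission and already exist.
        logger.info("App %s was admitted and stored; reconciling", name)
```

Checks that depend on work done in the create handler cannot be moved here, because the admission request is answered before the object exists.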

Hello again, I am struggling to use the admission controller in Kopf. I was using Kind and then switched to Minikube. I have been following the documentation, but it's not working, and I am encountering some unusual errors. I would be very grateful if you could provide any assistance regarding this.

skandarchahbouni avatar Jan 03 '24 21:01 skandarchahbouni

I have even tried the webhookMinikube method, but it didn't work either.

skandarchahbouni avatar Jan 03 '24 21:01 skandarchahbouni

It looks like the Windows signal interface is not compatible - you might want to try Linux.

bobh66 avatar Jan 03 '24 21:01 bobh66

My friend is using Windows WSL, but he is also facing some errors, and it's a bit ambiguous to set up the admission controller. @bobh66, have you ever used it? If so, could you please share the steps you have followed?

skandarchahbouni avatar Jan 03 '24 21:01 skandarchahbouni

This is how I configure the admission webhook:

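```python
import socket

import kopf


@kopf.on.startup()
async def configure(
    settings: kopf.OperatorSettings, logger: kopf.Logger, memo: kopf.Memo, **_
):
    # Address of this host as seen by name resolution.
    addr = socket.gethostbyname(socket.gethostname())
    with socket.socket() as s:
        s.bind(("", 0))  # Bind to a free port provided by the host.
        port = s.getsockname()[1]
    # Serve admission requests on that address and port.
    settings.admission.server = kopf.WebhookServer(port=port, addr=addr)
    # Let Kopf manage the webhook configuration under this name.
    settings.admission.managed = "auto.kopf.dev"
```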

bobh66 avatar Jan 03 '24 21:01 bobh66

Thank you for your response, but unfortunately it is always the same problem.

skandarchahbouni avatar Jan 03 '24 22:01 skandarchahbouni

[2024-01-03 23:01:58,265] kopf._core.reactor.o [ERROR ] Request attempt #9/9 failed; escalating: GET https://127.0.0.1:39627/api -> ClientConnectorError(ConnectionKey(host='127.0.0.1', port=39627, is_ssl=True, ssl=None, proxy=None, proxy_auth=None, proxy_headers_hash=2483569142402266527), ConnectionRefusedError(111, "Connect call failed ('127.0.0.1', 39627)"))

skandarchahbouni avatar Jan 03 '24 22:01 skandarchahbouni