terraform-provider-rancher2

[BUG] `rancher2_pod_security_admission_configuration_template` gives error message `Unknown schema type [podSecurityPolicyTemplate]` when trying to delete the resource

Open markusewalker opened this issue 7 months ago • 0 comments

Rancher Server Setup

  • Rancher version: v2.9.0-rc2
  • Installation option (Docker install/Helm Chart): Docker
    • If Helm Chart, Kubernetes Cluster and version (RKE1, RKE2, k3s, EKS, etc): RKE1/RKE2/K3S
  • Proxy/Cert Details:

Information about the Cluster

  • Kubernetes version: v1.30.2+k3s2
  • Cluster Type (Local/Downstream): Downstream
    • If downstream, what type of cluster? (Custom/Imported or specify provider for Hosted/Infrastructure Provider):

User Information

  • What is the role of the user logged in? (Admin/Cluster Owner/Cluster Member/Project Owner/Project Member/Custom) Cluster Owner
    • If custom, define the set of permissions:

Provider Information

  • What is the version of the Rancher v2 Terraform Provider in use? 4.2.0
  • What is the version of Terraform in use?

Describe the bug

When attempting to delete a custom PSACT resource using the Rancher2 provider, the following error is consistently seen:

Error: [ERROR] failed to remove PodSecurityAdmissionConfigurationTemplate with ID rancher-baseline: Unknown schema type [podSecurityPolicyTemplate]

This behavior is occurring specifically in v2.9.0-rc2 and was not reproducible in v2.8.5 and below, leading me to believe there was a schema change that occurred in between versions. The Rancher UI itself will remove the custom PSACT, but Terraform throws back this error message.

To Reproduce

  1. Setup Rancher v2.9.0-rc2.
  2. In your main.tf, have something like the following:
terraform {
  required_providers {
    rancher2 = {
      source = "rancher/rancher2"
      version = "4.2.0"
    }
  }
}

provider "rancher2" {
  api_url   = var.rancher_api_url
  token_key = var.rancher_admin_bearer_token
  insecure  = true
}

resource "rancher2_pod_security_admission_configuration_template" "rancher2_pod_security_admission_configuration_template" {
  name        = "rancher-baseline"
  description = "This is a custom baseline Pod Security Admission Configuration Template.It defines a minimally restrictive policy which prevents known privilege escalations. This policy contains namespace level exemptions for Rancher components."
  defaults {
    audit           = "baseline"
    audit_version   = "latest"
    enforce         = "baseline"
    enforce_version = "latest"
    warn            = "baseline"
    warn_version    = "latest"
  }
  exemptions {
    namespaces = ["ingress-nginx", "kube-system", "cattle-system", "cattle-epinio-system", "cattle-fleet-system", "longhorn-system", "cattle-neuvector-system", "cattle-monitoring-system", "rancher-alerting-drivers", "cis-operator-system", "cattle-csp-adapter-system", "cattle-externalip-system", "cattle-gatekeeper-system", "istio-system", "cattle-istio-system", "cattle-logging-system", "cattle-windows-gmsa-system", "cattle-sriov-system", "cattle-ui-plugin-system", "tigera-operator"]
  }
}
  3. Run terraform apply --auto-approve.
  4. After it creates, run terraform destroy --auto-approve.

Actual Result

When running terraform destroy --auto-approve, you get the following message: │ Error: [ERROR] failed to remove PodSecurityAdmissionConfigurationTemplate with ID rancher-baseline: Unknown schema type [podSecurityPolicyTemplate].

Expected Result

The resource should clean up without any error message.

markusewalker Jul 25 '24 21:07