patch-operator
patch-operator copied to clipboard
redhat-cop
Patching objects that do not support watch
Hi,
I have a patch that seems to be working but on an object that do not support the watch method (ImageStreamTags). As a consequence, I am seeing a lot of error messages like:
E0727 12:34:19.465865 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch image.openshift.io/v1, Kind=ImageStreamTag: the server does not allow this method on the requested resource
What is the impact of this, feature and performance wise?
If needed my patch:
apiVersion: redhatcop.redhat.io/v1alpha1
kind: Patch
metadata:
name: image-sample-scheduled-patch
namespace: openshift
spec:
serviceAccountRef:
name: patchoperator-imagetag
patches:
image-sample-scheduled-patch:
targetObjectRef:
apiVersion: image.openshift.io/v1
kind: ImageStreamTag
namespace: openshift
patchTemplate: |
{{- if eq (index . 0).tag.from.kind "DockerImage" }}
tag:
importPolicy:
scheduled: true
{{- end }}
patchType: application/strategic-merge-patch+json
to be honest I have no idea. And it shouldn't work in my opinion, so I'm not sure what is going on. Possible the client go library is able to degrade a watch to a polling when watch is not supported.
At least I can confirm it works beyond initial apply of the patch. If I manually revert the patch on one of the objects, it get applied again within the minute.
@raffaelespazzoli any news about this ? It basically highlights that the patch-operator service account (controller-manager) does not have the permissions.
And indeed, the serviceAccountRef does not reference the patch-operator service account, but another one created specifically for the patch. This is how it is supposed to work as wrote in the README. And it is working fine. The question is why is this error message showing up ? Does it try to check something with the patch-operator service account ?
It can be a bit annoying trying to debug with all these extra logs.
