patch-operator
label / annotationSelector in targetObjectRef ignored
We want to patch serviceaccounts with name "default" in all namespaces. When a specific annotation exists, this object should not be patched. I tried using labelSelector or annotationSelector, but the object still gets patched. Syntax-wise, the Operator complains, e.g. when the notation doesn't fit in operator (notin vs. NotIn).
Here's the patch:
```yaml
apiVersion: redhatcop.redhat.io/v1alpha1
kind: Patch
metadata:
  name: all-default-serviceaccount
  namespace: openshift-config
spec:
  serviceAccountRef:
    name: bit-ros-patch-all-default-serviceaccount
  patches:
    disable-automountServiceAccountToken-patch:
      patchType: application/merge-patch+json
      targetObjectRef:
        apiVersion: v1
        kind: ServiceAccount
        name: default
        annotationSelector:
          matchExpressions:
            - key: "skip-patch"
              operator: "DoesNotExist"
      patchTemplate: |
        automountServiceAccountToken: false
```
Alternative approach:
```yaml
annotationSelector:
  matchExpressions:
    - key: skip-patch
      operator: NotIn
      values:
        - "true"
```
Test object:
```yaml
apiVersion: v1
imagePullSecrets:
  - name: default-dockercfg-xxxxx
kind: ServiceAccount
metadata:
  annotations:
    skip-patch: "true"
  labels:
    skip-patch: "true"
  name: default
  namespace: test
secrets:
  - name: default-dockercfg-xxxxx
```
We are running OpenShift 4.11.18 / K8S 1.24.6 Patch Operator 0.1.9
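The selector behaviour the post above expects, as an added example that is not part of the issue or of the patch-operator code base. It assumes `annotationSelector` is meant to follow Kubernetes label-selector `matchExpressions` semantics applied to the annotations map; `Requirement`, `ShouldPatch` and the two selector variables are hypothetical names.

```go
package main

import "fmt"

// Requirement mirrors one matchExpressions entry (hypothetical type, not the operator's).
type Requirement struct {
	Key, Operator string
	Values        []string
}

// matches applies Kubernetes set-based selector semantics to one entry.
func (r Requirement) matches(meta map[string]string) (bool, error) {
	val, present := meta[r.Key]
	inSet := false
	for _, v := range r.Values {
		inSet = inSet || (present && v == val)
	}
	switch r.Operator { // operator names are case-sensitive
	case "In":
		return inSet, nil
	case "NotIn": // also true when the key is absent
		return !inSet, nil
	case "Exists":
		return present, nil
	case "DoesNotExist":
		return !present, nil
	}
	return false, fmt.Errorf("unknown operator %q", r.Operator)
}

// ShouldPatch reports whether the annotations satisfy every entry (ANDed).
func ShouldPatch(annotations map[string]string, sel []Requirement) (bool, error) {
	for _, r := range sel {
		if ok, err := r.matches(annotations); err != nil || !ok {
			return false, err
		}
	}
	return true, nil
}

var DoesNotExistSel = []Requirement{{Key: "skip-patch", Operator: "DoesNotExist"}}
var NotInSel = []Requirement{{Key: "skip-patch", Operator: "NotIn", Values: []string{"true"}}}

func main() {
	for _, sel := range [][]Requirement{DoesNotExistSel, NotInSel} {
		// Annotations of the test object from the issue.
		patch, err := ShouldPatch(map[string]string{"skip-patch": "true"}, sel)
		fmt.Println(sel[0].Operator, "-> patch test object:", patch, err)
	}
}
```

Under these semantics both selectors exclude the annotated test object and select a `default` ServiceAccount that lacks the annotation, so an object that still gets patched points at the selector not being evaluated rather than at the expressions themselves.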
So with either of those approaches, your serviceaccounts get patched?
On Thu, Mar 2, 2023 at 3:37 AM muellerfabi @.***> wrote:
-- ciao/bye Raffaele
Yes