cloud-native-security-inspector
After editing a policy without changing the workNamespace, the workspace is deleted and reconcile fails
Repro steps:
- Create a policy that checks the workloads under ns1, with the workNamespace set to "workspace".
- Edit the policy in the UI and change the label selector so that it checks the workloads under ns2, without changing the workNamespace.
2023-06-13T08:29:40Z [INFO] [/workspace/cnsi-manager/pkg/controllers/inspectionpolicy_controller.go:310]: Create underlying cronjob
2023-06-13T08:29:40Z [ERROR] [/workspace/cnsi-manager/pkg/controllers/inspectionpolicy_controller.go:312]: cronjobs.batch "demo-policyq6fl9--inspector" is forbidden: unable to create new content in namespace workspace because it is being terminatedunable to create underlying cronjobcronjobdemo-policyq6fl9--inspector
2023-06-13T08:29:40Z [INFO] [/workspace/cnsi-manager/pkg/controllers/inspectionpolicy_controller.go:278]: Kubebench DaemonSet demo-policy-kubebench-daemonset constructed
2023-06-13T08:29:40Z [ERROR] [/workspace/cnsi-manager/pkg/controllers/inspectionpolicy_controller.go:198]: failed to create the DaemonSet for kubebench daemonsets.apps "demo-policy-kubebench-daemonset" is forbidden: unable to create new content in namespace workspace because it is being terminated, err:
2023-06-13T08:29:40Z [INFO] [/workspace/cnsi-manager/pkg/controllers/inspectionpolicy_controller.go:310]: Create underlying cronjob
2023-06-13T08:29:40Z [ERROR] [/workspace/cnsi-manager/pkg/controllers/inspectionpolicy_controller.go:312]: cronjobs.batch "demo-policydzpx2--risk" is forbidden: unable to create new content in namespace workspace because it is being terminatedunable to create underlying cronjobcronjobdemo-policydzpx2--risk
This is because when we edit the policy, we actually delete it first and then recreate it.
But the workspace is still being deleted when the updated policy is created, so the workspace cannot be created, and there is no retry.
The workaround is to change the workspace name when editing the policy.
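The race described above, as an added example that is not cnsi-manager's code: an in-memory stand-in for the API server (a hypothetical `FakeCluster`, with constructed namespace and cronjob names) rejects creates in a Terminating namespace exactly as the log lines show. `ReconcileNoRetry` models the reported behaviour, where the create error ends the reconcile and nothing tries again; `ReconcileWithRequeue` checks the namespace phase first and asks to be called again while the old workspace is still going away. The `Drive` loop and the `Result` type are simplified assumptions about how a controller handles requeue results; the real controller would use controller-runtime's `ctrl.Result`.

```go
package main

import (
	"errors"
	"fmt"
)

type NamespacePhase string

const (
	PhaseActive      NamespacePhase = "Active"
	PhaseTerminating NamespacePhase = "Terminating"
)

// ErrNamespaceTerminating mirrors the API server rejection seen in the issue log:
// "unable to create new content in namespace ... because it is being terminated".
var ErrNamespaceTerminating = errors.New("unable to create new content in namespace because it is being terminated")

// FakeCluster is a hypothetical in-memory API server (example only).
// ticksLeft is how many reconcile attempts still see the namespace as Terminating.
type FakeCluster struct {
	Phases    map[string]NamespacePhase
	CronJobs  map[string]bool // key: "namespace/name"
	ticksLeft int
}

// NewTerminatingCluster starts with ns already being deleted, as after a policy edit.
func NewTerminatingCluster(ns string, ticks int) *FakeCluster {
	return &FakeCluster{
		Phases:    map[string]NamespacePhase{ns: PhaseTerminating},
		CronJobs:  map[string]bool{},
		ticksLeft: ticks,
	}
}

// Tick simulates the namespace controller making progress; once ticksLeft reaches
// zero the terminating namespace is actually gone.
func (c *FakeCluster) Tick() {
	c.ticksLeft--
	if c.ticksLeft > 0 {
		return
	}
	for ns, phase := range c.Phases {
		if phase == PhaseTerminating {
			delete(c.Phases, ns)
		}
	}
}

// CreateCronJob behaves like the API server: creating content in a Terminating
// namespace is rejected; a missing namespace is created first (the workspace).
func (c *FakeCluster) CreateCronJob(ns, name string) error {
	phase, exists := c.Phases[ns]
	if exists && phase == PhaseTerminating {
		return ErrNamespaceTerminating
	}
	if !exists {
		c.Phases[ns] = PhaseActive
	}
	c.CronJobs[ns+"/"+name] = true
	return nil
}

// Result is the minimal shape of a reconcile outcome: done, or call me again.
type Result struct{ Requeue bool }

// ReconcileNoRetry models the reported behaviour: the create error is returned
// once and nothing asks for another attempt.
func ReconcileNoRetry(c *FakeCluster, ns, name string) (Result, error) {
	if err := c.CreateCronJob(ns, name); err != nil {
		return Result{}, fmt.Errorf("unable to create underlying cronjob %s: %w", name, err)
	}
	return Result{}, nil
}

// ReconcileWithRequeue checks the workspace namespace first and requeues while it
// is still terminating, instead of failing permanently.
func ReconcileWithRequeue(c *FakeCluster, ns, name string) (Result, error) {
	if phase, exists := c.Phases[ns]; exists && phase == PhaseTerminating {
		return Result{Requeue: true}, nil
	}
	if err := c.CreateCronJob(ns, name); err != nil {
		return Result{}, err
	}
	return Result{}, nil
}

// Drive runs a reconcile function the way a controller loop would (assumption):
// requeue results are retried up to maxAttempts, errors and completion stop it.
// It returns the number of attempts made.
func Drive(c *FakeCluster, rec func(*FakeCluster, string, string) (Result, error), ns, name string, maxAttempts int) (int, error) {
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		res, err := rec(c, ns, name)
		if err != nil {
			return attempt, err
		}
		if !res.Requeue {
			return attempt, nil
		}
		c.Tick()
	}
	return maxAttempts, errors.New("gave up waiting for namespace to finish terminating")
}

func main() {
	c := NewTerminatingCluster("workspace", 2)
	n, err := Drive(c, ReconcileWithRequeue, "workspace", "demo-policy--inspector", 10)
	fmt.Printf("with requeue:  attempts=%d err=%v created=%v\n", n, err, c.CronJobs["workspace/demo-policy--inspector"])
	c = NewTerminatingCluster("workspace", 2)
	n, err = Drive(c, ReconcileNoRetry, "workspace", "demo-policy--inspector", 10)
	fmt.Printf("without retry: attempts=%d err=%v\n", n, err)
}
```

The point the model makes visible is that the namespace phase, not the create call, is the thing to check: once the old workspace has finished terminating, the same reconcile that failed succeeds unchanged, so a requeue (or a phase check before deleting the old policy) removes the need for the rename workaround.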