Comments (5)
Thanks for filing the issue!
Can you share the kube-mgmt logs and deployment configuration (in particular the arguments passed in for --policies)?
Here are the logs; nothing special is ever printed.
time="2020-05-04T20:34:47Z" level=warning msg="First line of log stream."
time="2020-05-04T20:34:47Z" level=info msg="Syncing v1/namespaces."
time="2020-05-04T20:34:47Z" level=info msg="Listed v1/namespaces and got 24 resources with resourceVersion 121047049. Took 17.147992ms."
time="2020-05-04T20:34:47Z" level=info msg="Loaded v1/namespaces resources into OPA. Took 2.192824ms. Starting watch at resourceVersion 121047049."
time="2020-05-04T21:28:15Z" level=info msg="Sync channel for v1/namespaces closed. Restarting immediately."
time="2020-05-04T21:28:15Z" level=info msg="Syncing v1/namespaces."
time="2020-05-04T21:28:15Z" level=info msg="Listed v1/namespaces and got 25 resources with resourceVersion 121072940. Took 5.95692ms."
time="2020-05-04T21:28:15Z" level=info msg="Loaded v1/namespaces resources into OPA. Took 2.492351ms. Starting watch at resourceVersion 121072940."
time="2020-05-04T22:23:05Z" level=info msg="Sync channel for v1/namespaces closed. Restarting immediately."
time="2020-05-04T22:23:05Z" level=info msg="Syncing v1/namespaces."
time="2020-05-04T22:23:05Z" level=info msg="Listed v1/namespaces and got 25 resources with resourceVersion 121099510. Took 5.770862ms."
time="2020-05-04T22:23:05Z" level=info msg="Loaded v1/namespaces resources into OPA. Took 3.048985ms. Starting watch at resourceVersion 121099510."
Here is my full deployment generated using the stable/opa helm chart. Policies is currently set to false, but it was true at one point in time and I turned it off since I was not using it currently. Also it looks like I'm using v0.10 in this deployment. I did try v0.11 too. I also removed the policies from the deployment to cut out 100-ish lines of an echo to a /bootstrap file.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: opa-mutating
  labels:
    app: opa-mutating
    chart: "opa-1.13.5"
    release: "opa-mutating"
    heritage: "Tiller"
spec:
  replicas: 3
  selector:
    matchLabels:
      app: opa-mutating
  template:
    metadata:
      annotations:
        checksum/certs: 7c150ed8d35c0d58ad88540bf343e55ce5a3314819fd099db9f84cb1d2cd89ab
      labels:
        app: opa-mutating
      name: opa-mutating
    spec:
      priorityClassName: cloud-platform-critical
      initContainers:
        - name: initpolicy
          image: openpolicyagent/kube-mgmt:0.10
          imagePullPolicy: IfNotPresent
          resources:
            {}
          command:
            - /bin/sh
            - -c
            - |
              # Generate a random 32-hex-char token shared between OPA and kube-mgmt.
              tr -dc 'A-F0-9' < /dev/urandom | dd bs=1 count=32 2>/dev/null > /bootstrap/mgmt-token
              TOKEN=`cat /bootstrap/mgmt-token`
              # Bootstrap authz policy: anonymous access only to the default decision
              # and the health endpoint; everything else requires the mgmt token.
              cat > /bootstrap/authz.rego <<EOF
              package system.authz
              default allow = false
              # Allow anonymous access to the default policy decision.
              allow { input.path = [""]; input.method = "POST" }
              allow { input.path = [""]; input.method = "GET" }
              # This is only used for health check in liveness and readiness probe
              allow { input.path = ["health"]; input.method = "GET" }
              allow { input.identity == "$TOKEN" }
              EOF
          volumeMounts:
            - name: bootstrap
              mountPath: /bootstrap
      containers:
        - name: opa
          image: openpolicyagent/opa:0.15.1
          imagePullPolicy: IfNotPresent
          args:
            - "run"
            - "--server"
            - "--tls-cert-file=/certs/tls.crt"
            - "--tls-private-key-file=/certs/tls.key"
            - "--addr=0.0.0.0:443"
            - "--log-level=error"
            - "--log-format=text"
            - "--authentication=token"
            - "--authorization=basic"
            - "--ignore=.*"
            - "--addr=http://127.0.0.1:8181"
            - "/bootstrap"
          volumeMounts:
            - name: certs
              readOnly: true
              mountPath: /certs
            - name: bootstrap
              readOnly: true
              mountPath: /bootstrap
          readinessProbe:
            httpGet:
              path: /health
              port: 443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 30
          livenessProbe:
            httpGet:
              path: /health
              port: 443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 30
        - name: mgmt
          image: openpolicyagent/kube-mgmt:0.10
          imagePullPolicy: IfNotPresent
          args:
            - --opa-auth-token-file=/bootstrap/mgmt-token
            - --opa-url=http://127.0.0.1:8181/v1
            - --replicate-path=kubernetes
            - --enable-data=true
            - --enable-policies=false
            - --replicate-cluster=v1/namespaces
          volumeMounts:
            - name: bootstrap
              readOnly: true
              mountPath: /bootstrap
      serviceAccountName: opa-mutating
      volumes:
        - name: certs
          secret:
            secretName: opa-mutating-cert
        - name: bootstrap
          emptyDir: {}
Can you try adding --policies=opa-data to the mgmt container's args?
I did a little bit of digging around in the code and it looks like it will only match configmaps if they are in the namespaces configured via the CLI arguments:
kube-mgmt/pkg/configmap/configmap.go, line 54 in c7d38d3
That parameter looks like it is plumbed through to --policies. The documentation isn't very clear on this however.
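To make the namespace rule from the comment above concrete, here is an added Go example (not kube-mgmt's own code, and not a reproduction of configmap.go line 54) that models how the mgmt container's args decide which ConfigMaps get pushed into OPA: --policies is treated as a comma-separated namespace list defaulting to "opa", and --enable-policies=false switches policy loading off entirely. The ConfigMap struct, the label key openpolicyagent.org/policy with value rego, and the ConfigMap name are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// policyLabel/policyLabelValue are the label kube-mgmt is assumed to expect on
// policy ConfigMaps. Assumption for this example, not taken from the thread.
const policyLabel = "openpolicyagent.org/policy"
const policyLabelValue = "rego"

// ConfigMap is a minimal stand-in for corev1.ConfigMap, constructed here so
// the example runs without a Kubernetes client.
type ConfigMap struct {
	Namespace string
	Name      string
	Labels    map[string]string
}

// flagValue extracts the value of --name from a container args list. It
// accepts both "--name=value" and "--name value"; ok is false if absent.
func flagValue(args []string, name string) (string, bool) {
	prefix := "--" + name
	for i, a := range args {
		if strings.HasPrefix(a, prefix+"=") {
			return strings.TrimPrefix(a, prefix+"="), true
		}
		if a == prefix && i+1 < len(args) {
			return args[i+1], true
		}
	}
	return "", false
}

// policyNamespaces returns the namespaces in which kube-mgmt looks for policy
// ConfigMaps. --policies is a comma-separated list and "opa" is the default
// when the flag is absent, which is the behaviour that bit this thread.
// With --enable-policies=false no namespace is watched at all.
func policyNamespaces(args []string) []string {
	if v, ok := flagValue(args, "enable-policies"); ok && v == "false" {
		return nil
	}
	v, ok := flagValue(args, "policies")
	if !ok || strings.TrimSpace(v) == "" {
		return []string{"opa"}
	}
	var out []string
	for _, ns := range strings.Split(v, ",") {
		if ns = strings.TrimSpace(ns); ns != "" {
			out = append(out, ns)
		}
	}
	return out
}

// wouldLoad reports whether a ConfigMap is both in a watched namespace and
// carries the policy label, i.e. whether kube-mgmt would load it into OPA.
func wouldLoad(cm ConfigMap, namespaces []string) bool {
	if cm.Labels[policyLabel] != policyLabelValue {
		return false
	}
	for _, ns := range namespaces {
		if ns == cm.Namespace {
			return true
		}
	}
	return false
}

func main() {
	// The mgmt container args from the deployment in this thread, with
	// --enable-policies flipped back to true as it was when policies were in use.
	args := []string{
		"--opa-auth-token-file=/bootstrap/mgmt-token",
		"--opa-url=http://127.0.0.1:8181/v1",
		"--replicate-path=kubernetes",
		"--enable-data=true",
		"--enable-policies=true",
		"--replicate-cluster=v1/namespaces",
	}
	// Constructed policy ConfigMap living outside the default "opa" namespace.
	cm := ConfigMap{Namespace: "opa-data", Name: "example-policy",
		Labels: map[string]string{policyLabel: policyLabelValue}}

	fmt.Println("without --policies:", wouldLoad(cm, policyNamespaces(args)))
	fixed := append(args, "--policies=opa-data")
	fmt.Println("with --policies=opa-data:", wouldLoad(cm, policyNamespaces(fixed)))
}
```

The first call reports false because only "opa" is watched by default; the second reports true once opa-data is named explicitly, which is exactly the change suggested above. Note that the deployment as posted also has --enable-policies=false, so on that config nothing would be loaded regardless of --policies.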
That was it. And of course me using the namespace opa as a test case worked since that is one of the default namespaces it reads from when --policies is not specified.
Glad to hear it. I opened up #68 to update the README to point this config detail out a little more clearly.