
Comments (5)

patrick-east commented on June 4, 2024

Thanks for filing the issue!

Can you share the kube-mgmt logs and deployment configuration (in particular the arguments passed in for --policies)?

from kube-mgmt.

gregsidelinger commented on June 4, 2024

Here are the logs; nothing special is ever printed.

time="2020-05-04T20:34:47Z" level=warning msg="First line of log stream."
time="2020-05-04T20:34:47Z" level=info msg="Syncing v1/namespaces."
time="2020-05-04T20:34:47Z" level=info msg="Listed v1/namespaces and got 24 resources with resourceVersion 121047049. Took 17.147992ms."
time="2020-05-04T20:34:47Z" level=info msg="Loaded v1/namespaces resources into OPA. Took 2.192824ms. Starting watch at resourceVersion 121047049."
time="2020-05-04T21:28:15Z" level=info msg="Sync channel for v1/namespaces closed. Restarting immediately."
time="2020-05-04T21:28:15Z" level=info msg="Syncing v1/namespaces."
time="2020-05-04T21:28:15Z" level=info msg="Listed v1/namespaces and got 25 resources with resourceVersion 121072940. Took 5.95692ms."
time="2020-05-04T21:28:15Z" level=info msg="Loaded v1/namespaces resources into OPA. Took 2.492351ms. Starting watch at resourceVersion 121072940."
time="2020-05-04T22:23:05Z" level=info msg="Sync channel for v1/namespaces closed. Restarting immediately."
time="2020-05-04T22:23:05Z" level=info msg="Syncing v1/namespaces."
time="2020-05-04T22:23:05Z" level=info msg="Listed v1/namespaces and got 25 resources with resourceVersion 121099510. Took 5.770862ms."
time="2020-05-04T22:23:05Z" level=info msg="Loaded v1/namespaces resources into OPA. Took 3.048985ms. Starting watch at resourceVersion 121099510."

Here is my full deployment, generated using the stable/opa helm chart. Policies is currently set to false, but it was true at one point in time and I turned it off since I was not using it currently. Also, it looks like I'm using v0.10 in this deployment. I did try v0.11 too. I also removed the policies from the deployment to cut out 100ish lines of an echo to a /bootstrap file.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: opa-mutating
  labels:
    app: opa-mutating
    chart: "opa-1.13.5"
    release: "opa-mutating"
    heritage: "Tiller"
spec:
  replicas: 3
  selector:
    matchLabels:
      app: opa-mutating
  template:
    metadata:
      annotations:
        checksum/certs: 7c150ed8d35c0d58ad88540bf343e55ce5a3314819fd099db9f84cb1d2cd89ab
      labels:
        app: opa-mutating
      name: opa-mutating
    spec:
      priorityClassName: cloud-platform-critical
      initContainers:
        - name: initpolicy
          image: openpolicyagent/kube-mgmt:0.10
          imagePullPolicy: IfNotPresent
          resources:
            {}
          command:
          - /bin/sh
          - -c
          - |
            tr -dc 'A-F0-9' < /dev/urandom | dd bs=1 count=32 2>/dev/null > /bootstrap/mgmt-token
            TOKEN=`cat /bootstrap/mgmt-token`
            cat > /bootstrap/authz.rego <<EOF
            package system.authz
            default allow = false
            # Allow anonymous access to the default policy decision.
            allow { input.path = [""]; input.method = "POST" }
            allow { input.path = [""]; input.method = "GET" }
            # This is only used for health check in liveness and readiness probe
            allow { input.path = ["health"]; input.method = "GET" }
            allow { input.identity == "$TOKEN" }
            EOF
          volumeMounts:
            - name: bootstrap
              mountPath: /bootstrap
      containers:
        - name: opa
          image: openpolicyagent/opa:0.15.1
          imagePullPolicy: IfNotPresent
          args:
            - "run"
            - "--server"
            - "--tls-cert-file=/certs/tls.crt"
            - "--tls-private-key-file=/certs/tls.key"
            - "--addr=0.0.0.0:443"
            - "--log-level=error"
            - "--log-format=text"
            - "--authentication=token"
            - "--authorization=basic"
            - "--ignore=.*"
            - "--addr=http://127.0.0.1:8181"
            - "/bootstrap"
          volumeMounts:
            - name: certs
              readOnly: true
              mountPath: /certs
            - name: bootstrap
              readOnly: true
              mountPath: /bootstrap
          readinessProbe:
            httpGet:
              path: /health
              port: 443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 30

          livenessProbe:
            httpGet:
              path: /health
              port: 443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 30
        - name: mgmt
          image: openpolicyagent/kube-mgmt:0.10
          imagePullPolicy: IfNotPresent
          args:
            - --opa-auth-token-file=/bootstrap/mgmt-token
            - --opa-url=http://127.0.0.1:8181/v1
            - --replicate-path=kubernetes
            - --enable-data=true
            - --enable-policies=false
            - --replicate-cluster=v1/namespaces
          volumeMounts:
            - name: bootstrap
              readOnly: true
              mountPath: /bootstrap
      serviceAccountName: opa-mutating
      volumes:
        - name: certs
          secret:
            secretName: opa-mutating-cert
        - name: bootstrap
          emptyDir: {}


patrick-east commented on June 4, 2024

👍 Perfect

Can you try adding --policies=opa-data to the mgmt container's args?

I did a little bit of digging around in the code and it looks like it will only match configmaps if they are in the namespaces configured via the CLI arguments:

match = matchesNamespace(cm, namespaces) && matchesLabel(cm, dataLabelKey, dataLabelValue)

That parameter looks like it is plumbed through to --policies. The documentation isn't very clear on this, however.
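To make the matching rule quoted above concrete, here is an added Go model of it (written for this thread; it is not kube-mgmt's own code). It assumes, as the thread suggests, that --policies is a comma-separated list of namespaces defaulting to "opa" when unset, that "*" acts as a wildcard, and that the label pairs are openpolicyagent.org/data=opa for data and openpolicyagent.org/policy=rego for policies; the ConfigMap type, the WillLoad and ParsePolicies names and the sample ConfigMaps are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// ConfigMap is a minimal stand-in for the Kubernetes object kube-mgmt watches
// (constructed for this example, not kube-mgmt's own type).
type ConfigMap struct {
	Namespace string
	Name      string
	Labels    map[string]string
}

// Label key/value pairs kube-mgmt looks for (assumed values, per its README).
const (
	PolicyLabelKey   = "openpolicyagent.org/policy"
	PolicyLabelValue = "rego"
	DataLabelKey     = "openpolicyagent.org/data"
	DataLabelValue   = "opa"
)

// ParsePolicies models how the --policies flag is interpreted (assumption):
// a comma-separated namespace list that defaults to "opa" when the flag is unset.
func ParsePolicies(flag string) []string {
	if strings.TrimSpace(flag) == "" {
		return []string{"opa"}
	}
	var out []string
	for _, ns := range strings.Split(flag, ",") {
		if ns = strings.TrimSpace(ns); ns != "" {
			out = append(out, ns)
		}
	}
	return out
}

// matchesNamespace is true when the ConfigMap lives in a configured namespace
// ("*" is assumed to mean every namespace).
func matchesNamespace(cm ConfigMap, namespaces []string) bool {
	for _, ns := range namespaces {
		if ns == "*" || ns == cm.Namespace {
			return true
		}
	}
	return false
}

// matchesLabel is true when the ConfigMap carries the expected label value.
func matchesLabel(cm ConfigMap, key, value string) bool {
	return cm.Labels[key] == value
}

// WillLoad reports whether cm would be loaded as data and/or as a policy under
// the given --policies value: both the namespace AND the label must match,
// exactly like the thread's
//   match = matchesNamespace(cm, namespaces) && matchesLabel(cm, dataLabelKey, dataLabelValue)
func WillLoad(cm ConfigMap, policiesFlag string) (asData, asPolicy bool) {
	namespaces := ParsePolicies(policiesFlag)
	if !matchesNamespace(cm, namespaces) {
		return false, false
	}
	return matchesLabel(cm, DataLabelKey, DataLabelValue),
		matchesLabel(cm, PolicyLabelKey, PolicyLabelValue)
}

func main() {
	// Constructed ConfigMaps reproducing the situation in the thread: a test
	// ConfigMap in "opa" that worked, real data in "opa-data" that was ignored,
	// an unlabelled one, and a policy ConfigMap in an unrelated namespace.
	cms := []ConfigMap{
		{Namespace: "opa", Name: "test-data", Labels: map[string]string{DataLabelKey: DataLabelValue}},
		{Namespace: "opa-data", Name: "real-data", Labels: map[string]string{DataLabelKey: DataLabelValue}},
		{Namespace: "opa-data", Name: "unlabelled"},
		{Namespace: "default", Name: "stray-policy", Labels: map[string]string{PolicyLabelKey: PolicyLabelValue}},
	}
	for _, flag := range []string{"", "opa-data", "*"} {
		fmt.Printf("--policies=%q\n", flag)
		for _, cm := range cms {
			d, p := WillLoad(cm, flag)
			fmt.Printf("  %s/%s  data=%v policy=%v\n", cm.Namespace, cm.Name, d, p)
		}
	}
}
```

Running it shows why the "opa" namespace worked while "opa-data" was silently skipped under the default, and why `--policies=opa-data` fixes it. The wildcard row is the one to watch from a hardening angle: with "*", any principal who can create a labelled ConfigMap in any namespace can feed data or policy into OPA, so the namespace list should stay as narrow as the deployment allows and the ConfigMap RBAC in those namespaces should be reviewed.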

gregsidelinger commented on June 4, 2024

That was it. And of course, my using the namespace opa as a test case worked, since that is one of the default namespaces it reads from when --policies is not specified.

patrick-east commented on June 4, 2024

Glad to hear it. I opened up #68 to update the README to point this config detail out a little more clearly.
