Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot install moco 0.25.0 without admissionregistration.k8s.io/v1beta1=true for k8s 1.30 or above #759

Closed
pddg opened this issue Nov 23, 2024 · 3 comments
Closed

Cannot install moco 0.25.0 without admissionregistration.k8s.io/v1beta1=true for k8s 1.30 or above #759

pddg opened this issue Nov 23, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@pddg
Copy link
Contributor

pddg commented Nov 23, 2024

Describe the bug

#751 introduces ValidatingAdmissionPolicy. This feature is GA in Kubernetes 1.30.
https://kubernetes.io/blog/2024/04/24/validating-admission-policy-ga/

Kubernetes 1.30 or above only accepts admissionregistration.k8s.io/v1, not admissionregistration.k8s.io/v1beta1 by default.

Environments

  • Version: 0.25.0
  • K8s: 1.30.6

To Reproduce

kind create cluster --name moco --image kindest/node:v1.30.6
curl -fsL https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml | kubectl apply -f -
helm install --create-namespace --namespace moco-system moco moco/moco

Following errors are shown:

Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: [resource mapping not found for name: "moco-delete-validator" namespace: "" from "": no matches for kind "ValidatingAdmissionPolicy" in version "admissionregistration.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "moco-delete-validator" namespace: "" from "": no matches for kind "ValidatingAdmissionPolicyBinding" in version "admissionregistration.k8s.io/v1beta1"
ensure CRDs are installed first]

Expected behavior

moco 0.25.0 can be installed for any supported kubernetes versions.

Additional context

K8s cluster used in E2E Test enables the admissionregistration.k8s.io/v1beta1.

moco/e2e/kind-config.yaml

Lines 3 to 6 in 389ae12

featureGates:
ValidatingAdmissionPolicy: true
runtimeConfig:
admissionregistration.k8s.io/v1beta1: true

So the tests passed, but installation fails for the cluster with default configuration.

Replace admissionregistration.k8s.io/v1beta1 with admissionregistration.k8s.io/v1, then it can be installed without any configuration.

helm template --namespace moco-system moco moco/moco > manifests.yaml
kubectl create ns moco-system
sed s%admissionregistration.k8s.io/v1beta1%admissionregistration.k8s.io/v1%g manifests.yaml | kubectl apply -f -
❯ sed s%admissionregistration.k8s.io/v1beta1%admissionregistration.k8s.io/v1%g manifests.yaml | kubectl apply -f -
serviceaccount/moco-controller-manager created
customresourcedefinition.apiextensions.k8s.io/backuppolicies.moco.cybozu.com created
customresourcedefinition.apiextensions.k8s.io/mysqlclusters.moco.cybozu.com created
clusterrole.rbac.authorization.k8s.io/moco-backuppolicy-editor-role created
clusterrole.rbac.authorization.k8s.io/moco-backuppolicy-viewer-role created
clusterrole.rbac.authorization.k8s.io/moco-manager-role created
clusterrole.rbac.authorization.k8s.io/moco-mysqlcluster-editor-role created
clusterrole.rbac.authorization.k8s.io/moco-mysqlcluster-viewer-role created
clusterrolebinding.rbac.authorization.k8s.io/moco-manager-rolebinding created
role.rbac.authorization.k8s.io/moco-leader-election-role created
rolebinding.rbac.authorization.k8s.io/moco-leader-election-rolebinding created
service/moco-webhook-service created
deployment.apps/moco-controller created
certificate.cert-manager.io/moco-controller-grpc created
certificate.cert-manager.io/moco-grpc-ca created
certificate.cert-manager.io/moco-serving-cert created
issuer.cert-manager.io/moco-grpc-issuer created
issuer.cert-manager.io/moco-selfsigned-issuer created
mutatingwebhookconfiguration.admissionregistration.k8s.io/moco-mutating-webhook-configuration created
validatingadmissionpolicy.admissionregistration.k8s.io/moco-delete-validator created
validatingadmissionpolicybinding.admissionregistration.k8s.io/moco-delete-validator created
validatingwebhookconfiguration.admissionregistration.k8s.io/moco-validating-webhook-configuration created

❯ kubectl get po -n moco-system
NAME                               READY   STATUS    RESTARTS   AGE
moco-controller-6d7867d984-gl8n8   1/1     Running   0          29s
moco-controller-6d7867d984-gwrdk   1/1     Running   0          29s

❯ kubectl get validatingadmissionpolicy
NAME                    VALIDATIONS   PARAMKIND   AGE
moco-delete-validator   1             <unset>     60s

❯ kubectl get validatingadmissionpolicybinding
NAME                    POLICYNAME              PARAMREF   AGE
moco-delete-validator   moco-delete-validator   <unset>    78s

If additional FeatureGates are required for installation, it should be documented.
ValidatingAdmissionPolicy is not available in K8s 1.29 by default.
@pddg pddg added the bug Something isn't working label Nov 23, 2024
@shunki-fujita
Copy link
Contributor

@pddg
Thank you for the report.
It seems there was an omission in the documentation, so I will take care of it.

@shunki-fujita shunki-fujita mentioned this issue Nov 25, 2024
Merged
@mhkarimi1383
Copy link

Fixed after #760 (tested by installing chart from git repo), We should wait for chart release :)

@yamatcha
Copy link
Contributor

yamatcha commented Dec 3, 2024

Chart just have been released. chart-v0.15.1

@yamatcha yamatcha closed this as completed Dec 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@pddg @yamatcha @mhkarimi1383 @shunki-fujita