NetworkPolicy pruning is deleting also Tenant ones #24

Closed
prometherion opened this issue Aug 3, 2020 · 5 comments · Fixed by #29
@prometherion
Member

Bug description

If the Tenant owner is going to deploy manually some NetworkPolicy resources on their namespaces and a reconciliation occurs, these are going to be deleted.

How to reproduce

Given the following np.yaml:

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: dont-delete-me-capsule
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}
```

  1. `kubectl apply -f np.yaml`
  2. reconcile the Tenant, restarting Capsule for example
  3. `kubectl get networkpolicies.networking.k8s.io -w` and notice how it's deleted

Expected behavior

User NetworkPolicy resource should not be deleted.

Logs

Irrelevant.

Additional context

  • Capsule version: 0.0.1
  • Kubernetes version: Irrelevant
@prometherion added the bug and high-priority labels Aug 3, 2020
@prometherion self-assigned this Aug 3, 2020
@prometherion
Member Author

The issue is here and we need to provide a requirement with a sort of and operator:

delete resources **with** Capsule base label **and** not in the following list
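
Added example, not part of the original issue or of the Capsule code base: a stand-alone Go sketch of the two-part requirement quoted above, next to a prune that only checks the desired list. The label key, the `Policy` type, the `Prune` function and the two `capsule-tenant-*` names are assumptions made for illustration; only `dont-delete-me-capsule` comes from the report.

```go
package main

import "fmt"

// managedLabel is a placeholder key (assumption): the issue does not name
// the real Capsule base label.
const managedLabel = "example.invalid/managed-by-operator"

// Policy is a minimal stand-in for a NetworkPolicy's metadata.
type Policy struct {
	Name   string
	Labels map[string]string
}

// Prune returns the names to delete. With scoped=false it models a prune
// that only checks the desired list, so tenant-owned policies are removed.
// With scoped=true a policy must carry managedLabel AND be absent from
// the desired list, which is the requirement stated in the issue.
func Prune(existing []Policy, desired map[string]bool, scoped bool) []string {
	var del []string
	for _, p := range existing {
		_, managed := p.Labels[managedLabel]
		if desired[p.Name] || (scoped && !managed) {
			continue // keep: still desired, or not ours to delete
		}
		del = append(del, p.Name)
	}
	return del
}

// SamplePolicies is a constructed namespace listing: two operator-managed
// policies (one stale) and the tenant owner's policy from np.yaml.
func SamplePolicies() []Policy {
	return []Policy{
		{Name: "capsule-tenant-0", Labels: map[string]string{managedLabel: "0"}},
		{Name: "capsule-tenant-stale", Labels: map[string]string{managedLabel: "1"}},
		{Name: "dont-delete-me-capsule"},
	}
}

func main() {
	desired := map[string]bool{"capsule-tenant-0": true}
	fmt.Println("unscoped:", Prune(SamplePolicies(), desired, false))
	fmt.Println("scoped:  ", Prune(SamplePolicies(), desired, true))
}
```

Scoping deletion by an ownership label only holds if tenant owners cannot set that label on their own objects; the sketch does not model that check.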

@bsctl
Member

bsctl commented Aug 3, 2020

@prometherion Good catch! Is this applicable to all other user-defined resources in the tenant (e.g. quota, limits, roles, ...)?

@prometherion
Member Author

It is applicable only to LimitRange, ResourceQuota, and NetworkPolicy resources, although, from my perspective, the Tenant owner should not create further resources of the first two kinds: we're not blocking it but additional ones would be useless.

@bsctl
Member

bsctl commented Aug 4, 2020

> It is applicable only to LimitRange, ResourceQuota, and NetworkPolicy resources, although, from my perspective, the Tenant owner should not create further resources of the first two kinds: we're not blocking it but additional ones would be useless.

@prometherion in some cases (that we just do not imagine now), the Tenant owner can create additional LimitRange, ResourceQuota, and NetworkPolicy for a specific namespace and the Capsule operator should leave the Tenant owner to do it. Of course, the Cluster admin (and the Capsule operator acting on behalf of him) is not responsible for the wrong logic implemented by the Tenant admin. IMO this is according to the design principles of Capsule leaving the Tenant owner complete freedom within his namespaces.

@prometherion
Member Author

It makes sense: we're going to address this issue once #4 is closed.
