
When tenant label is set on a NetworkPolicy, modifying isn't allowed #1058

Closed
sandert-k8s opened this issue Apr 30, 2024 · 4 comments · Fixed by #1062
@sandert-k8s

Bug description

When the label capsule.clastix.io/tenant: [tenantname] is set on a networkpolicy, deletion and patching aren't possible as a tenant admin.

How to reproduce

Steps to reproduce the behavior:

We've reproduced this in our production environment (Capsule on OpenShift), but also on a clean Kind cluster and installed with the basic setup from the quick start.

The networkpolicy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-netpol
  namespace: oil-production
  labels:
    capsule.clastix.io/tenant: oil
spec:
  policyTypes:
    - Ingress

The creation of this networkpolicy works, but patching and deletion aren't working. This is executed as Tenant Admin (in the tutorial as user alice).

~ % kubectl delete -f ./test-netpol.yml

Error from server (Forbidden): error when deleting "./test-netpol.yml": admission webhook "networkpolicies.capsule.clastix.io" denied the request: Capsule Network Policies cannot be deleted: please, reach out to the system administrators

~ % kubectl delete netpol test-netpol -n oil-production

Error from server (Forbidden): admission webhook "networkpolicies.capsule.clastix.io" denied the request: Capsule Network Policies cannot be deleted: please, reach out to the system administrators

The same happens when we try to edit the networkpolicy instead of deleting:

~ % kubectl edit netpol test-netpol -n oil-production

error: networkpolicies.networking.k8s.io "test-netpol" could not be patched: admission webhook "networkpolicies.capsule.clastix.io" denied the request: Capsule Network Policies cannot be updated: please, reach out to the system administrators

The only solution is to delete the tenant label from the networkpolicy as a cluster admin.

Expected behavior

Patching or deleting the NetworkPolicy should be possible and not be rejected by Capsule.

Logs

2024-04-30T09:04:10.890Z	DEBUG	events	NetworkPolicy oil-production/test-netpol cannot be deleted	{"type": "Warning", "object": {"kind":"Tenant","name":"oil","uid":"f3c54418-213c-434c-a3bc-6c68fcae5850","apiVersion":"capsule.clastix.io/v1beta2","resourceVersion":"2450"}, "reason": "NetworkPolicyDeletion"}
2024-04-30T09:05:05.963Z	DEBUG	events	NetworkPolicy oil-production/test-netpol cannot be deleted	{"type": "Warning", "object": {"kind":"Tenant","name":"oil","uid":"f3c54418-213c-434c-a3bc-6c68fcae5850","apiVersion":"capsule.clastix.io/v1beta2","resourceVersion":"2450"}, "reason": "NetworkPolicyDeletion"}
2024-04-30T09:07:31.818Z	DEBUG	events	NetworkPolicy oil-production/test-netpol cannot be updated	{"type": "Warning", "object": {"kind":"Tenant","name":"oil","uid":"f3c54418-213c-434c-a3bc-6c68fcae5850","apiVersion":"capsule.clastix.io/v1beta2","resourceVersion":"2450"}, "reason": "NetworkPolicyUpdate"}
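The denials quoted above follow a simple rule: a NetworkPolicy carrying the capsule.clastix.io/tenant label is treated as controller-managed, so UPDATE and DELETE requests from a tenant owner are rejected by the networkpolicies.capsule.clastix.io webhook. The script below is an added example, not Capsule's code: it models that rule as described in this issue and runs it over a constructed NetworkPolicyList, so a platform team that stamps labels onto every resource (as the reporter does with Kyverno) can spot policies its tenant owners will no longer be able to change. The cluster-admin bypass in `admission_decision` is an assumption taken from the reporter's workaround of removing the label as a cluster admin; the sample objects are constructed for the example.

```python
"""Pre-flight audit for NetworkPolicies carrying the Capsule tenant label.

Added example, not Capsule's own code. It models the admission behaviour
reported in the issue: a NetworkPolicy labelled capsule.clastix.io/tenant
is treated as controller-managed, so UPDATE and DELETE requests from a
tenant owner are denied by the networkpolicies.capsule.clastix.io webhook.
"""
import json

TENANT_LABEL = "capsule.clastix.io/tenant"
WEBHOOK = "networkpolicies.capsule.clastix.io"

# Constructed sample: roughly what `kubectl get netpol -A -o json` returns
# on a cluster where a mutating policy stamps the tenant label on everything.
SAMPLE_NETPOL_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {
                "name": "test-netpol",
                "namespace": "oil-production",
                "labels": {TENANT_LABEL: "oil"},      # labelled: locked for tenant owners
            },
            "spec": {"policyTypes": ["Ingress"]},
        },
        {
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {
                "name": "allow-dns",
                "namespace": "oil-production",
                "labels": {"team": "oil"},            # no tenant label: editable
            },
            "spec": {"policyTypes": ["Egress"]},
        },
    ],
})


def admission_decision(operation, netpol, requester_is_cluster_admin=False):
    """Return (allowed, message) for an admission request on ``netpol``.

    Reproduces the denial messages quoted in the issue. The cluster-admin
    bypass is an assumption derived from the reporter's workaround (a
    cluster admin could strip the label), not a documented Capsule rule.
    """
    if operation not in ("UPDATE", "DELETE"):
        return True, ""                      # CREATE of a labelled policy succeeded in the report
    labels = netpol.get("metadata", {}).get("labels") or {}
    if TENANT_LABEL not in labels or requester_is_cluster_admin:
        return True, ""
    verb = "deleted" if operation == "DELETE" else "updated"
    return False, (
        f'admission webhook "{WEBHOOK}" denied the request: '
        f"Capsule Network Policies cannot be {verb}: "
        "please, reach out to the system administrators"
    )


def audit_locked_netpols(netpol_list_json):
    """Return (namespace, name, tenant) for every policy a tenant owner cannot modify."""
    locked = []
    for netpol in json.loads(netpol_list_json)["items"]:
        allowed, _ = admission_decision("UPDATE", netpol)
        if not allowed:
            md = netpol["metadata"]
            locked.append((md["namespace"], md["name"], md["labels"][TENANT_LABEL]))
    return locked


if __name__ == "__main__":
    for ns, name, tenant in audit_locked_netpols(SAMPLE_NETPOL_LIST):
        print(f"{ns}/{name}: carries {TENANT_LABEL}={tenant}; "
              "tenant owners cannot patch or delete it")
```

Run against real output by replacing `SAMPLE_NETPOL_LIST` with the JSON from `kubectl get netpol -A -o json`; any policy listed that was not created by the Capsule controller is a candidate for the label change the reporter describes.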
@sandert-k8s sandert-k8s added blocked-needs-validation Issue need triage and validation bug Something isn't working labels Apr 30, 2024
@oliverbaehler
Collaborator

Hi, that's as intended. It raises the question why you add the tenant label to a netpol; it doesn't really do anything except allow the behavior you are reporting. This label should be set on resources which are reconciled by the controller. Without it, it will just work.

I see your point, it's a bit ugly. But also, we are going to deprecate the netpol feature in the stable release in favour of tenantReplications:
https://projectcapsule.dev/docs/tenants/replications/

@oliverbaehler oliverbaehler added the wontfix This will not be worked on label Apr 30, 2024
@prometherion
Member

Thanks for reporting this, @sandert-k8s.

As Oliver pointed out, the idea is to shift the handling of these resources to the Global Tenant Resource API, which is able to replicate objects across the Tenants without complicated logic: your feedback about this would be very valuable, also considering that resources replicated with that API are immutable for tenant owners, but happy to chat more.

Besides that, I'm happy to see Capsule used on OCP; wondering if we could connect on the Slack workspace to gather more details about it. Hope we can continue there to avoid polluting the GH issue.

@sandert-k8s
Author

Thanks for your fast replies Oliver and Prometherion.

Check, if this is as desired, we will use another label instead of this one.
Some background info: we added this label to every resource in a tenant (done by Kyverno), so we can filter on labels to get every resource within a tenant, for example for multi-tenant log shipping. If this is not recommended with the Clastix label, we'll just move to a new label.

And sure, we can connect in Slack. I'll drop a message in a bit.

@oliverbaehler
Collaborator

Will be fixed because this might lead to errors with capsule-proxy enabled.

@oliverbaehler oliverbaehler added this to the v0.7.0 milestone May 2, 2024
@oliverbaehler oliverbaehler self-assigned this May 2, 2024
@oliverbaehler oliverbaehler removed wontfix This will not be worked on blocked-needs-validation Issue need triage and validation labels May 2, 2024