Skip to content

Commit 717a72b

Browse files
creydrknative-prow-robot
authored andcommitted
Move AggregationRuleTransform to shared common package
AggregationRuleTransform was only applied to KnativeServing but not to KnativeEventing. This caused the operator to continuously overwrite the rules of aggregated ClusterRoles (e.g. channelable-manipulator) with empty rules from the manifest, creating a race condition with the Kubernetes aggregation controller. During the race window, RBAC lookups against the aggregated role return 403 Forbidden. Move the transform from knativeserving/common to the shared reconciler/common package and apply it inside Transform(), so every component (Serving, Eventing, Kafka) benefits automatically. Signed-off-by: Christoph Stäbler <cstabler@redhat.com>
1 parent 4d4a0d4 commit 717a72b

4 files changed

Lines changed: 40 additions & 4 deletions

File tree

pkg/reconciler/knativeserving/common/aggregated_rules.go renamed to pkg/reconciler/common/aggregated_rules.go

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -26,12 +26,13 @@ type unstructuredGetter interface {
2626
Get(obj *unstructured.Unstructured) (*unstructured.Unstructured, error)
2727
}
2828

29-
// AggregationRuleTransform
29+
// AggregationRuleTransform preserves the rules of aggregated ClusterRoles.
30+
// The Kubernetes aggregation controller manages the rules field of aggregated
31+
// ClusterRoles. Without this transform, manifestival overwrites the aggregated
32+
// rules with the empty rules from the manifest, causing a race condition.
3033
func AggregationRuleTransform(client unstructuredGetter) mf.Transformer {
3134
return func(u *unstructured.Unstructured) error {
3235
if u.GetKind() == "ClusterRole" && u.Object["aggregationRule"] != nil {
33-
// we rely on the controller manager to fill in rules so
34-
// ours will always trigger an unnecessary update
3536
current, err := client.Get(u)
3637
if errors.IsNotFound(err) {
3738
return nil

pkg/reconciler/knativeserving/common/aggregated_rules_test.go renamed to pkg/reconciler/common/aggregated_rules_test.go

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -74,6 +74,41 @@ func TestAggregationRuleTransform(t *testing.T) {
7474
serving.knative.dev/controller: "true"
7575
rules: []
7676
overwriteExpected: false
77+
- name: "existing eventing aggregated role has rules"
78+
input:
79+
kind: ClusterRole
80+
apiVersion: rbac.authorization.k8s.io/v1
81+
metadata:
82+
name: channelable-manipulator
83+
aggregationRule:
84+
clusterRoleSelectors:
85+
- matchLabels:
86+
duck.knative.dev/channelable: "true"
87+
rules: []
88+
existing:
89+
kind: ClusterRole
90+
apiVersion: rbac.authorization.k8s.io/v1
91+
metadata:
92+
name: channelable-manipulator
93+
aggregationRule:
94+
clusterRoleSelectors:
95+
- matchLabels:
96+
duck.knative.dev/channelable: "true"
97+
rules:
98+
- apiGroups:
99+
- messaging.knative.dev
100+
resources:
101+
- channels
102+
- channels/status
103+
verbs:
104+
- create
105+
- get
106+
- list
107+
- watch
108+
- update
109+
- patch
110+
- delete
111+
overwriteExpected: true
77112
`)
78113
err := yaml.Unmarshal(testData, &tests)
79114
if err != nil {

pkg/reconciler/common/transformers.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -65,6 +65,7 @@ func Transform(ctx context.Context, manifest *mf.Manifest, instance base.KCompon
6565
logger.Debug("Transforming manifest")
6666

6767
transformers := transformers(ctx, instance)
68+
transformers = append(transformers, AggregationRuleTransform(manifest.Client))
6869
transformers = append(transformers, extra...)
6970

7071
m, err := manifest.Transform(transformers...)

pkg/reconciler/knativeserving/knativeserving.go

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -160,7 +160,6 @@ func (r *Reconciler) transform(ctx context.Context, manifest *mf.Manifest, comp
160160
extra = append(extra,
161161
common.InjectOwner(instance, anchorOwner),
162162
ksc.CustomCertsTransform(instance, logger),
163-
ksc.AggregationRuleTransform(manifest.Client),
164163
// Ensure all resources have the selector applied so that the controller re-queues applied resources when they change.
165164
common.InjectLabel(SelectorKey, SelectorValue),
166165
)

0 commit comments

Comments
 (0)