Skip to content

Commit ba0ad52

Browse files
authored
Move AggregationRuleTransform to shared common package (#2316)
AggregationRuleTransform was only applied to KnativeServing but not to KnativeEventing. This caused the operator to continuously overwrite the rules of aggregated ClusterRoles (e.g. channelable-manipulator) with empty rules from the manifest, creating a race condition with the Kubernetes aggregation controller. During the race window, RBAC lookups against the aggregated role return 403 Forbidden. Move the transform from knativeserving/common to the shared reconciler/common package and apply it inside Transform(), so every component (Serving, Eventing, Kafka) benefits automatically. Signed-off-by: Christoph Stäbler <cstabler@redhat.com>
1 parent f832942 commit ba0ad52

4 files changed

Lines changed: 40 additions & 4 deletions

File tree

pkg/reconciler/knativeserving/common/aggregated_rules.go renamed to pkg/reconciler/common/aggregated_rules.go

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -26,12 +26,13 @@ type unstructuredGetter interface {
2626
Get(obj *unstructured.Unstructured) (*unstructured.Unstructured, error)
2727
}
2828

29-
// AggregationRuleTransform
29+
// AggregationRuleTransform preserves the rules of aggregated ClusterRoles.
30+
// The Kubernetes aggregation controller manages the rules field of aggregated
31+
// ClusterRoles. Without this transform, manifestival overwrites the aggregated
32+
// rules with the empty rules from the manifest, causing a race condition.
3033
func AggregationRuleTransform(client unstructuredGetter) mf.Transformer {
3134
return func(u *unstructured.Unstructured) error {
3235
if u.GetKind() == "ClusterRole" && u.Object["aggregationRule"] != nil {
33-
// we rely on the controller manager to fill in rules so
34-
// ours will always trigger an unnecessary update
3536
current, err := client.Get(u)
3637
if errors.IsNotFound(err) {
3738
return nil

pkg/reconciler/knativeserving/common/aggregated_rules_test.go renamed to pkg/reconciler/common/aggregated_rules_test.go

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -74,6 +74,41 @@ func TestAggregationRuleTransform(t *testing.T) {
7474
serving.knative.dev/controller: "true"
7575
rules: []
7676
overwriteExpected: false
77+
- name: "existing eventing aggregated role has rules"
78+
input:
79+
kind: ClusterRole
80+
apiVersion: rbac.authorization.k8s.io/v1
81+
metadata:
82+
name: channelable-manipulator
83+
aggregationRule:
84+
clusterRoleSelectors:
85+
- matchLabels:
86+
duck.knative.dev/channelable: "true"
87+
rules: []
88+
existing:
89+
kind: ClusterRole
90+
apiVersion: rbac.authorization.k8s.io/v1
91+
metadata:
92+
name: channelable-manipulator
93+
aggregationRule:
94+
clusterRoleSelectors:
95+
- matchLabels:
96+
duck.knative.dev/channelable: "true"
97+
rules:
98+
- apiGroups:
99+
- messaging.knative.dev
100+
resources:
101+
- channels
102+
- channels/status
103+
verbs:
104+
- create
105+
- get
106+
- list
107+
- watch
108+
- update
109+
- patch
110+
- delete
111+
overwriteExpected: true
77112
`)
78113
err := yaml.Unmarshal(testData, &tests)
79114
if err != nil {

pkg/reconciler/common/transformers.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -65,6 +65,7 @@ func Transform(ctx context.Context, manifest *mf.Manifest, instance base.KCompon
6565
logger.Debug("Transforming manifest")
6666

6767
transformers := transformers(ctx, instance)
68+
transformers = append(transformers, AggregationRuleTransform(manifest.Client))
6869
transformers = append(transformers, extra...)
6970

7071
m, err := manifest.Transform(transformers...)

pkg/reconciler/knativeserving/knativeserving.go

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -160,7 +160,6 @@ func (r *Reconciler) transform(ctx context.Context, manifest *mf.Manifest, comp
160160
extra = append(extra,
161161
common.InjectOwner(instance, anchorOwner),
162162
ksc.CustomCertsTransform(instance, logger),
163-
ksc.AggregationRuleTransform(manifest.Client),
164163
// Ensure all resources have the selector applied so that the controller re-queues applied resources when they change.
165164
common.InjectLabel(SelectorKey, SelectorValue),
166165
)

0 commit comments

Comments
 (0)