-
Notifications
You must be signed in to change notification settings - Fork 898
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubectl apply's get /namespaces/{} output is disregarded #1619
Comments
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/sig api-machinery |
/sig cli |
This might be a client-go thing but I think kubectl should triage it first. |
Did you test the same steps with different resource (e.g. pods, etc.) other than serviceaccounts?. Because there might be an explicitly defined behavior specifically for serviceaccounts. If this happens other resources as well, I think it requires investigation. |
Sure. With Secrets (forgive the censorship on the IP):
Even with Pods:
|
/assign |
@mfranzil thank you for spending time on this issue with me. Could you please try the same steps by using |
What happened?
Every time
kubectl apply
is used, instead of the direct API call,kubectl
automatically evaluates the correct command to be used (e.g., apatch
for an existent object, acreate
for a new one). To do so, usuallykubectl
runs the following commands (assume I am manipulating a ServiceAccount for simplicity)/openapi/v3/
and/openapi/v3/api/{etc..}
/api/v1/namespaces/{namespace}/serviceaccounts/{my_sa}
- here the decision is taken whether to call additional APIs; if so,/api/v1/namespaces/{namespace}/
The problem is, the GET to the namespace object is completely irrelevant to the calls made after: even if the API call reports a 403, or 404 (extreme corner case in which the namespace was deleted in the middle),
kubectl
mindlessly goes forward with the following call. This leads me to think that this GET to the namespace is irrelevant, and could be skipped.What did you expect to happen?
Either the GET call not to be present or to have some sort of role in the
apply
process.How can we reproduce it (as minimally and precisely as possible)?
kubectl apply
, put a non-existent name and an existent namespace:Inspect the API calls, you will find a GET https://[redacted]:6443/api/v1/namespaces/default 403 Forbidden. Yet, the POST goes forward.
Even without a clusterrole, try creating a ServiceAccount on a non-existent namespace:
your-sa
namespaceapply
goes forward:Anything else we need to know?
No response
Kubernetes version
Cloud provider
OS version
Install tools
Container runtime (CRI) and version (if applicable)
Related plugins (CNI, CSI, ...) and versions (if applicable)
The text was updated successfully, but these errors were encountered: