From 55ac4d16fa3cc456aed271a817a7a1f2207001b4 Mon Sep 17 00:00:00 2001
From: Andrew Senetar
Date: Fri, 8 Dec 2023 01:52:40 +0000
Subject: [PATCH] fix: Don't create namespace on startup unless needed This changes the startup code for the secret store to not try to create the namespace as a way to check if it exists. Now it will only attempt if the namespace does not already exist. Submitting a create request can trigger admission webhooks. If there are namespace policies for jspolicy already deployed this can cause jspolicy to not be able to come back up if the deployment were scaled down or if no pods are running for some other reason. Without this change, the only way to recover is to delete any mutating/validating webhooks on namespaces* and then the jspolicy pods will be able to start. NOTE: In some cases namespae webhooks might exclude or only include certain namespaces. However the jspolicy namespace creation has no labels applied at submission time so label filters cannot exclude it appropriately if that is how the policies were set up. Inclusion filters of course would be less likely to be a problem.
---
pkg/util/secret/store.go | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/pkg/util/secret/store.go b/pkg/util/secret/store.go
index 04fdc08b..372f17c5 100644
--- a/pkg/util/secret/store.go
+++ b/pkg/util/secret/store.go
@@ -30,13 +30,18 @@ func EnsureCertSecrets(ctx context.Context, client client.Client) error {
 return err
 }
- // make sure the namespace exists
- err = client.Create(ctx, &corev1.Namespace{
- ObjectMeta: metav1.ObjectMeta{
- Name: namespace,
- },
- })
- if err != nil && kerrors.IsAlreadyExists(err) == false {
+ // check that namespace exists
+ err = client.Get(ctx, types.NamespacedName{Name: namespace}, &corev1.Namespace{})
+
+ // only attempt to create namespace if it does not exist, as this can trigger admission webhooks
+ if kerrors.IsNotFound(err) {
+ err = client.Create(ctx, &corev1.Namespace{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: namespace,
+ },
+ })
+ }
+ if err != nil {
 return err
 }
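Review bot: The final `if err != nil` now returns an AlreadyExists error from `client.Create`, which the removed check tolerated, so if another replica or controller creates the namespace between the `Get` and the `Create`, startup fails on a condition that is actually fine. Keeping the old tolerance closes that window: `if err != nil && !kerrors.IsAlreadyExists(err) { return err }`. The new `Get` also requires read access to namespaces; if the service account's role previously granted only `create` (the RBAC manifests are not visible here), a Forbidden response would now abort startup, so it is worth confirming that `get` on namespaces is granted. A short comment above the `Get` noting that any error other than NotFound is treated as fatal would make that intent explicit. EnsureCertSecrets begins and ends outside this hunk.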