NetworkPolicies are missing from static deployment YAMLs #11048
Comments
/triage accepted

@ViliusS thanks for reporting this. I will check and then maybe others will comment too.
@ViliusS what do you mean by the admission webhook cannot handle changes? I am using v1.10.0 and I added and changed ingresses, so I am assuming the admission webhook checked the changes and allowed them as my changes were valid.
Does your issue description mean this webhook is there but not doing any checks on my ingress resource changes?
Before that PR there was a network policy basically allowing any ingress to the controller: This network policy was controlled by the admission webhook configuration, so without admission webhooks, the controller would not have a network policy at all, not even for the other ports.

Additionally, all the other network policies were already disabled by default. So the network policy we are talking about was probably rendered by mistake and, if your setup was relying on network policies, would not have been enough to make Ingress NGINX run.

See the original PR for further reasoning: #10238

To sum it up: The PR just aligned when network policies are being rendered (not at all by default) and put responsibilities where they belong (the controller has its own network policy, other components like admission webhooks just add or remove the respective ports from it instead of mistakenly allowing all ingress).
ok, what I discovered from the PR is that netpol needs to be explicitly enabled in the helm chart, so that means while generating the static yaml manifests, we are not enabling netpol.
Yes, the static files were never meant for setups relying on network policies. Even if the static files would allow access to the webhook port, they would still miss policies for... ... egress from the controller pod to any
ok, @Gacko's comment explains much of it now.

@ViliusS please do elaborate what you mean by "This makes admission webhooks unable to handle ingress changes." From @Gacko's comment, the layman takeaway seems to be that the netpol in place earlier was cosmetic of sorts, so that PR changed it to optional via the helm chart values file, and static manifests are now created without that cosmetic netpol.
/remove-kind bug
/assign
I just tried a bare install of NGINX Controller 1.10.0 on a clean Kubernetes cluster and it works. Then I tried on my production cluster and it works there too now. Sorry for the noise, no idea why it didn't work repeatedly before. Maybe that's because I have completely cleaned the admission Kubernetes Jobs before reinstalling the controller this time.

Just for completeness of this ticket, by "This makes admission webhooks unable to handle ingress changes" I meant that the admission webhook was there and it detected the ingress changes (be it a new URL rule, or a completely new ingress), but it failed the validation with an error (sorry, I don't have the exact error anymore). Since the validation failed, the changes didn't propagate to the controller.
But your changes are working now?
Yes, it works now. I will close this ticket.
What happened:
It looks like NetworkPolicies in static YAML files were briefly available in 1.9.4, but they are no longer generated since #10438. This makes admission webhooks unable to handle ingress changes.
What you expected to happen:
Network policies should be generated in static YAML files.
NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):
1.9.5 and 1.10.0
Kubernetes version (use kubectl version): 1.27.10
Environment:
Bare metal Kubernetes installed via kubeadm on Rocky Linux 9.3
nginx controller installed via static YAML files provided by official repo.