When "image-scanner-jobs" namespace is in "Terminating" state the image-scanner should report an error when it's not able to create scan Jobs #225

Open
bendikp opened this issue Feb 21, 2023 · 0 comments
Labels
bug Something isn't working

bendikp commented Feb 21, 2023

Environmental Info:
Image Scanner Version:
0.4.1

Kubernetes distro and version:
OpenShift v4.11

Describe the bug:
I delete the "image-scanner-jobs" namespace, and while the namespace is terminating, the image-scanner is unable to create Jobs in the namespace, as expected, but there are no errors in the logs.

Steps To Reproduce:
Not very easy to reproduce this with a "long running" terminating namespace, but I guess the same behavior can be reproduced if you remove the RBAC to create Jobs in the "image-scanner-jobs" namespace.

Expected behavior:
I would expect an error in the image-scanner logs telling me that something is wrong. I.e.:
jobs.batch "xxxxxxxxx" is forbidden: unable to create new content in namespace image-scanner-jobs because it is being terminated

Actual behavior:
There is nothing in the logs indicating that the image-scanner is struggling to create Jobs in the "image-scanner-jobs" namespace.

Additional context / logs:
Audit event:

{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "stage": "ResponseComplete",
  "requestURI": "/apis/batch/v1/namespaces/image-scanner-jobs/jobs",
  "verb": "create",
  "user": {
    "username": "system:serviceaccount:image-scanner:image-scanner-controller-manager"
  },
  "userAgent": "manager/v0.0.0 (linux/amd64) kubernetes/$Format",
  "objectRef": {
    "resource": "jobs",
    "namespace": "image-scanner-jobs",
    "name": "application-abc",
    "apiGroup": "batch",
    "apiVersion": "v1"
  },
  "responseStatus": {
    "metadata": {},
    "status": "Failure",
    "message": "jobs.batch \"application-abc\" is forbidden: unable to create new content in namespace image-scanner-jobs because it is being terminated",
    "reason": "Forbidden",
    "details": {
      "name": "application-abc",
      "group": "batch",
      "kind": "jobs",
      "causes": [
        {
          "reason": "NamespaceTerminating",
          "message": "namespace image-scanner-jobs is being terminated",
          "field": "metadata.namespace"
        }
      ]
    },
    "code": 403
  },
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"image-scanner-manager-rolebinding\" of ClusterRole \"image-scanner-manager-role\" to ServiceAccount \"image-scanner-controller-manager/image-scanner\""
  }
}
@bendikp bendikp added the bug Something isn't working label Feb 21, 2023
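The audit event in the report was authorized by RBAC (`"authorization.k8s.io/decision": "allow"`) and still returned 403 with cause `NamespaceTerminating`. As an added example (not part of the issue or of the image-scanner code), this Python triage separates authorizer denials from creates rejected after authorization, so failures the controller does not log can still be found in the audit log. The sample lines, function names and category labels are assumptions made for illustration.

```python
import json
from collections import Counter

SA = "system:serviceaccount:image-scanner:image-scanner-controller-manager"
def make_event(decision, code, causes):
    # Constructed audit event line, trimmed to the fields read below.
    return json.dumps({
        "verb": "create", "stage": "ResponseComplete", "user": {"username": SA},
        "objectRef": {"resource": "jobs", "namespace": "image-scanner-jobs"},
        "responseStatus": {"code": code, "details": {"causes": [{"reason": c} for c in causes]}},
        "annotations": {"authorization.k8s.io/decision": decision},
    })

# Constructed input: the issue's case twice, an authorizer denial, a success, a torn line.
SAMPLE_LINES = [
    make_event("allow", 403, ["NamespaceTerminating"]),
    make_event("allow", 403, ["NamespaceTerminating"]),
    make_event("forbid", 403, []),
    make_event("allow", 201, []),
    '{"verb": "cre',
]

def classify(event):
    """Return a category for a failed create request, or None for anything else."""
    status = event.get("responseStatus") or {}
    if event.get("verb") != "create" or status.get("code", 0) < 400:
        return None
    decision = (event.get("annotations") or {}).get("authorization.k8s.io/decision")
    if decision == "forbid":
        return "denied-by-authorizer"
    causes = (status.get("details") or {}).get("causes") or []
    if any(c.get("reason") == "NamespaceTerminating" for c in causes):
        return "namespace-terminating"  # authorized, then rejected: the issue's case
    return "rejected-after-authorization"

def summarize(lines):
    """Count failed creates per (user, namespace, resource, category)."""
    counts = Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        category = classify(event)
        if category:
            ref = event.get("objectRef") or {}
            user = (event.get("user") or {}).get("username", "unknown")
            counts[(user, ref.get("namespace"), ref.get("resource"), category)] += 1
    return counts
```

Calling `summarize(SAMPLE_LINES)` returns a `Counter` keyed by service account, namespace, resource and category; a growing `namespace-terminating` count for a controller whose own logs are silent matches the behavior reported here.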