-
Notifications
You must be signed in to change notification settings - Fork 115
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NetworkPolicy resources are not predeployed when using calico as the network provider #773
Comments
I'm surprised this is happening. By default CRs are pre-deployed. This behavior can be turned off by an annotation on the CRD https://github.com/Shopify/krane#customizing-behaviour-with-annotations Can you add the example CR and CRD to a comment in this issue? |
We're setting up That happens in every workload we deploy to the cluster, no matter what the CR
Examples
|
Oh, I see When you use Calico it also adds a So fixing this is a bit tricky. My two stabs at it are in #774, but neither are quite right. I've got a 3rd idea (we have to track the groups to pre-deploy and the groups not to pre-deploy), but might not finish it today. |
Yay, glad it makes sense with more context 🎉 I couldn't think of an elegant way to solve it, because in some cases you may want to predeploy CRDs and not CRs (seemed like that was the case for the feature request that the grouping was addressing, i.e. #728). I was wondering if there is a definite set of cases for which resources you may or may not want to predeploy, or can it depend on the workload/how the cluster is set up? |
Its up to each operator if they want to pre-deploy CRs or not. As an example: If you use a CR to do canary deploys, you wouldn't want that to be pre-deployed. |
Hi @dturn, happy new year 🎉 Did you end up making any progress on a different approach? Anything I could do to help? Happy to provide more info and brainstorm :) |
Following up @dturn :) Anything I could do to help? |
I'm slowly making progress on #774 but when I went to write the test I realized this is going to take longer than expected. It turns out there are at least 3 places we assume The PR originally was trying to solve the first issue. Solving the second one is done locally, but still haven't had enough time to finish up the 3rd. Assuming no more surprises, I'm optimistic I'll get it done this week. |
@trueskawka you've probably figured this out, but I haven't had as much time to work on this as needed. I can't commit to getting this fixed in a reasonable time frame. If you're interested in taking over let me know and I'll do my best to support you. Otherwise, you can follow this this issue and I'll keep it updated. |
Hi @dturn! We were able to work around it by doing our networking a bit differently and not having to depend on calico as much. I'm happy to try and PR a change to fix it for others who might be still running into this issue. Gonna do a PR sometime in the next two weeks and @-mention you :) |
@dturn @trueskawka Has anything changed since the last comments here? I'm running into this same problem. @dturn I know you stated there's three bugs to fix, but I wonder if it's necessary to fix them all together. If you have a solution for the specific issue described here, is it not possible to ship that on its own, acknowledging that other similar issues will remain? |
We've been using your tooling for a while, thanks for making it open-source <3 Appreciate all the work you put into it!
We recently went through the full update path from
kubernetes-deploy
in0.25.0
and wanted to update to the newestkrane
, but this bug is preventing us from updating beyond major version 1.Bug report
When using
calico
as the network provider,NetworkPolicy
resources are no longer pre-deployed.Expected behavior:
NetworkPolicy
resources are pre-deployed as priority.Actual behavior:
NetworkPolicy
resources are being deployed with non-priority resources.Version(s) affected:
This has been introduced when bumping to major 2, in #735
Steps to Reproduce
You can test it in
minikube
using your test suite, after starting it withcalico
as the network providerFeature request
Proposal:
Changing the way resources are being prioritized. I'd prefer to go with approach 1, since it would make it more flexible, but I may not have enough context and maybe making a strong assumption about
NetworkPolicy
resources proposed in approach 2 is sufficient.Make predeploy sequence configurable
Since the change that introduced this issue has been implemented to address a request for a reverse priority order (i.e. custom resource over core, Service deployed in priority resources phase #728), it seems like having a strong assumption on which resources should be prioritized written directly in code could potentially not fit all the use cases.
Providing a configurable way for the user to define which resources should be predeployed would allow for allowing any use cases they need.
Ensure
NetworkPolicy
resources are always predeployedFilter out
NetworkPolicy
resources from this hash:1 This is the quickest way to get a new feature! We reserve the right to close feature requests, even ones we like, if the proposer does not intend to contribute to the feature and it doesn't fit in our current roadmap.
The text was updated successfully, but these errors were encountered: