Improved logging for Constraint CRD creation failure without the generate flag #3967

Open
rakshasa-1729 opened this issue May 16, 2025 · 2 comments
Labels
bug Something isn't working

Comments

@rakshasa-1729
rakshasa-1729 commented May 16, 2025

What steps did you take and what happened:

  • Installation from the helm chart with the following overrides:

```yaml
# Based on: https://github.com/open-policy-agent/gatekeeper/blob/master/charts/gatekeeper/values.yaml

# Add annotations to the validating webhook
validatingWebhookAnnotations:
  cluster-name: "PR-dev"
# Gatekeeper controller manager settings
controllerManager:
  # Exempt specific namespaces from Gatekeeper policies
  exemptNamespaces:
    - "kube-system"
    - "istio-system"
    - "gatekeeper-system"
    - "calico-system"
    - "cert-manager"
  tolerations: []
  nodeSelector: {kubernetes.io/os: linux}
  resources:
    limits:
      cpu: 1
      memory: 1G
    requests:
      cpu: 100m
      memory: 512Mi
  securityContext:
    capabilities:
      add: ["NET_BIND_SERVICE"]
# Set the number of replicas
replicas: 2
enableConnectOperations: true
logLevel: DEBUG
# Update webhook port to 443
webhook:
  port: 443
```

What did you expect to happen:
Normal constraint template registration, Constraint CRD creation and constraint definition

Anything else you would like to add:
The constraint and template tried was: https://open-policy-agent.github.io/gatekeeper-library/website/validation/allowedrepos

Applied in order, constraint template followed by the constraint

https://github.com/open-policy-agent/gatekeeper/blob/7acc32e7ad160adc3e147d1a3603d[…]/controller/constrainttemplate/constrainttemplate_controller.go this could fail

Logs:

```text
/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:222
2025-05-15T23:45:13.915Z        debug   controller      unable to ingest template       {"kind": "ConstraintTemplate", "process": "constraint_template_controller", "event_type": "template_ingest_error", "template_name": "allowedregistries"}
2025-05-15T23:45:13.915Z        error   Reconciler error        {"controller": "constrainttemplate-controller", "object": {"name":"allowedregistries"}, "namespace": "", "name": "allowedregistries", "reconcileID": "558930ff-473b-4934-bcd8-6232c1842b6d", "error": "getting informer for kind: constraints.gatekeeper.sh/v1beta1, Kind=allowedregistries no matches for kind \"allowedregistries\" in version \"constraints.gatekeeper.sh/v1beta1\""}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
        /go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:324
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
        /go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:261
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
        /go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:222
2025-05-15T23:45:13.922Z        debug   controller      loading code into rule engine   {"kind": "ConstraintTemplate", "process": "constraint_template_controller", "name": "allowedregistries", "crdName": "allowedregistries.constraints.gatekeeper.sh"}
2025-05-15T23:45:13.923Z        debug   controller      making sure constraint is in watcher registry   {"kind": "ConstraintTemplate", "process": "constraint_template_controller", "name": "allowedregistries", "crdName": "allowedregistries.constraints.gatekeeper.sh"}
2025-05-15T23:45:13.932Z        error   controller      error adding template to watch registry {"kind": "ConstraintTemplate", "process": "constraint_template_controller", "name": "allowedregistries", "crdName": "allowedregistries.constraints.gatekeeper.sh", "error": "getting informer for kind: constraints.gatekeeper.sh/v1beta1, Kind=allowedregistries no matches for kind \"allowedregistries\" in version \"constraints.gatekeeper.sh/v1beta1\""}
github.com/open-policy-agent/gatekeeper/v3/pkg/controller/constrainttemplate.(*ReconcileConstraintTemplate).handleUpdate
        /go/src/github.com/open-policy-agent/gatekeeper/pkg/controller/constrainttemplate/constrainttemplate_controller.go:470
github.com/open-policy-agent/gatekeeper/v3/pkg/controller/constrainttemplate.(*ReconcileConstraintTemplate).Reconcile
        /go/src/github.com/open-policy-agent/gatekeeper/pkg/controller/constrainttemplate/constrainttemplate_controller.go:397
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
        /go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:114
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
        /go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:311
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
        /go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:261
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
        /go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:222
2025-05-15T23:45:13.932Z        error   controller      handle update error     {"kind": "ConstraintTemplate", "process": "constraint_template_controller", "template_name": "allowedregistries", "error": "getting informer for kind: constraints.gatekeeper.sh/v1beta1, Kind=allowedregistries no matches for kind \"allowedregistries\" in version \"constraints.gatekeeper.sh/v1beta1\""}
```

Environment:

  • Gatekeeper version: 3.18.* -> 3.19.*
  • Kubernetes version: (use kubectl version): GKE, 1.32.3, Client 1.33
rakshasa-1729 added the "bug" label on May 16, 2025
@JaydipGabani
Contributor

JaydipGabani commented May 16, 2025

@rakshasa-1729 can you look at the ConstraintTemplate and check if there are any errors reported on the status? If you can, please share the whole CT YAML from the API server.

Additionally, can you also confirm whether operation=generate is enabled on the audit pod?

rakshasa-1729 changed the title from "Constraint CRD creation failure in Gatekeeper >=3.18 GKE" to "Improved logging for Constraint CRD creation failure without the generate flag" on May 16, 2025
@rakshasa-1729
Author

@JaydipGabani Appreciate the help resolving this. Renamed the issue to improve logging to indicate the reason for the CRD not getting generated.

To quote the resolution here for future explorers:

For the controller-manager, you need to add operation=generate. We added operation=generate to guard all "Generation behavior" in GK, and by default the charts enable it only on audit to avoid write contention.
If you are not using audit, you need to add it to the controller manager and the error should get resolved.
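A preflight check for the resolution quoted above, added here as an example (not Gatekeeper's own code): it parses the JSON that `kubectl get deploy -n gatekeeper-system -o json` prints and reports which workloads, if any, run with `--operation=generate`, so the "no matches for kind" failure can be explained before a ConstraintTemplate is even applied. The deployment names, the `--operation=generate` argument form and the embedded sample JSON are assumptions constructed for this example.

```go
package main

import "encoding/json"

// Minimal projection of `kubectl get deploy -n gatekeeper-system -o json`.
type deployment struct {
	Metadata struct{ Name string `json:"name"` } `json:"metadata"`
	Spec     struct {
		Replicas *int32 `json:"replicas"` // nil means the API default of 1
		Template struct {
			Spec struct{ Containers []struct{ Args []string `json:"args"` } `json:"containers"` } `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}
func hasArg(args []string, want string) bool {
	for _, a := range args {
		if a == want {
			return true
		}
	}
	return false
}
// Diagnose names the scaled-up workloads passing --operation=generate (those that
// turn ConstraintTemplates into Constraint CRDs); with none, msg explains the failure.
func Diagnose(raw []byte) (owners []string, msg string, err error) {
	var list struct{ Items []deployment `json:"items"` }
	if err = json.Unmarshal(raw, &list); err != nil {
		return nil, "", err
	}
	for _, d := range list.Items {
		if d.Spec.Replicas != nil && *d.Spec.Replicas == 0 {
			continue // scaled to zero (e.g. audit turned off): it generates nothing
		}
		for _, c := range d.Spec.Template.Spec.Containers {
			if hasArg(c.Args, "--operation=generate") {
				owners = append(owners, d.Metadata.Name)
				break
			}
		}
	}
	if len(owners) == 0 {
		msg = "no running Gatekeeper workload passes --operation=generate, so Constraint CRDs are never " +
			"created and constraints fail with 'no matches for kind'; enable audit or add the flag to the controller manager"
	}
	return owners, msg, nil
}
// SampleDeployments is constructed to mirror the report: webhook+status on the controller manager, audit scaled to zero.
const SampleDeployments = `{"items":[
{"metadata":{"name":"gatekeeper-controller-manager"},"spec":{"replicas":2,"template":{"spec":{"containers":[{"args":["--operation=webhook","--operation=status","--log-level=DEBUG"]}]}}}},
{"metadata":{"name":"gatekeeper-audit"},"spec":{"replicas":0,"template":{"spec":{"containers":[{"args":["--operation=audit","--operation=generate","--operation=status"]}]}}}}]}`
```

Run it against real cluster output by piping `kubectl get deploy -n gatekeeper-system -o json` into `Diagnose`; an empty owner list is exactly the situation the resolution describes.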
