Skip to content

Exclude base image validation in kube-system #9174

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

Exclude base image validation in kube-system #9174

wants to merge 1 commit into from

Conversation

mikkeloscar
Copy link
Contributor

@mikkeloscar mikkeloscar commented Apr 3, 2025
edited
Loading

To avoid a circular dependency as explained in #9092 exclude the base image validation in kube-system,

This check is disabled in e2e making it different from production. It's tricky to enable in e2e as we have many e2e images that would not pass.

@mikkeloscar mikkeloscar added the bugfix Bug fixes and patches, e.g. fixing of a production issue that is affecting the customer experience. label Apr 3, 2025
@mikkeloscar
Exclude base image validation in kube-system
fb9bd2a 
Signed-off-by: Mikkel Oscar Lyderik Larsen <[email protected]>
@mikkeloscar mikkeloscar force-pushed the exclude-kube-system-base-image branch from e22b422 to fb9bd2a Compare April 7, 2025 08:01
linki
linki reviewed Apr 8, 2025
View reviewed changes
cluster/config-defaults.yaml
@@ -606,6 +606,7 @@ kubelet_image_gc_low_threshold: 40
{{if eq .Cluster.Environment "production"}}
teapot_admission_controller_validate_application_label: "true"
teapot_admission_controller_validate_base_images: "true"
teapot_admission_controller_validate_base_images_namespaces: "^kube-system$"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't this enable the base image check only in kube-system this way?

image

https://github.bus.zalan.do/teapot/admission-controller/blob/f3b5344ce3ad2efdf7fee04c484a8311f9263e57/pkg/config/config.go#L88-L89

Copy link
Member

@linki linki Apr 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we did base image checks in kube-system before. Looks like it's excluded here (as a protected namespace): https://github.bus.zalan.do/teapot/admission-controller/blob/6de653566e2674a442397f983a895829274a2711/pkg/podfactory/resource_validator.go#L194

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I realized this is at least wrong.

Will try to replicate the prod issue in a pet cluster to better think about a solution.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@linki linki linki left review comments

Assignees
No one assigned
Labels
bugfix Bug fixes and patches, e.g. fixing of a production issue that is affecting the customer experience. do-not-merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mikkeloscar @linki