Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

resource-reconciler: determined that resources are NOT equal #141

Open
ilabrovic opened this issue Sep 11, 2023 · 5 comments
Open

resource-reconciler: determined that resources are NOT equal #141

ilabrovic opened this issue Sep 11, 2023 · 5 comments

Comments

@ilabrovic
Copy link

ilabrovic commented Sep 11, 2023

What are tips/approached how to troubleshoot "resource-reconciler determined that resources are NOT equal" messages?
We have a simple namespaceconfig with only 2 rolebinding creations but are unable to keep the operator log clean of these messages and wondering why the operator thinks the resources are NOT equal.

@ilabrovic
Copy link
Author

ilabrovic commented Sep 11, 2023

Tested/ruled out:
Rolebinding subjects are not changing, so that can't be it.
roleRef cannot even be changed in a rolebinding, so that's not it either
metadata, as far as i know, is always considered part of excludedPaths (https://github.com/redhat-cop/namespace-configuration-operator#Excluded-Paths)
and lastly, a rolebinding does not have a status field, so that can't be the problem either.

So i am really wondering why the operator thinks the resources are NOT equal

@raffaelespazzoli
Copy link
Collaborator

can you paste the manifest you create? Also do you see it flip flopping?

@ilabrovic
Copy link
Author

ilabrovic commented Sep 12, 2023

Unfortunately not due to company policies.
In short, it only has 1 labelSelector on spec: level to filter the correct namespaces, and then 2 objectTemplates each creating a single RoleBinding.
If there are any throubleshooting hints/techniques i could try, that would help

Maybe increasings the verbosity of the operator if that is possible?

@ilabrovic
Copy link
Author

Good new for this case!
We created a couple of rolebindings, but did not specify apiGroup: rbac.authorization.k8s.io for each Group and User in the subjects: part.
Kubernetes adds these default fields, and thats why the namespace configuration operator sees an out of sync
Kudos to my community partner GW!

@simon-wessel
Copy link

Since release v1.2.5 you can see the diff that caused the reconcile in the logs.

You have to take a close look though. I can be minor things like numbers that are written to a string field and will therefore receive quotation marks which the operator detects as a diff. Mutation Webhooks are also a possible cause of diffs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants