Skip to content

fix: webhook fails closed when rule listing errors #252

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dorodb-web22 wants to merge 2 commits into
base: main
Choose a base branch
from
+6 −3
Open

fix: webhook fails closed when rule listing errors #252

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d439b78
fix:webhook fails closed when rule listing errors
dorodb-web22 May 14, 2026
c58fe57
use nil field path in InternalError for list failure
dorodb-web22 May 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 6 additions & 3 deletions internal/webhook/nodereadinessgaterule_webhook.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,9 +80,12 @@ func (w *NodeReadinessRuleWebhook) validateTaintConflicts(ctx context.Context, r
// List all existing rules
ruleList := &readinessv1alpha1.NodeReadinessRuleList{}
if err := w.List(ctx, ruleList); err != nil {
// If we can't list rules, allow the operation but log the issue
ctrl.Log.Error(err, "Failed to list rules for conflict validation")
Comment on lines 83 to -85
Copy link
Copy Markdown
Member

@Priyankasaggu11929 Priyankasaggu11929 May 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, let's keep the log line as it is - ctrl.Log.Error(err, "Failed to list rules for conflict validation")

it will show up in the controller logs and would be useful for debugging.

return allErrs
// Fail closed: if we can't list rules, we cannot safely validate
// for conflicts. Reject the request so the client can retry.
return append(allErrs, field.InternalError(
nil,
fmt.Errorf("unable to validate taint conflicts, please retry: %w", err),
))
Copy link
Copy Markdown
Member

@Priyankasaggu11929 Priyankasaggu11929 May 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nil path is confusing in the actual admission error:

Error from server (Forbidden): error when creating "test-nrr.yaml": admission webhook "vnodereadinessrule.kb.io" denied the request: validation failed: [<nil>: Internal error: unable to validate taint conflicts, please retry]

I suggest to add back the spec.taint.key path but change the error line to read coherently (because indeed the admission validation error happened at the taint key field in the nrr object schema)

Suggested change
))
// Fail closed: if we can't list rules, we cannot safely validate
// for conflicts. Reject the request so the client can retry.
return append(allErrs, field.InternalError(
field.NewPath("spec", "taint", "key"),
fmt.Errorf("failed to validate taint %q against existing rules: %w", rule.Spec.Taint.Key, err),
))

so, it outputs an error like:

Error from server (Forbidden): error when creating "test-nrr.yaml": admission webhook "vnodereadinessrule.kb.io" denied the request: validation failed: [spec.taint.key: Internal error: failed to validate taint "readiness.k8s.io/example-taint" against existing rules: context deadline exceeded]

}

taintField := field.NewPath("spec", "taint", "key")
Expand Down
Loading