Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] CloneSet webhook denied the create request of host network container with containerPort but without hostPort #1985

Open
Yesphet opened this issue Apr 2, 2025 · 1 comment · May be fixed by #1986
Open

[BUG] CloneSet webhook denied the create request of host network container with containerPort but without hostPort #1985

Yesphet opened this issue Apr 2, 2025 · 1 comment · May be fixed by #1986
Assignees
@FillZpp
Labels
kind/bug Something isn't working
Milestone
1.9

Comments

@Yesphet
Copy link
Contributor

Yesphet commented Apr 2, 2025

What happened:

We are using a cloneset with hostnetwork, but in the podTemplate, we only specified the containerPort without specifying the hostPort (we expected it to be equal to containerPort when it's empty), this used to work correctly in the older versions of openkruise. But after we upgrade the openkruise from 1.6 to 1.7, the CloneSet webhook denied the create request, below error occurs:

2025-04-02T21:17:05.295+0800    ERROR   { "error": "admission webhook \"vcloneset.kb.io\" denied the request: [spec.template.spec.containers[0].ports[0].hostPort: Invalid value: 0: must match `containerPort` when `hostNetwork` is true, spec.template.spec.containers[0].ports[1].hostPort: Invalid value: 0: must match `containerPort` when `hostNetwork` is true, spec.template.spec.containers[0].ports[2].hostPort: Invalid value: 0: must match `containerPort` when `hostNetwork` is true]"}

I read the cloneset webhook code

kruise/pkg/webhook/cloneset/validating/validation.go

Line 78 in 483dc2f

allErrs = append(allErrs, apivalidation.ValidatePodTemplateSpec(coreTemplate, fldPath.Child("template"), webhookutil.DefaultPodValidationOptions)...)
, it validate the PodTemplate with webhookutil.DefaultPodValidationOptions whose ResourceIsPod changed from False to True in openkruise-1.7, and in the validatePodHostNetworkDeps, it will validate the containerPort with hostPort based on ResourceIsPod. Based on the semantics, ResourceIsPod should be False in CloneSet webhook. Other CRs' webhooks might also have this issue. If this is confirmed to be a problem, I can submit a PR to fix it.

What you expected to happen:

this create request should not be denied

How to reproduce it (as minimally and precisely as possible):

just create a cloneset with hostnetwork=true, and specify containerPort without hostPort

Anything else we need to know?:

Environment:

  • Kruise version:
  • Kubernetes version (use kubectl version):
  • Install details (e.g. helm install args):
  • Others:
@Yesphet Yesphet added the kind/bug Something isn't working label Apr 2, 2025
@Yesphet Yesphet changed the title [BUG] CloneSet webhook denied the create request of host network container without hostPort [BUG] CloneSet webhook denied the create request of host network container with containerPort but without hostPort Apr 2, 2025
@ABNER-1
Copy link
Member

ABNER-1 commented Apr 3, 2025

Hi @Yesphet , this might be a bug. Could you help assist with a fix? Thanks!

Yesphet added a commit to yak2p/kruise that referenced this issue Apr 3, 2025
@Yesphet
fix: set the ResourceIsPod of DefaultPodValidationOptions to false
3aa11fa 
openkruise#1985
@Yesphet Yesphet linked a pull request Apr 3, 2025 that will close this issue
Open
@ABNER-1 ABNER-1 added this to the 1.9 milestone Apr 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@FillZpp FillZpp

Labels
kind/bug Something isn't working
Projects
None yet
Milestone
1.9
Development

Successfully merging a pull request may close this issue.

fix: set the ResourceIsPod of DefaultPodValidationOptions to false yak2p/kruise
3 participants
@Yesphet @FillZpp @ABNER-1