Closed
Description
What happened:
We are using a cloneset with hostnetwork, but in the podTemplate, we only specified the containerPort without specifying the hostPort (we expected it to be equal to containerPort when it's empty), this used to work correctly in the older versions of openkruise. But after we upgrade the openkruise from 1.6 to 1.7, the CloneSet webhook denied the create request, below error occurs:
2025-04-02T21:17:05.295+0800 ERROR { "error": "admission webhook \"vcloneset.kb.io\" denied the request: [spec.template.spec.containers[0].ports[0].hostPort: Invalid value: 0: must match `containerPort` when `hostNetwork` is true, spec.template.spec.containers[0].ports[1].hostPort: Invalid value: 0: must match `containerPort` when `hostNetwork` is true, spec.template.spec.containers[0].ports[2].hostPort: Invalid value: 0: must match `containerPort` when `hostNetwork` is true]"}
I read the cloneset webhook code
, it validate the PodTemplate withwebhookutil.DefaultPodValidationOptions whose ResourceIsPod changed from False to True in openkruise-1.7, and in the validatePodHostNetworkDeps, it will validate the containerPort with hostPort based on ResourceIsPod. Based on the semantics, ResourceIsPod should be False in CloneSet webhook. Other CRs' webhooks might also have this issue. If this is confirmed to be a problem, I can submit a PR to fix it.
What you expected to happen:
this create request should not be denied
How to reproduce it (as minimally and precisely as possible):
just create a cloneset with hostnetwork=true, and specify containerPort without hostPort
Anything else we need to know?:
Environment:
- Kruise version:
- Kubernetes version (use
kubectl version): - Install details (e.g. helm install args):
- Others: