debug snitch sa issue

Signed-off-by: rksharma95 <[email protected]>

.github/workflows/ci-test-controllers.yml

@@ -71,12 +71,10 @@ jobs:
           helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace --set kubearmorOperator.image.tag=latest \
             --set kubearmorOperator.imagePullPolicy=Never --set snitch.imagePullPolicy=Never --set helm.repository=embed --set helm.version=v1.3.8 --set helm.chart=kubearmor
           kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator
-          # DEBUG
-          kubectl logs -n kubearmor -l kubearmor-app=kubearmor-operator -f&
-          # DEBUG
           kubectl get pods -A
           sleep 3 # need this sleep because webhook server initialization may take some time
           kubectl wait --for=condition=established --timeout=5m crd/kubearmorconfigs.operator.kubearmor.com
+          kubectl wait --for=condition=complete --timeout=5m -n kubearmor job -l kubearmor-app=kubearmor-snitch
           # create kubearmorconfig
           if [[ ${{ steps.filter.outputs.kubearmor }} == 'true' ]]; then
             docker save kubearmor/kubearmor:latest | sudo k3s ctr images import -
@@ -91,13 +89,6 @@ jobs:
             jq '.spec.kubearmorControllerImage.imagePullPolicy = "Never" | .spec.kubearmorImage.imagePullPolicy = "Always" | .spec.kubearmorInitImage.imagePullPolicy = "Always"' | \
             kubectl apply -f -
           fi
-          # DEBUG
-          kubectl describe job -n kubearmor -l kubearmor-app=kubearmor-snitch
-          kubectl get sa -n kubearmor kubearmor-snitch
-          kubectl describe pod -n kubearmor -l kubearmor-app=kubearmor-snitch
-          kubectl wait --for=condition=complete --timeout=5m -n kubearmor job -l kubearmor-app=kubearmor-snitch
-          kubectl logs -n kubearmor -l kubearmor-app=kubearmor-snitch
-          # DEBUD
           kubectl wait --for=condition=ReleaseDeployed --timeout=5m kubearmorconfig.operator.kubearmor.com/kubearmorconfig-test -n kubearmor
           kubectl wait --timeout=7m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch -n kubearmor
           kubectl get pods -A

.github/workflows/ci-test-ginkgo.yml

@@ -86,19 +86,16 @@ jobs:
               sudo podman tag localhost/latest:latest docker.io/kubearmor/kubearmor-snitch:latest
             fi
           fi
+          docker system prune -a -f 
+          docker buildx prune -a -f
           helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace --set kubearmorOperator.image.tag=latest \
-            --set helm.repository=embed --set helm.version=v1.3.8 --set helm.chart=kubearmor
+            --set kubearmorOperator.imagePullPolicy=Never --set snitch.imagePullPolicy=Never --set helm.repository=embed --set helm.version=v1.3.8 --set helm.chart=kubearmor
           kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator
-          kubectl get pods -A
+          kubectl get pods -A 
           sleep 3 # need this sleep because webhook server initialization may take some time
           kubectl wait --for=condition=established --timeout=5m crd/kubearmorconfigs.operator.kubearmor.com
-          kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
-          # DEBUG
-          kubectl describe job -n kubearmor -l kubearmor-app=kubearmor-snitch
-          kubectl describe pod -n kubearmor -l kubearmor-app=kubearmor-snitch
           kubectl wait --for=condition=complete --timeout=5m -n kubearmor job -l kubearmor-app=kubearmor-snitch
-          kubectl logs -n kubearmor -l kubearmor-app=kubearmor-snitch
-          # DEBUD
+          kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
           kubectl wait --for=condition=ReleaseDeployed --timeout=5m kubearmorconfig.operator.kubearmor.com/kubearmorconfig-test -n kubearmor
           kubectl wait --timeout=7m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch -n kubearmor
           kubectl get pods -A

.github/workflows/ci-test-ubi-image.yml

@@ -68,15 +68,16 @@ jobs:
         run: |
           docker save kubearmor/kubearmor-init:latest | sudo podman load
           docker save kubearmor/kubearmor-ubi:latest | sudo podman load
-          docker save kubearmor/kubearmor-operator:latest | sudo podman load
+          docker save kubearmor/kubearmor-operator:latest |  sudo podman load
           docker save kubearmor/kubearmor-snitch:latest | sudo podman load
           helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace --set kubearmorOperator.image.tag=latest \
-            --set helm.repository=embed --set helm.version=v1.3.8 --set helm.chart=kubearmor
+            --set kubearmorOperator.imagePullPolicy=Never --set snitch.imagePullPolicy=Never --set helm.repository=embed --set helm.version=v1.3.8 --set helm.chart=kubearmor
           kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator
           kubectl get pods -A
           sleep 3 # need this sleep because webhook server initialization may take some time
           kubectl wait --for=condition=established --timeout=5m crd/kubearmorconfigs.operator.kubearmor.com
-          kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
+          kubectl wait --for=condition=complete --timeout=5m -n kubearmor job -l kubearmor-app=kubearmor-snitch
+          kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-ubi-test.yaml
           kubectl wait --for=condition=ReleaseDeployed --timeout=5m kubearmorconfig.operator.kubearmor.com/kubearmorconfig-test -n kubearmor
           kubectl wait --timeout=7m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch -n kubearmor
           kubectl get pods -A

pkg/KubeArmorOperator/internal/controller/cluster_controller.go

@@ -29,7 +29,7 @@ import (
 
 var (
 	informer                 informers.SharedInformerFactory
-	operatorDeploymentUID    string
+	operatorDeploymentUID    types.UID
 	operatorDeploymentName   string
 	snitchPathPrefix         string
 	snitchImage              string
@@ -83,8 +83,11 @@ func NewClusterWatcher(cfg WatcherConfig, client *kubernetes.Clientset, helmCont
 		informer = informers.NewSharedInformerFactory(client, 0)
 	}
 
+	dep, err := client.AppsV1().Deployments(cfg.OperatorWatchedNamespace).Get(context.TODO(), cfg.OperatorDeploymentName, metav1.GetOptions{})
+	if err != nil {
+		operatorDeploymentUID = dep.GetUID()
+	}
 	operatorDeploymentName = cfg.OperatorDeploymentName
-	operatorDeploymentUID = cfg.OperatorDeploymentUID
 	operatorWatchedNamespace = cfg.OperatorWatchedNamespace
 	snitchPathPrefix = cfg.SnitchPathPrefix
 	snitchImage = cfg.SnitchImage
@@ -133,11 +136,12 @@ func (clusterWatcher *ClusterWatcher) WatchNodes() {
 						log.Warnf("cannot create snitch clusterrolebinding error=%s", err.Error())
 						return
 					}
-					_, err = clusterWatcher.client.CoreV1().ServiceAccounts(operatorWatchedNamespace).Create(context.Background(), genSnitchServiceAccount(), metav1.CreateOptions{})
+					sa, err := clusterWatcher.client.CoreV1().ServiceAccounts(operatorWatchedNamespace).Create(context.Background(), genSnitchServiceAccount(), metav1.CreateOptions{})
 					if err != nil && !errors.IsAlreadyExists(err) {
 						log.Warnf("cannot create snitch serviceaccount error=%s", err.Error())
 						return
 					}
+					log.Info("service account %s created in namespace %s", sa.GetName(), sa.GetNamespace())
 					// deploy snitch job
 					_, err = clusterWatcher.client.BatchV1().Jobs(operatorWatchedNamespace).Create(context.Background(), genSnitchDeployment(nodeObj.Name, runtime), metav1.CreateOptions{})
 					if err != nil {
@@ -295,7 +299,7 @@ func (clusterWatcher *ClusterWatcher) updateDaemonsets(action string, nodeInstan
 
 func genSnitchDeployment(nodename string, runtime string) *batchv1.Job {
 	job := batchv1.Job{}
-	// job = *addOwnership(&job).(*batchv1.Job)
+	job = *addOwnership(&job).(*batchv1.Job)
 	ttls := int32(100)
 	job.GenerateName = "kubearmor-snitch-"
 	var rootUser int64 = 0