Previously a loop variable was being used for the node name in the diagnostic
returned from the node labels and taints check. If the offending node wasn't the
last one in the list, the wrong node name would be returned.
Add a test to reproduce the issue, and copy the loop variable to fix it.

We have a number of checks that operate on admission control webhook
configuration. Older clusters support only v1beta1 of admission control, while
newer clusters support v1. Currently clusterlint fails to run on these older
clusters because we can't fetch v1 admission control objects from them.
This change covers the following modifications:
- When listing objects, ignore "not found" errors, which mean the cluster
  doesn't support the resource we're trying to list.
- Duplicate our existing admission control webhook checks for v1beta1, so that
  older clusters get the same checks as newer clusters.
- Enhance the errors we return when listing objects fails so that we can tell
  which resource we failed to list.
- Remove extraneous empty import: client auth plugins are already loaded in
  objects.go, so no need for the import in object_filter.go.
- Ensure all object lists are non-nil after fetching objects. (Since we now
  ignore not found errors, it's possible for some object lists to be nil.)
- Skip v1beta1 admission control tests when v1 objects exist.

Co-authored-by: Timo Reimann <treimann@digitalocean.com>

The tests for #90 failed because the order of map iteration is
non-deterministic, causing custom labels in the node label check to appear in
random order in the diagnostic details. Sort the slice of labels so that the
output is stable.

* Update docs to include Admission Controller Webhook Timeout check with fix
* Update file naming to be more consistent for admission controller webhooks
* Fix typo in webhook replacement struct name

Rather than relying on each check to fill in its name correctly when
producing diagnostics, fill in the name in the check runner after
running the check. This reduces the likelihood that a check gets its
name wrong or forgets to fill it in.
This also fixes a bug where the admission control webhook check was not
filling in its name at all.

DOKS has improved handling of webhooks such that the only webhooks that
cause problems are those that:
* Have failurePolicy set to Fail,
* Target a service other than the Kubernetes apiserver, and
* Apply to kube-system, and
* Apply to the namespace of the targeted service or are in a
  single-node cluster.
Update the webhook check to reflect this improvement.

In DOKS, labels and taints applied to nodes will be lost when the cluster
is upgraded or a node is otherwise replaced. This can cause problems for
workloads if labels or taints are used for scheduling.
Add a warning if any node in a cluster has custom labels or taints.
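
The node-name and label-ordering fixes described in the commit messages above, shown together in one label check. This is an added Go example, not clusterlint's own code. Node, Diagnostic and checkNodes are hypothetical names, treating any label key outside a kubernetes.io domain as "custom" is an assumption, and the sample nodes are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Node and Diagnostic are hypothetical stand-ins, not clusterlint's own types.
type Node struct {
	Name   string
	Labels map[string]string
}
type Diagnostic struct {
	Object  *Node
	Details []string // custom label keys, sorted
}

// checkNodes warns on nodes carrying labels outside kubernetes.io domains (an
// assumed definition of "custom"). fixed=false stores a pointer to one variable
// shared by all iterations, as a range variable was before Go 1.22.
func checkNodes(nodes []Node, fixed bool) (diags []Diagnostic) {
	var node Node
	for i := range nodes {
		node = nodes[i]
		var keys []string
		for k := range node.Labels { // map order is random
			if !strings.Contains(k, "kubernetes.io/") {
				keys = append(keys, k)
			}
		}
		if len(keys) == 0 {
			continue
		}
		sort.Strings(keys) // stable diagnostic output
		obj := &node
		if fixed {
			n := node // per-iteration copy
			obj = &n
		}
		diags = append(diags, Diagnostic{Object: obj, Details: keys})
	}
	return diags
}

func main() {
	nodes := []Node{{"pool-1", map[string]string{"team": "pay", "env": "prod"}}, {"pool-2", nil}} // constructed
	fmt.Println(checkNodes(nodes, false)[0].Object.Name, checkNodes(nodes, true)[0].Object.Name)
}
```

With the shared variable the only diagnostic names pool-2, the last node in the list, although pool-1 is the one carrying custom labels.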