@praddy26
Contributor

Fix permission errors when workload types are ignored

Problem

The original PR #997 attempted to fix issue #996 but only addressed part of the problem. While it prevented reloading of ignored workload types, it didn't prevent the initial listing of those resources, which still caused permission errors.

What was happening:

  • Users set --ignored-workload-types=jobs,cronjobs and removed RBAC permissions for Jobs/CronJobs
  • Reloader would still attempt to list these resources during startup/operation
  • This resulted in permission errors: Failed to list cronjobs/jobs: cronjobs.batch is forbidden

Fault in previous PR:

The original fix only added checks in the ShouldReload function, but the doRollingUpgrade function was still calling rollingUpgrade for Jobs and CronJobs, which internally tries to list these resources regardless of the ignore flags.

Solution

Modified doRollingUpgrade function in internal/pkg/handler/upgrade.go to check ignored workload types before attempting to list/process Jobs and CronJobs:

// Only process cronjobs if not ignored
if !ignoredWorkloadTypes.Contains("cronjobs") {
    if err := r.rollingUpgrade(clients, config, envVars, "cronjobs"); err != nil {
        logrus.Errorf("Error while reloading cronjobs %v", err)
    }
}

// Only process jobs if not ignored
if !ignoredWorkloadTypes.Contains("jobs") {
    if err := r.rollingUpgrade(clients, config, envVars, "jobs"); err != nil {
        logrus.Errorf("Error while reloading jobs %v", err)
    }
}

Testing

Test Environment:

  • Kind cluster with restricted RBAC (no Jobs/CronJobs permissions)
  • Reloader deployed with --ignored-workload-types=jobs,cronjobs
  • Test workloads and ConfigMaps to trigger reloader operations

Test Results:

Before Fix (upstream image):

Failed to list cronjobs: cronjobs.batch is forbidden: User "system:serviceaccount:reloader-test:reloader-test" cannot list resource "cronjobs" in API group "batch"
Failed to list jobs: jobs.batch is forbidden: User "system:serviceaccount:reloader-test:reloader-test" cannot list resource "jobs" in API group "batch"

After Fix:

  • ✅ No permission errors
  • ✅ ConfigMap changes detected and processed correctly
  • ✅ Other workload types (Deployments, etc.) reload properly
  • ✅ Clean logs with only expected debug/info messages

Validation:

  1. Deployed both upstream and fixed images in the same environment
  2. Triggered ConfigMap changes to verify functionality
  3. Confirmed permission errors are eliminated while maintaining full reloader functionality

Impact

Closes #996

@msafwankarim msafwankarim merged commit 1084574 into stakater:master Oct 27, 2025
16 of 20 checks passed
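
The difference between checking the ignore list only at reload time and gating before the list call, as an added Go example that is not part of this PR or of Reloader's code. `rbacLister`, `parseIgnored`, `upgradeAll` and the kind list are hypothetical stand-ins, and the forbidden error is simulated.

```go
package main

import (
	"fmt"
	"strings"
)

// rbacLister is a hypothetical stand-in for the API server: list fails for kinds without RBAC.
type rbacLister struct{ allowed map[string]bool }

func (l rbacLister) list(kind string) error {
	if !l.allowed[kind] {
		return fmt.Errorf("failed to list %s: forbidden", kind)
	}
	return nil
}

// parseIgnored turns a flag value such as "jobs,cronjobs" into a lookup set.
func parseIgnored(flag string) map[string]bool {
	set := map[string]bool{}
	for _, t := range strings.Split(flag, ",") {
		set[strings.ToLower(strings.TrimSpace(t))] = true
	}
	return set
}

// upgradeAll: with gateBeforeList=false the ignore check runs only after the list call.
func upgradeAll(l rbacLister, ignored map[string]bool, gateBeforeList bool) (reloaded, errs []string) {
	for _, kind := range []string{"deployments", "cronjobs", "jobs"} { // constructed kind list
		if gateBeforeList && ignored[kind] {
			continue // never touches the API for an ignored kind
		}
		if err := l.list(kind); err != nil {
			errs = append(errs, err.Error())
			continue
		}
		if !ignored[kind] {
			reloaded = append(reloaded, kind)
		}
	}
	return reloaded, errs
}

func main() {
	l := rbacLister{allowed: map[string]bool{"deployments": true}} // Jobs/CronJobs RBAC removed
	for _, gate := range []bool{false, true} {
		reloaded, errs := upgradeAll(l, parseIgnored("jobs,cronjobs"), gate)
		fmt.Println("gateBeforeList:", gate, "reloaded:", reloaded, "errors:", errs)
	}
}
```

With the check placed before the list call, the service account's RBAC can drop the Jobs and CronJobs permissions without the forbidden errors appearing in the logs.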
Development

Successfully merging this pull request may close these issues.

[BUG] setting ignoreJobs/ignoreCronJobs just removes the RBAC permissions