Skip to content

fix: webhook fails closed when rule listing errors#252

Open
dorodb-web22 wants to merge 1 commit into
kubernetes-sigs:mainfrom
dorodb-web22:fix/webhook-fail-closed-on-list-error
Open

fix: webhook fails closed when rule listing errors#252
dorodb-web22 wants to merge 1 commit into
kubernetes-sigs:mainfrom
dorodb-web22:fix/webhook-fail-closed-on-list-error

Conversation

@dorodb-web22
Copy link
Copy Markdown

@dorodb-web22 dorodb-web22 commented May 14, 2026

Fixes #251

When validateTaintConflicts cannot list existing rules, it previously logged the error and allowed the request through (fail-open).
This means two rules with the same taint key/effect and overlapping selectors could be created during an API degradation window, causing taints to flip-flop indefinitely on affected nodes.

This change returns an InternalError instead, rejecting the request with a clear message so the client can retry when the system is healthy.
This aligns with the Kubernetes admission webhook best-practice offail-closed validation.

@netlify
Copy link
Copy Markdown

netlify Bot commented May 14, 2026
edited
Loading

Deploy Preview for node-readiness-controller canceled.

Name Link
🔨 Latest commit d439b78
🔍 Latest deploy log https://app.netlify.com/projects/node-readiness-controller/deploys/6a0586ae18a8cd0008578d64

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented May 14, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dorodb-web22
Once this PR has been reviewed and has the lgtm label, please assign tallclair for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 14, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented May 14, 2026

Hi @dorodb-web22. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels May 14, 2026
@dorodb-web22 dorodb-web22 force-pushed the fix/webhook-fail-closed-on-list-error branch from a39181c to d439b78 Compare May 14, 2026 08:24
@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels May 14, 2026
AvineshTripathi
AvineshTripathi reviewed May 15, 2026
View reviewed changes
Comment thread internal/webhook/nodereadinessgaterule_webhook.go
// Fail closed: if we can't list rules, we cannot safely validate
// for conflicts. Reject the request so the client can retry.
return append(allErrs, field.InternalError(
field.NewPath("spec", "taint", "key"),
Copy link
Copy Markdown
Contributor

@AvineshTripathi AvineshTripathi May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure about using field.NewPath("spec", "taint", "key") here. A List failure is a systemic/infrastructure issue, not an error with the user's input in that specific field. Attributing it to the taint key could be misleading for users debugging their YAML.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ajaysundark ajaysundark Awaiting requested review from ajaysundark

@haircommander haircommander Awaiting requested review from haircommander

1 more reviewer

@AvineshTripathi AvineshTripathi AvineshTripathi left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bug: webhook fails open on rule listing error

3 participants

@dorodb-web22 @k8s-ci-robot @AvineshTripathi