
Grafana image renderer CrashLoopBackoff due to NetPol #795

Closed
clementnuss opened this issue Nov 8, 2021 · 5 comments · Fixed by #1637

Comments

@clementnuss (Contributor) commented Nov 8, 2021

The issue is the following:
If you enable imageRenderer: true in your Grafana Helm Chart, a default Network Policy will be created, which will only allow the traffic coming from a namespace labeled as follows (here is the Helm chart):

apiVersion: v1
kind: Namespace
metadata:
  labels:
    name: my-ns
  name: my-ns

In my case though, the namespace didn't have this label but only a kubernetes.io/metadata.name: my-ns label.
The liveness probe was therefore failing and my container was in the CrashLoopBackoff state.

Adding the label name: my-ns solves the issue for the grafana pod, but the liveness probe still fails.

@clementnuss (Contributor, Author) commented

I really think this should be checked upon. By default, k8s seems to be assigning only the label kubernetes.io/metadata.name: namespace-name to namespaces, but this helm chart is checking on a non-existent name: ... label.

@drmalex07 commented

I have also stumbled on this. @clementnuss is correct: the label (required to match) does not exist (on the namespace) unless someone manually assigns it (something not always possible). As mentioned here in the official Kubernetes docs, in order to target a namespace by name, the kubernetes.io/metadata.name label should be used (which is generated by Kubernetes if the relevant feature-gate NamespaceDefaultLabelName is enabled).

So, practically, the image renderer service is not accessible from Grafana (unless you entirely disable the network policy by setting imageRenderer.networkPolicy.limitIngress=false in values.yml).

My workaround is to leave the network policy enabled, and patch it after a helm install/upgrade command. Since we want to allow traffic only originating from the same namespace (as the netpol lives in), a better approach is to set namespaceSelector to null (by default it does exactly that; see kubectl explain netpol.spec.ingress.from.namespaceSelector).

A patch would be something like:

kubectl patch --type json netpol \
   -n ${MONITORING_NAMESPACE} \
   ${RELEASE_NAME}-grafana-image-renderer-ingress \
   -p '[{"op": "remove", "path": "/spec/ingress/0/from/0/namespaceSelector"}]'
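To make the namespaceSelector semantics discussed above concrete, here is an added illustration (not code from the Grafana Helm chart or from any commenter) that evaluates one entry of a NetworkPolicy's spec.ingress[].from the way Kubernetes does. It assumes a grafana pod label of app.kubernetes.io/name: grafana for the podSelector, which is a placeholder and not necessarily what the chart uses.

```python
# Added illustration, not code from the Grafana Helm chart; the grafana pod label is assumed.

def selector_matches(selector, labels):
    """Label selector: matchLabels are ANDed, {} matches everything; In/NotIn/Exists/DoesNotExist only."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True

def peer_admits(peer, policy_ns, src_ns, src_ns_labels, src_pod_labels):
    """One spec.ingress[].from entry: does it admit the source pod?
    namespaceSelector absent/null -> only the policy's own namespace;
    podSelector absent/null -> every pod in the selected namespace(s)."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    ns_ok = src_ns == policy_ns if ns_sel is None else selector_matches(ns_sel, src_ns_labels)
    pod_ok = True if pod_sel is None else selector_matches(pod_sel, src_pod_labels)
    return ns_ok and pod_ok

# Constructed sample: the label Kubernetes sets on every namespace by default,
# and an assumed label for the grafana pod (the chart's real podSelector may differ).
DEFAULT_NS_LABELS = {"kubernetes.io/metadata.name": "my-ns"}
GRAFANA_POD = {"app.kubernetes.io/name": "grafana"}
GRAFANA_SEL = {"matchLabels": GRAFANA_POD}
PEERS = {
    "chart-original": {"namespaceSelector": {"matchLabels": {"name": "my-ns"}},
                       "podSelector": GRAFANA_SEL},
    "fixed-no-ns-selector": {"podSelector": GRAFANA_SEL},  # the fix for #795
    "match-default-label": {"namespaceSelector": {"matchLabels": DEFAULT_NS_LABELS},
                            "podSelector": GRAFANA_SEL},  # the docs-recommended way
}

def grafana_can_reach_renderer(variant, src_ns="my-ns", ns_labels=DEFAULT_NS_LABELS):
    """Grafana pod in src_ns reaching the renderer netpol that lives in my-ns."""
    return peer_admits(PEERS[variant], "my-ns", src_ns, ns_labels, GRAFANA_POD)

if __name__ == "__main__":
    for name in PEERS:
        print(f"{name:22} {'ALLOW' if grafana_can_reach_renderer(name) else 'DENY'}")
```

Running it shows the original rule denying grafana on a namespace that only carries the default label, while both the selector-less rule and a selector on kubernetes.io/metadata.name allow it; the selector-less rule additionally denies a grafana pod living in any other namespace.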

@tim-felix-lange commented

I ran into the same issue and needed to use the workaround of disabling the policy entirely. I'd really love to see this fixed.

@zanhsieh (Collaborator) commented Jul 2, 2022

@tim-felix-lange @drmalex07 @clementnuss
Would commenting out this line help?

explicitNamespacesSelector: {}

...
  ## Example:
  ## explicitNamespacesSelector:
  ##   matchLabels:
  ##     role: frontend
  ##   matchExpressions:
  ##    - {key: role, operator: In, values: [frontend]}
  ##
  ## explicitNamespacesSelector: {}                          <=== this line

clementnuss added a commit to clementnuss/helm-charts that referenced this issue Jul 26, 2022
fixes grafana#795
removing the `namespaceSelector` from the network policy
effectively only allows pods from the same namespace to access 
the image renderer. there is no need to manually specify the
namespace, and the label previously used to match on a namespace
isn't the default K8s namespace label (that would be 
kubernetes.io/metadata.name )
@clementnuss (Contributor, Author) commented

@zanhsieh no, I just created a PR to fix this issue instead

joshmeranda pushed a commit to joshmeranda/rancher-charts that referenced this issue Sep 22, 2023
fixes grafana/helm-charts#795
removing the `namespaceSelector` from the network policy
effectively only allows pods from the same namespace to access
the image renderer. there is no need to manually specify the
namespace, and the label previously used to match on a namespace
isn't the default K8s namespace label (that would be
kubernetes.io/metadata.name )

Signed-off-by: Clément Nussbaumer <clement@astutus.org>