🐛 Prevent access entries delete+recreate cycle on EKS reconciliation #6007
raykrueger wants to merge 1 commit into
Conversation
When accessEntries with an unspecified type field are defined in AWSManagedControlPlane, the reconciler detects drift on every cycle because an empty Type is compared as "" against "STANDARD" (the EKS default) from the AWS API. This triggers a continuous delete-and-recreate loop every ~7s, with each deletion removing the access policy association and the subsequent recreation racing against the next reconcile before the policy can be re-associated. Normalize empty Type to AccessEntryTypeStandard before comparison in updateAccessEntry. Also skip re-associating access policies that already match the desired scope to avoid unnecessary API calls. Signed-off-by: Ray Krueger <raykrueger@gmail.com>
Hi @raykrueger. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Tip We noticed you've done this a few times! Consider joining the org to skip this step and gain Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/ok-to-test
/retest
This looks good to me, thanks @raykrueger
/test ?
/test pull-cluster-api-provider-aws-e2e-eks
When the e2e passes feel free to unhold.
/hold
But from my side:
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: richardcase. The full list of commands accepted by this bot can be found here. The pull request process is described here. Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@raykrueger: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
This is failing on the upgrade policy test. So we'll still need #5992 |
What type of PR is this?
/kind bug
What this PR does / why we need it:
When `accessEntries` with an unspecified `type` field are defined in `AWSManagedControlPlane`, the reconciler detects drift on every cycle because an empty `Type` is compared as `""` against `"STANDARD"` (the EKS default) from the AWS API. This triggers a continuous delete-and-recreate loop every ~7s, with each deletion removing the access policy association and the subsequent recreation racing against the next reconcile before the policy can be re-associated.
This change:
- Normalizes empty `Type` to `AccessEntryTypeStandard` before comparison in `updateAccessEntry`, so unspecified types no longer appear as drift.
Which issue(s) this PR fixes
Fixes #6003
Special notes for your reviewer:
The fix touches two functions in `pkg/cloud/services/eks/accessentry.go`:
- `updateAccessEntry`: normalizes empty type before drift detection
- `reconcileAccessPolicies`: skips already-matching policy associations; new helper `policyScopeMatches` compares desired vs existing scope
AI Usage:
This PR benefited from AI assistance (Qwen3.6-27B via Opencode) for:
- `AccessEntryType.APIValue()` comparison
Checklist:
Release note:
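The drift check described above, as an added stand-alone Go example that is not code from this PR or from cluster-api-provider-aws: the types, the `needsRecreateNaive`/`needsRecreate` pair, `policyScopeMatches` and the `simulateReconcile` loop are all constructed here to show why an unnormalized empty `Type` reports drift on every reconcile and why normalizing to the EKS default (`"STANDARD"`) stops it. The scope comparison treats namespace order as irrelevant, which is an assumption of this example, not something the PR states.

```go
package main

import (
	"fmt"
	"sort"
)

// AccessEntryType models the enum-like string type in the CRD spec.
// An empty value means the user left `type` unspecified. (Illustrative type,
// not CAPA's own definition.)
type AccessEntryType string

const AccessEntryTypeStandard AccessEntryType = "STANDARD"

// APIValue is the string form exchanged with the EKS API.
func (t AccessEntryType) APIValue() string { return string(t) }

// normalizeType maps an unspecified type to the EKS default so the desired
// state is compared in the same domain as what the API reports.
func normalizeType(t AccessEntryType) AccessEntryType {
	if t == "" {
		return AccessEntryTypeStandard
	}
	return t
}

// DesiredAccessEntry is what the spec asks for; Type may be empty.
type DesiredAccessEntry struct {
	PrincipalARN string
	Type         AccessEntryType
}

// ExistingAccessEntry is what EKS reports; Type is always populated,
// "STANDARD" when the entry was created without an explicit type.
type ExistingAccessEntry struct {
	PrincipalARN string
	Type         string
}

// needsRecreateNaive reproduces the faulty comparison: "" != "STANDARD"
// is true on every cycle, so the entry is deleted and recreated forever.
func needsRecreateNaive(d DesiredAccessEntry, e ExistingAccessEntry) bool {
	return d.Type.APIValue() != e.Type
}

// needsRecreate is the corrected comparison: normalize, then compare.
// A genuinely different type (e.g. "EC2_LINUX" vs "STANDARD") still drifts.
func needsRecreate(d DesiredAccessEntry, e ExistingAccessEntry) bool {
	return normalizeType(d.Type).APIValue() != e.Type
}

// AccessScope models an access policy association's scope.
type AccessScope struct {
	Type       string   // "cluster" or "namespace"
	Namespaces []string // only meaningful for namespace scope
}

// policyScopeMatches reports whether an existing association already has the
// desired scope, so the reconciler can skip a redundant associate call.
// Namespace order is ignored here (an assumption of this example).
func policyScopeMatches(desired, existing AccessScope) bool {
	if desired.Type != existing.Type || len(desired.Namespaces) != len(existing.Namespaces) {
		return false
	}
	d := append([]string(nil), desired.Namespaces...)
	e := append([]string(nil), existing.Namespaces...)
	sort.Strings(d)
	sort.Strings(e)
	for i := range d {
		if d[i] != e[i] {
			return false
		}
	}
	return true
}

// simulateReconcile counts delete+recreate cycles over n reconcile loops for a
// spec that omits the type. After each recreate EKS reports "STANDARD" again,
// which is exactly what makes the naive check loop.
func simulateReconcile(check func(DesiredAccessEntry, ExistingAccessEntry) bool, n int) int {
	desired := DesiredAccessEntry{PrincipalARN: "arn:aws:iam::123456789012:role/example", Type: ""}
	existing := ExistingAccessEntry{PrincipalARN: desired.PrincipalARN, Type: "STANDARD"}
	recreates := 0
	for i := 0; i < n; i++ {
		if check(desired, existing) {
			recreates++
			existing.Type = "STANDARD" // recreated with the EKS default
		}
	}
	return recreates
}

func main() {
	fmt.Println("naive recreates over 10 cycles:", simulateReconcile(needsRecreateNaive, 10))
	fmt.Println("fixed recreates over 10 cycles:", simulateReconcile(needsRecreate, 10))
	fmt.Println("scope already matches:", policyScopeMatches(
		AccessScope{Type: "namespace", Namespaces: []string{"a", "b"}},
		AccessScope{Type: "namespace", Namespaces: []string{"b", "a"}}))
}
```

The same pattern applies to any reconciler that compares a user-supplied optional field against a server-defaulted one: normalize the desired side to the server's default before diffing, or every reconcile will see phantom drift and, as here, tear down the access policy association along with the entry.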