Int to string issue with kubernetes-pod-patches

valentin-hubert_uhg · October 14, 2022, 8:33am

Hi,

I an facing an issue with the kubernetes pod deployment patching.
I am trying to patch the pod manifest deployed by shinyproxy 2.6.0.
My app configuration looks like that :

    kubernetes-pod-patches: |
      - op: add
        path: /spec/securityContext
        value:
          runAsUser: 65534
          runAsGroup: 65534
          fsGroup: 65534
      - op: add
        path: /spec/containers/0/securityContext
        value:
          privileged: false
          readOnlyRootFilesystem: false
          runAsNonRoot: true
          runAsUser: 65534
          capabilities:
            drop:
              - KILL
              - MKNOD
              - SYS_CHROOT
              - NET_RAW
      - op: add
        path: /spec/containers/0/startupProbe
        value:
          httpGet:
            path: "/"
            port: 80
            scheme: "HTTP"
          initialDelaySeconds: 5
          failureThreshold: 3
      - op: add
        path: /spec/containers/0/livenessProbe
        value:
          httpGet:
            path: "/"
            port: 80
            scheme: "HTTP"
          initialDelaySeconds: 5
          failureThreshold: 3

I have enabled the kubernetes.debug-patches to see what is going on and i see :

spec:
containers:
image: “xxxxxx”
imagePullPolicy: “Always”
livenessProbe:
failureThreshold: 3
httpGet:
path: “/”
port: “80”
scheme: “HTTP”
initialDelaySeconds: 5
securityContext:
capabilities:
drop:
- “KILL”
- “MKNOD”
- “SYS_CHROOT”
- “NET_RAW”
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 65534
startupProbe:
httpGet:
path: “/”
port: 80
scheme: “HTTP”
initialDelaySeconds: 5
failureThreshold: 3

So the Kubernetes API do not want to deploy that manifests saying that :

Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://kubernetes.default.svc.cluster.local/api/v1/namespaces/rshiny/pods. Message: Pod “sp-pod-e8fcb447-0561-4d49-bbbc-7b51ef52d741” is invalid: spec.containers[0].livenessProbe.httpGet.port: Invalid value: “80”: must contain at least one letter (a-z). Received status: Status(apiVersion=v1, code=422, details=StatusDetails(causes=[StatusCause(field=spec.containers[0].livenessProbe.httpGet.port, message=Invalid value: “80”: must contain at least one letter (a-z), reason=FieldValueInvalid, additionalProperties={})], group=null, kind=Pod, name=sp-pod-e8fcb447-0561-4d49-bbbc-7b51ef52d741, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=Pod “sp-pod-e8fcb447-0561-4d49-bbbc-7b51ef52d741” is invalid: spec.containers[0].livenessProbe.httpGet.port: Invalid value: “80”: must contain at least one letter (a-z), metadata=ListMeta(_continue=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Invalid, status=Failure, additionalProperties={}).

The issue is that the port of the livenessProbe is “80” with doubles quotes so considered by Kubernetes like a string and not an int.
I do not understand why this does no occur for startupProbe which is the first to be patched. It would be the issue would occur for the second probe in the kubernetes-pod-patches list.

I an unsure what to do. I have tried a lot of things to bypass that behavior but nothing seems to work. Any help would be really appreciated.

valentin-hubert_uhg · October 14, 2022, 9:52am

I tried a few things. It would appear that the issue is not order related, the issue never occurs with startupProbe but always with readinessProbe or livenessProbe, which does not make any sense.
If i try :

    kubernetes-pod-patches: |
      - op: add
        path: /spec/securityContext
        value:
          runAsUser: 65534
          runAsGroup: 65534
          fsGroup: 65534
      - op: add
        path: /spec/containers/0/securityContext
        value:
          privileged: false
          readOnlyRootFilesystem: false
          runAsNonRoot: true
          runAsUser: 65534
          capabilities:
            drop:
              - KILL
              - MKNOD
              - SYS_CHROOT
              - NET_RAW
      - op: add
        path: /spec/containers/0/startupProbe
        value:
          httpGet:
            path: /
            port: 80
            scheme: HTTP
          initialDelaySeconds: 5
          failureThreshold: 3
      - op: add
        path: /spec/containers/0/readinessProbe
        value:
          httpGet:
            path: /
            port: 80
            scheme: HTTP
          initialDelaySeconds: 5
          failureThreshold: 3

or

    kubernetes-pod-patches: |
      - op: add
        path: /spec/securityContext
        value:
          runAsUser: 65534
          runAsGroup: 65534
          fsGroup: 65534
      - op: add
        path: /spec/containers/0/securityContext
        value:
          privileged: false
          readOnlyRootFilesystem: false
          runAsNonRoot: true
          runAsUser: 65534
          capabilities:
            drop:
              - KILL
              - MKNOD
              - SYS_CHROOT
              - NET_RAW
      - op: add
        path: /spec/containers/0/readinessProbe
        value:
          httpGet:
            path: /
            port: 80
            scheme: HTTP
          initialDelaySeconds: 5
          failureThreshold: 3
      - op: add
        path: /spec/containers/0/startupProbe
        value:
          httpGet:
            path: /
            port: 80
            scheme: HTTP
          initialDelaySeconds: 5
          failureThreshold: 3

The error will still be with readinessProbe and never the startupProbe.

tdekoninck · October 17, 2022, 6:59am

Hi

This is unfortunately an issue with the Kubernetes API client we use. I’ll have a look how we can solve this, but currently there is no workaround.