Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
b
bored-table-20691
06/03/2021, 5:20 AMI’m encountering an issue when adding/removing a service account from a pod spec (in a Deployment):
Spec: &corev1.PodSpecArgs{
ServiceAccountName: tenant.serviceAccount.Metadata.Name(),[diff: ~spec]; [1/2] Waiting for app ReplicaSet be marked available (1/1 Pods available)b
billowy-army-68599
06/03/2021, 5:42 AMi'm not entirely sure without the logs from the Kubernetes side, but ultimately your pod/replica is referencing a service account which doesn't exist, so it would never become ready
b
bored-table-20691
06/03/2021, 5:47 AMThe service account is still there
I never delete it, only the reference to it in the Deployment template
The only thing I’m changing is whether or not it is mentioned in the Deployment template, and Pulumi sees that it should do a change (e.g. add it/remove it), but it doesn’t seem to be communicating this appropriately to Kubernetes.
b
billowy-army-68599
06/03/2021, 5:49 AMwhat does the diff look like when you run the update?
b
bored-table-20691
06/03/2021, 5:53 AM@billowy-army-68599 what’s the best way to send this? I’ve honestly never really been able to figure out the diffs, it just seems like it prints out some JSON blobs without telling me what’s different 🙂
I’m looking on the Pulumi app
b
billowy-army-68599
06/03/2021, 5:54 AMare you running
pulumi upb
bored-table-20691
06/03/2021, 5:54 AMI am running
pulumi previewpulumi upb
billowy-army-68599
06/03/2021, 5:54 AMyou should see a
detailsb
bored-table-20691
06/03/2021, 5:55 AMDo you want to perform this update? details
pulumi:pulumi:Stack: (same)
[urn=urn:pulumi:tenant-itay7::okera-trial-tenants::pulumi:pulumi:Stack::okera-trial-tenants-tenant-itay7]
> pulumi:pulumi:StackReference: (read)
[id=itay/okera-infra-regions/us-west-2]
[urn=urn:pulumi:tenant-itay7::okera-trial-tenants::pulumi:pulumi:StackReference::itay/okera-infra-regions/us-west-2]
name: "itay/okera-infra-regions/us-west-2"
~ kubernetes:apps/v1:Deployment: (update)
[id=itay7/cdas-rest-server]
[urn=urn:pulumi:tenant-itay7::okera-trial-tenants::kubernetes:apps/v1:Deployment::cdas_rest_serverDeployment]
~ spec: {
~ template: {
~ spec: {
- serviceAccountName: <null>
}
}
}b
billowy-army-68599
06/03/2021, 5:56 AMokay so as I said, the serviceAccountName is immutable in the deployment, and it's being remove from the spec, so the restart is expected - why exactly are you removing it? what are you expecting to happen?
b
bored-table-20691
06/03/2021, 5:57 AMSorry, let me clarify - I am expecting it to restart my pod, but it is not doing so.
b
billowy-army-68599
06/03/2021, 5:57 AMright, but it cant start the pod because it doesn't have a valid service account - you need to have something there
b
bored-table-20691
06/03/2021, 5:57 AMHmm
b
billowy-army-68599
06/03/2021, 5:58 AMyou should try doing
kubectl describe pod <name>b
bored-table-20691
06/03/2021, 5:58 AMWhen I do a describe post
pulumi upAs far as Kubernetes seems to be concerned, Pulumi did no update
OK, let me back up for a second and explain the sequence of events:
1. I had a Deployment with no explicit service account
2. I created a service account, and added it as per the above snippet.
3. All is good
4. I removed the service account reference (i.e. back to step 1)
5. I did pulumi up, and Kubernetes is showing no update of the pod/Deployment
Sorry if I am being unclear
b
billowy-army-68599
06/03/2021, 6:00 AMcan you show the output of
kubectl describe podkubectl get pod -o yamls
steep-toddler-94095
06/03/2021, 6:00 AMcurious what will happen if you change the service account to "default" instead of removing it in the pulumi config
b
billowy-army-68599
06/03/2021, 6:01 AMalso, can you clarify:
I did pulumi up, and Kubernetes is showing no update of the pod/Deploymentit seems that's not true, the pod/replicaset is updating but it's not becoming healthy, or at least that's what was described earlier?
b
bored-table-20691
06/03/2021, 6:01 AMAs far as
kubectl describe deploymentb
billowy-army-68599
06/03/2021, 6:01 AMyeah my suspicion is the same as @steep-toddler-94095 - the default created deployment used the namespaces' default service account, and now you're removing it, so it can't start
but the replicaset is changing, so it's failing because it can't start
b
bored-table-20691
06/03/2021, 6:03 AMThat sounds plausible - so basically removing the service account reference I added doesn’t really get me to the before state
(where I had no explicit service account)
b
billowy-army-68599
06/03/2021, 6:03 AMno, the kubernetes APi will fill in certain parts of stuff that you omit for the first deployment
b
bored-table-20691
06/03/2021, 6:04 AMNote that if I manually edit the Deployment to remove
serviceAccountserviceAccountNamethis is with
kubectl editwhich is roughly what I’d expect Pulumi to do here as well (i.e. I removed the explicit reference, just delete it and let Kubernetes do its thing)
s
steep-toddler-94095
06/03/2021, 6:35 AMi was able to reproduce the behavior you're getting. I see the following in the console but no change to any live state in k8s
updating. [diff: ~spec]; [1/2] Waiting for app ReplicaSet be marked available (1/1 Pods available)pulumi refreshpulumi upb
bored-table-20691
06/03/2021, 6:44 AMYes mike that’s exactly what I saw
s
steep-toddler-94095
06/03/2021, 6:46 AMit's unexpected behavior but hopefully it's not blocking you
b
bored-table-20691
06/03/2021, 6:48 AMIt’s not - this was more for testing, and as you said pulumi refresh resolves it
👍 1