serviceaccount: If namespace is terminating, ignore create errors

In some scenarios the service account and token controllers can
race with namespace deletion, causing a burst of errors as they
attempt to recreate secrets being deleted.

Instead, detect these errors and do not retry.
Clayton Coleman 2019-10-20 16:09:19 -04:00
parent 937ef77257
commit dc0c21c7d7
No known key found for this signature in database
GPG Key ID: 3D16906B4F1C5CB3
2 changed files with 8 additions and 1 deletions


@ -213,7 +213,10 @@ func (c *ServiceAccountsController) syncNamespace(key string) error {
sa.Namespace = ns.Name
if _, err := c.client.CoreV1().ServiceAccounts(ns.Name).Create(&sa); err != nil && !apierrs.IsAlreadyExists(err) {
createFailures = append(createFailures, err)
// we can safely ignore terminating namespace errors
if !apierrs.HasStatusCause(err, v1.NamespaceTerminatingCause) {
createFailures = append(createFailures, err)
}
}
}
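Review bot: The comment on the new `HasStatusCause` check says terminating-namespace errors are safe to ignore but not why, and the error is then dropped from `createFailures` with no trace. I would spell out the reasoning in place, for example `// the namespace is being deleted, so the service account cannot be created and would be removed anyway; do not report or retry`. The skip applies only when the returned error carries `v1.NamespaceTerminatingCause`; any create error without that cause is still appended as before, which is worth stating so that nobody reads this as a general suppression. syncNamespace begins and ends outside this hunk, so how `createFailures` is finally reported is not visible here.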


@ -408,6 +408,10 @@ func (e *TokensController) ensureReferencedToken(serviceAccount *v1.ServiceAccou
// Save the secret
createdToken, err := e.client.CoreV1().Secrets(serviceAccount.Namespace).Create(secret)
if err != nil {
// if the namespace is being terminated, create will fail no matter what
if apierrors.HasStatusCause(err, v1.NamespaceTerminatingCause) {
return false, err
}
// retriable error
return true, err
}
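Review bot: The terminating-namespace branch returns `false, err`, so the error is still handed to the caller and only the first return value changes. Judging by the existing `// retriable error` comment, that value is the retry flag. That is inconsistent with the syncNamespace hunk in the other file, which drops the same class of error entirely. Whether the burst described in the commit message goes away here depends on what the caller, outside this hunk, does with a non-nil error when retry is false. I would make the intent explicit on the return, for example `// not retriable: the secret cannot be created while the namespace is terminating; the error is returned for the caller to report once`. ensureReferencedToken begins and ends outside this hunk.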