Bug
Resolution: Done
Major
Steps to reproduce:
- Install the latest staging cert-manager 1.18.0 operator
- Enable the defaultNetworkPolicy through CertManager CR
- Configure multiple user-defined networkPolicies[]
- Monitor the operator controller logs for a period of time (> 1h)
- Grep for the `NetworkPolicyUpdated` event (see attachment); the controller continuously updates the same 4 network policies every ~400ms - 800ms
```
oc patch certmanager.operator cluster --type=merge -p='
spec:
  defaultNetworkPolicy: "true"
'

oc patch certmanager.operator cluster --type=merge -p='
spec:
  defaultNetworkPolicy: "true"
  networkPolicies:
  - componentName: CoreController
    egress:
    - ports:
      - port: 80
        protocol: TCP
      - port: 443
        protocol: TCP
    name: allow-egress-to-acme-server
  - componentName: CoreController
    egress:
    - ports:
      - port: 53
        protocol: UDP
      - port: 53
        protocol: TCP
    name: allow-egress-to-dns-service
  - componentName: CoreController
    egress:
    - ports:
      - port: 3128
        protocol: TCP
    name: allow-egress-to-proxy
  - componentName: CoreController
    egress:
    - ports:
      - port: 8200
        protocol: TCP
    name: allow-egress-to-vault-server
'

# wait for some time (~1h) to gather sufficient logs
oc logs <pod_name> -n cert-manager-operator
```
Expected result: Logs should not repeatedly show `NetworkPolicyUpdated` and associated events when there has been no human operation on spec.networkPolicies[] at all. Unnecessary API server load, excessive event generation, and client-side throttling should be eliminated.
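
One way to confirm the loop from the collected operator log, as an added example that is not part of the original report or the operator's code: it groups `NetworkPolicyUpdated` lines by policy and flags any policy rewritten repeatedly at sub-second to few-second intervals. The message layout after the klog header, the `cert-manager/` namespace prefix, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# klog header: Lmmdd hh:mm:ss.uuuuuu pid file:line] message
KLOG = re.compile(r"^[IWEF](\d{4}) (\d{2}:\d{2}:\d{2}\.\d{6})\s+\d+ \S+\] (.*)$")
# ASSUMED message shape; adjust to the lines in your own operator log.
UPDATED = re.compile(r"'NetworkPolicyUpdated'.*?NetworkPolicy \S+/(\S+)")

def find_hot_loops(lines, min_updates=5, max_median_gap=2.0):
    """Return {policy: (update_count, median_gap_seconds)} for policies that
    are rewritten at least min_updates times with a median gap at or below
    max_median_gap seconds, i.e. a reconcile loop rather than a human edit."""
    stamps = defaultdict(list)
    for line in lines:
        header = KLOG.match(line)
        event = header and UPDATED.search(header.group(3))
        if not event:
            continue
        # klog omits the year; pin a leap year so 0229 still parses.
        ts = datetime.strptime("2000" + header.group(1) + header.group(2),
                               "%Y%m%d%H:%M:%S.%f")
        stamps[event.group(1)].append(ts)
    flagged = {}
    for policy, seen in stamps.items():
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        if len(seen) >= max(min_updates, 2) and median(gaps) <= max_median_gap:
            flagged[policy] = (len(seen), median(gaps))
    return flagged

def sample_log():
    """CONSTRUCTED log: six reconcile rounds 600 ms apart over the four
    policies from the report, plus one unrelated single update."""
    names = ["allow-egress-to-acme-server", "allow-egress-to-dns-service",
             "allow-egress-to-proxy", "allow-egress-to-vault-server"]
    start = datetime(2000, 6, 1, 10, 0, 0)
    fmt = ("I{:%m%d %H:%M:%S.%f}       1 event.go:1] reason: "
           "'NetworkPolicyUpdated' Updated NetworkPolicy cert-manager/{}")
    lines = [fmt.format(start + timedelta(milliseconds=600 * r + 50 * i), n)
             for r in range(6) for i, n in enumerate(names)]
    lines.append(fmt.format(start, "constructed-one-off-policy"))
    lines.append("I0601 10:00:01.000000       1 controller.go:1] sync complete")
    return lines

if __name__ == "__main__":
    for policy, (count, gap) in sorted(find_hot_loops(sample_log()).items()):
        print(f"{policy}: {count} updates, median gap {gap:.3f}s")
```

To run it against a real capture, pass the lines of the saved `oc logs` output to `find_hot_loops` in place of `sample_log()`.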