fix(devbox-bundled): drop leftover istio refs so k3s applies the knative manifest#7334
Open
pingsutw wants to merge 3 commits into
Open
fix(devbox-bundled): drop leftover istio refs so k3s applies the knative manifest#7334pingsutw wants to merge 3 commits into
pingsutw wants to merge 3 commits into
Conversation
The bundled Knative install shipped with the upstream net-istio defaults: a Service `knative-local-gateway` in the `istio-system` namespace, two istio `Gateway` CRs, and a `config-istio` ConfigMap pointing the local gateway at istio. Devbox uses kourier as the ingress and never creates the `istio-system` namespace, so k3s logged `namespaces "istio-system" not found` on every startup and the istio Gateway CRs silently failed to apply. Add kustomize patches that delete the istio-only resources and repoint `config-istio`'s local-gateway entry at `kourier-internal.kourier-system.svc.cluster.local`, then regenerate the rendered manifests. Signed-off-by: Kevin Su <pingsutw@apache.org>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the bundled devbox Knative manifests to remove Istio-specific resources that are not applicable when using kourier ingress, eliminating noisy startup apply failures.
Changes:
- Patch
config-istioto point Knative’s local gateway tokourier-internal.kourier-system.svc.cluster.local. - Delete the upstream net-istio
knative-local-gatewayService inistio-systemand the two IstioGatewayCRs. - Regenerate the rendered
manifests/dev.yamlandmanifests/complete.yamlto reflect the kustomize output.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| docker/devbox-bundled/manifests/dev.yaml | Rendered dev manifest updated to remove Istio Gateway/Service and repoint local gateway; also includes additional newly-rendered resources. |
| docker/devbox-bundled/manifests/complete.yaml | Rendered complete manifest updated to remove Istio Gateway/Service and repoint local gateway; also includes additional newly-rendered resources. |
| docker/devbox-bundled/kustomize/dev/kustomization.yaml | Adds kustomize patches to repoint config-istio local gateway and delete Istio Gateway/Service resources. |
| docker/devbox-bundled/kustomize/complete/kustomization.yaml | Same as dev: repoint config-istio local gateway and delete Istio Gateway/Service resources. |
Comments suppressed due to low confidence (10)
docker/devbox-bundled/manifests/dev.yaml:8980
- The initContainer uses
image: busybox:stablewithsecurityContext.runAsNonRoot: trueand no explicitrunAsUser. Busybox images typically run as UID 0 by default, so this will be rejected by kubelet and the StatefulSet will never become Ready. Set an explicit non-root UID that exists in the image, or allow root for this initContainer if it needs to manage filesystem permissions.
selector:
matchLabels:
app: webhook
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/component: net-istio
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: 1.18.1
docker/devbox-bundled/manifests/dev.yaml:9238
- This adds an Ingress for RustFS with
ingressClassName: nginxand a hard-coded host (example.rustfs.com). If the bundled devbox doesn't ship an nginx ingress controller (and/or DNS for that host), this resource will be non-functional and may confuse users. Consider removing this Ingress from the bundled manifests or gating it behind an explicit devbox value.
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
route_config:
virtual_hosts:
- name: admin_interface
domains:
docker/devbox-bundled/manifests/complete.yaml:9290
- This new RustFS StatefulSet uses the same selector labels (app.kubernetes.io/instance=flyte-devbox + app.kubernetes.io/name=rustfs) as the existing
Deployment/rustfsandService/rustfsalready present in this manifest. That will create two independent RustFS workloads and cause services to load-balance across both (and/or make it unclear which one Flyte should talk to). Either remove the old Deployment/Service or change labels/selectors so only one RustFS implementation is selected.
- data-plane.knative.dev
secretName: routing-serving-certs
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
labels:
app.kubernetes.io/instance: flyte-devbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: flyte-devbox
app.kubernetes.io/version: 1.16.1
docker/devbox-bundled/manifests/complete.yaml:9302
podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecutioncombined withreplicas: 4will prevent scheduling more than 1 RustFS pod per node. Devbox/k3s is typically single-node, so 3 pods will remain Pending indefinitely. Consider removing the required anti-affinity (or making it preferred), or scaling replicas to 1 for devbox.
helm.sh/chart: flyte-devbox-0.1.0
name: flyte-console
namespace: flyte
spec:
rules:
- http:
paths:
- backend:
service:
name: flyte-console
port:
number: 80
docker/devbox-bundled/manifests/complete.yaml:9385
- The initContainer uses
image: busybox:stablewithsecurityContext.runAsNonRoot: trueand no explicitrunAsUser. Busybox images typically run as UID 0 by default, so this will be rejected by kubelet and the StatefulSet will never become Ready. Set an explicit non-root UID that exists in the image, or allow root for this initContainer if it needs to manage filesystem permissions.
selector:
matchLabels:
app: webhook
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/component: net-istio
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: 1.18.1
docker/devbox-bundled/manifests/complete.yaml:9643
- This adds an Ingress for RustFS with
ingressClassName: nginxand a hard-coded host (example.rustfs.com). If the bundled devbox doesn't ship an nginx ingress controller (and/or DNS for that host), this resource will be non-functional and may confuse users. Consider removing this Ingress from the bundled manifests or gating it behind an explicit devbox value.
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
route_config:
virtual_hosts:
- name: admin_interface
domains:
docker/devbox-bundled/manifests/dev.yaml:7071
- This manifest regeneration includes a large set of new RustFS Helm-chart resources (ServiceAccount/ConfigMap/Secret/Services/StatefulSet/Ingress/test Pod) that are unrelated to the PR’s stated goal of removing Istio references from Knative manifests. If these RustFS changes are intentional, they should be called out explicitly in the PR description; otherwise, consider re-generating manifests in a deterministic way so only the intended Knative/Istio changes are included (or split into a separate PR).
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: activator
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: 1.18.1
name: activator
namespace: knative-serving
---
apiVersion: v1
kind: ServiceAccount
metadata:
docker/devbox-bundled/manifests/complete.yaml:7082
- This manifest regeneration includes a large set of new RustFS Helm-chart resources (ServiceAccount/ConfigMap/Secret/Services/StatefulSet/Ingress/test Pod) that are unrelated to the PR’s stated goal of removing Istio references from Knative manifests. If these RustFS changes are intentional, they should be called out explicitly in the PR description; otherwise, consider re-generating manifests in a deterministic way so only the intended Knative/Istio changes are included (or split into a separate PR).
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: activator
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: 1.18.1
name: activator
namespace: knative-serving
---
apiVersion: v1
kind: ServiceAccount
metadata:
docker/devbox-bundled/manifests/dev.yaml:8885
- This new RustFS StatefulSet uses the same selector labels (app.kubernetes.io/instance=flyte-devbox + app.kubernetes.io/name=rustfs) as the existing
Deployment/rustfsandService/rustfsalready present in this manifest. That will create two independent RustFS workloads and cause services to load-balance across both (and/or make it unclear which one Flyte should talk to). Either remove the old Deployment/Service or change labels/selectors so only one RustFS implementation is selected.
- data-plane.knative.dev
secretName: routing-serving-certs
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
labels:
app.kubernetes.io/instance: flyte-devbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: flyte-devbox
app.kubernetes.io/version: 1.16.1
docker/devbox-bundled/manifests/dev.yaml:8897
podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecutioncombined withreplicas: 4will prevent scheduling more than 1 RustFS pod per node. Devbox/k3s is typically single-node, so 3 pods will remain Pending indefinitely. Consider removing the required anti-affinity (or making it preferred), or scaling replicas to 1 for devbox.
helm.sh/chart: flyte-devbox-0.1.0
name: flyte-console
namespace: flyte
spec:
rules:
- http:
paths:
- backend:
service:
name: flyte-console
port:
number: 80
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Kevin Su <pingsutw@apache.org> # Conflicts: # docker/devbox-bundled/kustomize/complete/kustomization.yaml # docker/devbox-bundled/kustomize/dev/kustomization.yaml
Member
Author
|
Revived and merged latest |
pingsutw
changed the title
| name: webhook | ||
| namespace: knative-serving | ||
| $patch: delete | ||
| - target: |
| name: webhook | ||
| namespace: knative-serving | ||
| $patch: delete | ||
| - target: |
Comment on lines
+113
to
+116
| # net-istio also renders two PeerAuthentication CRs (security.istio.io); the | ||
| # istio CRDs aren't installed in this kourier devbox, so without these deletes | ||
| # k3s fails the whole flyte.yaml addon and the cluster never goes ready. | ||
| - patch: |- |
pingsutw
commented
Jun 27, 2026
| kind: ConfigMap | ||
| metadata: | ||
| name: config-istio | ||
| namespace: knative-serving |
Member
Author
There was a problem hiding this comment.
Failed to start the devbox sometimes if I don't remove this. It's safe to remove anyway since we never use it
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why are the changes needed?
Starting the bundled devbox hangs at "Waiting for flyte cluster to be ready" and k3s logs an apply error that repeats forever:
The bundled Knative install ships with upstream net-istio defaults that don't belong in this devbox, which uses kourier for ingress and never creates the
istio-systemnamespace (and the istio CRDs aren't installed):Service knative-local-gatewayinistio-system→ namespace missing.networking.istio.io/v1beta1 GatewayCRs (knative-ingress-gateway,knative-local-gateway) → istio CRD missing.security.istio.io/v1beta1 PeerAuthenticationCRs (net-istio-webhook,webhook) → istio CRD missing.config-istioConfigMap points the local gateway at istio rather than kourier.k3s applies an addon manifest atomically, so a single un-appliable resource fails the entire
flyte.yamladdon. k3s retries every ~20s and never succeeds, so the cluster never reports ready andflyte start devboxhangs.What changes were proposed in this pull request?
In
kustomize/{complete,dev}/kustomization.yaml, add patches that:config-istio'slocal-gateway.knative-serving.knative-local-gatewayfromknative-local-gateway.istio-system.svc.cluster.local→kourier-internal.kourier-system.svc.cluster.local.Service knative-local-gatewayinistio-system.Gateway knative-local-gatewayinknative-serving(istio CRD).Gateway knative-ingress-gatewayinknative-serving(istio CRD).PeerAuthentication net-istio-webhookinknative-serving(istio CRD).PeerAuthentication webhookinknative-serving(istio CRD).Regenerate
manifests/complete.yamlandmanifests/dev.yamlso the rendered output matches.How was this patch tested?
istio-system,networking.istio.io,security.istio.io/PeerAuthentication, and thatconfig-istionow points atkourier-internal.flyte.yamlmade the addon apply cleanly (AppliedManifest) and allflytepods reachedRunning; thenamespaces "istio-system" not found/the server could not find the requested resourceerrors no longer recur. Knative cluster-local routing through kourier still works.Labels
fixed
Check all the applicable boxes