App overwrites changed resources in namespace

I installed fluent-bit from the catalog as an app in my cluster. Now, I changed rolebindings. Deleted a restricted one and added an unrestricted one. It takes a couple of seconds or sometimes minutes and everything is reset to the state before my changes. That means the restricted one is present again and my unrestricted one is deleted. Is this something Rancher or the catalog enforces?

Hi mighani, thank you for submitting a post and welcome to the forum! I have a few questions that may help us be able to help you.

  1. Which rolebindings have you changed? Please do not hesitate to provide details.
  2. What do you mean by “restricted” and “unrestricted”?
  3. Why change the rolebindings after installation? If configuration options are needed outside what the UI provides, I would recommend using the underlying Helm chart, and use the --set flag (or values.yaml) to determine configuration options during installation.
  4. What version of Rancher are you using and how was it installed?
  5. Please provide any logs, kubectl command outputs, and any other information that may help.

Hi Nick, thank you for getting back.

  1. Which rolebindings have you changed? Please do not hesitate to provide details.
    I have used a third-party Helm repo to install the app “fluent-bit”. This Helm chart, among other things, creates a serviceaccount and a rolebinding which is bound to a “restricted” clusterrole. Due to PSP I then cannot mount a hostpath, which is needed for accessing Docker logs on the host.

I create a non-restricted rolebinding and bind it to the serviceaccount, then I delete the restricted rolebinding.

  2. What do you mean by “restricted” and “unrestricted”?

See above.

  3. Why change the rolebindings after installation? If configuration options are needed outside what the UI provides, I would recommend using the underlying Helm chart, and use the --set flag (or values.yaml) to determine configuration options during installation.

I thought of that, too, because it seemed the more natural way. But I absolutely cannot find out how to change the values. I installed the logshipper through a Helm repo (and add App from Rancher UI) from a third party. Would I need to get the Helm files first, change the values and then deploy from my own Helm repo or locally?

  4. What version of Rancher are you using and how was it installed?

v2.4.3

  5. Please provide any logs, kubectl command outputs, and any other information that may help.
    In the logs there are no clues to anything being changed. No events, no logs, nothing. The rolebinding which I created simply disappears and the other one which I deleted is present again. Spooky. This is why I assume that Rancher will try to maintain the state from the Helm YAML files. And if anything changes it will recreate the initial state, reflecting the state which is described in the file.

Hi again mighani. Apologies for the delay. Thank you for the notes! It helped a lot with the investigation.

It looks like the 3rd party app is using this version of fluent-bit: https://artifacthub.io/packages/helm/fluent/fluent-bit

I would recommend filing an issue or bug report to the logshipper maintainers since this bug appears to be unrelated to Rancher itself.

Why is this not a Rancher bug?
“Apps” are essentially a helm install of an upstream chart. This means that Rancher helps keep track of the lifecycle of these apps, but is unrelated to their usage or contents.

Thank you again for the post.

Hi Nick,

no problem. Thank you for your explanations. I will investigate it.
