Segfault on Kubernetes 1.27.1 #6033

@silenium-dev

Describe the bug:
When using cert-manager on K8s v1.27.1 with a lot of other custom resources, the k8s client libraries <=0.26.3 can crash (see also derailed/k9s#2055 and kubernetes/kubernetes#116666). This can be solved by updating the client libraries to >=0.26.4.

Logs of cert-manager-webhook:

I0507 12:20:37.233421       1 feature_gate.go:249] feature gates: &{map[]}
W0507 12:20:37.233481       1 client_config.go:618] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x152b890]

goroutine 1 [running]:
k8s.io/client-go/discovery.convertAPIResource(...)
	k8s.io/client-go@v0.26.0/discovery/aggregated_discovery.go:88
k8s.io/client-go/discovery.convertAPIGroup({{{0x0, 0x0}, {0x0, 0x0}}, {{0xc000121770, 0x15}, {0x0, 0x0}, {0x0, 0x0}, ...}, ...})
	k8s.io/client-go@v0.26.0/discovery/aggregated_discovery.go:69 +0x5f0
k8s.io/client-go/discovery.SplitGroupsAndResources({{{0xc000120540, 0x15}, {0xc0001266a0, 0x1b}}, {{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}, ...}, ...})
	k8s.io/client-go@v0.26.0/discovery/aggregated_discovery.go:35 +0x2f8
k8s.io/client-go/discovery.(*DiscoveryClient).downloadAPIs(0x98?)
	k8s.io/client-go@v0.26.0/discovery/discovery_client.go:310 +0x47c
k8s.io/client-go/discovery.(*DiscoveryClient).GroupsAndMaybeResources(0xc000703ba0?)
	k8s.io/client-go@v0.26.0/discovery/discovery_client.go:198 +0x5c
k8s.io/client-go/discovery.(*DiscoveryClient).ServerGroups(0x40b8bd?)
	k8s.io/client-go@v0.26.0/discovery/discovery_client.go:321 +0x19
github.com/cert-manager/cert-manager/internal/plugin/admission/certificaterequest/approval.(*certificateRequestApproval).ValidateInitialization(0x0?)
	github.com/cert-manager/cert-manager/internal/plugin/admission/certificaterequest/approval/certificaterequest_approval.go:283 +0x32
github.com/cert-manager/cert-manager/pkg/webhook/admission.ValidateInitialization({0x1ff78e0?, 0xc00061d5e0?})
	github.com/cert-manager/cert-manager/pkg/webhook/admission/plugins.go:88 +0x3e
github.com/cert-manager/cert-manager/pkg/webhook/admission.(*Plugins).InitPlugin(0x1abda80?, {0x1d4e20b, 0x1a}, {0x1ffc660, 0xc0002c2680})
	github.com/cert-manager/cert-manager/pkg/webhook/admission/plugins.go:77 +0x6d
github.com/cert-manager/cert-manager/pkg/webhook/admission.(*Plugins).NewFromPlugins(0x1be5640?, {0xc0002c2640?, 0x4, 0x3b9aca00?}, {0x1ffc660, 0xc0002c2680})
	github.com/cert-manager/cert-manager/pkg/webhook/admission/plugins.go:48 +0xf5
github.com/cert-manager/cert-manager/internal/webhook.buildAdmissionChain({0x202c680, 0xc000703ba0})
	github.com/cert-manager/cert-manager/internal/webhook/webhook.go:113 +0x35e
github.com/cert-manager/cert-manager/internal/webhook.NewCertManagerWebhookServer({{_, _}, _}, {{_, _}}, {{{0x0, 0x0}, {0x0, 0x0}}, 0xc000616028, ...}, ...)
	github.com/cert-manager/cert-manager/internal/webhook/webhook.go:69 +0x111

Expected behaviour:
It doesn't crash with a segfault

Steps to reproduce the bug:
See linked issues above.

Environment details:

  • Kubernetes version: 1.27.1
  • Cloud-provider/provisioner: Bare-Metal (Talos)
  • cert-manager version: 1.11.1
  • Install method: helm

/kind bug
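
A triage check for the crash reported above, added here as an example (it is not part of the original issue, nor of cert-manager's or client-go's code): it pulls the client-go module version out of a Go panic trace and flags versions below 0.26.4, the fixed version named in the report. The function names and the shortened sample trace are constructed for illustration.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample, shortened from the trace in the report.
const sampleTrace = `panic: runtime error: invalid memory address or nil pointer dereference
k8s.io/client-go/discovery.convertAPIResource(...)
	k8s.io/client-go@v0.26.0/discovery/aggregated_discovery.go:88
`

// frameRe matches the file line of a client-go frame and captures its module version.
var frameRe = regexp.MustCompile(`(?m)^\s+k8s\.io/client-go@v(\d+)\.(\d+)\.(\d+)/`)

// ClientGoVersions returns the client-go version of every client-go frame in the trace.
func ClientGoVersions(trace string) [][3]int {
	var out [][3]int
	for _, m := range frameRe.FindAllStringSubmatch(trace, -1) {
		var v [3]int
		for i := range v {
			v[i], _ = strconv.Atoi(m[i+1]) // groups are digits only
		}
		out = append(out, v)
	}
	return out
}

// Affected follows the report's range (<=0.26.3); legacy vN.x tags with N > 0 are ignored.
func Affected(v [3]int) bool {
	return v[0] == 0 && (v[1] < 26 || (v[1] == 26 && v[2] < 4))
}

// MatchesReport is true for a nil dereference in client-go discovery on an affected version.
func MatchesReport(trace string) bool {
	hit := strings.Contains(trace, "nil pointer dereference") &&
		strings.Contains(trace, "k8s.io/client-go/discovery.")
	for _, v := range ClientGoVersions(trace) {
		if hit && Affected(v) {
			return true
		}
	}
	return false
}

func main() { println(MatchesReport(sampleTrace)) }
```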
