Merge pull request #133323 from liggitt/reconcile-retry-on-conflict

Make kubectl auth reconcile retry on conflict Kubernetes-commit: 817534d78188e57e9e71618bb17d3e19a48d88fa
2026-05-28 04:35:50 -04:00 · 2025-08-27 17:17:34 -07:00 · 2025-08-27 17:17:34 -07:00 · 22d999d2fc
commit 22d999d2fc
parent 0889899212 5c587a03ba
1 changed files with 35 additions and 8 deletions
--- a/pkg/cmd/auth/reconcile.go
+++ b/pkg/cmd/auth/reconcile.go
@ -22,6 +22,7 @@ import (

 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/klog/v2"

 	rbacv1 "k8s.io/api/rbac/v1"
@ -33,6 +34,7 @@ import (
 	"k8s.io/cli-runtime/pkg/resource"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 	rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1"
+	"k8s.io/client-go/util/retry"
 	"k8s.io/component-helpers/auth/rbac/reconciliation"
 	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 	"k8s.io/kubectl/pkg/scheme"
@ -197,6 +199,9 @@ func (o *ReconcileOptions) Validate() error {

 // RunReconcile performs the execution
 func (o *ReconcileOptions) RunReconcile() error {
+	// conflictBackoff retries up to 3 times on conflict, with no delay
+	conflictBackoff := wait.Backoff{Steps: 3}
+
 	return o.Visitor.Visit(func(info *resource.Info, err error) error {
 		if err != nil {
 			return err
@ -213,7 +218,14 @@ func (o *ReconcileOptions) RunReconcile() error {
 					Client:          o.RBACClient,
 				},
 			}
-			result, err := reconcileOptions.Run()
+			var (
+				result *reconciliation.ReconcileClusterRoleResult
+				err    error
+			)
+			retry.RetryOnConflict(conflictBackoff, func() error {
+				result, err = reconcileOptions.Run()
+				return err
+			})
 			if err != nil {
 				return err
 			}
@ -228,7 +240,14 @@ func (o *ReconcileOptions) RunReconcile() error {
 					Client: o.RBACClient.ClusterRoles(),
 				},
 			}
-			result, err := reconcileOptions.Run()
+			var (
+				result *reconciliation.ReconcileClusterRoleResult
+				err    error
+			)
+			retry.RetryOnConflict(conflictBackoff, func() error {
+				result, err = reconcileOptions.Run()
+				return err
+			})
 			if err != nil {
 				return err
 			}
@ -244,10 +263,14 @@ func (o *ReconcileOptions) RunReconcile() error {
 					NamespaceClient: o.NamespaceClient.Namespaces(),
 				},
 			}
-			result, err := reconcileOptions.Run()
-			if err != nil {
+			var (
+				result *reconciliation.ReconcileClusterRoleBindingResult
+				err    error
+			)
+			retry.RetryOnConflict(conflictBackoff, func() error {
+				result, err = reconcileOptions.Run()
 				return err
-			}
+			})
 			o.printResults(result.RoleBinding.GetObject(), result.MissingSubjects, result.ExtraSubjects, nil, nil, result.Operation, result.Protected)

 		case *rbacv1.ClusterRoleBinding:
@ -259,10 +282,14 @@ func (o *ReconcileOptions) RunReconcile() error {
 					Client: o.RBACClient.ClusterRoleBindings(),
 				},
 			}
-			result, err := reconcileOptions.Run()
-			if err != nil {
+			var (
+				result *reconciliation.ReconcileClusterRoleBindingResult
+				err    error
+			)
+			retry.RetryOnConflict(conflictBackoff, func() error {
+				result, err = reconcileOptions.Run()
 				return err
-			}
+			})
 			o.printResults(result.RoleBinding.GetObject(), result.MissingSubjects, result.ExtraSubjects, nil, nil, result.Operation, result.Protected)

 		case *rbacv1beta1.Role,