• Improvement
    • Resolution: Fixed
    • Minor
    • kubernetes-plugin
    • None
    • Jenkins 2.65
      Kubernetes plugin 0.12
      Kubernetes 1.7.3

      Jenkins lists slave pods cluster-wide instead of in the configured namespace. And Jenkins deletes pods in a cluster context instead of in the configured namespace. This means that the cluster administrator needs to grant Jenkins RBAC permissions to list all pods in all namespaces, and delete all pods in all namespaces.

      It would be better if I could use Roles and RoleBindings in only the configured namespace.

      Here's an example stack trace from deleting a successful pod:

      Aug 28, 2017 4:58:25 PM org.csanchez.jenkins.plugins.kubernetes.KubernetesSlave _terminate
      SEVERE: Failed to terminate pod for slave default-f4c14
      io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: DELETE at: https://cluster.example.com:6443/api/v1/pods/default-f4c14. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. User "system:serviceaccount:jenkins:master" cannot delete pods at the cluster scope..
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:470)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:407)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:379)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:343)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleDelete(OperationSupport.java:208)
              at io.fabric8.kubernetes.client.dsl.base.BaseOperation.deleteThis(BaseOperation.java:657)
              at io.fabric8.kubernetes.client.dsl.base.BaseOperation.delete(BaseOperation.java:602)
              at io.fabric8.kubernetes.client.dsl.base.BaseOperation.delete(BaseOperation.java:68)
              at org.csanchez.jenkins.plugins.kubernetes.KubernetesSlave._terminate(KubernetesSlave.java:154)
              at hudson.slaves.AbstractCloudSlave.terminate(AbstractCloudSlave.java:67)
              at org.jenkinsci.plugins.durabletask.executors.OnceRetentionStrategy$1$1.call(OnceRetentionStrategy.java:129)
              at org.jenkinsci.plugins.durabletask.executors.OnceRetentionStrategy$1$1.call(OnceRetentionStrategy.java:124)
              at hudson.model.Queue._withLock(Queue.java:1378)
              at hudson.model.Queue.withLock(Queue.java:1237)
              at org.jenkinsci.plugins.durabletask.executors.OnceRetentionStrategy$1.run(OnceRetentionStrategy.java:124)
              at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
              at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
              at java.util.concurrent.FutureTask.run(FutureTask.java:266)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at java.lang.Thread.run(Thread.java:748)

          [JENKINS-46504] Kubernetes plugin requires ClusterRoles

          Carlos Sanchez added a comment - This has been fixed in master already, and there is a role definition at https://github.com/jenkinsci/kubernetes-plugin/blob/master/src/main/kubernetes/service-account.yml
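
The two grants the report contrasts, as an added example (not the plugin's service-account.yml and not code from this issue): the cluster-wide binding that cluster-scoped list and delete calls require, beside a Role and RoleBinding confined to one namespace. The namespace `jenkins` and service account `master` come from the error message in the report; object names and the Role's verb list are assumptions, and on the Kubernetes 1.7.3 in the report the RBAC API group is served as `v1beta1` rather than `v1`.

```yaml
# Added example. Namespace and service account are from the reported error;
# object names and the Role's verb list are assumptions for illustration.
# Broad grant forced by cluster-scoped calls: pods in ALL namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: jenkins-pods-clusterwide        # hypothetical name
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jenkins-pods-clusterwide        # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: jenkins-pods-clusterwide
subjects:
- kind: ServiceAccount
  name: master
  namespace: jenkins
---
# Least-privilege form: the same subject, limited to pods in "jenkins" only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins-agents                  # hypothetical name
  namespace: jenkins
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create", "get", "list", "watch", "delete"]   # assumed verb set
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-agents                  # hypothetical name
  namespace: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins-agents
subjects:
- kind: ServiceAccount
  name: master
  namespace: jenkins
```

With only the namespaced pair applied, `kubectl auth can-i list pods --as=system:serviceaccount:jenkins:master -n jenkins` should answer yes, and the same check with `--all-namespaces` in place of `-n jenkins` should answer no.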

          Florian Koch added a comment -

          csanchez hm, the role and role binding are only per Namespace Roles, and I get this error, any ideas?

          Failed to count the # of live instances on Kubernetes
          io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.example.net/api/v1/pods?labelSelector=jenkins%3Dslave. Message: User "docker-ci" cannot list pods at the cluster scope..
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:470)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:409)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:379)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:343)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:327)
              at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:583)
              at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:68)
              at org.csanchez.jenkins.plugins.kubernetes.KubernetesCloud.addProvisionedSlave(KubernetesCloud.java:792)
              at org.csanchez.jenkins.plugins.kubernetes.KubernetesCloud.provision(KubernetesCloud.java:593)
              at hudson.slaves.NodeProvisioner$StandardStrategyImpl.apply(NodeProvisioner.java:715)
              at hudson.slaves.NodeProvisioner.update(NodeProvisioner.java:320)
              at hudson.slaves.NodeProvisioner.access$000(NodeProvisioner.java:61)
              at hudson.slaves.NodeProvisioner$NodeProvisionerInvoker.doRun(NodeProvisioner.java:809)
              at hudson.triggers.SafeTimerTask.run(SafeTimerTask.java:51)
              at jenkins.security.ImpersonatingScheduledExecutorService$1.run(ImpersonatingScheduledExecutorService.java:58)
              at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
              at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
              at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
              at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
              at java.lang.Thread.run(Thread.java:748)

          Florian Koch added a comment -

          csanchez OK, built the plugin from master, now it does work

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Mark Waite
          Path:
          src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java
          http://jenkins-ci.org/commit/git-client-plugin/52f681e6153eb088495edd497a82d6dc919dcae3
          Log:
          [Fixed JENKINS-46054] submodule repo URL with '.url' substring failed

          Modify the submodule config parsing regular expression to correctly
          extract the submodule name from the config output.

          Splits cli submodule URL regexp use into two cases.

          git config --get-regex applies the regex to match keys, and returns all
          matches (including substring matches).

          Thus, a config call:

          git config -f .gitmodules --get-regexp "^submodule\.([^ ]+)\.url"

          will report two lines of output if the submodule URL includes ".url":

          submodule.modules/JENKINS-46504.url.path modules/JENKINS-46504.url
          submodule.modules/JENKINS-46504.url.url https://github.com/MarkEWaite/JENKINS-46054.url

          The code originally used the same pattern for get-regexp and for output parsing.
          By using the same pattern in both places, it incorrectly took the first line
          of output as the URL of a submodule (when it is instead the path of a submodule).

          Fixes tests added in previous commits.

            csanchez Carlos Sanchez
            cjyar cjyar