Details
-
Type:
Improvement
-
Status: Closed (View Workflow)
-
Priority:
Minor
-
Resolution: Fixed
-
Component/s: kubernetes-plugin
-
Labels:None
-
Environment:Jenkins 2.65
Kubernetes plugin 0.12
Kubernetes 1.7.3
-
Similar Issues:
Description
Jenkins lists slave pods cluster-wide instead of in the configured namespace. And Jenkins deletes pods in a cluster context instead of in the configured namespace. This means that the cluster administrator needs to grant Jenkins RBAC permissions to list all pods in all namespaces, and delete all pods in all namespaces.
It would be better if I could use Roles and RoleBindings in only the configured namespace.
Here's an example stack trace from deleting a successful pod:
Aug 28, 2017 4:58:25 PM org.csanchez.jenkins.plugins.kubernetes.KubernetesSlave _terminate
SEVERE: Failed to terminate pod for slave default-f4c14
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: DELETE at: https://cluster.example.com:6443/api/v1/pods/default-f4c14. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. User "system:serviceaccount:jenkins:master" cannot delete pods at the cluster scope..
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:470)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:407)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:379)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:343)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleDelete(OperationSupport.java:208)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.deleteThis(BaseOperation.java:657)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.delete(BaseOperation.java:602)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.delete(BaseOperation.java:68)
at org.csanchez.jenkins.plugins.kubernetes.KubernetesSlave._terminate(KubernetesSlave.java:154)
at hudson.slaves.AbstractCloudSlave.terminate(AbstractCloudSlave.java:67)
at org.jenkinsci.plugins.durabletask.executors.OnceRetentionStrategy$1$1.call(OnceRetentionStrategy.java:129)
at org.jenkinsci.plugins.durabletask.executors.OnceRetentionStrategy$1$1.call(OnceRetentionStrategy.java:124)
at hudson.model.Queue._withLock(Queue.java:1378)
at hudson.model.Queue.withLock(Queue.java:1237)
at org.jenkinsci.plugins.durabletask.executors.OnceRetentionStrategy$1.run(OnceRetentionStrategy.java:124)
at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Attachments
Issue Links
- duplicates
-
JENKINS-45910 Template namespace is ignored when deleting pod
-
- Resolved
-
Code changed in jenkins
User: Mark Waite
Path:
src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java
http://jenkins-ci.org/commit/git-client-plugin/52f681e6153eb088495edd497a82d6dc919dcae3
Log:
[Fixed JENKINS-46054] submodule repo URL with '.url' substring failed
Modify the submodule config parsing regular expression to correctly
extract the submodule name from the config output.
Splits cli submodule URL regexp use into two cases.
git config --get-regex applies the regex to match keys, and returns all
matches (including substring matches).
Thus, a config call:
git config -f .gitmodules --get-regexp "^submodule\.([^ ]+)\.url"
will report two lines of output if the submodule URL includes ".url":
submodule.modules/
JENKINS-46504.url.path modules/JENKINS-46504.urlsubmodule.modules/
JENKINS-46504.url.url https://github.com/MarkEWaite/JENKINS-46054.urlThe code originally used the same pattern for get-regexp and for output parsing.
By using the same pattern in both places, it incorrectly took the first line
of output as the URL of a submodule (when it is instead the path of a submodule).
Fixes tests added in previous commits.