• Improvement
    • Resolution: Fixed
    • Minor
    • kubernetes-plugin
    • None
    • Jenkins 2.65
      Kubernetes plugin 0.12
      Kubernetes 1.7.3

      Jenkins lists slave pods cluster-wide instead of in the configured namespace. And Jenkins deletes pods in a cluster context instead of in the configured namespace. This means that the cluster administrator needs to grant Jenkins RBAC permissions to list all pods in all namespaces, and delete all pods in all namespaces.

      It would be better if I could use Roles and RoleBindings in only the configured namespace.

      Here's an example stack trace from deleting a successful pod:

      Aug 28, 2017 4:58:25 PM org.csanchez.jenkins.plugins.kubernetes.KubernetesSlave _terminate
      SEVERE: Failed to terminate pod for slave default-f4c14
      io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: DELETE at: https://cluster.example.com:6443/api/v1/pods/default-f4c14. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. User "system:serviceaccount:jenkins:master" cannot delete pods at the cluster scope..
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:470)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:407)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:379)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:343)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleDelete(OperationSupport.java:208)
              at io.fabric8.kubernetes.client.dsl.base.BaseOperation.deleteThis(BaseOperation.java:657)
              at io.fabric8.kubernetes.client.dsl.base.BaseOperation.delete(BaseOperation.java:602)
              at io.fabric8.kubernetes.client.dsl.base.BaseOperation.delete(BaseOperation.java:68)
              at org.csanchez.jenkins.plugins.kubernetes.KubernetesSlave._terminate(KubernetesSlave.java:154)
              at hudson.slaves.AbstractCloudSlave.terminate(AbstractCloudSlave.java:67)
              at org.jenkinsci.plugins.durabletask.executors.OnceRetentionStrategy$1$1.call(OnceRetentionStrategy.java:129)
              at org.jenkinsci.plugins.durabletask.executors.OnceRetentionStrategy$1$1.call(OnceRetentionStrategy.java:124)
              at hudson.model.Queue._withLock(Queue.java:1378)
              at hudson.model.Queue.withLock(Queue.java:1237)
              at org.jenkinsci.plugins.durabletask.executors.OnceRetentionStrategy$1.run(OnceRetentionStrategy.java:124)
              at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
              at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
              at java.util.concurrent.FutureTask.run(FutureTask.java:266)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at java.lang.Thread.run(Thread.java:748)
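
      An added example, not part of the original report or the plugin's code: a small Python model of how Kubernetes RBAC scopes the request in the log above, showing why a Role and RoleBinding cannot authorize a call to /api/v1/pods/... while the same call under /api/v1/namespaces/<ns>/pods/... can be. The namespace "jenkins" for the RoleBinding and the namespaced path are assumptions for illustration; the verbs are the two named in the report.

```python
import re
from typing import NamedTuple, Optional

class Request(NamedTuple):
    verb: str
    namespace: Optional[str]  # None: the request is cluster-scoped
    resource: str
    name: Optional[str]

class Binding(NamedTuple):
    subject: str
    namespace: Optional[str]  # RoleBinding namespace; None for a ClusterRoleBinding
    resources: frozenset
    verbs: frozenset

# Core API group paths: /api/v1/[namespaces/<ns>/]<resource>[/<name>]
_PATH = re.compile(
    r"^/api/v1/(?:namespaces/(?P<ns>[^/]+)/)?(?P<res>[^/]+)(?:/(?P<name>[^/]+))?$")

def parse_request(method: str, path: str) -> Request:
    """Derive the RBAC attributes the API server would check for a request."""
    m = _PATH.match(path)
    if m is None:
        raise ValueError(f"unsupported path: {path}")
    name = m.group("name")
    # Simplified verb mapping: this model covers only GET and DELETE.
    verb = {"DELETE": "delete", "GET": "get" if name else "list"}[method]
    return Request(verb, m.group("ns"), m.group("res"), name)

def allowed(user: str, req: Request, bindings) -> bool:
    for b in bindings:
        if b.subject != user or req.resource not in b.resources or req.verb not in b.verbs:
            continue
        # A ClusterRoleBinding covers every scope. A RoleBinding only covers
        # requests that carry its own namespace, so it never matches a
        # cluster-scoped request.
        if b.namespace is None or b.namespace == req.namespace:
            return True
    return False

USER = "system:serviceaccount:jenkins:master"  # subject from the log
RULE = (frozenset({"pods"}), frozenset({"list", "delete"}))
NAMESPACED = [Binding(USER, "jenkins", *RULE)]  # assumed namespace: jenkins
CLUSTER_WIDE = [Binding(USER, None, *RULE)]

failing = parse_request("DELETE", "/api/v1/pods/default-f4c14")  # path from the log
scoped = parse_request("DELETE", "/api/v1/namespaces/jenkins/pods/default-f4c14")  # constructed
for label, req in (("cluster-scoped", failing), ("namespaced", scoped)):
    print(label, "Role:", allowed(USER, req, NAMESPACED),
          "ClusterRole:", allowed(USER, req, CLUSTER_WIDE))
```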

          [JENKINS-46504] Kubernetes plugin requires ClusterRoles

          cjyar created issue -
          Carlos Sanchez made changes -
          Link New: This issue duplicates JENKINS-45910 [ JENKINS-45910 ]
          Carlos Sanchez made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: Open [ 1 ] New: Closed [ 6 ]

            csanchez Carlos Sanchez
            cjyar cjyar