Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-53790

Kubernetes plugin shows failing templates to only admins

XMLWordPrintable

    • Icon: Improvement Improvement
    • Resolution: Fixed
    • Icon: Major Major
    • kubernetes-plugin
    • None
    • kubernetes 1.24.0

      Background:
      We started leveraging the Kubernetes plugin to define agents using kubernetes templates. This is a great new feature but allows non admins to generate new templates even within their pipelines. But since these non admins do not have access to the Kubernetes back end or the logging within Jenkins, they do not see when or why one of these templates fails

      Issue:
      When a non-admin user creates a k8s template which is badly formed they are unable to see that the container/pod is failing because it is just "waiting on $LABEL"

      Steps to reproduce:

      Create a pipeline job
      Create a template in that job with a badly defined docker image name
      Watch the job fail to start because it can not find its label
      If you are not an admin you can not see why the container/pod is failing to start because you can not access the k8s logs or the `Manage Jenkins> System Log` area of Jenkins to create a custom logger and see the cause for failure
      Resolution:
      We need a way in the job or similar to see why the container is failing to start, perhaps just a return code from Kubernetes. Or we need to not allow them to define templates on a job level so that non-admins can not create templates at all.

          [JENKINS-53790] Kubernetes plugin shows failing templates to only admins

          Alex Taylor created issue -
          Carlos Sanchez made changes -
          Link New: This issue duplicates JENKINS-53205 [ JENKINS-53205 ]
          Carlos Sanchez made changes -
          Link New: This issue is related to JENKINS-53205 [ JENKINS-53205 ]
          Carlos Sanchez made changes -
          Link Original: This issue duplicates JENKINS-53205 [ JENKINS-53205 ]
          Carlos Sanchez made changes -
          Link New: This issue is duplicated by JENKINS-56396 [ JENKINS-56396 ]
          Carlos Sanchez made changes -
          Description Original: Background:
          With the advent of CJE2/Core on modern platforms, we started leveraging the Kubernetes plugin to define agents using kubernetes templates. This is a great new feature but allows non admins to generate new templates even within their pipelines. But since these non admins do not have access to the Kubernetes back end or the logging within Jenkins, they do not see when or why one of these templates fails

          Issue:
          When a non-admin user creates a k8s template which is badly formed they are unable to see that the container/pod is failing because it is just "waiting on $LABEL"

          Steps to reproduce:

          Create a pipeline job
          Create a template in that job with a badly defined docker image name
          Watch the job fail to start because it can not find its label
          If you are not an admin you can not see why the container/pod is failing to start because you can not access the k8s logs or the `Manage Jenkins> System Log` area of Jenkins to create a custom logger and see the cause for failure
          Resolution:
          We need a way in the job or similar to see why the container is failing to start, perhaps just a return code from Kubernetes. Or we need to not allow them to define templates on a job level so that non-admins can not create templates at all.           		New: Background:
          We started leveraging the Kubernetes plugin to define agents using kubernetes templates. This is a great new feature but allows non admins to generate new templates even within their pipelines. But since these non admins do not have access to the Kubernetes back end or the logging within Jenkins, they do not see when or why one of these templates fails

          Issue:
          When a non-admin user creates a k8s template which is badly formed they are unable to see that the container/pod is failing because it is just "waiting on $LABEL"

          Steps to reproduce:

          Create a pipeline job
          Create a template in that job with a badly defined docker image name
          Watch the job fail to start because it can not find its label
          If you are not an admin you can not see why the container/pod is failing to start because you can not access the k8s logs or the `Manage Jenkins> System Log` area of Jenkins to create a custom logger and see the cause for failure
          Resolution:
          We need a way in the job or similar to see why the container is failing to start, perhaps just a return code from Kubernetes. Or we need to not allow them to define templates on a job level so that non-admins can not create templates at all.
          Jesse Glick made changes -
          Assignee Original: Carlos Sanchez [ csanchez ] New: Pierson Yieh [ pyieh ]
          Jesse Glick made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Jesse Glick made changes -
          Status Original: In Progress [ 3 ] New: In Review [ 10005 ]
          Jesse Glick made changes -
          Remote Link New: This issue links to "PR 440 (Web Link)" [ 22533 ]
          Vincent Latombe made changes -
          Released As New: kubernetes 1.24.0
          Resolution New: Fixed [ 1 ]
          Status Original: In Review [ 10005 ] New: Resolved [ 5 ]

            pyieh Pierson Yieh
            ataylor Alex Taylor
            Votes:
            1 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: