  1. Jenkins
  2. JENKINS-70287

Kubernetes plugin doesn't respect privileged=false in jnlp container if it is defined differently in multiple Pod Templates


Details

    Description

      On the same Kubernetes cloud I have multiple Pod Templates:

      • some have privileged = true
      • some have privileged = false

      I run the required template by selecting it through its label.

      If I select a template that has privileged = false, the pod it launches still runs with privileged = true.

      The only workaround was to set privileged = false for ALL Pod Templates.

      example:

      I run this to get the cloud templates having one container with privileged=false:

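      // Audit helper: for every configured cloud, list each pod template that has
      // at least one container with privileged == false, then print the image and
      // privileged flag of every container in that template.
      // The closing braces below were restored; the wiki renderer had replaced
      // them with "{\{ }" / "}}" macro residue.
      result = true  // never modified below; only returned as the script's value
      if (Jenkins.instance.clouds) {
        Jenkins.instance.clouds.each { cloud ->
          // assumes every configured cloud exposes `templates` — TODO confirm
          cloud.templates.each { templ ->
            if (templ.containers.find { it.privileged == false }) {
              println "name: ${templ.label}"
              templ.containers.each { cont ->
                // Configured value per container; compare against the rendered pod spec.
                println "name: ${templ.label} - ${cont.image} - ${cont.privileged}"
              }
            }
          }
        }
      }
      return result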

      result:

      name: de-mx-sonar-isolated
      name: de-mx-sonar-isolated - .../data-eng-docker-local/de-jenkins-slave-dind:latest - true
      name: de-mx-sonar-isolated - .../data-eng-docker-local/de-jnlp-mx-sonar:latest - false
      Result: true

      But when I run with the label 'de-mx-sonar-isolated', I get the following pod spec, in which the jnlp container has privileged: true:
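      # Pod spec rendered for label 'de-mx-sonar-isolated'.
      # The listing had lost its indentation and list markers; nesting below is
      # reconstructed from the Kubernetes Pod schema, values are unchanged.
      apiVersion: "v1"
      kind: "Pod"
      metadata:
        labels:
          jenkins: "slave"
          jenkins/label-digest: "b1144c48a76fa6681d5957195ca5e6d11e3223a7"
          jenkins/label: "de-mx-sonar-isolated"
        name: "jnlp-dind-sonar-mf0m1"
        namespace: "de-ci"
      spec:
        containers:
          - env:
              - name: "DOCKER_HOST"
                value: "tcp://localhost:2375"
              # Empty value as rendered; together with the tcp:// DOCKER_HOST on
              # port 2375 this looks like a Docker endpoint without TLS — confirm.
              - name: "DOCKER_TLS_CERTDIR"
                value: ""
              - name: "HOME"
                value: "/homes/sys_av_data_int"
            image: ".../data-eng-docker-local/de-jenkins-slave-dind:latest"
            imagePullPolicy: "Always"
            name: "jnlp-dind"
            resources:
              limits:
                memory: "8Gi"
              requests:
                memory: "1.5Gi"
                # cpu placed under requests by its position in the listing — confirm
                cpu: "1"
            securityContext:
              # Matches the template: the audit output shows this image with `true`.
              privileged: true
            tty: true
            volumeMounts:
              - mountPath: "/homes/sys_av_data_int"
                name: "volume-0"
                readOnly: false
              - mountPath: "/...:shared"
                name: "volume-3"
                readOnly: false
              - mountPath: "/etc/resolv.conf"
                name: "volume-1"
                readOnly: false
              - mountPath: "/homes/swlab"
                name: "volume-2"
                readOnly: false
              - mountPath: "/home/jenkins/agent"
                name: "workspace-volume"
                readOnly: false
            workingDir: "/home/jenkins/agent"
          - env:
              - name: "JENKINS_SECRET"
                value: "********"
              - name: "JENKINS_AGENT_NAME"
                value: "jnlp-dind-sonar-mf0m1"
              # Containers in one pod share localhost, so this container reaches
              # the Docker endpoint of the privileged jnlp-dind container.
              - name: "DOCKER_HOST"
                value: "tcp://localhost:2375"
              - name: "JENKINS_NAME"
                value: "jnlp-dind-sonar-mf0m1"
              - name: "JENKINS_AGENT_WORKDIR"
                value: "/home/jenkins/agent"
              - name: "JENKINS_URL"
                value: "http://10.155.17.249/"
              - name: "HOME"
                value: "/homes/sys_av_data_int"
            image: ".../data-eng-docker-local/de-jnlp-mx-sonar:latest"
            imagePullPolicy: "Always"
            name: "jnlp"
            resources:
              limits:
                memory: "8Gi"
                cpu: "2.5"
              requests:
                memory: "1.5Gi"
                cpu: "2"
            securityContext:
              # Reported deviation: the audit output shows privileged=false
              # configured for this image, yet the rendered pod has true.
              # NOTE(review): a cluster-side admission policy (e.g. Pod Security
              # admission) enforces this independently of what the plugin renders.
              privileged: true
              runAsGroup: 1000
              runAsUser: 600002
            tty: true
            volumeMounts:
              - mountPath: "/homes/sys_av_data_int"
                name: "volume-0"
                readOnly: false
              - mountPath: "/...:shared"
                name: "volume-3"
                readOnly: false
              - mountPath: "/etc/resolv.conf"
                name: "volume-1"
                readOnly: false
              - mountPath: "/homes/swlab"
                name: "volume-2"
                readOnly: false
              - mountPath: "/home/jenkins/agent"
                name: "workspace-volume"
                readOnly: false
            workingDir: "/home/jenkins/agent"
        hostNetwork: false
        nodeSelector:
          kubernetes.io/os: "linux"
        restartPolicy: "Never"
        securityContext:
          supplementalGroups:
            - 1053
            - 1065
            - 1298
            - 16472
            - 17545
            - 1055
            - 1186
            - 1020
            - 17536
            - 1187
            - 1066
            - 1057
            - 48008
            - 1016
        # Four of the five volumes are hostPath mounts, all mounted read-write
        # (readOnly: false) into both containers, including the privileged ones.
        volumes:
          - hostPath:
              path: "/homes/sys_av_data_int"
            name: "volume-0"
          - hostPath:
              path: "/.../sw"
            name: "volume-2"
          - hostPath:
              path: "/etc/resolv.conf"
            name: "volume-1"
          - emptyDir:
              medium: ""
            name: "workspace-volume"
          - hostPath:
              path: "/..."
            name: "volume-3"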


        Activity

          There is not enough information here to reproduce the problem.
          Please provide an explicit step-by-step reproducer.

          vlatombe Vincent Latombe added a comment - There is not enough information here to reproduce the problem. Please provide an explicit step-by-step reproducer.
          mifitous Michael added a comment - - edited

          Hi vlatombe 

          The description includes exactly what is required to reproduce it.

          I'll take it and fix it in the code, and will let you know the PR number.

          The issue seems to be in these lines:

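              /**
               * Deprecated, data-bound pod-level setter for the privileged flag.
               * It forwards the value to whatever getFirstContainer() returns, if
               * present; no other container in the template is touched by this call.
               * NOTE(review): which container counts as "first" is not visible in
               * this snippet — confirm against getFirstContainer().
               *
               * @param privileged value passed on to the first container's setPrivileged
               */
              @Deprecated
              @DataBoundSetter
              public void setPrivileged(boolean privileged) {
                  getFirstContainer().ifPresent((i) -> i.setPrivileged(privileged));
              }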

              @Deprecated
              public boolean isPrivileged()

          Unknown macro: {         return getFirstContainer().map(ContainerTemplate}

          People

            mifitous Michael
            mifitous Michael