Jenkins / JENKINS-46504

Kubernetes plugin requires ClusterRoles

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: kubernetes-plugin
    • Labels: None
    • Environment:
      Jenkins 2.65
      Kubernetes plugin 0.12
      Kubernetes 1.7.3

      Description

      Jenkins lists slave pods cluster-wide instead of in the configured namespace. And Jenkins deletes pods in a cluster context instead of in the configured namespace. This means that the cluster administrator needs to grant Jenkins RBAC permissions to list all pods in all namespaces, and delete all pods in all namespaces.

      It would be better if I could use Roles and RoleBindings in only the configured namespace.

      Here's an example stack trace from deleting a successful pod:

      Aug 28, 2017 4:58:25 PM org.csanchez.jenkins.plugins.kubernetes.KubernetesSlave _terminate
      SEVERE: Failed to terminate pod for slave default-f4c14
      io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: DELETE at: https://cluster.example.com:6443/api/v1/pods/default-f4c14. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. User "system:serviceaccount:jenkins:master" cannot delete pods at the cluster scope..
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:470)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:407)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:379)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:343)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleDelete(OperationSupport.java:208)
              at io.fabric8.kubernetes.client.dsl.base.BaseOperation.deleteThis(BaseOperation.java:657)
              at io.fabric8.kubernetes.client.dsl.base.BaseOperation.delete(BaseOperation.java:602)
              at io.fabric8.kubernetes.client.dsl.base.BaseOperation.delete(BaseOperation.java:68)
              at org.csanchez.jenkins.plugins.kubernetes.KubernetesSlave._terminate(KubernetesSlave.java:154)
              at hudson.slaves.AbstractCloudSlave.terminate(AbstractCloudSlave.java:67)
              at org.jenkinsci.plugins.durabletask.executors.OnceRetentionStrategy$1$1.call(OnceRetentionStrategy.java:129)
              at org.jenkinsci.plugins.durabletask.executors.OnceRetentionStrategy$1$1.call(OnceRetentionStrategy.java:124)
              at hudson.model.Queue._withLock(Queue.java:1378)
              at hudson.model.Queue.withLock(Queue.java:1237)
              at org.jenkinsci.plugins.durabletask.executors.OnceRetentionStrategy$1.run(OnceRetentionStrategy.java:124)
              at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
              at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
              at java.util.concurrent.FutureTask.run(FutureTask.java:266)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at java.lang.Thread.run(Thread.java:748)

            Activity

            Carlos Sanchez added a comment -

            this has been fixed in master already and there is a role definition at https://github.com/jenkinsci/kubernetes-plugin/blob/master/src/main/kubernetes/service-account.yml

            Florian Koch added a comment -

            Carlos Sanchez hm, the role and role binding are only per-namespace Roles, and I get this error, any ideas?

            Failed to count the # of live instances on Kubernetes
            io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.example.net/api/v1/pods?labelSelector=jenkins%3Dslave. Message: User "docker-ci" cannot list pods at the cluster scope..
                    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:470)
                    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:409)
                    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:379)
                    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:343)
                    at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:327)
                    at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:583)
                    at io.fabric8.kubernetes.client.dsl.base.BaseOperation.list(BaseOperation.java:68)
                    at org.csanchez.jenkins.plugins.kubernetes.KubernetesCloud.addProvisionedSlave(KubernetesCloud.java:792)
                    at org.csanchez.jenkins.plugins.kubernetes.KubernetesCloud.provision(KubernetesCloud.java:593)
                    at hudson.slaves.NodeProvisioner$StandardStrategyImpl.apply(NodeProvisioner.java:715)
                    at hudson.slaves.NodeProvisioner.update(NodeProvisioner.java:320)
                    at hudson.slaves.NodeProvisioner.access$000(NodeProvisioner.java:61)
                    at hudson.slaves.NodeProvisioner$NodeProvisionerInvoker.doRun(NodeProvisioner.java:809)
                    at hudson.triggers.SafeTimerTask.run(SafeTimerTask.java:51)
                    at jenkins.security.ImpersonatingScheduledExecutorService$1.run(ImpersonatingScheduledExecutorService.java:58)
                    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
                    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
                    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
                    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
                    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
                    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
                    at java.lang.Thread.run(Thread.java:748)

            Florian Koch added a comment -

            Carlos Sanchez ok, built the plugin from master, now it does work

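The scope rule behind both Forbidden errors in this thread (the DELETE at the cluster scope in the description and the GET at the cluster scope in Florian Koch's comment), modelled as an added example. This is not code from the kubernetes-plugin or from Kubernetes; it reproduces the RBAC authorizer's decision for the two request URLs quoted in the stack traces. The Role's rule set, the `jenkins` namespace of the binding, and the shape of the namespaced URLs the fixed client sends are assumptions, not taken from the page or from service-account.yml.

```python
"""RBAC scope check behind the two Forbidden errors on this page.

Added example (not code from the Jenkins kubernetes-plugin or Kubernetes).
It parses the request URLs quoted in the stack traces, classifies each as
namespaced or cluster-scoped from the path shape, and evaluates it the way
the RBAC authorizer does: a RoleBinding only covers requests whose namespace
equals the binding's namespace, so a list or delete with no namespace in the
path (a cluster-scoped request) can never be authorized by a namespaced Role,
whatever verbs that Role grants. The Role's rules below are an assumed
minimum, not the plugin's service-account.yml.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple
from urllib.parse import urlsplit

# Core API paths: /api/v1[/namespaces/<ns>]/<resource>[/<name>]
# (subresources such as pods/exec are deliberately not modelled here).
_CORE_PATH = re.compile(
    r"^/api/v1(?:/namespaces/(?P<ns>[^/]+))?/(?P<resource>[^/]+)(?:/(?P<name>[^/]+))?$"
)


@dataclass(frozen=True)
class Request:
    verb: str
    resource: str
    namespace: Optional[str]  # None means the request is cluster-scoped
    name: Optional[str]


def _rbac_verb(method: str, has_name: bool, query: str) -> str:
    """Map an HTTP method to the RBAC verb the authorizer checks."""
    if method == "GET":
        if "watch=true" in query:
            return "watch"
        return "get" if has_name else "list"
    return {"DELETE": "delete", "POST": "create", "PUT": "update", "PATCH": "patch"}[method]


def parse_request(method: str, url: str) -> Request:
    """Turn 'DELETE https://host/api/v1/pods/x' into (verb, resource, namespace, name)."""
    parts = urlsplit(url)
    m = _CORE_PATH.match(parts.path)
    if m is None:
        raise ValueError(f"not a core-API path: {parts.path}")
    name = m.group("name")
    return Request(_rbac_verb(method, name is not None, parts.query),
                   m.group("resource"), m.group("ns"), name)


@dataclass(frozen=True)
class Rule:
    resources: FrozenSet[str]
    verbs: FrozenSet[str]


@dataclass(frozen=True)
class Binding:
    rules: Tuple[Rule, ...]
    namespace: Optional[str]  # RoleBinding's namespace, or None for a ClusterRoleBinding


def allowed(req: Request, bindings: Sequence[Binding]) -> bool:
    for b in bindings:
        # A RoleBinding (even one that references a ClusterRole) only covers
        # requests inside its own namespace; cluster-scoped requests never match.
        if b.namespace is not None and req.namespace != b.namespace:
            continue
        for rule in b.rules:
            if (("*" in rule.resources or req.resource in rule.resources)
                    and ("*" in rule.verbs or req.verb in rule.verbs)):
                return True
    return False


def evaluate(bindings: Sequence[Binding], method: str, url: str) -> Tuple[bool, str]:
    """Return the decision and a message shaped like the apiserver's Forbidden reason."""
    req = parse_request(method, url)
    scope = "the cluster scope" if req.namespace is None else f"the namespace {req.namespace!r}"
    ok = allowed(req, bindings)
    return ok, f"{'can' if ok else 'cannot'} {req.verb} {req.resource} at {scope}"


# Assumed minimal Role for the agent lifecycle (create/list/get/watch/delete pods).
POD_RULES = (Rule(frozenset({"pods"}), frozenset({"get", "list", "watch", "create", "delete"})),)
NAMESPACED = [Binding(POD_RULES, "jenkins")]   # Role + RoleBinding in 'jenkins'
CLUSTER_WIDE = [Binding(POD_RULES, None)]      # ClusterRole + ClusterRoleBinding

# Constructed from the two requests quoted in the stack traces on this page.
PAGE_REQUESTS = {
    "terminate": ("DELETE", "https://cluster.example.com:6443/api/v1/pods/default-f4c14"),
    "count": ("GET", "https://kubernetes.example.net/api/v1/pods?labelSelector=jenkins%3Dslave"),
}
# The same two calls once the client scopes them to its namespace (assumed
# shape of the fixed client; the page does not quote the fixed URLs).
FIXED_REQUESTS = {
    "terminate": ("DELETE", "https://cluster.example.com:6443/api/v1/namespaces/jenkins/pods/default-f4c14"),
    "count": ("GET", "https://kubernetes.example.net/api/v1/namespaces/jenkins/pods?labelSelector=jenkins%3Dslave"),
}

if __name__ == "__main__":
    for label, (method, url) in PAGE_REQUESTS.items():
        print(label, "namespaced Role:", evaluate(NAMESPACED, method, url)[1])
        print(label, "ClusterRole:    ", evaluate(CLUSTER_WIDE, method, url)[1])
    for label, (method, url) in FIXED_REQUESTS.items():
        print(label, "namespaced Role, fixed URL:", evaluate(NAMESPACED, method, url)[1])
```

The takeaway is that no set of verbs in a namespaced Role can make the cluster-scoped requests pass; either the binding becomes cluster-wide (what the reporter wanted to avoid) or the client puts the namespace in the path (what the plugin fix does). On a real cluster the equivalent check, with the plugin's service account impersonated, is `kubectl auth can-i list pods -n jenkins --as=system:serviceaccount:jenkins:master` (expected yes with the namespaced Role) against `kubectl auth can-i list pods --all-namespaces --as=system:serviceaccount:jenkins:master` (expected no).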
            SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Mark Waite
            Path:
            src/main/java/org/jenkinsci/plugins/gitclient/CliGitAPIImpl.java
            http://jenkins-ci.org/commit/git-client-plugin/52f681e6153eb088495edd497a82d6dc919dcae3
            Log:
            [Fixed JENKINS-46054] submodule repo URL with '.url' substring failed

            Modify the submodule config parsing regular expression to correctly
            extract the submodule name from the config output.

            Splits cli submodule URL regexp use into two cases.

            git config --get-regex applies the regex to match keys, and returns all
            matches (including substring matches).

            Thus, a config call:

            git config -f .gitmodules --get-regexp "^submodule\.([^ ]+)\.url"

            will report two lines of output if the submodule URL includes ".url":

            submodule.modules/JENKINS-46504.url.path modules/JENKINS-46504.url
            submodule.modules/JENKINS-46504.url.url https://github.com/MarkEWaite/JENKINS-46054.url

            The code originally used the same pattern for get-regexp and for output parsing.
            By using the same pattern in both places, it incorrectly took the first line
            of output as the URL of a submodule (when it is instead the path of a submodule).

            Fixes tests added in previous commits.


              People

              • Assignee: Carlos Sanchez
              • Reporter: cjyar
              • Votes: 0
              • Watchers: 4