Jenkins / JENKINS-46504

Kubernetes plugin requires ClusterRoles

Details

• Type: Improvement
• Status: Closed
• Priority: Minor
• Resolution: Fixed
• Component/s: kubernetes-plugin
• Labels: None
• Environment:
  Jenkins 2.65
  Kubernetes plugin 0.12
  Kubernetes 1.7.3

Description

Jenkins lists slave pods cluster-wide instead of in the configured namespace. And Jenkins deletes pods in a cluster context instead of in the configured namespace. This means that the cluster administrator needs to grant Jenkins RBAC permissions to list all pods in all namespaces, and delete all pods in all namespaces.

It would be better if I could use Roles and RoleBindings in only the configured namespace.

Here's an example stack trace from deleting a successful pod:

Aug 28, 2017 4:58:25 PM org.csanchez.jenkins.plugins.kubernetes.KubernetesSlave _terminate
SEVERE: Failed to terminate pod for slave default-f4c14
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: DELETE at: https://cluster.example.com:6443/api/v1/pods/default-f4c14. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. User "system:serviceaccount:jenkins:master" cannot delete pods at the cluster scope..
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:470)
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:407)
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:379)
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:343)
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleDelete(OperationSupport.java:208)
        at io.fabric8.kubernetes.client.dsl.base.BaseOperation.deleteThis(BaseOperation.java:657)
        at io.fabric8.kubernetes.client.dsl.base.BaseOperation.delete(BaseOperation.java:602)
        at io.fabric8.kubernetes.client.dsl.base.BaseOperation.delete(BaseOperation.java:68)
        at org.csanchez.jenkins.plugins.kubernetes.KubernetesSlave._terminate(KubernetesSlave.java:154)
        at hudson.slaves.AbstractCloudSlave.terminate(AbstractCloudSlave.java:67)
        at org.jenkinsci.plugins.durabletask.executors.OnceRetentionStrategy$1$1.call(OnceRetentionStrategy.java:129)
        at org.jenkinsci.plugins.durabletask.executors.OnceRetentionStrategy$1$1.call(OnceRetentionStrategy.java:124)
        at hudson.model.Queue._withLock(Queue.java:1378)
        at hudson.model.Queue.withLock(Queue.java:1237)
        at org.jenkinsci.plugins.durabletask.executors.OnceRetentionStrategy$1.run(OnceRetentionStrategy.java:124)
        at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:748)
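The authorisation failure in the stack trace comes down to request scope: `DELETE /api/v1/pods/default-f4c14` has no `/namespaces/<ns>/` segment, so the API server treats it as a cluster-scoped request, and a Role bound in the jenkins namespace can never satisfy it, only a ClusterRole bound through a ClusterRoleBinding. The Python below is an added example, not code from the issue or from the kubernetes-plugin. It models that RBAC decision over constructed request URLs (the one in the stack trace and its namespaced counterpart) for the `system:serviceaccount:jenkins:master` subject named in the error, using a hypothetical namespace-scoped Role and RoleBinding called `jenkins-agents`. The evaluator is deliberately simplified: core API group only, no `resourceNames`, subresources or `*` wildcards.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Core-API (/api/v1) paths only. A request is namespaced when the path carries a
# /namespaces/<ns>/ segment; /api/v1/pods/<name>, as in the stack trace, is not.
_NAMESPACED = re.compile(r"^/api/v1/namespaces/([^/]+)/([^/]+)(?:/([^/]+))?$")
_CLUSTER = re.compile(r"^/api/v1/([^/]+)(?:/([^/]+))?$")


@dataclass(frozen=True)
class Request:
    verb: str                  # RBAC verb the API server authorises
    resource: str              # e.g. "pods"
    namespace: Optional[str]   # None = cluster scope
    name: Optional[str] = None


def classify(method: str, url: str) -> Request:
    """Map an HTTP method + URL (as fabric8 prints them) to an RBAC request."""
    path = urlparse(url).path
    m = _NAMESPACED.match(path)
    if m:
        namespace, resource, name = m.groups()
    else:
        m = _CLUSTER.match(path)
        if not m:
            raise ValueError(f"unsupported core-API path: {path}")
        namespace, (resource, name) = None, m.groups()
    verb = {("GET", True): "get", ("GET", False): "list", ("POST", False): "create",
            ("DELETE", True): "delete", ("DELETE", False): "deletecollection"
            }.get((method.upper(), name is not None))
    if verb is None:
        raise ValueError(f"unsupported request: {method} {path}")
    return Request(verb, resource, namespace, name)


@dataclass(frozen=True)
class Binding:
    subject: str                                     # system:serviceaccount:<ns>:<name>
    rules: Tuple[Tuple[frozenset, frozenset], ...]   # (verbs, resources) pairs
    namespace: Optional[str]                         # RoleBinding ns; None = ClusterRoleBinding


def least_privilege_manifests(namespace: str, sa_name: str) -> List[Dict]:
    """The namespace-scoped Role + RoleBinding the reporter asks for (hypothetical
    name 'jenkins-agents'); verbs cover creating, listing and deleting agent pods."""
    role = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": "jenkins-agents", "namespace": namespace},
            "rules": [{"apiGroups": [""], "resources": ["pods"],
                       "verbs": ["create", "get", "list", "watch", "delete"]}]}
    binding = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
               "metadata": {"name": "jenkins-agents", "namespace": namespace},
               "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": namespace}],
               "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                           "name": "jenkins-agents"}}
    return [role, binding]


def bindings_from_manifests(manifests: List[Dict]) -> List[Binding]:
    """Resolve (Cluster)RoleBindings to their (Cluster)Roles via roleRef."""
    roles = {(m["kind"], m["metadata"]["name"]): m
             for m in manifests if m["kind"] in ("Role", "ClusterRole")}
    out = []
    for m in manifests:
        if m["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        role = roles[(m["roleRef"]["kind"], m["roleRef"]["name"])]
        rules = tuple((frozenset(r["verbs"]), frozenset(r["resources"])) for r in role["rules"])
        ns = m["metadata"]["namespace"] if m["kind"] == "RoleBinding" else None
        for s in m["subjects"]:
            out.append(Binding(f"system:serviceaccount:{s['namespace']}:{s['name']}", rules, ns))
    return out


def allowed(bindings: List[Binding], subject: str, req: Request) -> bool:
    """RBAC decision (simplified: no resourceNames, subresources, groups or '*')."""
    for b in bindings:
        if b.subject != subject:
            continue
        # A RoleBinding only grants inside its own namespace, so a cluster-scoped
        # request (namespace None) can never be satisfied by one.
        if b.namespace is not None and req.namespace != b.namespace:
            continue
        if any(req.verb in verbs and req.resource in res for verbs, res in b.rules):
            return True
    return False


SUBJECT = "system:serviceaccount:jenkins:master"   # the user named in the error message
BINDINGS = bindings_from_manifests(least_privilege_manifests("jenkins", "master"))
# Constructed URLs: the first is the one in the stack trace, the second its namespaced form.
CLUSTER_DELETE = classify("DELETE", "https://cluster.example.com:6443/api/v1/pods/default-f4c14")
NAMESPACED_DELETE = classify(
    "DELETE", "https://cluster.example.com:6443/api/v1/namespaces/jenkins/pods/default-f4c14")

if __name__ == "__main__":
    for req in (CLUSTER_DELETE, NAMESPACED_DELETE):
        print(req.verb, req.resource, req.namespace or "<cluster scope>",
              "allowed" if allowed(BINDINGS, SUBJECT, req) else "forbidden")
```

Against a real cluster the same two checks are `kubectl auth can-i delete pods --as=system:serviceaccount:jenkins:master -n jenkins` (namespaced, should be yes) and the same command with `--all-namespaces` in place of `-n jenkins` (cluster scope, should be no unless a ClusterRoleBinding has been granted); a plugin that only issues namespaced requests needs nothing beyond the first.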

Activity

cjyar cjyar created issue -
cjyar cjyar made changes -
Field Original Value New Value
Description (text unchanged apart from the host in the stack trace URL) https://dev.k8s.sri.com:6443/api/v1/pods/default-f4c14 https://cluster.example.com:6443/api/v1/pods/default-f4c14
csanchez Carlos Sanchez made changes -
Link This issue duplicates JENKINS-45910 [ JENKINS-45910 ]
csanchez Carlos Sanchez made changes -
Status Open [ 1 ] Closed [ 6 ]
Resolution Fixed [ 1 ]

People

• Assignee: csanchez Carlos Sanchez
• Reporter: cjyar cjyar
• Votes: 0
• Watchers: 4