Jenkins / JENKINS-46504

Kubernetes plugin requires ClusterRoles

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Minor
    • Component/s: kubernetes-plugin
    • Labels: None
    • Environment: Jenkins 2.65
      Kubernetes plugin 0.12
      Kubernetes 1.7.3

      Jenkins lists slave pods cluster-wide instead of in the configured namespace. And Jenkins deletes pods in a cluster context instead of in the configured namespace. This means that the cluster administrator needs to grant Jenkins RBAC permissions to list all pods in all namespaces, and delete all pods in all namespaces.

      It would be better if I could use Roles and RoleBindings in only the configured namespace.

      Here's an example stack trace from deleting a successful pod:

      Aug 28, 2017 4:58:25 PM org.csanchez.jenkins.plugins.kubernetes.KubernetesSlave _terminate
      SEVERE: Failed to terminate pod for slave default-f4c14
      io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: DELETE at: https://cluster.example.com:6443/api/v1/pods/default-f4c14. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. User "system:serviceaccount:jenkins:master" cannot delete pods at the cluster scope..
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:470)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:407)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:379)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:343)
              at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleDelete(OperationSupport.java:208)
              at io.fabric8.kubernetes.client.dsl.base.BaseOperation.deleteThis(BaseOperation.java:657)
              at io.fabric8.kubernetes.client.dsl.base.BaseOperation.delete(BaseOperation.java:602)
              at io.fabric8.kubernetes.client.dsl.base.BaseOperation.delete(BaseOperation.java:68)
              at org.csanchez.jenkins.plugins.kubernetes.KubernetesSlave._terminate(KubernetesSlave.java:154)
              at hudson.slaves.AbstractCloudSlave.terminate(AbstractCloudSlave.java:67)
              at org.jenkinsci.plugins.durabletask.executors.OnceRetentionStrategy$1$1.call(OnceRetentionStrategy.java:129)
              at org.jenkinsci.plugins.durabletask.executors.OnceRetentionStrategy$1$1.call(OnceRetentionStrategy.java:124)
              at hudson.model.Queue._withLock(Queue.java:1378)
              at hudson.model.Queue.withLock(Queue.java:1237)
              at org.jenkinsci.plugins.durabletask.executors.OnceRetentionStrategy$1.run(OnceRetentionStrategy.java:124)
              at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
              at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
              at java.util.concurrent.FutureTask.run(FutureTask.java:266)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at java.lang.Thread.run(Thread.java:748)

            Assignee: Carlos Sanchez (csanchez)
            Reporter: cjyar
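An added illustration, not part of the original issue or the plugin's documentation: the cluster-wide grant that the cluster-scoped list and delete calls force on the administrator, next to the namespaced Role and RoleBinding the reporter asks for. The service account `jenkins:master` comes from the error message above; the object names, the choice of `jenkins` as the configured namespace, and the extra verbs `create`, `get` and `watch` are assumptions.

```yaml
# BEFORE: needed while the plugin calls /api/v1/pods at cluster scope.
# The Jenkins service account can list and delete pods in every namespace.
# (rbac.authorization.k8s.io/v1 is GA from Kubernetes 1.8; use v1beta1 on 1.7.x.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: jenkins-pods-clusterwide      # constructed name
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jenkins-pods-clusterwide      # constructed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: jenkins-pods-clusterwide
subjects:
  - kind: ServiceAccount
    name: master                      # from system:serviceaccount:jenkins:master
    namespace: jenkins
---
# AFTER: sufficient once list/delete are issued against
# /api/v1/namespaces/<configured namespace>/pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins-agent-pods            # constructed name
  namespace: jenkins                  # assumption: the configured namespace
rules:
  - apiGroups: [""]
    resources: ["pods"]
    # list and delete are the verbs named in the issue; the rest are assumed
    verbs: ["create", "get", "list", "watch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-agent-pods
  namespace: jenkins
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: jenkins-agent-pods}
subjects:
  - {kind: ServiceAccount, name: master, namespace: jenkins}
```

With only the namespaced pair applied, `kubectl auth can-i delete pods --as=system:serviceaccount:jenkins:master -n jenkins` should answer yes, and the same query with `--all-namespaces` should answer no.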