Jenkins / JENKINS-52897

Service account token not used on slaves


      We want to use the service account of the master node on our slaves. Unfortunately, the slaves always get the default service account's token mounted instead of the one used on the master node.

       

      Here's our setup:

       

      We create the credentials.xml file during startup and it contains the following snippet:

      <com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@2.1.13">
        <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
          <entry>
            <com.cloudbees.plugins.credentials.domains.Domain>
              <specifications/>
            </com.cloudbees.plugins.credentials.domains.Domain>
            <java.util.concurrent.CopyOnWriteArrayList>
              <!--...-->
              <org.csanchez.jenkins.plugins.kubernetes.ServiceAccountCredential plugin="kubernetes@1.0">
                <scope>GLOBAL</scope>
                <id>default-service-account</id>
                <description>Service account provided by OpenShift, typically defined in the template.</description>
              </org.csanchez.jenkins.plugins.kubernetes.ServiceAccountCredential>
              <!--...-->
            </java.util.concurrent.CopyOnWriteArrayList>
          </entry>
        </domainCredentialsMap>
      </com.cloudbees.plugins.credentials.SystemCredentialsProvider>
      

      In the clouds section of the config.xml file, we refer to the token with the following snippet:

      <clouds>
        <org.csanchez.jenkins.plugins.kubernetes.KubernetesCloud plugin="kubernetes@1.0">
          <!--...-->
          <credentialsId>default-service-account</credentialsId>
          <!--...-->
        </org.csanchez.jenkins.plugins.kubernetes.KubernetesCloud>
      </clouds>
      

      Every time a new build slave is spun up by the kubernetes-plugin, it does not provide the service account of the master node (defined by the credentialsId with the name default-service-account) to the build slave. Instead, the project-specific default service account is used.

      The same issue occurs if we replace the above credentials.xml snippet with the following:

      <com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@2.1.13">
        <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
          <entry>
            <com.cloudbees.plugins.credentials.domains.Domain>
              <specifications/>
            </com.cloudbees.plugins.credentials.domains.Domain>
            <java.util.concurrent.CopyOnWriteArrayList>
              <!--...-->
              <org.jenkinsci.plugins.kubernetes.credentials.FileSystemServiceAccountCredential plugin="kubernetes-credentials@0.3.0">
                <scope>GLOBAL</scope>
                <id>default-service-account</id>
                <description>Service account provided by OpenShift, typically defined in the template.</description>
              </org.jenkinsci.plugins.kubernetes.credentials.FileSystemServiceAccountCredential>
              <!--...-->
            </java.util.concurrent.CopyOnWriteArrayList>
          </entry>
        </domainCredentialsMap>
      </com.cloudbees.plugins.credentials.SystemCredentialsProvider>
      

      We suppose that the service account stored as the credential with the id default-service-account is also used for the slave instead of the default one.

            csanchez Carlos Sanchez
            spanierm Markus Spanier
            Votes: 0
            Watchers: 3
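An added check, not part of the issue report or of the kubernetes-plugin itself: the credentialsId on the KubernetesCloud only selects the credential the Jenkins master uses to talk to the Kubernetes API server. The account an agent pod runs as comes from the pod spec (the pod template's serviceAccount setting in the plugin); when nothing is set there, Kubernetes mounts the namespace's default service account token. The fastest way to see which account a slave actually received is to decode the claims of the token mounted in the pod. The script below does that and compares the result with an expected namespace/name. The TOKEN_FILE variable, the check_mounted_sa helper and the make_sample_token helper are assumptions made for this example; the token path is the standard Kubernetes mount; the sample payloads are constructed, and the signature is deliberately not verified since this is a local diagnostic.

```shell
#!/bin/sh
# Added example (not from the issue or the kubernetes-plugin): find out which
# Kubernetes service account a pod's mounted token actually belongs to.
# Run inside the Jenkins agent pod (for example from a `sh` step) and compare
# the result with the account you expected the pod template to use.

TOKEN_FILE="${TOKEN_FILE:-/var/run/secrets/kubernetes.io/serviceaccount/token}"

# Decode one base64url JWT segment: swap the URL-safe alphabet back and restore
# the padding that JWTs strip.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr -- '-_' '+/')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the JSON payload (second dot-separated segment) of a JWT. The signature
# is ignored on purpose: this is a local diagnostic, not a token verifier.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Service account tokens, legacy and bound (projected) alike, carry the identity
# in the "sub" claim as system:serviceaccount:<namespace>:<name>.
# Prints "<namespace>/<name>", or fails if the token is not a service account token.
sa_identity_from_token() {
  sub=$(jwt_payload "$1" | sed -n 's/.*"sub" *: *"\([^"]*\)".*/\1/p')
  case "$sub" in
    system:serviceaccount:*:*)
      printf '%s/%s' "$(printf '%s' "$sub" | cut -d: -f3)" \
                     "$(printf '%s' "$sub" | cut -d: -f4)" ;;
    *) return 1 ;;
  esac
}

# Compare the mounted token with the expected "<namespace>/<name>".
# Exit status: 0 match, 1 mismatch, 2 no usable token at TOKEN_FILE.
check_mounted_sa() {
  expected="$1"
  actual=$(sa_identity_from_token "$(cat "$TOKEN_FILE" 2>/dev/null)") \
    || { echo "no service account token readable at $TOKEN_FILE"; return 2; }
  if [ "$actual" = "$expected" ]; then
    echo "OK: pod runs as service account $actual"
  else
    echo "MISMATCH: expected $expected, mounted token belongs to $actual"
    return 1
  fi
}

# Build an unsigned token from a constructed JSON payload so the functions above
# can be exercised offline; real tokens are signed by the API server.
make_sample_token() {
  hdr=$(printf '%s' '{"alg":"RS256","kid":"demo"}' | base64 | tr -d '\n=' | tr -- '+/' '-_')
  pl=$(printf '%s' "$1" | base64 | tr -d '\n=' | tr -- '+/' '-_')
  printf '%s.%s.%s' "$hdr" "$pl" "bm90LWEtcmVhbC1zaWduYXR1cmU"
}

# Usage inside the pod: sh check-sa.sh <namespace>/<expected-service-account>
if [ $# -gt 0 ]; then
  check_mounted_sa "$1"
fi
```

If the script reports the namespace's default account while the cloud's credentialsId points at something else, the token used by the master and the token mounted into the agent are two different things, and the fix belongs in the pod template rather than in credentials.xml.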