
feat: add support for deployment cancellation and error surface when admission webhook blocks pod skaffold is waiting on #8624

Merged 1 commit, Apr 6, 2023

Conversation

aaron-prindle (Contributor) commented Apr 3, 2023

fixes #8610

Manually tested against GKE cluster w/ binauthz enabled following the guide here:
https://cloud.google.com/architecture/binary-auth-with-cloud-build-and-gke

Before this change:

aprindle@aprindle-ssd ~/bad-image  [bad-image]$ skaffold apply manifests.yaml 
Starting deploy...
 - deployment.apps/bad-image configured
Waiting for deployments to stabilize...
 - deployment/bad-image: waiting for rollout to finish: 0 out of 1 new replicas have been updated...
 # ...
 # hangs here, waits until statusCheckDeadlineSeconds

After this change:

aprindle@aprindle-ssd ~/bad-image  [bad-image]$ skaffold apply manifests.yaml 
Starting deploy...
 - deployment.apps/bad-image created
Waiting for deployments to stabilize...
 - deployment/bad-image: Failed to create Pod for Deployment bad-image: Error creating: admission webhook "imagepolicywebhook.image-policy.k8s.io" denied the request: Image us-central1-docker.pkg.dev/aprindle-test-cluster/applications/bad-image:0b78553-dirty@sha256:2fca1fa0b2831ff007d1416e690ae8f882aad5a6c490d801ccdc659ed8b96c22 denied by Binary Authorization cluster admission rule for us-central1.prod-cluster. Image us-central1-docker.pkg.dev/aprindle-test-cluster/applications/bad-image:0b78553-dirty@sha256:2fca1fa0b2831ff007d1416e690ae8f882aad5a6c490d801ccdc659ed8b96c22 denied by attestor projects/aprindle-test-cluster/attestors/vulnz-attestor: No attestations found that were valid and signed by a key trusted by the attestor. Image us-central1-docker.pkg.dev/aprindle-test-cluster/applications/bad-image:0b78553-dirty@sha256:2fca1fa0b2831ff007d1416e690ae8f882aad5a6c490d801ccdc659ed8b96c22 denied by attestor projects/aprindle-test-cluster/attestors/qa-attestor: No attestations found that were valid and signed by a key trusted by the attestor
 - deployment/bad-image failed. Error: Failed to create Pod for Deployment bad-image: Error creating: admission webhook "imagepolicywebhook.image-policy.k8s.io" denied the request: Image us-central1-docker.pkg.dev/aprindle-test-cluster/applications/bad-image:0b78553-dirty@sha256:2fca1fa0b2831ff007d1416e690ae8f882aad5a6c490d801ccdc659ed8b96c22 denied by Binary Authorization cluster admission rule for us-central1.prod-cluster. Image us-central1-docker.pkg.dev/aprindle-test-cluster/applications/bad-image:0b78553-dirty@sha256:2fca1fa0b2831ff007d1416e690ae8f882aad5a6c490d801ccdc659ed8b96c22 denied by attestor projects/aprindle-test-cluster/attestors/vulnz-attestor: No attestations found that were valid and signed by a key trusted by the attestor. Image us-central1-docker.pkg.dev/aprindle-test-cluster/applications/bad-image:0b78553-dirty@sha256:2fca1fa0b2831ff007d1416e690ae8f882aad5a6c490d801ccdc659ed8b96c22 denied by attestor projects/aprindle-test-cluster/attestors/qa-attestor: No attestations found that were valid and signed by a key trusted by the attestor.
1/1 deployment(s) failed
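The "after" output above shows the status check turning a ReplicaSet pod-creation failure caused by an admission webhook into a terminal deployment error instead of polling until the deadline. The following is an added illustration of that decision, not skaffold's own code: it assumes simplified stand-ins for the ReplicaSet condition fields (a real implementation would read them from the Kubernetes API) and uses a constructed sample message shortened from the Binary Authorization denial quoted in the PR.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Simplified stand-ins for ReplicaSet status fields (assumption: not the k8s.io/api types).
type Condition struct {
	Type, Status, Reason, Message string
}

type ReplicaSetStatus struct {
	ReadyReplicas int32
	Conditions    []Condition
}

// ErrAdmissionDenied marks a failure that no amount of waiting will clear.
var ErrAdmissionDenied = errors.New("admission webhook denied pod creation")

// CheckReplicaSet returns (done, err): (false, nil) keep polling, (true, nil)
// rollout complete, (true, err) cancel the wait and surface the error.
func CheckReplicaSet(deployment string, desired int32, st ReplicaSetStatus) (bool, error) {
	for _, c := range st.Conditions {
		// Pod-creation failures surface as ReplicaFailure/FailedCreate with the API server's rejection text.
		if c.Type != "ReplicaFailure" || c.Status != "True" || c.Reason != "FailedCreate" {
			continue
		}
		// Only a webhook denial is treated as terminal; other FailedCreate causes may still clear.
		if strings.Contains(c.Message, "admission webhook") && strings.Contains(c.Message, "denied the request") {
			return true, fmt.Errorf("Failed to create Pod for Deployment %s: %s: %w", deployment, c.Message, ErrAdmissionDenied)
		}
	}
	return st.ReadyReplicas >= desired, nil
}

func main() {
	// Constructed sample, shortened from the webhook message quoted in the PR.
	denied := ReplicaSetStatus{Conditions: []Condition{{
		Type: "ReplicaFailure", Status: "True", Reason: "FailedCreate",
		Message: `Error creating: admission webhook "imagepolicywebhook.image-policy.k8s.io" denied the request: Image us-central1-docker.pkg.dev/aprindle-test-cluster/applications/bad-image:0b78553-dirty denied by Binary Authorization cluster admission rule for us-central1.prod-cluster`,
	}}}
	done, err := CheckReplicaSet("bad-image", 1, denied)
	fmt.Printf("done=%v err=%v\n", done, err)
	done, err = CheckReplicaSet("bad-image", 1, ReplicaSetStatus{}) // no failure yet: keep waiting
	fmt.Printf("done=%v err=%v\n", done, err)
}
```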

codecov bot commented Apr 4, 2023

Codecov Report

Merging #8624 (eb8e9bc) into main (290280e) will decrease coverage by 6.28%.
The diff coverage is 54.47%.

❗ Current head eb8e9bc differs from pull request most recent head ad9e67a. Consider uploading reports for the commit ad9e67a to get more accurate results

@@            Coverage Diff             @@
##             main    #8624      +/-   ##
==========================================
- Coverage   70.48%   64.21%   -6.28%     
==========================================
  Files         515      613      +98     
  Lines       23150    30725    +7575     
==========================================
+ Hits        16317    19729    +3412     
- Misses       5776     9516    +3740     
- Partials     1057     1480     +423     
Impacted Files (coverage, <diff coverage>, (Δ))
cmd/skaffold/app/cmd/completion.go 13.04% <0.00%> (-1.25%) ⬇️
cmd/skaffold/app/cmd/config/list.go 65.21% <ø> (ø)
cmd/skaffold/app/cmd/config/set.go 88.72% <ø> (ø)
cmd/skaffold/app/cmd/config/util.go 54.28% <ø> (ø)
cmd/skaffold/app/cmd/credits.go 100.00% <ø> (ø)
cmd/skaffold/app/cmd/credits/export.go 0.00% <0.00%> (ø)
cmd/skaffold/app/cmd/deploy.go 40.90% <0.00%> (-12.94%) ⬇️
cmd/skaffold/app/cmd/generate_pipeline.go 60.00% <ø> (ø)
cmd/skaffold/app/cmd/inspect_modules.go 65.00% <ø> (ø)
cmd/skaffold/app/cmd/inspect_profiles.go 66.66% <ø> (ø)
... and 39 more

... and 393 files with indirect coverage changes


@aaron-prindle aaron-prindle force-pushed the fix-8610 branch 3 times, most recently from 24fc1f0 to eb8e9bc Compare April 4, 2023 17:54
Reviewer (Contributor) commented:

It looks like we don't need this file? The integration test is using the examples/kustomize. Same will be for the other files in the integration/testdata/helm- folders.

Contributor Author (aaron-prindle) replied:

Thanks, missed this. Updated now

// TestBinAuthZWithDeploy targets the integration-tests-binauthz cluster on k8s-skaffold which has '--binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE' set
func TestBinAuthZWithDeploy(t *testing.T) {
	MarkIntegrationTest(t, NeedsGcp)
	if os.Getenv("GKE_CLUSTER_NAME") != binauthzClusterName {
Reviewer (Contributor) commented:

I think we need to do a change in Kokoro to make this work, right?

Contributor Author (aaron-prindle) replied:

Yes, you're correct - currently this won't run in Kokoro (but won't affect the test negatively). The plan is to make the Kokoro change to add this cluster and possibly modify the test harness as well to only run this test in that cluster.

…admission webhook blocks pod skaffold is waiting on
@aaron-prindle aaron-prindle merged commit 3f33f60 into GoogleContainerTools:main Apr 6, 2023
12 checks passed
aaron-prindle added a commit that referenced this pull request May 15, 2023
…admission webhook blocks pod skaffold is waiting on (#8624)

(cherry picked from commit 3f33f60)
Successfully merging this pull request may close these issues.

Add support/error-handling for when admission controller denies a deployment's pods