Jobs spinning up nodes without toleration #15266

Closed
Rafael-Schippers opened this issue Jun 11, 2024 · 1 comment


@Rafael-Schippers

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that AWX is open source software provided for free and that I might not receive a timely response.
  • I am NOT reporting a (potential) security vulnerability. (These should be emailed to security@ansible.com instead.)

Bug Summary

The jobs AWX spins up are not respecting my selector and tolerations. I have firewall rules in place for 2 virtual machines that have the Kubernetes label team=operations so that they can SSH to the rest of the virtual machines.

AWX version

2.18.0

Select the relevant components

  • UI
  • UI (tech preview)
  • API
  • Docs
  • Collection
  • CLI
  • Other

Installation method

kubernetes

Modifications

no

Ansible version

AWX EE (24.5.0)

Operating system

Rocky 9

Web browser

No response

Steps to reproduce

Have Kubernetes and 2 separate nodes on it with label "team=operations".

Have the following files in a directory.

awx-instance.yaml

apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx-instance
  namespace: awx
spec:
# IPv6 is disabled on our VMs, and this causes problems if we don't disable it in AWX.
  ipv6_disabled: true

# ingress
  service_type: clusterip
  ingress_type: ingress
  ingress_hosts:
    - hostname: foo.bar.com

# postgres
  postgres_storage_class: netapp
  postgres_storage_requirements:
    requests:
      storage: 100Gi

# Assigning AWX pods to specific nodes
  node_selector: |
    team: operations
  tolerations: |
    - key: "team"
      operator: "Equal"
      value: "operations"
      effect: "NoSchedule"
  postgres_selector: |
    team: operations
  postgres_tolerations: |
    - key: "team"
      operator: "Equal"
      value: "operations"
      effect: "NoSchedule"

and kustomization.yaml

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # Find the latest tag here: https://github.com/ansible/awx-operator/releases
  - github.com/ansible/awx-operator/config/default?ref=2.13.1
  - awx-instance.yaml
# Set the image tags to match the git version from above
images:
  - name: quay.io/ansible/awx-operator
    newTag: 2.18.0

# Specify a custom namespace in which to install AWX
namespace: awx

Then start up AWX

kubectl apply -k .

Then realise it spins up pods on nodes it isn't allowed to, so you change your awx-instance.yaml to this.

apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx-instance
  namespace: awx
spec:
# IPv6 is disabled on our VMs, and this causes problems if we don't disable it in AWX.
  ipv6_disabled: true

# ingress
  service_type: clusterip
  ingress_type: ingress
  ingress_hosts:
    - hostname: foo.bar.com

# postgres
  postgres_storage_class: netapp
  postgres_storage_requirements:
    requests:
      storage: 100Gi

# Assigning AWX pods to specific nodes
  node_selector: |
    team: operations
  tolerations: |
    - key: "team"
      operator: "Equal"
      value: "operations"
      effect: "NoSchedule"
  postgres_selector: |
    team: operations
  postgres_tolerations: |
    - key: "team"
      operator: "Equal"
      value: "operations"
      effect: "NoSchedule"
  web_node_selector: |
    team: operations
  web_tolerations: |
    - key: "team"
      operator: "Equal"
      value: "operations"
      effect: "NoSchedule"
  task_node_selector: |
    team: operations
  task_tolerations: |
    - key: "team"
      operator: "Equal"
      value: "operations"
      effect: "NoSchedule"

Then execute the following command again.

kubectl apply -k .

Expected results

The jobs that AWX spins up to only go on the nodes with label "team=operations"

Actual results

The jobs that AWX spins up are going to nodes that don't have the label "team=operations" and thus fail since our firewall doesn't allow other nodes to SSH to our VMs.

Additional information

No response

@TheRealHaoLiu
Member

Job pods are not controlled by the node selector defined in the AWX resource.

Please modify the container group (https://ansible.readthedocs.io/projects/awx/en/latest/administration/containers_instance_groups.html#customize-the-pod-spec) and add the toleration there to control the job pods.
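
Added example, not part of the original thread and not the project's own configuration: a container group pod spec override that pins job pods to the nodes the firewall rules allow, using the `team=operations` label and toleration from the report. The base fields (service account, `worker` container, image tag, resource requests) are assumed to follow the default pod spec offered when customizing a container group and may differ in your AWX version.

```yaml
# Custom pod spec for the container group that runs the jobs.
# Assumption: base fields mirror the default spec; only nodeSelector
# and tolerations are the additions relevant to this issue.
apiVersion: v1
kind: Pod
metadata:
  namespace: awx
spec:
  serviceAccountName: default
  automountServiceAccountToken: false
  # Restrict job pods to nodes labelled team=operations, the only
  # nodes the firewall permits to open SSH sessions to managed VMs.
  nodeSelector:
    team: operations
  # Allow scheduling onto those nodes if they also carry the
  # team=operations:NoSchedule taint. A toleration alone does not
  # keep pods off other nodes; the nodeSelector does that.
  tolerations:
    - key: "team"
      operator: "Equal"
      value: "operations"
      effect: "NoSchedule"
  containers:
    - name: worker
      image: quay.io/ansible/awx-ee:latest  # assumed default image
      args:
        - ansible-runner
        - worker
        - '--private-data-dir=/runner'
      resources:
        requests:
          cpu: 250m
          memory: 100Mi
```

After saving the container group, running a job and checking `kubectl get pods -n awx -o wide` shows which node each job pod was scheduled on.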
