Handling all the events from Storage and Ingress classes #108

Merged
merged 1 commit into from
Oct 17, 2020

@prometherion prometherion commented Oct 17, 2020

This PR is going to close #105 and enhance the enforcement of Ingress resources, blocking any fraudulent creation performed by a Service Account that wouldn't be matched by the utils.InCapsuleGroup utility.

e2e suite is green and tested on my own as follows:

# create the tenant oil from samples, and alive kubeconfig

$: cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  serviceName: "nginx"
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: k8s.gcr.io/nginx-slim:0.8
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      storageClassName: forbidden  # since oil just allows the default one
      accessModes: [ "ReadWriteOnce" ]
      resources:
        requests:
          storage: 1Gi
EOF
# statefulset.apps/web created

# now sts is there, hanging
$: kubectl get statefulset
NAME   READY   AGE
web    0/2     6m21s

# you can check the failed webhook, there
$: kubectl describe statefulset web | grep -i events -A 10
kubectl describe sts web| grep -i events -A 10
Events:
  Type     Reason        Age                    From                    Message
  ----     ------        ----                   ----                    -------
  Warning  FailedCreate  6m56s (x12 over 7m6s)  statefulset-controller  create Pod web-0 in StatefulSet web failed error: failed to create PVC www-web-0: admission webhook "pvc.capsule.clastix.io" denied the request: Storage Class foo is forbidden for the current Tenant
  Warning  FailedCreate  99s (x17 over 7m6s)    statefulset-controller  create Claim www-web-0 for Pod web-0 in StatefulSet web failed error: admission webhook "pvc.capsule.clastix.io" denied the request: Storage Class foo is forbidden for the current Tenant

@prometherion prometherion self-assigned this Oct 17, 2020
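
Added example, not code from this PR or from Capsule: it contrasts a PVC storage-class check gated on the requester's group with one gated on the target namespace, assuming the pre-fix behaviour was to skip requesters outside the tenant-owner group. The types, the `tenant-owners` group name and the `oil-production` namespace are constructed for illustration.

```go
package main

import "fmt"

// Hypothetical, simplified types: not Capsule's API.
type Request struct {
	Groups                  []string
	Namespace, StorageClass string
}

type Tenant struct {
	Namespaces, AllowedClasses map[string]bool
}

const ownerGroup = "tenant-owners" // constructed group name (assumption)

func inGroup(groups []string, want string) bool {
	for _, g := range groups {
		if g == want {
			return true
		}
	}
	return false
}

// allowByRequester enforces the policy only for tenant owners, so a PVC
// created on their behalf by a controller's service account is never checked.
func allowByRequester(t Tenant, r Request) bool {
	if !inGroup(r.Groups, ownerGroup) {
		return true // skipped: requester is not a tenant owner
	}
	return t.AllowedClasses[r.StorageClass]
}

// allowByNamespace enforces the policy on every request that targets a
// tenant namespace, whoever sent it.
func allowByNamespace(t Tenant, r Request) bool {
	if !t.Namespaces[r.Namespace] {
		return true // not a tenant namespace, nothing to enforce
	}
	return t.AllowedClasses[r.StorageClass]
}

func main() {
	oil := Tenant{map[string]bool{"oil-production": true}, map[string]bool{"default": true}}
	// Constructed request: the StatefulSet controller creating the PVC.
	sts := Request{[]string{"system:serviceaccounts"}, "oil-production", "forbidden"}
	fmt.Println(allowByRequester(oil, sts), allowByNamespace(oil, sts))
}
```

The requester-gated check admits the controller's PVC with the disallowed class, while the namespace-gated check denies it, which matches the `FailedCreate` events shown above.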

@bsctl bsctl left a comment

@prometherion nice work, as usual :)
Tested on a live setup. LGTM.

Successfully merging this pull request may close these issues.

Storage Class policy is not applied to Persistent Volume Claims generated from StatefulSets