
Fix cert-manager deployment on hardening environments #9404

Merged (1 commit), Oct 20, 2022

Conversation

@oomichi oomichi commented Oct 19, 2022

What type of PR is this?

/kind bug

What this PR does / why we need it:

On hardening environments, cert-manager pods could not be created from the corresponding deployments.
This adds the securityContext to solve the issue.

This is a similar change to #9398.

Which issue(s) this PR fixes:

Fixes #9349

Does this PR introduce a user-facing change?:

Fix cert-manager deployment on hardening environments
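The fix described above is a securityContext that lets the cert-manager pod templates pass PodSecurity admission on a hardened cluster. The following is an added example, not code from this PR or from kubespray: a checker for the core checks of the Pod Security "restricted" profile, run over a constructed template without a securityContext and one with an assumed securityContext (the exact fields the PR added are not shown on this page).

```python
"""Core checks of the Pod Security "restricted" profile, applied to a Deployment
pod template. Added example, not kubespray's code; the values are assumptions."""

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def restricted_violations(pod_spec: dict) -> list:
    """Return violation messages; an empty list means the template passes."""
    found = []
    pod_sc = pod_spec.get("securityContext", {})
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(key):
            found.append(f"pod: {key} must not be set")
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            found.append(f"{name}: privileged containers are not allowed")
        # restricted requires an explicit false, not merely "unset"
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: allowPrivilegeEscalation must be false")
        # pod-level value applies unless the container overrides it
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            found.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            found.append(f"{name}: capabilities must drop ALL")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            found.append(f"{name}: may only add NET_BIND_SERVICE, not {sorted(extra)}")
    return found


# Constructed pod templates (assumptions, not the real cert-manager manifest).
UNHARDENED = {"containers": [{"name": "cert-manager", "image": "example/cert-manager:placeholder"}]}
HARDENED = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "cert-manager", "image": "example/cert-manager:placeholder",
        "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
    }],
}

if __name__ == "__main__":
    for label, spec in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(label, restricted_violations(spec) or "OK")
```

The unhardened template fails four checks (privilege escalation, non-root, seccomp, capabilities), which is the shape of the PodSecurity rejection the linked issue reports; the hardened one passes.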

@k8s-ci-robot

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Oct 19, 2022
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Oct 19, 2022
@oomichi oomichi changed the title Enable cert manager WIP: Enable cert manager Oct 19, 2022
oomichi commented Oct 19, 2022

There is no cert-manager pod on the hardening job, like:

TASK [debug] *******************************************************************
task path: /builds/kargo-ci/kubernetes-sigs-kubespray/tests/testcases/020_check-pods-running.yml:24
Wednesday 19 October 2022  06:20:59 +0000 (0:00:00.369)       0:00:04.881 ***** 
ok: [instance-1] => {
    "msg": [
        "NAMESPACE     NAME                                      READY   STATUS    RESTARTS      AGE     IP               NODE         NOMINATED NODE   READINESS GATES",
        "default       netchecker-server-5857c6bc77-z869h        2/2     Running   1 (59s ago)   64s     10.233.87.131    instance-1   <none>           <none>",
        "kube-system   calico-kube-controllers-56fd7b8dc-vtmjz   1/1     Running   0             97s     172.30.113.243   instance-1   <none>           <none>",
        "kube-system   calico-node-vnq45                         1/1     Running   0             114s    172.30.113.243   instance-1   <none>           <none>",
        "kube-system   coredns-74d6c5659f-zkdbb                  1/1     Running   0             77s     10.233.87.129    instance-1   <none>           <none>",
        "kube-system   dns-autoscaler-6656dfd4c6-vmw2v           1/1     Running   0             73s     10.233.87.130    instance-1   <none>           <none>",
        "kube-system   etcd-instance-1                           1/1     Running   0             2m47s   172.30.113.243   instance-1   <none>           <none>",
        "kube-system   kube-apiserver-instance-1                 1/1     Running   1             2m47s   172.30.113.243   instance-1   <none>           <none>",
        "kube-system   kube-controller-manager-instance-1        1/1     Running   1             2m47s   172.30.113.243   instance-1   <none>           <none>",
        "kube-system   kube-proxy-c95pq                          1/1     Running   0             114s    172.30.113.243   instance-1   <none>           <none>",
        "kube-system   kube-scheduler-instance-1                 1/1     Running   1             2m46s   172.30.113.243   instance-1   <none>           <none>"
    ]
}

even after enabling the cert-manager deployment.
That might be due to the deployment issue reported in the issue.

@oomichi oomichi closed this Oct 19, 2022
@oomichi oomichi reopened this Oct 20, 2022
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 20, 2022
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 20, 2022
@oomichi oomichi changed the title WIP: Enable cert manager WIP: Fix cert-manager deployment on hardening environments Oct 20, 2022
oomichi commented Oct 20, 2022

All cert-manager pods are running after applying this change:

ok: [instance-1] => {
    "msg": [
        "NAMESPACE      NAME                                       READY   STATUS    RESTARTS      AGE    IP              NODE         NOMINATED NODE   READINESS GATES",
        "cert-manager   cert-manager-7d457bb758-sdlbc              1/1     Running   0             101s   10.233.87.129   instance-1   <none>           <none>",
        "cert-manager   cert-manager-cainjector-79bfdbf497-tzvdx   1/1     Running   0             101s   10.233.87.130   instance-1   <none>           <none>",
        "cert-manager   cert-manager-webhook-5fb958587d-jjzwb      1/1     Running   0             101s   10.233.87.131   instance-1   <none>           <none>",
        "default        netchecker-server-5857c6bc77-x5dbd         2/2     Running   1 (66s ago)   71s    10.233.87.134   instance-1   <none>           <none>",
        "kube-system    calico-kube-controllers-56fd7b8dc-8b7bt    1/1     Running   0             106s   172.30.113.42   instance-1   <none>           <none>",
        "kube-system    calico-node-zm8hp                          1/1     Running   0             2m7s   172.30.113.42   instance-1   <none>           <none>",
        "kube-system    coredns-74d6c5659f-69cz7                   1/1     Running   0             84s    10.233.87.132   instance-1   <none>           <none>",
        "kube-system    dns-autoscaler-6656dfd4c6-lbg2w            1/1     Running   0             80s    10.233.87.133   instance-1   <none>           <none>",
        "kube-system    etcd-instance-1                            1/1     Running   0             3m1s   172.30.113.42   instance-1   <none>           <none>",
        "kube-system    kube-apiserver-instance-1                  1/1     Running   1             3m1s   172.30.113.42   instance-1   <none>           <none>",
        "kube-system    kube-controller-manager-instance-1         1/1     Running   1             3m1s   172.30.113.42   instance-1   <none>           <none>",
        "kube-system    kube-proxy-dp7hz                           1/1     Running   0             2m7s   172.30.113.42   instance-1   <none>           <none>",
        "kube-system    kube-scheduler-instance-1                  1/1     Running   1             3m1s   172.30.113.42   instance-1   <none>           <none>"
    ]
}

On hardening environments, cert-manager pods could not be created
from the corresponding deployments. This adds the securityContext
to solve the issue.
@oomichi oomichi changed the title WIP: Fix cert-manager deployment on hardening environments Fix cert-manager deployment on hardening environments Oct 20, 2022
@oomichi oomichi marked this pull request as ready for review October 20, 2022 03:32
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 20, 2022
yankay commented Oct 20, 2022

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 20, 2022
@floryut floryut left a comment

@oomichi Neat 👍

@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: floryut, oomichi

@floryut floryut closed this Oct 20, 2022
@floryut floryut reopened this Oct 20, 2022
@k8s-ci-robot k8s-ci-robot merged commit 0374a55 into kubernetes-sigs:master Oct 20, 2022
floryut commented Oct 20, 2022

(had to close/reopen to resync ~~)

salifou pushed a commit to salifou/kubespray that referenced this pull request Nov 13, 2022
@floryut floryut mentioned this pull request Jan 4, 2023
enneitex pushed a commit to enneitex/kubespray that referenced this pull request Jan 25, 2023
HoKim98 pushed a commit to ulagbulag/kubespray that referenced this pull request Mar 8, 2023
nolimitkun pushed a commit to nolimitkun/kubespray that referenced this pull request Mar 19, 2023

Successfully merging this pull request may close these issues.

cert-manager pods fail to start due to violating PodSecurity on a "hardened" cluster