-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deploy statusreconciler for prow.k8s.io #12258
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -434,6 +434,53 @@ spec: | |
serviceName: hook | ||
servicePort: 8888 | ||
--- | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: statusreconciler | ||
namespace: default | ||
labels: | ||
app: statusreconciler | ||
spec: | ||
replicas: 1 | ||
template: | ||
metadata: | ||
labels: | ||
app: statusreconciler | ||
spec: | ||
serviceAccountName: statusreconciler | ||
terminationGracePeriodSeconds: 180 | ||
containers: | ||
- name: statusreconciler | ||
image: gcr.io/k8s-prow/status-reconciler:v20190416-efb77f1e2 | ||
args: | ||
- --dry-run=false | ||
- --continue-on-error=true | ||
- --plugin-config=/etc/plugins/plugins.yaml | ||
- --config-path=/etc/config/config.yaml | ||
- --github-token-path=/etc/github/oauth | ||
- --job-config-path=/etc/job-config | ||
volumeMounts: | ||
- name: oauth | ||
mountPath: /etc/github | ||
readOnly: true | ||
- name: config | ||
mountPath: /etc/config | ||
readOnly: true | ||
- name: plugins | ||
mountPath: /etc/plugins | ||
readOnly: true | ||
volumes: | ||
- name: oauth | ||
secret: | ||
secretName: oauth-token | ||
- name: config | ||
configMap: | ||
name: config | ||
- name: plugins | ||
configMap: | ||
name: plugins | ||
--- | ||
kind: ServiceAccount | ||
apiVersion: v1 | ||
metadata: | ||
|
@@ -662,3 +709,35 @@ roleRef: | |
subjects: | ||
- kind: ServiceAccount | ||
name: "tide" | ||
--- | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
namespace: default | ||
name: "statusreconciler" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Does every service really needs it's own service account as opposed to one scoped for prow or some larger subset thereof? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. More granular permissions are better IMO |
||
--- | ||
kind: Role | ||
apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
metadata: | ||
namespace: default | ||
name: "statusreconciler" | ||
rules: | ||
- apiGroups: | ||
- "prow.k8s.io" | ||
resources: | ||
- prowjobs | ||
verbs: | ||
- create | ||
--- | ||
kind: RoleBinding | ||
apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
metadata: | ||
namespace: default | ||
name: "statusreconciler" | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: "statusreconciler" | ||
subjects: | ||
- kind: ServiceAccount | ||
name: "statusreconciler" |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -39,9 +39,7 @@ spec: | |
- --config-path=/etc/config/config.yaml | ||
- --github-token-path=/etc/github/oauth | ||
- --job-config-path=/etc/job-config | ||
ports: | ||
- name: http | ||
containerPort: 8888 | ||
- --blacklist=kubernetes/kubernetes | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. FYI |
||
volumeMounts: | ||
- name: oauth | ||
mountPath: /etc/github | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see
build
andcrier
use RBAC -- I don't fully understand when we can and cannot -- should I use it forstatus-reconciler
too?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would assume we can everywhere so long as it's properly configured?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cjwagner had some comments about turning off legacy authorization on the cluster?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think our cluster is ignoring RBAC because legacy authorization is enabled and I think it needs to be enabled until we figure out how to configure RBAC correctly for
plank
,deck
, andsinker
to be authenticated and authorized to create/list/delete pods in separate build clusters. I'm not entirely certain about either of those points though.