Move away from Jobs to Pods #266
Skipping CI for Draft Pull Request.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: lpiwowar. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/9f2d32ae798a498fb41c1b99fcb8cb1e ✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 22m 41s
With this PR [1] the test operator dropped the usage of OCP Jobs for spawning of the test pods. This change updates the test-operator role so that it works with the new version of the test-operator that spawns test pods directly through the OCP Pods object. [1] openstack-k8s-operators/test-operator#266
cdb82e1 to 9efbbb1
This change depends on a change that failed to merge. Change openstack-k8s-operators/ci-framework#2604 is needed.
recheck
In this PR [1] we dropped the usage of the Jobs by the test-operator. This allows us to drop the rights for:

- ServiceAccount managing & creation
- Role managing & creation
- RoleBinding managing & creation

These rights were only needed because Jobs were required to be spawned with an extra ServiceAccount that would have elevated privileges in case the test pods need to run with privileged SecurityContext.

[1] openstack-k8s-operators#266

Depends-On: openstack-k8s-operators#266
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/8d8a9fbde32c44ddbc4991307290d9e9 ✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 15m 41s
recheck
/hold These PRs need to be merged at the same time. The idea is to first get
/test all
The test-operator is using Jobs to spawn test pods even though it does not use any features of this k8s object. Plus usage of the Jobs requires creation of ServiceAccount in the target namespaces. In order to be able to create a new SA, the test-operator has to have rights to create new roles and rolebindings which in our case makes the attack surface larger. This patch drops the usage of Jobs and moves to Pods. Depends-On: openstack-k8s-operators/ci-framework#2604
We dropped the usage of Jobs in test-operator. Let's rename the file to reflect this change.
9efbbb1 to cd18a0b
/test all
The test-operator is using Jobs to spawn test pods even though it does
not use any features of this k8s object. Plus usage of the Jobs requires
creation of ServiceAccount in the target namespaces. In order to be able
to create a new SA, the test-operator has to have rights to create new
roles and rolebindings which in our case makes the attack surface
larger.
This patch drops the usage of Jobs and moves to Pods.
Depends-On: openstack-k8s-operators/ci-framework#2604
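
The RBAC reduction described in this PR can be checked mechanically. The following is an added example, not code from the test-operator or ci-framework repositories: it flags rules that grant write access to ServiceAccounts, Roles or RoleBindings, including grants made through the `*` wildcard. The rule sets `BEFORE` and `AFTER` are constructed for illustration, and the function name `risky_grants` is hypothetical.

```python
# Added example. Rules use the shape of Kubernetes RBAC PolicyRule objects;
# BEFORE and AFTER are constructed samples, not the operator's real manifests.
RBAC = "rbac.authorization.k8s.io"
# Resources whose write access lets a controller mint identities or grant rights.
SENSITIVE = [("", "serviceaccounts"), (RBAC, "roles"), (RBAC, "rolebindings")]
# Mutating verbs, plus the RBAC-specific "bind" and "escalate".
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection",
               "bind", "escalate"}


def _grants(values, wanted):
    """True if a PolicyRule list names `wanted` directly or via the '*' wildcard."""
    return "*" in values or wanted in values


def risky_grants(rules):
    """Return (rule_index, api_group, resource, verbs) for each sensitive grant."""
    findings = []
    for idx, rule in enumerate(rules):
        verbs = set(rule.get("verbs", []))
        hit = WRITE_VERBS if "*" in verbs else verbs & WRITE_VERBS
        if not hit:
            continue  # read-only rules are not what this check looks for
        for group, resource in SENSITIVE:
            if _grants(rule.get("apiGroups", []), group) and \
               _grants(rule.get("resources", []), resource):
                findings.append((idx, group, resource, sorted(hit)))
    return findings


BEFORE = [  # constructed: operator that spawns Jobs with a dedicated SA
    {"apiGroups": ["batch"], "resources": ["jobs"],
     "verbs": ["create", "get", "list", "watch", "delete"]},
    {"apiGroups": [""], "resources": ["serviceaccounts"],
     "verbs": ["create", "get", "list", "watch"]},
    {"apiGroups": [RBAC], "resources": ["roles", "rolebindings"],
     "verbs": ["create", "get", "patch"]},
]
AFTER = [  # constructed: operator that spawns Pods directly
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["create", "get", "list", "watch", "delete"]},
]

if __name__ == "__main__":
    for name, rules in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, risky_grants(rules) or "no sensitive write grants")
```

The check matches resource names exactly, so subresources such as `serviceaccounts/token` are outside its scope.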