From 4c03936f57bc61fffe0fa2116abff0e1e9128661 Mon Sep 17 00:00:00 2001 From: Ville Lautanala Date: Thu, 18 Oct 2018 15:27:19 +0300 Subject: [PATCH] Predeploy RoleBinding before unmanaged pods RoleBindings should be deployed before unmanaged pods. This matters when RoleBindings define Pod Security Policies. This might prevent unmanaged pods from starting unless RoleBinding has been set up. Regular pods retry so the race condition would not break anything.
---
lib/kubernetes-deploy/deploy_task.rb | 1 + .../kubernetes_resource/role_binding.rb | 22 +++++++++++++++++++ test/fixtures/hello-cloud/role-binding.yml | 12 ++++++++++ test/integration/kubernetes_deploy_test.rb | 18 ++++++++++++++- 4 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 lib/kubernetes-deploy/kubernetes_resource/role_binding.rb create mode 100644 test/fixtures/hello-cloud/role-binding.yml
diff --git a/lib/kubernetes-deploy/deploy_task.rb b/lib/kubernetes-deploy/deploy_task.rb
index 8a29e3ac9..0b178d7c0 100644
--- a/lib/kubernetes-deploy/deploy_task.rb
+++ b/lib/kubernetes-deploy/deploy_task.rb
@@ -52,6 +52,7 @@ class DeployTask ConfigMap PersistentVolumeClaim ServiceAccount + RoleBinding Pod )
diff --git a/lib/kubernetes-deploy/kubernetes_resource/role_binding.rb b/lib/kubernetes-deploy/kubernetes_resource/role_binding.rb
new file mode 100644
index 000000000..bcd1c9d06
--- /dev/null
+++ b/lib/kubernetes-deploy/kubernetes_resource/role_binding.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module KubernetesDeploy
+ class RoleBinding < KubernetesResource
+ TIMEOUT = 30.seconds
+
+ def status
+ exists? ? "Created" : "Unknown"
+ end
+
+ def deploy_succeeded?
+ exists?
+ end
+
+ def deploy_failed?
+ false
+ end
+
+ def timeout_message
+ UNUSUAL_FAILURE_MESSAGE
+ end
+ end
+end
diff --git a/test/fixtures/hello-cloud/role-binding.yml b/test/fixtures/hello-cloud/role-binding.yml
new file mode 100644
index 000000000..0d467a76b
--- /dev/null
+++ b/test/fixtures/hello-cloud/role-binding.yml
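Review bot: `RoleBinding` joins the predeploy list here, but no `Role` entry is visible beside it, so a Role shipped in the same template set would presumably still be applied after the unmanaged pods. A RoleBinding whose `roleRef` points at a Role that does not exist yet can be created but grants nothing until the Role appears, so the Pod Security Policy case from the commit message is only covered when the Role is already in the cluster. Consider predeploying `Role` ahead of `RoleBinding`, or state the limitation next to the entry, e.g. `# RoleBinding only: the referenced Role must already exist in the cluster`. The list starts above this hunk, so check this against the full array.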
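Review bot: `deploy_succeeded?` treats bare existence as success and `deploy_failed?` is hard-coded to `false`, so a binding whose `roleRef` or subjects do not resolve is still reported as deployed. That is a defensible criterion for an object without a status field, but it should be written down on the class, e.g. `# Success means the object exists; the referenced Role and subjects are not checked.` With `deploy_failed?` always false, the only way this resource appears to fail is the 30-second `TIMEOUT`, which surfaces `UNUSUAL_FAILURE_MESSAGE`; a one-line comment on `timeout_message` saying so would help whoever debugs a stalled predeploy.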
@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+ name: build-robot
diff --git a/test/integration/kubernetes_deploy_test.rb b/test/integration/kubernetes_deploy_test.rb
index 001acbdd6..6da519ee9 100644
--- a/test/integration/kubernetes_deploy_test.rb
+++ b/test/integration/kubernetes_deploy_test.rb
@@ -12,7 +12,7 @@ def test_full_hello_cloud_set_deploy_succeeds %r{Deploying Pod/unmanaged-pod-[-\w]+ \(timeout: 60s\)}, # annotation timeout override "Hello from the command runner!", # unmanaged pod logs "Result: SUCCESS", - "Successfully deployed 19 resources" + "Successfully deployed 20 resources" ], in_order: true) assert_logs_match_all([
@@ -52,6 +52,22 @@ def test_service_account_predeployed_before_unmanaged_pod ], in_order: true) end + def test_role_binding_predeployed_before_unmanaged_pod + result = deploy_fixtures("hello-cloud", + subset: ["configmap-data.yml", "unmanaged-pod.yml.erb", "role-binding.yml", "service-account.yml"]) + + # Expect that role binding account is deployed before the unmanaged pod + assert_deploy_success(result) + hello_cloud = FixtureSetAssertions::HelloCloud.new(@namespace) + hello_cloud.assert_configmap_data_present + hello_cloud.assert_all_service_accounts_up + hello_cloud.assert_unmanaged_pod_statuses("Succeeded") + assert_logs_match_all([ + %r{Successfully deployed in \d.\ds: RoleBinding/role-binding}, + %r{Successfully deployed in \d.\ds: Pod/unmanaged-pod-.*} + ], in_order: true) + end + def test_pruning_works assert_deploy_success(deploy_fixtures("hello-cloud")) hello_cloud = FixtureSetAssertions::HelloCloud.new(@namespace)
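Review bot: `test_role_binding_predeployed_before_unmanaged_pod` checks only the order of two log lines and never asserts that `RoleBinding/role-binding` exists in the namespace. The unmanaged pod in the subset does not appear to depend on the binding, so the race described in the commit message is not exercised; an assertion on the created binding next to `assert_all_service_accounts_up` would at least pin the object itself. In both patterns the dot in `\d.\ds` is unescaped and matches any character, where `\d\.\ds` is what is meant. The comment says "role binding account", which looks like a leftover from the service-account test; `# Expect that the role binding is deployed before the unmanaged pod` reads correctly.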