Allow disabling service workspace volumes in k8s#6644
Merged
6543 merged 3 commits intoMay 26, 2026
Conversation
Currently when using the Kubernetes backend all services are provisioned
with the workspace PVC volume mounted. This causes problems when using
`ReadWriteOnce` PVC volumes in multi-node clusters as the service and
step Pods can be provisioned onto different nodes.
A workaround for this is to use the PodAffinity controls on the agent:
```yaml
env:
WOODPECKER_BACKEND_K8S_POD_AFFINITY: |
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector: {}
matchLabelKeys: ['woodpecker-ci.org/task-uuid']
topologyKey: 'kubernetes.io/hostname'
```
This ensures the step Pods are provisioned onto nodes already containing
Pods from the same task. This will always result in co-locating the
service Pods with step Pods.
While this kind of works, it means that a single Node now needs to be
sized appropriately to host all the service Pods as well as the step Pod
which uses them.
A better solution that allows distributing service Pods over all the
available nodes is to stop attaching the workspace PVC to service Pods.
A similar problem/solution is discussed in woodpecker-ci#3344, as well as some
related discussion in
woodpecker-ci#5312.
The discussion in woodpecker-ci#3344 mentions attaching a dedicated PVC to services,
but IMO this overly complicates things and adds very little value. I
believe that for most use-cases services' won't need to interact with a
PVC at all. They are just there to run a database or service dependency.
---
This change introduces two new controls:
- An agent-level environment variable
`WOODPECKER_BACKEND_K8S_SERVICE_WORKSPACE_VOLUME` which defaults to
`true`.
- A step-level Kubernetes backend option
`backend_options.kubernetes.workspaceVolume` which also defaults to
`true`.
If either of these are set to `false` then the workspace PVC will not be
attached to the Pod.
Closes woodpecker-ci#3344
Contributor
|
Surge PR preview deployment was removed |
Member
|
can we remove the flag, it can just cause issues that are undocumented |
Contributor
Author
|
@6543 Are you referring to the Happy to remove, but just so I understand - what issues do you foresee this causing? I thought I did update the documentation for this config. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #6644 +/- ##
==========================================
+ Coverage 41.60% 41.73% +0.12%
==========================================
Files 432 433 +1
Lines 28805 28900 +95
==========================================
+ Hits 11983 12060 +77
- Misses 15747 15754 +7
- Partials 1075 1086 +11 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Member
|
as it is a backemd flag, it is an agent flag. let agent config change pieline execution config that is transparent to the server and git-commited config but can affect workflow to fail is something i dont want to encourage :) |
Contributor
Author
|
@6543 Makes sense. I've removed the flag |
6543
approved these changes
May 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Currently when using the Kubernetes backend all services are provisioned with the workspace PVC volume mounted. This causes problems when using
ReadWriteOncePVC volumes in multi-node clusters as the service and step Pods can be provisioned onto different nodes.A workaround for this is to use the PodAffinity controls on the agent:
This ensures the step Pods are provisioned onto nodes already containing Pods from the same task. This will always result in co-locating the service Pods with step Pods.
While this kind of works, it means that a single Node now needs to be sized appropriately to host all the service Pods as well as the step Pod which uses them.
A better solution that allows distributing service Pods over all the available nodes is to stop attaching the workspace PVC to service Pods. A similar problem/solution is discussed in #3344, as well as some related discussion in
#5312.
The discussion in #3344 mentions attaching a dedicated PVC to services, but IMO this overly complicates things and adds very little value. I believe that for most use-cases services' won't need to interact with a PVC at all. They are just there to run a database or service dependency.
This change introduces two new controls:
WOODPECKER_BACKEND_K8S_SERVICE_WORKSPACE_VOLUMEwhich defaults totrue.backend_options.kubernetes.workspaceVolumewhich also defaults totrue.If either of these are set to
falsethen the workspace PVC will not be attached to the Pod.Closes #3344