[JIRA] (JENKINS-41388) Any change to Jenkins system config via UI incorrectly sets the namespace for the kubernetes-plugin

[rawlingsj80@gmail.com (JIRA)]

James Rawlings created an issue

Jenkins / JENKINS-41388 Any change to Jenkins system config via UI incorrectly sets the namespace for the kubernetes-plugin Issue Type: Bug Assignee: Carlos Sanchez Components: kubernetes-plugin Created: 2017/Jan/24 7:50 PM Environment: Kubernetes Priority: Minor Reporter: James Rawlings Not sure if this is kubernetes-plugin issue or the Jenkins UI however... I preload a Jenkins config.xml when jenkins starts which doesn't contain the kubernetes plugin <namespace> element so that the plugin will use the current namespace to create build pods. After making a change to any config vi the http://jenkins.example.io/configure UI the kubernetes plugin config now has a Namespace of 'default'. If Jenkins is not running in the default namespace (which most set ups will use custom namespaces) then the jenkins service account doesn't have the permissions to create a build pod in the default namespace resulting in a logs error of.. io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://kubernetes.default/api/v1/namespaces/default/pods. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked I think there was a change to the plugin so that the current namespace is used to run build pods so I'm hoping the optional config via the UI can just be removed perhaps? Add Comment

This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)

[rawlingsj80@gmail.com (JIRA)]

James Rawlings commented on JENKINS-41388

Re: Any change to Jenkins system config via UI incorrectly sets the namespace for the kubernetes-plugin We also had this reported to us before https://groups.google.com/forum/#!topic/fabric8/H-UGSFJLC6g

Add Comment

[jenkins-ci@carlossanchez.eu (JIRA)]

Carlos Sanchez commented on JENKINS-41388

Re: Any change to Jenkins system config via UI incorrectly sets the namespace for the kubernetes-plugin

if I try to run something without passing a namespace I get an error, so I don't know how how is it expected to infer the "current" namespace WARNING: Provisioned agent Kubernetes Pod Template failed to launch io.fabric8.kubernetes.client.KubernetesClientException: Namespace not specified. But operation requires namespace. at io.fabric8.kubernetes.client.dsl.base.OperationSupport.checkNamespace(OperationSupport.java:160) at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleCreate(OperationSupport.java:207) at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleCreate(BaseOperation.java:643) at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:300) at org.csanchez.jenkins.plugins.kubernetes.KubernetesCloud$ProvisioningCallback.call(KubernetesCloud.java:610) at org.csanchez.jenkins.plugins.kubernetes.KubernetesCloud$ProvisioningCallback.call(KubernetesCloud.java:558) at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745)

Add Comment

[jukka.lehtniemi@gmail.com (JIRA)]

Jukka Lehtniemi reopened an issue

I can reproduce this or very similar problem with Jenkins 2.176.3, Kubernetes plugin 1.19.2 We configure the Kubernetes using JCasC and it generates config.xml without Kubernetes <namespace> element. However after making any change to the global configuration using the Jenkins web UI the empty elements <namespace></namespace>,<inheritFrom></inheritFrom> and <nodeSelector></nodeSelector> will appear in the config.xml. After this, Jenkins fails to launch Kubernetes slaves with following exception trace: INFO: Created Pod: default/my-jnlp-f0n0n Oct 31, 2019 8:17:36 PM hudson.slaves.NodeProvisioner$2 run INFO: Kubernetes Pod Template provisioning successfully completed. We have now 3 computer(s) Oct 31, 2019 8:17:36 PM org.csanchez.jenkins.plugins.kubernetes.KubernetesLauncher launch WARNING: Error in provisioning; agent=KubernetesSlave name: my-jnlp-f0n0n, template=PodTemplate{inheritFrom='', name='my-jnlp', namesp ace='', label='my-jnlp', nodeSelector='', nodeUsageMode=EXCLUSIVE, workspaceVolume=org.csanchez.jenkins.plugins.kubernetes.volumes.works pace.DynamicPVCWorkspaceVolume@2d963013} io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://10.96.0.1/api/v1/namespaces/default/persistentvo lumeclaims. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. persistentvolumeclaims {{ is forbidden: User "system:serviceaccount:default:jenkins-master" cannot create resource "persistentvolumeclaims" in API group "" in the na}} mespace "default". {{ at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:510)}} {{ at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:447)}} {{ at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:413)}} {{ at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:372)}} {{ at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleCreate(OperationSupport.java:241)}} {{ at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleCreate(BaseOperation.java:813)}} {{ at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:328)}} {{ at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:324)}} {{ at org.csanchez.jenkins.plugins.kubernetes.volumes.workspace.DynamicPVCWorkspaceVolume.createVolume(DynamicPVCWorkspaceVolume.java:9}} 4) {{ at org.csanchez.jenkins.plugins.kubernetes.KubernetesLauncher.launch(KubernetesLauncher.java:130)}} {{ at hudson.slaves.SlaveComputer$1.call(SlaveComputer.java:294)}} {{ at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46)}} {{ at jenkins.security.ImpersonatingExecutorService$2.call(ImpersonatingExecutorService.java:71)}} {{ at java.util.concurrent.FutureTask.run(FutureTask.java:266)}} {{ at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)}} {{ at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)}} {{ at java.lang.Thread.run(Thread.java:748)}}   Thus, it seems to me that the namespace='' is not equal to not having a namespace element at all in the config.xml

Jenkins / JENKINS-41388

Any change to Jenkins system config via UI incorrectly sets the namespace for the kubernetes-plugin

Change By: Jukka Lehtniemi Resolution: Fixed Status: Closed Reopened

Add Comment

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

[jukka.lehtniemi@gmail.com (JIRA)]

Jukka Lehtniemi edited a comment on JENKINS-41388

Re: Any change to Jenkins system config via UI incorrectly sets the namespace for the kubernetes-plugin

I can reproduce this or very similar problem with Jenkins 2.176.3, Kubernetes plugin 1.19.2

We configure the Kubernetes using JCasC and it generates {{config.xml}} without Kubernetes {{<namespace>}} element. However after making any change to the global configuration using the Jenkins web UI the empty elements {{<namespace></namespace>,<inheritFrom></inheritFrom> and <nodeSelector></nodeSelector>}} will appear in the {{config.xml}}. After this, Jenkins fails to launch Kubernetes slaves with following exception trace: { { code}

{code}

Thus, it seems to me that the namespace='' is not equal to not having a namespace element at all in the config.xml

Add Comment