| We use OPA gatekeeper to restrict which images can be used by our kubernetes builds. This means that if a non-whitelisted image is used, the k8s API server will reject the creation of the pod. If I manually apply the yaml from jenkins, then the rejection looks like this:
> kubectl apply -f hest.yaml
Error from server ([denied by image-constraint] container <gradle> has an invalid image repo <illegal:latest>, allowed repos are ["jenkins/jnlp-slave:", "gitlab/gitlab-runner-helper:", "gitlab/gitlab-runner:", "foo.example.com:5501/", "gradle:", "alpine:", "golang:"]): error when creating "hest.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [denied by image-constraint] container <gradle> has an invalid image repo <illegal:latest>, allowed repos are ["jenkins/jnlp-slave:", "gitlab/gitlab-runner-helper:", "gitlab/gitlab-runner:", "foo.example.com:5501/", "gradle:", "alpine:", "golang:"]
In jenkins the build hangs at "Created Pod" until aborted.
Obtained Jenkinsfile from 259e54efd09055268dbe4e56f9f9738c4607ad1b
Running in Durability level: MAX_SURVIVABILITY
[Pipeline] Start of Pipeline
[Pipeline] podTemplate
[Pipeline] {
[Pipeline] node
Still waiting to schedule task
All nodes of label ‘gitlab-tag-service_try-jenkins-pipeline_14-x5j5r’ are offline
Created Pod: gitlab-tag-service-try-jenkins-pipeline-14-x5j5r-bsrsc-c56lf in namespace jenkins-workers
Aborted by User
As the error from the API server is immediate and informative, I would really like the message to be made visible in the build log and that the build is terminated with an error in stead of just hanging. |
