Replace pod for instances with changed file security context #2014

Merged
merged 11 commits into from
May 29, 2024

Contributor

@nicmorales9 nicmorales9 commented May 7, 2024

Description

Should solve #208 by adding a check to replacement workflow. It also adds a feature flag (default off) and an e2e test.

Type of change

  • New feature (non-breaking change which adds functionality)

Discussion

Are there any design details that you would like to discuss further?

Testing

Please describe the tests that you ran to verify your changes. Unit tests?
Manual testing?

Unit test, e2e tests
e2e test output (focus tested on the new one)

 {"level":"info","ts":"2024-05-21T17:54:19Z","logger":"controller","msg":"Attempting to run sub-reconciler","namespace":"nicmorales","cluster":"nicdev","reconciler":"controllers.replaceMisconfiguredProcessGroups"}
  {"level":"info","ts":"2024-05-21T17:54:19Z","logger":"controller","msg":"Replace process group","namespace":"nicmorales","cluster":"nicdev","reconciler":"controllers.replaceMisconfiguredProcessGroups","reason":"either FSGroup or FSGroupChangePolicy has changed for the pod SecurityContext"}
  {"level":"info","ts":"2024-05-21T17:54:19Z","logger":"controller","msg":"Replace process group","namespace":"nicmorales","cluster":"nicdev","reconciler":"controllers.replaceMisconfiguredProcessGroups","reason":"either FSGroup or FSGroupChangePolicy has changed for the pod SecurityContext"}
  {"level":"info","ts":"2024-05-21T17:54:19Z","logger":"controller","msg":"Replace process group","namespace":"nicmorales","cluster":"nicdev","reconciler":"controllers.replaceMisconfiguredProcessGroups","reason":"either FSGroup or FSGroupChangePolicy has changed for the pod SecurityContext"}
  {"level":"info","ts":"2024-05-21T17:54:19Z","logger":"controller","msg":"Replace process group","namespace":"nicmorales","cluster":"nicdev","reconciler":"controllers.replaceMisconfiguredProcessGroups","reason":"either FSGroup or FSGroupChangePolicy has changed for the pod SecurityContext"}
  {"level":"info","ts":"2024-05-21T17:54:19Z","logger":"controller","msg":"Replace process group","namespace":"nicmorales","cluster":"nicdev","reconciler":"controllers.replaceMisconfiguredProcessGroups","reason":"either FSGroup or FSGroupChangePolicy has changed for the pod SecurityContext"}
  {"level":"info","ts":"2024-05-21T17:54:19Z","logger":"controller","msg":"Removals have been updated in the cluster status","namespace":"nicmorales","cluster":"nicdev","reconciler":"controllers.replaceMisconfiguredProcessGroups"}
  {"level":"info","ts":"2024-05-21T17:54:19Z","logger":"controller","msg":"Subreconciler finished run","namespace":"nicmorales","cluster":"nicdev","reconciler":"controllers.replaceMisconfiguredProcessGroups","duration_seconds":0.031225991}

Do we need to perform additional testing once this is merged, or perform in a larger testing environment?
Any unique kubernetes environment should be checked for securityContext server-side config changes before enabling this feature.

Documentation

Did you update relevant documentation within this repository?
I think so! Added docstrings + section in docs/manual/replacements_and_deletions.md.

If this change is adding new functionality, do we need to describe it in our user manual?
I think the addition in docs/manual/replacements_and_deletions.md covers it but let me know if not.

If this change is adding or removing subreconcilers, have we updated the core technical design doc to reflect that?
N/A

If this change is adding new safety checks or new potential failure modes, have we documented and how to debug potential issues?
I think they are straightforward enough, but let me know if not

Follow-up

Are there any follow-up issues that we should pursue in the future?

Does this introduce new defaults that we should re-evaluate in the future?
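
The check described above, sketched as an added example (not the operator's own code): compare the `FSGroup` and `FSGroupChangePolicy` of the desired spec against the running pod, gated by a flag that defaults to off. It also shows why the server-side caveat under Testing matters, since a value the cluster sets on the pod but the spec omits registers as a change. The type, the function names and the group IDs are assumptions constructed for illustration.

```go
package main

import "fmt"

// PodSecurityContext is a hypothetical stand-in holding only the two pod
// securityContext fields named in the log reason; not the operator's type.
type PodSecurityContext struct {
	FSGroup             *int64
	FSGroupChangePolicy *string
}

// Reason is copied from the e2e log output in the description.
const Reason = "either FSGroup or FSGroupChangePolicy has changed for the pod SecurityContext"

// sameInt64 treats nil as "unset": two pointers match if both are nil
// or both point at equal values.
func sameInt64(a, b *int64) bool {
	if a == nil || b == nil {
		return a == b
	}
	return *a == *b
}

func sameString(a, b *string) bool {
	if a == nil || b == nil {
		return a == b
	}
	return *a == *b
}

// NeedsReplacement compares the desired spec with the running pod. The
// enabled argument models the feature flag, which the description says is
// off by default.
func NeedsReplacement(enabled bool, desired, running PodSecurityContext) (bool, string) {
	if !enabled {
		return false, ""
	}
	if !sameInt64(desired.FSGroup, running.FSGroup) ||
		!sameString(desired.FSGroupChangePolicy, running.FSGroupChangePolicy) {
		return true, Reason
	}
	return false, ""
}

func main() {
	gid, injected, policy := int64(4059), int64(1000650000), "OnRootMismatch" // constructed values
	spec := PodSecurityContext{FSGroup: &gid, FSGroupChangePolicy: &policy}
	fmt.Println(NeedsReplacement(true, spec, PodSecurityContext{FSGroup: &gid})) // policy added to spec
	// Spec sets nothing, but the cluster set fsGroup on the pod server-side.
	fmt.Println(NeedsReplacement(true, PodSecurityContext{}, PodSecurityContext{FSGroup: &injected}))
	fmt.Println(NeedsReplacement(false, spec, PodSecurityContext{})) // flag off: never replace
}
```

In the second call the replacement pod would receive the same server-side value again, so a comparison like this one would keep reporting a change.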

@nicmorales9 nicmorales9 changed the title Replace pod for instances with changed file security context Draft: Replace pod for instances with changed file security context May 7, 2024
@nicmorales9 nicmorales9 marked this pull request as draft May 7, 2024 17:19
@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: 1cc8248
  • Duration 0:03:00
  • Result: ❌ FAILED
  • Error: Error while executing command: IMG=${REGISTRY}/${OPERATOR_IMAGE} make container-build container-push. Reason: exit status 2
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: 61a2a82
  • Duration 0:03:00
  • Result: ❌ FAILED
  • Error: Error while executing command: IMG=${REGISTRY}/${OPERATOR_IMAGE} make container-build container-push. Reason: exit status 2
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: 7022a81
  • Duration 0:03:27
  • Result: ❌ FAILED
  • Error: Error while executing command: IMG=${REGISTRY}/${OPERATOR_IMAGE} make container-build container-push. Reason: exit status 2
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@nicmorales9 nicmorales9 force-pushed the sec-ctx-replace branch 2 times, most recently from 6973575 to adc0fc4 Compare May 9, 2024 12:59
@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: 5c4b38f
  • Duration 2:19:28
  • Result: ✅ SUCCEEDED
  • Error: N/A
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: 6973575
  • Duration 2:33:03
  • Result: ✅ SUCCEEDED
  • Error: N/A
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: adc0fc4
  • Duration 2:41:18
  • Result: ❌ FAILED
  • Error: Error while executing command: if $fail_test; then exit 1; fi. Reason: exit status 1
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: c840622
  • Duration 2:23:30
  • Result: ✅ SUCCEEDED
  • Error: N/A
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@nicmorales9 nicmorales9 force-pushed the sec-ctx-replace branch 2 times, most recently from d1f15b3 to 7bb571b Compare May 15, 2024 11:34
@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: c99f3b9
  • Duration 2:37:21
  • Result: ✅ SUCCEEDED
  • Error: N/A
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: d1f15b3
  • Duration 2:32:46
  • Result: ❌ FAILED
  • Error: Error while executing command: if $fail_test; then exit 1; fi. Reason: exit status 1
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: 7bb571b
  • Duration 2:25:57
  • Result: ❌ FAILED
  • Error: Error while executing command: if $fail_test; then exit 1; fi. Reason: exit status 1
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: aadc211
  • Duration 0:04:47
  • Result: ❌ FAILED
  • Error: reference not found for primary source and source version aadc211efc0f69bd7ca71d127cf28924e7441fe9
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: c18a3e8
  • Duration 0:10:29
  • Result: ❌ FAILED
  • Error: Error while executing command: if $fail_test; then exit 1; fi. Reason: exit status 1
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: 9509765
  • Duration 2:41:10
  • Result: ❌ FAILED
  • Error: Error while executing command: if $fail_test; then exit 1; fi. Reason: exit status 1
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@nicmorales9 nicmorales9 changed the title Draft: Replace pod for instances with changed file security context Replace pod for instances with changed file security context May 21, 2024
@nicmorales9 nicmorales9 marked this pull request as ready for review May 21, 2024 15:32
@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: eee8a80
  • Duration 2:20:15
  • Result: ❌ FAILED
  • Error: Error while executing command: if $fail_test; then exit 1; fi. Reason: exit status 1
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: 6ca31a7
  • Duration 2:19:52
  • Result: ❌ FAILED
  • Error: Error while executing command: if $fail_test; then exit 1; fi. Reason: exit status 1
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@nicmorales9
Contributor Author

I believe the only failure was unrelated to the test as it passed when I reran locally and I believe I have seen it flake before:

[FAIL] Operator Upgrades one process is marked for removal and is stuck in terminating state [It] Upgrade from 7.1.57 to 7.3.33 [e2e, pr]
  /codebuild/output/src477579299/src/github.com/FoundationDB/fdb-kubernetes-operator/e2e/test_operator_upgrades/operator_upgrades_test.go:573

rerunning

@nicmorales9 nicmorales9 reopened this May 22, 2024
@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: 6ca31a7
  • Duration 2:33:51
  • Result: ❌ FAILED
  • Error: Error while executing command: if $fail_test; then exit 1; fi. Reason: exit status 1
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: 11d61ed
  • Duration 2:30:28
  • Result: ❌ FAILED
  • Error: Error while executing command: if $fail_test; then exit 1; fi. Reason: exit status 1
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: fb29007
  • Duration 2:36:57
  • Result: ✅ SUCCEEDED
  • Error: N/A
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: 013aa37
  • Duration 2:37:45
  • Result: ❌ FAILED
  • Error: Error while executing command: if $fail_test; then exit 1; fi. Reason: exit status 1
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: 7358c69
  • Duration 2:29:28
  • Result: ✅ SUCCEEDED
  • Error: N/A
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

Member

@johscheuer johscheuer left a comment

LGTM 👍

@foundationdb-ci

Result of fdb-kubernetes-operator-pr on Linux CentOS 7

  • Commit ID: dc26323
  • Duration 2:20:25
  • Result: ✅ SUCCEEDED
  • Error: N/A
  • Build Log terminal output (available for 30 days)
  • Build Workspace zip file of the working directory (available for 30 days)

@nicmorales9 nicmorales9 merged commit ce6586a into FoundationDB:main May 29, 2024
8 checks passed