chore(docs)!: remove references to no longer supported executors #12975

Merged
merged 1 commit into from
Apr 27, 2024
3 changes: 2 additions & 1 deletion docs/empty-dir.md
@@ -1,6 +1,7 @@
# Empty Dir

While by default, the Docker and PNS [workflow executors](workflow-executors.md) can get output artifacts/parameters from the base layer (e.g. `/tmp`), neither the Kubelet nor the K8SAPI executors can. It is unlikely you can get output artifacts/parameters from the base layer if you run your workflow pods with a [security context](workflow-pod-security-context.md).
Not all [workflow executors](workflow-executors.md) can get output artifacts/parameters from the base layer (e.g. `/tmp`).
It is unlikely you can get output artifacts/parameters from the base layer if you run your workflow pods with a [security context](workflow-pod-security-context.md).

You can work-around this constraint by mounting volumes onto your pod. The easiest way to do this is to use as `emptyDir` volume.
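
Review bot: the added sentence "Not all workflow executors can get output artifacts/parameters from the base layer" still reads as a choice between executors, while docs/workflow-executors.md in this same change says Emissary is the "Only option in >= v3.4". Say directly what the emissary executor does with base-layer paths such as `/tmp`, so the reader knows whether the `emptyDir` work-around applies to them. While touching this file, the context line "use as `emptyDir` volume" should read "use an `emptyDir` volume".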

6 changes: 0 additions & 6 deletions docs/faq.md
Expand Up @@ -26,9 +26,3 @@ Is there an RBAC error?
You're probably getting a permission denied error because your RBAC is not configured.

[Learn more about workflow RBAC](workflow-rbac.md) and [even more details](https://blog.argoproj.io/demystifying-argo-workflowss-kubernetes-rbac-7a1406d446fc)

## There is an error about `/var/run/docker.sock`

Try using a different container runtime executor.

[Learn more about executors](workflow-executors.md)
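
Review bot: with the `/var/run/docker.sock` entry gone, a reader who lands on the FAQ with that error gets no answer, and the old advice ("Try using a different container runtime executor") has no replacement. A one-line entry saying the error comes from an executor that is no longer supported, keeping the link to workflow-executors.md, would cover it.
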
5 changes: 0 additions & 5 deletions docs/sidecar-injection.md
Expand Up @@ -15,17 +15,12 @@ See [#1282](https://github.com/argoproj/argo-workflows/issues/1282).

Key:

* Unsupported - this executor is no longer supported
* Any - we can kill any image
* KubectlExec - we kill images by running `kubectl exec`

| Executor | Sidecar | Injected Sidecar |
|---|---|---|
| `docker` | Any | Unsupported |
| `emissary` | Any | KubectlExec |
| `k8sapi` | Shell | KubectlExec |
| `kubelet` | Shell | KubectlExec |
| `pns` | Any | Any |

## How We Kill Sidecars Using `kubectl exec`
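
Review bot: after these deletions the table has a single `emissary` row, so the "Executor" column and the two-entry key carry little; a sentence such as "Sidecars of any image can be killed; injected sidecars are killed by running `kubectl exec`" would say the same. The removed `k8sapi` and `kubelet` rows were the only users of "Shell", which the key never defined, so nothing else in the key needs cleaning up.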

41 changes: 0 additions & 41 deletions docs/workflow-controller-configmap.yaml
Expand Up @@ -159,47 +159,6 @@ data:
# name: my-s3-credentials
# key: secretKey



# Specifies the container runtime interface to use (default: emissary)
# must be one of: docker, kubelet, k8sapi, pns, emissary
# It has lower precedence than either `--container-runtime-executor` and `containerRuntimeExecutors`.
# (removed in v3.4)
containerRuntimeExecutor: emissary

# Specifies the executor to use.
#
# You can use this to:
# * Tailor your executor based on your preference for security or performance.
# * Test out an executor without committing yourself to use it for every workflow.
#
# To find out which executor was actually use, see the `wait` container logs.
#
# The list is in order of precedence; the first matching executor is used.
# This has precedence over `containerRuntimeExecutor`.
# (removed in v3.4)
containerRuntimeExecutors: |
- name: emissary
selector:
matchLabels:
workflows.argoproj.io/container-runtime-executor: emissary
- name: pns
selector:
matchLabels:
workflows.argoproj.io/container-runtime-executor: pns

# Specifies the location of docker.sock on the host for docker executor (default: /var/run/docker.sock)
# (available v2.4-v3.3)
dockerSockPath: /var/someplace/else/docker.sock

# kubelet port when using kubelet executor (default: 10250) (kubelet executor will be deprecated use emissary instead)
# (removed in v3.4)
kubeletPort: "10250"

# disable the TLS verification of the kubelet executor (default: false)
# (removed in v3.4)
kubeletInsecure: "false"

# The command/args for each image, needed when the command is not specified and the emissary executor is used.
# https://argo-workflows.readthedocs.io/en/latest/workflow-executors/#emissary-emissary
images: |
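
Review bot: the comment kept above `images:` still says the mapping is "needed when the command is not specified and the emissary executor is used", a condition that is always true once `containerRuntimeExecutor` and `containerRuntimeExecutors` are gone; drop "and the emissary executor is used". It is also worth stating somewhere what happens to an existing ConfigMap that still sets the removed keys (`dockerSockPath`, `kubeletPort`, `kubeletInsecure`), since this hunk deletes the version markers that documented them.
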
81 changes: 1 addition & 80 deletions docs/workflow-executors.md
Expand Up @@ -2,13 +2,12 @@

A workflow executor is a process that conforms to a specific interface that allows Argo to perform certain actions like monitoring pod logs, collecting artifacts, managing container life-cycles, etc.

The executor to be used in your workflows can be changed in [the config map](./workflow-controller-configmap.yaml) under the `containerRuntimeExecutor` key (removed in v3.4).

## Emissary (emissary)

> v3.1 and after

Default in >= v3.3.
Only option in >= v3.4.

This is the most fully featured executor.
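
Review bot: "This is the most fully featured executor." in the kept context is a comparison with executors this change removes; with "Only option in >= v3.4." added just above it, reword or drop that sentence. Replacing "Default in >= v3.3." instead of keeping both lines also loses the version in which emissary became the default, which readers still on v3.3 may look for.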

Expand Down Expand Up @@ -45,81 +44,3 @@ Emissary will create a cache entry, using image with version as key and command
### Exit Code 64

The emissary will exit with code 64 if it fails. This may indicate a bug in the emissary.

## Docker (docker)

⚠️Deprecated. Removed in v3.4.

Default in <= v3.2.

* Least secure:
* It requires `privileged` access to `docker.sock` of the host to be mounted which. Often rejected by Open Policy Agent (OPA) or your Pod Security Policy (PSP).
* It can escape the privileges of the pod's service account
* It cannot [`runAsNonRoot`](workflow-pod-security-context.md).
* Equal most scalable:
* It communicates directly with the local Docker daemon.
* Artifacts:
* Output artifacts can be located on the base layer (e.g. `/tmp`).
* Configuration:
* No additional configuration needed.

**Note**: when using docker as workflow executors, messages printed in both `stdout` and `stderr` are captured in the [Argo variable](./variables.md#scripttemplate) `.outputs.result`.

## Kubelet (kubelet)

⚠️Deprecated. Removed in v3.4.

* Secure
* No `privileged` access
* Cannot escape the privileges of the pod's service account
* [`runAsNonRoot`](workflow-pod-security-context.md) - TBD, see [#4186](https://github.com/argoproj/argo-workflows/issues/4186)
* Scalable:
* Operations performed against the local Kubelet
* Artifacts:
* Output artifacts must be saved on volumes (e.g. [empty-dir](empty-dir.md)) and not the base image layer (e.g. `/tmp`)
* Step/Task result:
* Warnings that normally goes to stderr will get captured in a step or a dag task's `outputs.result`. May require changes if your pipeline is conditioned on `steps/tasks.name.outputs.result`
* Configuration:
* Additional Kubelet configuration maybe needed

## Kubernetes API (`k8sapi`)

⚠️Deprecated. Removed in v3.4.

* Reliability:
* Works on GKE Autopilot
* Most secure:
* No `privileged` access
* Cannot escape the privileges of the pod's service account
* Can [`runAsNonRoot`](workflow-pod-security-context.md)
* Least scalable:
* Log retrieval and container operations performed against the remote Kubernetes API
* Artifacts:
* Output artifacts must be saved on volumes (e.g. [empty-dir](empty-dir.md)) and not the base image layer (e.g. `/tmp`)
* Step/Task result:
* Warnings that normally goes to stderr will get captured in a step or a dag task's `outputs.result`. May require changes if your pipeline is conditioned on `steps/tasks.name.outputs.result`
* Configuration:
* No additional configuration needed.

## Process Namespace Sharing (`pns`)

⚠️Deprecated. Removed in v3.4.

* More secure:
* No `privileged` access
* cannot escape the privileges of the pod's service account
* Can [`runAsNonRoot`](workflow-pod-security-context.md), if you use volumes (e.g. [empty-dir](empty-dir.md)) for your output artifacts
* Processes are visible to other containers in the pod. This includes all information visible in /proc, such as passwords that were passed as arguments or environment variables. These are protected only by regular Unix permissions.
* Scalable:
* Most operations use local `procfs`.
* Log retrieval uses the remote Kubernetes API
* Artifacts:
* Output artifacts can be located on the base layer (e.g. `/tmp`)
* Cannot capture artifacts from a base layer which has a volume mounted under it
* Cannot capture artifacts from base layer if the container is short-lived.
* Configuration:
* No additional configuration needed.
* Process will no longer run with PID 1
* [Doesn't work for Windows containers](https://kubernetes.io/docs/setup/production-environment/windows/intro-windows-in-kubernetes/#v1-pod).

[Learn more](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/)
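
Review bot: the deleted sections were where this page recorded each executor's security properties (`privileged` access, escaping the privileges of the pod's service account, `runAsNonRoot`) and whether output artifacts may sit on the base layer, and nothing kept in this hunk states those for emissary. docs/empty-dir.md still links here for exactly that question, so check that the Emissary section answers the same points, or add the equivalent bullets there.
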
6 changes: 3 additions & 3 deletions docs/workflow-pod-security-context.md
@@ -1,10 +1,10 @@
# Workflow Pod Security Context

By default, all workflow pods run as root. The Docker executor even requires `privileged: true`.
By default, all workflow pods run as root.

For other [workflow executors](workflow-executors.md), you can run your workflow pods more securely by configuring the [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for your workflow pod.
You can run your workflow pods more securely by configuring the [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for your workflow pod.

This is likely to be necessary if you have a [pod security policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/). You probably can't use the Docker executor if you have a pod security policy.
This is likely to be necessary if you have a [pod security policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/).

```yaml
apiVersion: argoproj.io/v1alpha1
22 changes: 0 additions & 22 deletions docs/workflow-rbac.md
Expand Up @@ -26,25 +26,3 @@ rules:
- create
- patch
```

For <= v3.3 use.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: executor
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- patch
```

Warning: For many organizations, it may not be acceptable to give a workflow the `pod patch` permission, see [#3961](https://github.com/argoproj/argo-workflows/issues/3961)

If you are not using the emissary, you'll need additional permissions.
See [executor](https://github.com/argoproj/argo-workflows/tree/main/manifests/quick-start/base/executor) for suitable permissions.
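
Review bot: the deleted "For <= v3.3" Role grants `get` and `patch` on `pods`, and the warning removed with it says the `pod patch` permission may not be acceptable for many organizations; clusters upgraded from those versions can still have that Role bound to the executor service account. Add a sentence telling operators to remove the old `pods` grant once they are on the Role shown above, instead of dropping the warning with no follow-up.
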
18 changes: 0 additions & 18 deletions manifests/quick-start/base/executor/docker/executor-role.yaml

This file was deleted.

37 changes: 0 additions & 37 deletions manifests/quick-start/base/executor/k8sapi/executor-role.yaml

This file was deleted.

18 changes: 0 additions & 18 deletions manifests/quick-start/base/executor/kubelet/executor-role.yaml

This file was deleted.

This file was deleted.

This file was deleted.

28 changes: 0 additions & 28 deletions manifests/quick-start/base/executor/pns/executor-role.yaml

This file was deleted.