reduce github action permissions (#1523)

Signed-off-by: 守辰 <shouchen.zz@alibaba-inc.com>

.github/workflows/ci.yaml

@@ -8,6 +8,9 @@ on:
   pull_request: {}
   workflow_dispatch: {}
 
+# Declare default permissions as read only.
+permissions: read-all
+
 env:
   # Common versions
   GO_VERSION: '1.19'

.github/workflows/docker-image.yaml

@@ -3,6 +3,9 @@ name: Docker Image CI
 on:
   workflow_dispatch:
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 
   build:

.github/workflows/e2e-1.18.yaml

@@ -8,6 +8,9 @@ on:
   pull_request: {}
   workflow_dispatch: {}
 
+# Declare default permissions as read only.
+permissions: read-all
+
 env:
   # Common versions
   GO_VERSION: '1.19'
@@ -101,7 +104,11 @@ jobs:
               echo "test fail, dump kruise-manager logs"
               while read pod; do 
                    kubectl logs -n kruise-system $pod
-              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}')             
+              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') 
+              echo "test fail, dump kruise-daemon logs"
+              while read pod; do 
+                   kubectl logs -n kruise-system $pod
+              done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}')  
           fi
           exit $retVal
 
@@ -188,7 +195,11 @@ jobs:
               echo "test fail, dump kruise-manager logs"
               while read pod; do 
                    kubectl logs -n kruise-system $pod
-              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}')             
+              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') 
+              echo "test fail, dump kruise-daemon logs"
+              while read pod; do 
+                   kubectl logs -n kruise-system $pod
+              done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}')          
           fi
           exit $retVal
 
@@ -275,7 +286,11 @@ jobs:
               echo "test fail, dump kruise-manager logs"
               while read pod; do 
                    kubectl logs -n kruise-system $pod
-              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}')             
+              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') 
+              echo "test fail, dump kruise-daemon logs"
+              while read pod; do 
+                   kubectl logs -n kruise-system $pod
+              done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}')            
           fi
           exit $retVal
 
@@ -362,7 +377,11 @@ jobs:
               echo "test fail, dump kruise-manager logs"
               while read pod; do 
                    kubectl logs -n kruise-system $pod
-              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}')             
+              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') 
+              echo "test fail, dump kruise-daemon logs"
+              while read pod; do 
+                   kubectl logs -n kruise-system $pod
+              done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}')             
           fi
           exit $retVal
 
@@ -514,6 +533,10 @@ jobs:
               echo "test fail, dump kruise-manager logs"
               while read pod; do 
                    kubectl logs -n kruise-system $pod
-              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}')             
+              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') 
+              echo "test fail, dump kruise-daemon logs"
+              while read pod; do 
+                   kubectl logs -n kruise-system $pod
+              done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}')            
           fi
           exit $retVal

.github/workflows/e2e-1.20-EphemeralJob.yaml

@@ -8,6 +8,9 @@ on:
   pull_request: {}
   workflow_dispatch: {}
 
+# Declare default permissions as read only.
+permissions: read-all
+
 env:
   # Common versions
   GO_VERSION: '1.19'
@@ -101,6 +104,10 @@ jobs:
               echo "test fail, dump kruise-manager logs"
               while read pod; do 
                    kubectl logs -n kruise-system $pod
-              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}')             
+              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') 
+              echo "test fail, dump kruise-daemon logs"
+              while read pod; do 
+                   kubectl logs -n kruise-system $pod
+              done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}')            
           fi
           exit $retVal

.github/workflows/e2e-1.24.yaml

@@ -8,6 +8,9 @@ on:
   pull_request: {}
   workflow_dispatch: {}
 
+# Declare default permissions as read only.
+permissions: read-all
+
 env:
   # Common versions
   GO_VERSION: '1.19'
@@ -89,7 +92,11 @@ jobs:
               echo "test fail, dump kruise-manager logs"
               while read pod; do 
                    kubectl logs -n kruise-system $pod
-              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}')             
+              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') 
+              echo "test fail, dump kruise-daemon logs"
+              while read pod; do 
+                   kubectl logs -n kruise-system $pod
+              done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}')             
           fi
           exit $retVal
 
@@ -176,7 +183,11 @@ jobs:
               echo "test fail, dump kruise-manager logs"
               while read pod; do 
                    kubectl logs -n kruise-system $pod
-              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}')             
+              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') 
+              echo "test fail, dump kruise-daemon logs"
+              while read pod; do 
+                   kubectl logs -n kruise-system $pod
+              done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}')            
           fi
           
           exit $retVal
@@ -265,7 +276,11 @@ jobs:
               echo "test fail, dump kruise-manager logs"
               while read pod; do 
                    kubectl logs -n kruise-system $pod
-              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}')             
+              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') 
+              echo "test fail, dump kruise-daemon logs"
+              while read pod; do 
+                   kubectl logs -n kruise-system $pod
+              done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}')          
           fi
           exit $retVal
 
@@ -353,7 +368,11 @@ jobs:
               echo "test fail, dump kruise-manager logs"
               while read pod; do 
                    kubectl logs -n kruise-system $pod
-              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}')             
+              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') 
+              echo "test fail, dump kruise-daemon logs"
+              while read pod; do 
+                   kubectl logs -n kruise-system $pod
+              done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}')             
           fi
           exit $retVal
 
@@ -419,7 +438,11 @@ jobs:
               echo "test fail, dump kruise-manager logs"
               while read pod; do 
                    kubectl logs -n kruise-system $pod
-              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}')             
+              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') 
+              echo "test fail, dump kruise-daemon logs"
+              while read pod; do 
+                   kubectl logs -n kruise-system $pod
+              done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}')           
           fi
           exit $retVal
 
@@ -571,7 +594,11 @@ jobs:
               echo "test fail, dump kruise-manager logs"
               while read pod; do 
                    kubectl logs -n kruise-system $pod
-              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}')             
+              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') 
+              echo "test fail, dump kruise-daemon logs"
+              while read pod; do 
+                   kubectl logs -n kruise-system $pod
+              done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}')           
           fi
 
           exit $retVal

.github/workflows/e2e-1.26.yaml

@@ -8,6 +8,9 @@ on:
   pull_request: {}
   workflow_dispatch: {}
 
+# Declare default permissions as read only.
+permissions: read-all
+
 env:
   # Common versions
   GO_VERSION: '1.19'
@@ -88,7 +91,11 @@ jobs:
               echo "test fail, dump kruise-manager logs"
               while read pod; do 
                    kubectl logs -n kruise-system $pod
-              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}')             
+              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') 
+              echo "test fail, dump kruise-daemon logs"
+              while read pod; do 
+                   kubectl logs -n kruise-system $pod
+              done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}')         
           fi
           exit $retVal
 
@@ -175,7 +182,11 @@ jobs:
               echo "test fail, dump kruise-manager logs"
               while read pod; do 
                    kubectl logs -n kruise-system $pod
-              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}')             
+              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') 
+              echo "test fail, dump kruise-daemon logs"
+              while read pod; do 
+                   kubectl logs -n kruise-system $pod
+              done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}')         
           fi
           
           exit $retVal
@@ -264,7 +275,11 @@ jobs:
               echo "test fail, dump kruise-manager logs"
               while read pod; do 
                    kubectl logs -n kruise-system $pod
-              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}')             
+              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') 
+              echo "test fail, dump kruise-daemon logs"
+              while read pod; do 
+                   kubectl logs -n kruise-system $pod
+              done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}')         
           fi
           exit $retVal
 
@@ -352,7 +367,11 @@ jobs:
               echo "test fail, dump kruise-manager logs"
               while read pod; do 
                    kubectl logs -n kruise-system $pod
-              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}')             
+              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') 
+              echo "test fail, dump kruise-daemon logs"
+              while read pod; do 
+                   kubectl logs -n kruise-system $pod
+              done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}')           
           fi
           exit $retVal
 
@@ -418,7 +437,11 @@ jobs:
               echo "test fail, dump kruise-manager logs"
               while read pod; do 
                    kubectl logs -n kruise-system $pod
-              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}')             
+              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') 
+              echo "test fail, dump kruise-daemon logs"
+              while read pod; do 
+                   kubectl logs -n kruise-system $pod
+              done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}')             
           fi
           exit $retVal
 
@@ -570,7 +593,11 @@ jobs:
               echo "test fail, dump kruise-manager logs"
               while read pod; do 
                    kubectl logs -n kruise-system $pod
-              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}')             
+              done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') 
+              echo "test fail, dump kruise-daemon logs"
+              while read pod; do 
+                   kubectl logs -n kruise-system $pod
+              done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}')             
           fi
 
           exit $retVal

.github/workflows/license.yml

@@ -10,6 +10,9 @@ on:
       - master
       - release-*
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   license_check:
     runs-on: ubuntu-20.04

test/e2e/apps/ephemeraljob.go

@@ -288,21 +288,6 @@ var _ = SIGDescribe("EphemeralJob", func() {
 					},
 				}})
 
-			job2 := tester.CreateTestEphemeralJob(randStr+"2", 1, 1, metav1.LabelSelector{
-				MatchLabels: map[string]string{
-					"run": "nginx",
-				}}, []v1.EphemeralContainer{
-				{
-					TargetContainerName: "nginx",
-					EphemeralContainerCommon: v1.EphemeralContainerCommon{
-						Name:                     "debugger",
-						Image:                    BusyboxImage,
-						ImagePullPolicy:          v1.PullIfNotPresent,
-						Command:                  []string{"sleep", "3000"},
-						TerminationMessagePolicy: v1.TerminationMessageReadFile,
-					},
-				}})
-
 			ginkgo.By("Check the status of job")
 
 			gomega.Eventually(func() int {
@@ -320,6 +305,21 @@ var _ = SIGDescribe("EphemeralJob", func() {
 				return len(targetPod.Status.EphemeralContainerStatuses)
 			}, 60*time.Second, 3*time.Second).Should(gomega.Equal(1))
 
+			job2 := tester.CreateTestEphemeralJob(randStr+"2", 1, 1, metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"run": "nginx",
+				}}, []v1.EphemeralContainer{
+				{
+					TargetContainerName: "nginx",
+					EphemeralContainerCommon: v1.EphemeralContainerCommon{
+						Name:                     "debugger",
+						Image:                    BusyboxImage,
+						ImagePullPolicy:          v1.PullIfNotPresent,
+						Command:                  []string{"sleep", "3000"},
+						TerminationMessagePolicy: v1.TerminationMessageReadFile,
+					},
+				}})
+			ginkgo.By("Check whether ephemeral container can updated (not possible yet)")
 			gomega.Eventually(func() int32 {
 				job, _ := tester.GetEphemeralJob(job2.Name)
 				return job.Status.Matches

test/e2e/apps/imagelistpulljobs.go

@@ -181,12 +181,12 @@ var _ = SIGDescribe("PullImages", func() {
 				return job.Status.Desired
 			}, 3*time.Second, time.Second).Should(gomega.Equal(int32(len(job.Spec.Images))))
 
-			ginkgo.By("Wait completed in 180s")
+			ginkgo.By("Wait completed in 360s")
 			gomega.Eventually(func() bool {
 				job, err = testerForImageListPullJob.GetJob(job)
 				gomega.Expect(err).NotTo(gomega.HaveOccurred())
 				return job.Status.CompletionTime != nil
-			}, 180*time.Second, 3*time.Second).Should(gomega.Equal(true))
+			}, 360*time.Second, 10*time.Second).Should(gomega.Equal(true))
 			gomega.Expect(job.Status.Succeeded).To(gomega.Equal(int32(len(job.Spec.Images))))
 
 			ginkgo.By("Delete job")

test/e2e/apps/statefulset.go

@@ -663,7 +663,7 @@ var _ = SIGDescribe("StatefulSet", func() {
 			gomega.Expect(err).NotTo(gomega.HaveOccurred())
 
 			ginkgo.By("InPlace update Pods at the new revision")
-			sst.WaitForPodNotReady(ss, pods.Items[0].Name)
+			sst.WaitForPodUpdatedAndRunning(ss, pods.Items[0].Name, currentRevision)
 			sst.WaitForRunningAndReady(3, ss)
 			ss = sst.GetStatefulSet(ss.Namespace, ss.Name)
 			pods = sst.GetPodList(ss)
@@ -761,8 +761,9 @@ var _ = SIGDescribe("StatefulSet", func() {
 			gomega.Expect(err).NotTo(gomega.HaveOccurred())
 
 			ginkgo.By("InPlace update Pods at the new revision")
-			sst.WaitForPodNotReady(ss, pods.Items[0].Name)
+			sst.WaitForPodUpdatedAndRunning(ss, pods.Items[0].Name, currentRevision)
 			sst.WaitForRunningAndReady(3, ss)
+
 			ss = sst.GetStatefulSet(ss.Namespace, ss.Name)
 			pods = sst.GetPodList(ss)
 			for i := range pods.Items {