From dad39bc2a27363d477f921cb5332bc8790825e29 Mon Sep 17 00:00:00 2001 From: Zhen Zhang Date: Mon, 18 Mar 2024 09:36:26 +0800 Subject: [PATCH] reduce github action permissions (#1523) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 守辰 --- .github/workflows/ci.yaml | 3 ++ .github/workflows/docker-image.yaml | 3 ++ .github/workflows/e2e-1.18.yaml | 33 ++++++++++++++--- .github/workflows/e2e-1.20-EphemeralJob.yaml | 9 ++++- .github/workflows/e2e-1.24.yaml | 39 +++++++++++++++++--- .github/workflows/e2e-1.26.yaml | 39 +++++++++++++++++--- .github/workflows/license.yml | 3 ++ test/e2e/apps/ephemeraljob.go | 30 +++++++-------- test/e2e/apps/imagelistpulljobs.go | 4 +- test/e2e/apps/statefulset.go | 5 ++- test/e2e/framework/statefulset_utils.go | 22 +++++++++++ 11 files changed, 153 insertions(+), 37 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 2f91c1f3da..7ae0bb1e97 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -8,6 +8,9 @@ on: pull_request: {} workflow_dispatch: {} +# Declare default permissions as read only. +permissions: read-all + env: # Common versions GO_VERSION: '1.19' diff --git a/.github/workflows/docker-image.yaml b/.github/workflows/docker-image.yaml index 0907ac09b4..09ac3738dc 100644 --- a/.github/workflows/docker-image.yaml +++ b/.github/workflows/docker-image.yaml @@ -3,6 +3,9 @@ name: Docker Image CI on: workflow_dispatch: +# Declare default permissions as read only. +permissions: read-all + jobs: build: diff --git a/.github/workflows/e2e-1.18.yaml b/.github/workflows/e2e-1.18.yaml index f947e41284..91a732d2d1 100644 --- a/.github/workflows/e2e-1.18.yaml +++ b/.github/workflows/e2e-1.18.yaml @@ -8,6 +8,9 @@ on: pull_request: {} workflow_dispatch: {} +# Declare default permissions as read only. +permissions: read-all + env: # Common versions GO_VERSION: '1.19' 
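Review bot: `permissions: read-all` at the top of ci.yaml still gives the job token read access to every scope, which is broader than a build-and-test workflow usually needs. The same line is added to docker-image.yaml, the e2e-*.yaml workflows and license.yml. If the jobs only check out the repository, a top-level `permissions:` with `contents: read` would be the narrower default, and any job that needs more can declare its own `permissions:` block. The job definitions are outside these hunks, so confirm that no step relies on another read scope before tightening.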
@@ -101,7 +104,11 @@ jobs: echo "test fail, dump kruise-manager logs" while read pod; do kubectl logs -n kruise-system $pod - done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + echo "test fail, dump kruise-daemon logs" + while read pod; do + kubectl logs -n kruise-system $pod + done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}') fi exit $retVal @@ -188,7 +195,11 @@ jobs: echo "test fail, dump kruise-manager logs" while read pod; do kubectl logs -n kruise-system $pod - done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + echo "test fail, dump kruise-daemon logs" + while read pod; do + kubectl logs -n kruise-system $pod + done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}') fi exit $retVal @@ -275,7 +286,11 @@ jobs: echo "test fail, dump kruise-manager logs" while read pod; do kubectl logs -n kruise-system $pod - done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + echo "test fail, dump kruise-daemon logs" + while read pod; do + kubectl logs -n kruise-system $pod + done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}') fi exit $retVal 
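Review bot: The added daemon log loop in the failure branch uses `while read pod` without `-r` and passes `$pod` to kubectl unquoted. `while read -r pod; do kubectl logs -n kruise-system "$pod"` is the more robust form. The same block is pasted into every e2e job in e2e-1.18.yaml, e2e-1.20-EphemeralJob.yaml, e2e-1.24.yaml and e2e-1.26.yaml, so the fix applies to each copy. If a daemon pod restarted before the dump, plain `kubectl logs` shows only the current container, so a second call with `--previous` that is allowed to fail may be worth adding. The step's script starts outside the hunk.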
@@ -362,7 +377,11 @@ jobs: echo "test fail, dump kruise-manager logs" while read pod; do kubectl logs -n kruise-system $pod - done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + echo "test fail, dump kruise-daemon logs" + while read pod; do + kubectl logs -n kruise-system $pod + done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}') fi exit $retVal @@ -514,6 +533,10 @@ jobs: echo "test fail, dump kruise-manager logs" while read pod; do kubectl logs -n kruise-system $pod - done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + echo "test fail, dump kruise-daemon logs" + while read pod; do + kubectl logs -n kruise-system $pod + done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}') fi exit $retVal diff --git a/.github/workflows/e2e-1.20-EphemeralJob.yaml b/.github/workflows/e2e-1.20-EphemeralJob.yaml index 1d6ef64943..25faa475db 100644 --- a/.github/workflows/e2e-1.20-EphemeralJob.yaml +++ b/.github/workflows/e2e-1.20-EphemeralJob.yaml @@ -8,6 +8,9 @@ on: pull_request: {} workflow_dispatch: {} +# Declare default permissions as read only. +permissions: read-all + env: # Common versions GO_VERSION: '1.19' 
@@ -101,6 +104,10 @@ jobs: echo "test fail, dump kruise-manager logs" while read pod; do kubectl logs -n kruise-system $pod - done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + echo "test fail, dump kruise-daemon logs" + while read pod; do + kubectl logs -n kruise-system $pod + done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}') fi exit $retVal diff --git a/.github/workflows/e2e-1.24.yaml b/.github/workflows/e2e-1.24.yaml index 663e659a2d..d0d04441c2 100644 --- a/.github/workflows/e2e-1.24.yaml +++ b/.github/workflows/e2e-1.24.yaml @@ -8,6 +8,9 @@ on: pull_request: {} workflow_dispatch: {} +# Declare default permissions as read only. +permissions: read-all + env: # Common versions GO_VERSION: '1.19' @@ -89,7 +92,11 @@ jobs: echo "test fail, dump kruise-manager logs" while read pod; do kubectl logs -n kruise-system $pod - done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + echo "test fail, dump kruise-daemon logs" + while read pod; do + kubectl logs -n kruise-system $pod + done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}') fi exit $retVal 
@@ -176,7 +183,11 @@ jobs: echo "test fail, dump kruise-manager logs" while read pod; do kubectl logs -n kruise-system $pod - done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + echo "test fail, dump kruise-daemon logs" + while read pod; do + kubectl logs -n kruise-system $pod + done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}') fi exit $retVal @@ -265,7 +276,11 @@ jobs: echo "test fail, dump kruise-manager logs" while read pod; do kubectl logs -n kruise-system $pod - done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + echo "test fail, dump kruise-daemon logs" + while read pod; do + kubectl logs -n kruise-system $pod + done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}') fi exit $retVal @@ -353,7 +368,11 @@ jobs: echo "test fail, dump kruise-manager logs" while read pod; do kubectl logs -n kruise-system $pod - done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + echo "test fail, dump kruise-daemon logs" + while read pod; do + kubectl logs -n kruise-system $pod + done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}') fi exit $retVal 
@@ -419,7 +438,11 @@ jobs: echo "test fail, dump kruise-manager logs" while read pod; do kubectl logs -n kruise-system $pod - done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + echo "test fail, dump kruise-daemon logs" + while read pod; do + kubectl logs -n kruise-system $pod + done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}') fi exit $retVal @@ -571,7 +594,11 @@ jobs: echo "test fail, dump kruise-manager logs" while read pod; do kubectl logs -n kruise-system $pod - done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + echo "test fail, dump kruise-daemon logs" + while read pod; do + kubectl logs -n kruise-system $pod + done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}') fi exit $retVal diff --git a/.github/workflows/e2e-1.26.yaml b/.github/workflows/e2e-1.26.yaml index 91120d97d0..1da3e80f95 100644 --- a/.github/workflows/e2e-1.26.yaml +++ b/.github/workflows/e2e-1.26.yaml @@ -8,6 +8,9 @@ on: pull_request: {} workflow_dispatch: {} +# Declare default permissions as read only. +permissions: read-all + env: # Common versions GO_VERSION: '1.19' 
@@ -88,7 +91,11 @@ jobs: echo "test fail, dump kruise-manager logs" while read pod; do kubectl logs -n kruise-system $pod - done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + echo "test fail, dump kruise-daemon logs" + while read pod; do + kubectl logs -n kruise-system $pod + done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}') fi exit $retVal @@ -175,7 +182,11 @@ jobs: echo "test fail, dump kruise-manager logs" while read pod; do kubectl logs -n kruise-system $pod - done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + echo "test fail, dump kruise-daemon logs" + while read pod; do + kubectl logs -n kruise-system $pod + done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}') fi exit $retVal @@ -264,7 +275,11 @@ jobs: echo "test fail, dump kruise-manager logs" while read pod; do kubectl logs -n kruise-system $pod - done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + echo "test fail, dump kruise-daemon logs" + while read pod; do + kubectl logs -n kruise-system $pod + done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}') fi exit $retVal 
@@ -352,7 +367,11 @@ jobs: echo "test fail, dump kruise-manager logs" while read pod; do kubectl logs -n kruise-system $pod - done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + echo "test fail, dump kruise-daemon logs" + while read pod; do + kubectl logs -n kruise-system $pod + done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}') fi exit $retVal @@ -418,7 +437,11 @@ jobs: echo "test fail, dump kruise-manager logs" while read pod; do kubectl logs -n kruise-system $pod - done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + echo "test fail, dump kruise-daemon logs" + while read pod; do + kubectl logs -n kruise-system $pod + done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}') fi exit $retVal @@ -570,7 +593,11 @@ jobs: echo "test fail, dump kruise-manager logs" while read pod; do kubectl logs -n kruise-system $pod - done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + done < <(kubectl get pods -n kruise-system -l control-plane=controller-manager --no-headers | awk '{print $1}') + echo "test fail, dump kruise-daemon logs" + while read pod; do + kubectl logs -n kruise-system $pod + done < <(kubectl get pods -n kruise-system -l control-plane=daemon --no-headers | awk '{print $1}') fi exit $retVal diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml index 8d49743f70..9d1bb0a73d 100644 --- a/.github/workflows/license.yml +++ b/.github/workflows/license.yml 
@@ -10,6 +10,9 @@ on: - master - release-* +# Declare default permissions as read only. +permissions: read-all + jobs: license_check: runs-on: ubuntu-20.04 diff --git a/test/e2e/apps/ephemeraljob.go b/test/e2e/apps/ephemeraljob.go index 9577424c7c..b2fd82087b 100644 --- a/test/e2e/apps/ephemeraljob.go +++ b/test/e2e/apps/ephemeraljob.go @@ -288,21 +288,6 @@ var _ = SIGDescribe("EphemeralJob", func() { }, }}) - job2 := tester.CreateTestEphemeralJob(randStr+"2", 1, 1, metav1.LabelSelector{ - MatchLabels: map[string]string{ - "run": "nginx", - }}, []v1.EphemeralContainer{ - { - TargetContainerName: "nginx", - EphemeralContainerCommon: v1.EphemeralContainerCommon{ - Name: "debugger", - Image: BusyboxImage, - ImagePullPolicy: v1.PullIfNotPresent, - Command: []string{"sleep", "3000"}, - TerminationMessagePolicy: v1.TerminationMessageReadFile, - }, - }}) - ginkgo.By("Check the status of job") gomega.Eventually(func() int { @@ -320,6 +305,21 @@ var _ = SIGDescribe("EphemeralJob", func() { return len(targetPod.Status.EphemeralContainerStatuses) }, 60*time.Second, 3*time.Second).Should(gomega.Equal(1)) + job2 := tester.CreateTestEphemeralJob(randStr+"2", 1, 1, metav1.LabelSelector{ + MatchLabels: map[string]string{ + "run": "nginx", + }}, []v1.EphemeralContainer{ + { + TargetContainerName: "nginx", + EphemeralContainerCommon: v1.EphemeralContainerCommon{ + Name: "debugger", + Image: BusyboxImage, + ImagePullPolicy: v1.PullIfNotPresent, + Command: []string{"sleep", "3000"}, + TerminationMessagePolicy: v1.TerminationMessageReadFile, + }, + }}) + ginkgo.By("Check whether ephemeral container can updated (not possible yet)") gomega.Eventually(func() int32 { job, _ := tester.GetEphemeralJob(job2.Name) return job.Status.Matches diff --git a/test/e2e/apps/imagelistpulljobs.go b/test/e2e/apps/imagelistpulljobs.go index 20e7d98076..885bf18d27 100644 --- a/test/e2e/apps/imagelistpulljobs.go +++ b/test/e2e/apps/imagelistpulljobs.go 
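Review bot: The `job2` creation in ephemeraljob.go now sits below the first job's status checks with no comment saying why the order matters, so a later edit could move it back. The intent appears to be that the second job must not race the first one, and a line such as `// create job2 only after the first job's ephemeral container is observed on the target pod` above `job2 := ...` would record that. In the check that follows, `job, _ := tester.GetEphemeralJob(job2.Name)` discards the error and then reads `job.Status.Matches`, which presumably panics on a nil job if the lookup fails. Returning 0 on error would let Eventually retry. The enclosing test body starts and ends outside the hunk.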
@@ -181,12 +181,12 @@ var _ = SIGDescribe("PullImages", func() { return job.Status.Desired }, 3*time.Second, time.Second).Should(gomega.Equal(int32(len(job.Spec.Images)))) - ginkgo.By("Wait completed in 180s") + ginkgo.By("Wait completed in 360s") gomega.Eventually(func() bool { job, err = testerForImageListPullJob.GetJob(job) gomega.Expect(err).NotTo(gomega.HaveOccurred()) return job.Status.CompletionTime != nil - }, 180*time.Second, 3*time.Second).Should(gomega.Equal(true)) + }, 360*time.Second, 10*time.Second).Should(gomega.Equal(true)) gomega.Expect(job.Status.Succeeded).To(gomega.Equal(int32(len(job.Spec.Images)))) ginkgo.By("Delete job") diff --git a/test/e2e/apps/statefulset.go b/test/e2e/apps/statefulset.go index fe4cf78885..bcf77f7887 100644 --- a/test/e2e/apps/statefulset.go +++ b/test/e2e/apps/statefulset.go @@ -663,7 +663,7 @@ var _ = SIGDescribe("StatefulSet", func() { gomega.Expect(err).NotTo(gomega.HaveOccurred()) ginkgo.By("InPlace update Pods at the new revision") - sst.WaitForPodNotReady(ss, pods.Items[0].Name) + sst.WaitForPodUpdatedAndRunning(ss, pods.Items[0].Name, currentRevision) sst.WaitForRunningAndReady(3, ss) ss = sst.GetStatefulSet(ss.Namespace, ss.Name) pods = sst.GetPodList(ss) @@ -761,8 +761,9 @@ var _ = SIGDescribe("StatefulSet", func() { gomega.Expect(err).NotTo(gomega.HaveOccurred()) ginkgo.By("InPlace update Pods at the new revision") - sst.WaitForPodNotReady(ss, pods.Items[0].Name) + sst.WaitForPodUpdatedAndRunning(ss, pods.Items[0].Name, currentRevision) sst.WaitForRunningAndReady(3, ss) + ss = sst.GetStatefulSet(ss.Namespace, ss.Name) pods = sst.GetPodList(ss) for i := range pods.Items { diff --git a/test/e2e/framework/statefulset_utils.go b/test/e2e/framework/statefulset_utils.go index 0f7efc807f..decc8f131a 100644 --- a/test/e2e/framework/statefulset_utils.go +++ b/test/e2e/framework/statefulset_utils.go 
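Review bot: The `gomega.Expect(err).NotTo(gomega.HaveOccurred())` inside the polled function in imagelistpulljobs.go presumably fails the spec on the first `GetJob` error. If so, the longer 360s window does not help when the API call itself fails transiently, and returning `false` on error would keep polling. The new `360*time.Second` and `10*time.Second` values are bare literals with no comment on why the wait was doubled; a short comment or a named constant would document it. The surrounding test starts outside the hunk.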
@@ -397,6 +397,28 @@ func (s *StatefulSetTester) WaitForPodNotReady(set *appsv1beta1.StatefulSet, pod } +// WaitForPodUpdatedAndRunning wait for the Pod named podName to be updated and running, the pod should have revision other than the one in currentRevision +func (s *StatefulSetTester) WaitForPodUpdatedAndRunning(set *appsv1beta1.StatefulSet, podName string, currentRevision string) (*appsv1beta1.StatefulSet, *v1.PodList) { + var pods *v1.PodList + s.WaitForState(set, func(set2 *appsv1beta1.StatefulSet, pods2 *v1.PodList) (bool, error) { + set = set2 + pods = pods2 + for i := range pods.Items { + if pods.Items[i].Name != podName { + continue + } + + if pods.Items[i].Labels[apps.StatefulSetRevisionLabel] != currentRevision && + podutil.IsPodReady(&pods.Items[i]) { + return true, nil + } + return false, nil + } + return false, nil + }) + return set, pods +} + // WaitForRollingUpdate waits for all Pods in set to exist and have the correct revision and for the RollingUpdate to // complete. set must have a RollingUpdateStatefulSetStrategyType. func (s *StatefulSetTester) WaitForRollingUpdate(set *appsv1beta1.StatefulSet) (*appsv1beta1.StatefulSet, *v1.PodList) {
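Review bot: WaitForPodUpdatedAndRunning checks `podutil.IsPodReady`, not the Running phase, so the name and doc comment promise something slightly different from what is tested. The comment could read `// WaitForPodUpdatedAndRunning waits until the Pod named podName has a revision label different from currentRevision and is Ready.` The comparison `pods.Items[i].Labels[apps.StatefulSetRevisionLabel] != currentRevision` is also true when the label is absent, so a Ready pod without the label would satisfy the wait; requiring a non-empty label would close that gap. The two inner `return false, nil` paths could be merged by returning the condition directly.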