releng: update pull-release-image-kube-cross to set the cluster where it should run #20703

Merged
merged 1 commit into from
Feb 9, 2021

cpanato
Member

@cpanato cpanato commented Feb 2, 2021

follow up of #20689

the default cluster does not have the service account that is needed for this job, so adding the cluster that contains the setup

The error when the job tried to run

Pod can not be created: pods "63ae2683-6532-11eb-82fa-d61530c4f03a" ... count test-pods/gcb-builder: serviceaccount "gcb-builder" not found

/assign @saschagrunert @hasheddan @xmudrii @puerco
cc: @kubernetes/release-engineering

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Feb 2, 2021
@k8s-ci-robot k8s-ci-robot added area/config Issues or PRs related to code in /config area/jobs area/release-eng Issues or PRs related to the Release Engineering subproject approved Indicates a PR has been approved by an approver from all required OWNERS files. sig/release Categorizes an issue or PR as relevant to SIG Release. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 2, 2021
@cpanato
Member Author

cpanato commented Feb 2, 2021

jobs_test.go:351: pull-release-image-kube-cross: presubmits may not run in cluster: k8s-infra-prow-build-trusted

/hold to see how to fix that

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 2, 2021
@cpanato
Member Author

cpanato commented Feb 2, 2021

@spiffxp @saschagrunert @hasheddan

We need to trigger a GCB build for PRs to test the images, but it looks like the gcb-builder service account is not available in pre-submits. I did not find another service account; does that exist? If not, how can we add that?

Contributor

@hasheddan hasheddan left a comment

@cpanato I am guessing this is by design as typically we wouldn't be using this SA in a presubmit. However, in this specific case we have set up a testing repo so I would think the optimal scenario here would be to put a scoped token in the untrusted cluster if we want to maintain the idea of not running presubmits in trusted. Would defer to @spiffxp to weigh in though.

@cpanato
Member Author

cpanato commented Feb 2, 2021

@hasheddan agree with you on this, let's wait for Aaron to see other options

@spiffxp
Member

spiffxp commented Feb 5, 2021

The reason the clusters are called "trusted" is that we don't want them running "untrusted" code, e.g. presubmits. We treat the act of merging as the line of trust... code has passed tests, and the relevant humans have reviewed it. So postsubmits/periodics on trusted clusters are fine, but not presubmits.

@hasheddan's suggestion of scoped SA in untrusted cluster SGTM, PR to kubernetes/k8s.io would look something like:

Now might be a good time to start adding some enforcement around which jobs are allowed to use which service accounts via tests in config/tests/jobs (suggested this in kubernetes/k8s.io#1393 (comment))

This approach would also be baby steps toward "we should probably be using a service account per staging project" which might help address gcb quota issues #20652
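
The enforcement suggested in the comment above could take the following shape, written here as an added Go example (not code from kubernetes/test-infra or from any commenter). The `Job` struct, `CheckJobs`, and the allowlist contents are assumptions built from the cluster and service-account names mentioned in this thread, and the sample jobs are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Job holds the fields of a Prow job entry that this policy inspects.
type Job struct {
	Kind, Name, Cluster, ServiceAccount string // Kind: presubmit, postsubmit or periodic
}

// Assumed policy data, built from names in this thread (not test-infra's own).
var trustedClusters = map[string]bool{"k8s-infra-prow-build-trusted": true, "test-infra-trusted": true}

// allowedSAs maps a cluster to the service accounts jobs may request there.
var allowedSAs = map[string]map[string]bool{
	"k8s-infra-prow-build":         {"gcb-builder-releng-test": true},
	"k8s-infra-prow-build-trusted": {"gcb-builder": true},
}

// CheckJobs returns one sorted message per policy violation.
func CheckJobs(jobs []Job) []string {
	var out []string
	for _, j := range jobs {
		if j.Kind == "presubmit" && trustedClusters[j.Cluster] {
			out = append(out, fmt.Sprintf("%s: presubmits may not run in cluster: %s", j.Name, j.Cluster))
		}
		// Indexing a missing cluster yields a nil map, so unknown clusters allow nothing.
		if j.ServiceAccount != "" && !allowedSAs[j.Cluster][j.ServiceAccount] {
			out = append(out, fmt.Sprintf("%s: serviceAccountName %q not allowed in cluster %q", j.Name, j.ServiceAccount, j.Cluster))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample: the three configurations discussed in this thread.
	name := "pull-release-image-kube-cross"
	jobs := []Job{
		{"presubmit", name, "default", "gcb-builder"},
		{"presubmit", name, "k8s-infra-prow-build-trusted", "gcb-builder"},
		{"presubmit", name, "k8s-infra-prow-build", "gcb-builder-releng-test"},
	}
	for _, v := range CheckJobs(jobs) {
		fmt.Println(v)
	}
}
```

Only the third configuration passes: the first requests a service account the cluster does not offer, and the second puts a presubmit on a trusted cluster.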

@@ -84,6 +84,7 @@ presubmits:
testgrid-alert-email: [email protected]
testgrid-num-columns-recent: '30'
- name: pull-release-image-kube-cross
cluster: k8s-infra-prow-build-trusted
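Review bot: `cluster: k8s-infra-prow-build-trusted` on the `pull-release-image-kube-cross` entry under `presubmits:` schedules pre-merge code on the trusted cluster, which is exactly what the `jobs_test.go:351` failure quoted earlier in this thread rejects. Point the job at the untrusted build cluster and pair it with a narrowly scoped service account, so PR code never runs alongside the `gcb-builder` credentials.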
Member

change this to k8s-infra-prow-build

change L93 to serviceAccountName: gcb-builder-releng-test (ref: kubernetes/k8s.io#1626)

Member Author

thanks @spiffxp. updated

@cpanato cpanato force-pushed the update-releng-image-job branch from 5e6de58 to a834252 Compare February 9, 2021 10:51
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 9, 2021
@@ -102,6 +103,13 @@ presubmits:
env:
- name: LOG_TO_STDOUT
value: "y"
resources:
requests:
cpu: 1000m
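Review bot: the `requests` entry under `resources:` asks for `cpu: 1000m`, but nothing in the YAML records why that figure was chosen. Since the pod mainly hands the build off to GCB, add a short comment above `resources:` saying so, so a later reader does not raise the request to match the image-build workload.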
Member Author

the job will run on GCB so I don't think we need many resources

@cpanato cpanato requested review from spiffxp and hasheddan February 9, 2021 11:40
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 9, 2021
Member

@spiffxp spiffxp left a comment

/lgtm
/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 9, 2021
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 9, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cpanato, spiffxp

@k8s-ci-robot k8s-ci-robot merged commit 315c7b1 into kubernetes:master Feb 9, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.21 milestone Feb 9, 2021
@k8s-ci-robot
Contributor

@cpanato: Updated the job-config configmap in namespace default at cluster test-infra-trusted using the following files:

  • key release-config.yaml using file config/jobs/kubernetes/release/release-config.yaml
