Issue #134 Permission issue when purging images from cache on OpenShift

.github/workflows/build-kube-fledged.yml

@@ -91,6 +91,10 @@ jobs:
       with:
         go-version: ${{ inputs.golang_version }}
 
+    - name: Install dependencies
+      run: |
+        go get -u golang.org/x/lint/golint
+
     - name: Run verify scripts
       run: |
         hack/verify-codegen.sh

.github/workflows/cron-cleanup-workflow-runs.yml

@@ -0,0 +1,19 @@
+name: Cron delete old workflow runs
+on:
+  schedule:
+    - cron: '0 0 * * *'
+# Run daily, at 00:00.
+
+jobs:
+  del_runs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Delete workflow runs
+        uses: Mattraks/delete-workflow-runs@v2
+        with:
+          token: ${{ github.token }}
+          repository: ${{ github.repository }}
+          # workflow runs older than 30 days are deleted
+          retain_days: 30
+          # however, minimum 10 runs will be retained
+          keep_minimum_runs: 10

.github/workflows/manual-cleanup-workflow-runs.yml

@@ -0,0 +1,24 @@
+name: Manual delete old workflow runs
+on:
+  workflow_dispatch:
+    inputs:
+      days:
+        description: 'Number of days.'
+        required: true
+        default: 30
+      minimum_runs:
+        description: 'The minimum runs to keep for each workflow.'
+        required: true
+        default: 10
+
+jobs:
+  del_runs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Delete workflow runs
+        uses: Mattraks/delete-workflow-runs@v2
+        with:
+          token: ${{ github.token }}
+          repository: ${{ github.repository }}
+          retain_days: ${{ github.event.inputs.days }}
+          keep_minimum_runs: ${{ github.event.inputs.minimum_runs }}

README.md

@@ -321,10 +321,12 @@ For more detailed description, go through _kube-fledged's_ [design proposal](doc
 
 ## Configuration Flags for Kubefledged Controller
 
-`--image-pull-deadline-duration:` Maximum duration allowed for pulling an image. After this duration, image pull is considered to have failed. default "5m"
-
 `--image-cache-refresh-frequency:` The image cache is refreshed periodically to ensure the cache is up to date. Setting this flag to "0s" will disable refresh. default "15m"
 
+`--image-delete-job-host-network:` Whether the pod for the image delete job should be run with 'HostNetwork: true'. Default value: false.
+
+`--image-pull-deadline-duration:` Maximum duration allowed for pulling an image. After this duration, image pull is considered to have failed. default "5m"
+
 `--image-pull-policy:` Image pull policy for pulling images into and refreshing the cache. Possible values are 'IfNotPresent' and 'Always'. Default value is 'IfNotPresent'. Image with no or ":latest" tag are always pulled.
 
 `--service-account-name:` serviceAccountName used in Jobs created for pulling or deleting images. Optional flag. If not specified the default service account of the namespace is used

cmd/controller/app/controller.go

@@ -96,7 +96,8 @@ func NewController(
 	criClientImage string,
 	busyboxImage string,
 	imagePullPolicy string,
-	serviceAccountName string) *Controller {
+	serviceAccountName string,
+	imageDeleteJobHostNetwork bool) *Controller {
 
 	runtime.Must(fledgedscheme.AddToScheme(scheme.Scheme))
 	glog.V(4).Info("Creating event broadcaster")
@@ -119,8 +120,9 @@ func NewController(
 		imageCacheRefreshFrequency: imageCacheRefreshFrequency,
 	}
 
-	imageManager, _ := images.NewImageManager(controller.workqueue, controller.imageworkqueue, controller.kubeclientset,
-		controller.fledgedNameSpace, imagePullDeadlineDuration, criClientImage, busyboxImage, imagePullPolicy, serviceAccountName)
+	imageManager, _ := images.NewImageManager(controller.workqueue, controller.imageworkqueue,
+		controller.kubeclientset, controller.fledgedNameSpace, imagePullDeadlineDuration,
+		criClientImage, busyboxImage, imagePullPolicy, serviceAccountName, imageDeleteJobHostNetwork)
 	controller.imageManager = imageManager
 
 	glog.Info("Setting up event handlers")

cmd/controller/app/controller_test.go

@@ -64,6 +64,7 @@ func newTestController(kubeclientset kubernetes.Interface, fledgedclientset clie
 	busyboxImage := "busybox:latest"
 	imagePullPolicy := "IfNotPresent"
 	serviceAccountName := "sa-kube-fledged"
+	imageDeleteJobHostNetwork := false
 
 	/* 	startInformers := true
 	   	if startInformers {
@@ -73,8 +74,10 @@ func newTestController(kubeclientset kubernetes.Interface, fledgedclientset clie
 	   		fledgedInformerFactory.Start(stopCh)
 	   	} */
 
-	controller := NewController(kubeclientset, fledgedclientset, fledgedNameSpace, nodeInformer, imagecacheInformer,
-		imageCacheRefreshFrequency, imagePullDeadlineDuration, criClientImage, busyboxImage, imagePullPolicy, serviceAccountName)
+	controller := NewController(kubeclientset,
+		fledgedclientset, fledgedNameSpace, nodeInformer, imagecacheInformer,
+		imageCacheRefreshFrequency, imagePullDeadlineDuration, criClientImage,
+		busyboxImage, imagePullPolicy, serviceAccountName, imageDeleteJobHostNetwork)
 	controller.nodesSynced = func() bool { return true }
 	controller.imageCachesSynced = func() bool { return true }
 	return controller, nodeInformer, imagecacheInformer

cmd/controller/main.go

@@ -42,6 +42,7 @@ var (
 	imagePullPolicy            string
 	fledgedNameSpace           string
 	serviceAccountName         string
+	imageDeleteJobHostNetwork  bool
 )
 
 func main() {
@@ -71,7 +72,8 @@ func main() {
 	controller := app.NewController(kubeClient, fledgedClient, fledgedNameSpace,
 		kubeInformerFactory.Core().V1().Nodes(),
 		fledgedInformerFactory.Kubefledged().V1alpha2().ImageCaches(),
-		imageCacheRefreshFrequency, imagePullDeadlineDuration, criClientImage, busyboxImage, imagePullPolicy, serviceAccountName)
+		imageCacheRefreshFrequency, imagePullDeadlineDuration, criClientImage,
+		busyboxImage, imagePullPolicy, serviceAccountName, imageDeleteJobHostNetwork)
 
 	glog.Info("Starting pre-flight checks")
 	if err = controller.PreFlightChecks(); err != nil {
@@ -101,4 +103,5 @@ func init() {
 		busyboxImage = "busybox:1.29.2"
 	}
 	flag.StringVar(&serviceAccountName, "service-account-name", "", "serviceAccountName used in Jobs created for pulling/deleting images. Optional flag. If not specified the default service account of the namespace is used")
+	flag.BoolVar(&imageDeleteJobHostNetwork, "image-delete-job-host-network", false, "whether the pod for the image delete job should be run with 'HostNetwork: true'. Default value: false")
 }

deploy/kubefledged-operator/helm-charts/kubefledged/README.md

@@ -45,15 +45,16 @@ Kube-fledged is a kubernetes operator for creating and managing a cache of conta
 | image.kubefledgedCRIClientRepository | docker.io/senthilrch/kubefledged-cri-client | Repository name of kubefledged-cri-client image |
 | image.kubefledgedWebhookServerRepository | docker.io/senthilrch/kubefledged-webhook-server | Repository name of kubefledged-webhook-server image |
 | image.pullPolicy | Always | Image pull policy for kubefledged-controller and kubefledged-webhook-server pods |
-| args.controllerLogLevel | INFO | Log level of kubefledged-controller |
-| args.controllerImagePullDeadlineDuration | 5m | Maximum duration allowed for pulling an image. After this duration, image pull is considered to have failed |
 | args.controllerImageCacheRefreshFrequency | 15m | The image cache is refreshed periodically to ensure the cache is up to date. Setting this flag to "0s" will disable refresh |
+| args.controllerImageDeleteJobHostNetwork | false | Whether the pod for the image delete job should be run with 'HostNetwork: true' |
+| args.controllerImagePullDeadlineDuration | 5m | Maximum duration allowed for pulling an image. After this duration, image pull is considered to have failed |
 | args.controllerImagePullPolicy | IfNotPresent | Image pull policy for pulling images into and refreshing the cache. Possible values are 'IfNotPresent' and 'Always'. Default value is 'IfNotPresent'. Image with no or ":latest" tag are always pulled |
 | args.controllerServiceAccountName | "" | serviceAccountName used in Jobs created for pulling or deleting images. Optional flag. If not specified the default service account of the namespace is used |
-| args.webhookServerLogLevel | INFO | Log level of kubefledged-webhook-server |
+| args.controllerLogLevel | INFO | Log level of kubefledged-controller |
 | args.webhookServerCertFile | /var/run/secrets/webhook-server/tls.crt | Path of server certificate of kubefledged-webhook-server |
 | args.webhookServerKeyFile | /var/run/secrets/webhook-server/tls.key | Path of server key of kubefledged-webhook-server |
 | args.webhookServerPort | 443 | Listening port of kubefledged-webhook-server |
+| args.webhookServerLogLevel | INFO | Log level of kubefledged-webhook-server |
 | nameOverride | "" | nameOverride replaces the name of the chart in Chart.yaml, when this is used to construct Kubernetes object names |
 | fullnameOverride | "" | fullnameOverride completely replaces the generated name |
 |  |  |  |

deploy/kubefledged-operator/helm-charts/kubefledged/templates/deployment-controller.yaml

@@ -38,6 +38,7 @@ spec:
           {{- if .Values.args.controllerServiceAccountName }}
             - "--service-account-name={{ .Values.args.controllerServiceAccountName }}"
           {{- end }}
+            - "--image-delete-job-host-network={{ .Values.args.controllerImageDeleteJobHostNetwork }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
             - name: KUBEFLEDGED_NAMESPACE

deploy/kubefledged-operator/helm-charts/kubefledged/values.yaml

@@ -25,6 +25,7 @@ args:
   controllerImageCacheRefreshFrequency: 15m
   controllerImagePullPolicy: IfNotPresent
   controllerServiceAccountName: ""
+  controllerImageDeleteJobHostNetwork: false
   webhookServerLogLevel: INFO
   webhookServerCertFile: /var/run/secrets/webhook-server/tls.crt
   webhookServerKeyFile: /var/run/secrets/webhook-server/tls.key

docs/helm-parameters.md

@@ -11,15 +11,16 @@
 | image.kubefledgedCRIClientRepository | docker.io/senthilrch/kubefledged-cri-client | Repository name of kubefledged-cri-client image |
 | image.kubefledgedWebhookServerRepository | docker.io/senthilrch/kubefledged-webhook-server | Repository name of kubefledged-webhook-server image |
 | image.pullPolicy | Always | Image pull policy for kubefledged-controller and kubefledged-webhook-server pods |
-| args.controllerLogLevel | INFO | Log level of kubefledged-controller |
-| args.controllerImagePullDeadlineDuration | 5m | Maximum duration allowed for pulling an image. After this duration, image pull is considered to have failed |
 | args.controllerImageCacheRefreshFrequency | 15m | The image cache is refreshed periodically to ensure the cache is up to date. Setting this flag to "0s" will disable refresh |
+| args.controllerImageDeleteJobHostNetwork | false | Whether the pod for the image delete job should be run with 'HostNetwork: true' |
+| args.controllerImagePullDeadlineDuration | 5m | Maximum duration allowed for pulling an image. After this duration, image pull is considered to have failed |
 | args.controllerImagePullPolicy | IfNotPresent | Image pull policy for pulling images into and refreshing the cache. Possible values are 'IfNotPresent' and 'Always'. Default value is 'IfNotPresent'. Image with no or ":latest" tag are always pulled |
 | args.controllerServiceAccountName | "" | serviceAccountName used in Jobs created for pulling or deleting images. Optional flag. If not specified the default service account of the namespace is used |
-| args.webhookServerLogLevel | INFO | Log level of kubefledged-webhook-server |
+| args.controllerLogLevel | INFO | Log level of kubefledged-controller |
 | args.webhookServerCertFile | /var/run/secrets/webhook-server/tls.crt | Path of server certificate of kubefledged-webhook-server |
 | args.webhookServerKeyFile | /var/run/secrets/webhook-server/tls.key | Path of server key of kubefledged-webhook-server |
 | args.webhookServerPort | 443 | Listening port of kubefledged-webhook-server |
+| args.webhookServerLogLevel | INFO | Log level of kubefledged-webhook-server |
 | nameOverride | "" | nameOverride replaces the name of the chart in Chart.yaml, when this is used to construct Kubernetes object names |
 | fullnameOverride | "" | fullnameOverride completely replaces the generated name |
 |  |  |  |

go.mod

@@ -13,34 +13,32 @@ require (
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/evanphx/json-patch v4.9.0+incompatible // indirect
-	github.com/go-logr/logr v0.4.0 // indirect
+	github.com/go-logr/logr v1.2.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
-	github.com/golang/protobuf v1.4.3 // indirect
-	github.com/google/go-cmp v0.5.2 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/go-cmp v0.5.5 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
-	github.com/googleapis/gnostic v0.4.1 // indirect
+	github.com/googleapis/gnostic v0.5.1 // indirect
 	github.com/hashicorp/golang-lru v0.5.1 // indirect
-	github.com/json-iterator/go v1.1.10 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.1 // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-        golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
-	golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f // indirect
+	golang.org/x/net v0.0.0-20220225172249-27dd8689420f // indirect
 	golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c // indirect
-	golang.org/x/sys v0.0.0-20211019181941-9d821ace8654 // indirect
-	golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d // indirect
+	golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5 // indirect
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect
-        golang.org/x/tools v0.1.9 // indirect
 	google.golang.org/appengine v1.6.6 // indirect
-	google.golang.org/protobuf v1.25.0 // indirect
+	google.golang.org/protobuf v1.27.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-        k8s.io/code-generator v0.21.1 // indirect
-	k8s.io/klog/v2 v2.8.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7 // indirect
-	k8s.io/utils v0.0.0-20201110183641-67b214c5f920 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	k8s.io/klog/v2 v2.40.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20220310132336-3f90b8c54bbb // indirect
+	k8s.io/utils v0.0.0-20210802155522-efc7438f0176 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.1.0 // indirect
-	sigs.k8s.io/yaml v1.2.0 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
 )