
feat(executor): Wait for termination using pod watch for PNS and K8SAPI executors. #4253

Merged (64 commits), Oct 22, 2020

Conversation

@alexec (Contributor) commented Oct 9, 2020

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this is a chore.
  • The title of the PR is (a) conventional, (b) states what changed, and (c) suffixes the related issues number. E.g. "fix(controller): Updates such and such. Fixes #1234".
  • My organization is added to USERS.md.
  • I've signed the CLA.
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My builds are green. Try syncing with master if they are not.

This PR introduces two improvements:

  • If the PNS executor cannot get the main PID (because it is runAsNonRoot), it uses a pod watch to determine if the main container terminated. This allows you to use PNS with runAsNonRoot, improving its security.
  • Replaces the K8SAPI executor hard-loop with the same code, improving its scalability.
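The watch-based wait the PR describes, written out as an added example (this is not the PR's own code, and the Kubernetes types are constructed stand-ins so it runs without a cluster or client-go). It keeps the PR's function name UntilTerminated but the signature is an assumption: instead of a kubernetes.Interface it consumes a channel of pod events, which is what a client-go watch's ResultChan() would feed it. The point it shows is the one that matters for scalability: the executor sleeps on the channel and does one unit of work per event, and it returns an error rather than hanging when the pod disappears or the watch stream closes.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Stand-ins for the Kubernetes objects a pod watch delivers. Constructed for
// this example (not client-go's types); the field names follow corev1.Pod.Status.
type EventType string

const (
	Added    EventType = "ADDED"
	Modified EventType = "MODIFIED"
	Deleted  EventType = "DELETED"
)

type ContainerStateTerminated struct{ ExitCode int32 }

type ContainerStatus struct {
	ContainerID string
	Terminated  *ContainerStateTerminated // nil while waiting or running
}

type Pod struct {
	Name              string
	ContainerStatuses []ContainerStatus
}

type Event struct {
	Type EventType
	Pod  Pod
}

var (
	ErrWatchClosed = errors.New("watch closed before container terminated")
	ErrPodDeleted  = errors.New("pod deleted before container terminated")
)

// UntilTerminated blocks until the watch reports that the container with the
// given ID has terminated, then returns its exit code. There is no polling
// loop: the goroutine only wakes when an event arrives. It fails fast if the
// pod is deleted, if the watch stream closes (a real caller would re-open the
// watch from the last resourceVersion) or if the context expires.
func UntilTerminated(ctx context.Context, events <-chan Event, podName, containerID string) (int32, error) {
	for {
		select {
		case <-ctx.Done():
			return -1, ctx.Err()
		case ev, ok := <-events:
			if !ok {
				return -1, ErrWatchClosed
			}
			// A watch opened with a metadata.name field selector only delivers
			// this pod; the check guards against a broader watch.
			if ev.Pod.Name != podName {
				continue
			}
			if ev.Type == Deleted {
				return -1, ErrPodDeleted
			}
			for _, cs := range ev.Pod.ContainerStatuses {
				if cs.ContainerID == containerID && cs.Terminated != nil {
					return cs.Terminated.ExitCode, nil
				}
			}
		}
	}
}

// podEvent builds one watch event for a single-container pod (test helper;
// each call allocates a fresh status slice so events do not alias each other).
func podEvent(t EventType, name, containerID string, term *ContainerStateTerminated) Event {
	return Event{Type: t, Pod: Pod{Name: name, ContainerStatuses: []ContainerStatus{
		{ContainerID: containerID, Terminated: term},
	}}}
}

func main() {
	// Constructed event stream: the main container is added, updated once while
	// still running, then reported terminated with exit code 0.
	events := make(chan Event, 3)
	events <- podEvent(Added, "wf-1", "containerd://main", nil)
	events <- podEvent(Modified, "wf-1", "containerd://main", nil)
	events <- podEvent(Modified, "wf-1", "containerd://main", &ContainerStateTerminated{ExitCode: 0})

	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	code, err := UntilTerminated(ctx, events, "wf-1", "containerd://main")
	fmt.Println("exit code:", code, "err:", err)
}
```

With a real client-go watch the same loop sits behind `w.ResultChan()`, and the context deadline is what bounds how long a non-root PNS executor waits when it cannot observe the main process directly; the Deleted and closed-channel branches are the cases a hard loop silently spins on.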

@alexec alexec added epic/scaling type/security Security related labels Oct 9, 2020
@alexec alexec requested a review from dtaniwaki October 9, 2020 15:13
@alexec alexec marked this pull request as ready for review October 14, 2020 22:33

func UntilTerminated(kubernetesInterface kubernetes.Interface, namespace, podName, containerID string) error {
log.Infof("Waiting for container %s to be terminated", containerID)
podInterface := kubernetesInterface.CoreV1().Pods(namespace)
A repository member commented on this hunk: I like this idea. It is safer than earlier

@sarabala1979 (Member) left a comment:

LGTM the implementations. @jessesuen Can you quickly look at the security point of view?
