SAP-archive / karydia

Kubernetes Security Walnut

Provide simple install option using Helm #115

Closed Neumann-Nils closed 5 years ago

Neumann-Nils commented 5 years ago

Description

This pull request allows a user to install karydia in a simple two step process. This process includes:

  1. Installing Helm and Tiller
  2. Installing karydia itself using Helm

The installation is fully automated and executes the needed pre-install steps in an init-container (including the creation of certificates) and registers the webhooks using a post-install hook. A user can install and delete karydia as a whole using the Helm commands (e.g. helm install and helm delete). Thus, it allows an easy handling of the karydia installation process and versioning.

The process is well documented in a separate readme and resolves #58.

Checklist

Before submitting this PR, please make sure:

dacappo commented 5 years ago

We can also think about a way to delete the karydia-post container when completed:

kube-system   karydia-post-6jhpj                        0/1     Completed

Let's set up a meeting to discuss the mentioned points.

Neumann-Nils commented 5 years ago

> We can also think about a way to delete the karydia-post container when completed:
>
> kube-system   karydia-post-6jhpj                        0/1     Completed
>
> Let's set up a meeting to discuss the mentioned points.

Will be deleted by Helm after the installation process (078949851a4f569f1260a10a5d2908b8afaf660b)

Neumann-Nils commented 5 years ago

For this pull request to be merged, the following To-dos are necessary:

Neumann-Nils commented 5 years ago

The installation process is now updated to fit the new changes. This includes the karydia config, whose values can easily be configured in the values.yaml file. Furthermore, one can install the development version by changing the dev.active variable.

All these changes are documented.

Neumann-Nils commented 5 years ago

Sometimes I encounter a nil pointer exception within the network reconciler when pods restart or karydia re-installs:

E0524 05:03:51.880503       1 runtime.go:66] Observed a panic: "invalid memory address or nil pointer dereference" (runtime error: invalid memory address or nil pointer dereference)
/go/src/github.com/karydia/karydia/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go:72
/go/src/github.com/karydia/karydia/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go:65
/go/src/github.com/karydia/karydia/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go:51
/usr/local/go/src/runtime/panic.go:522
/usr/local/go/src/runtime/panic.go:82
/usr/local/go/src/runtime/signal_unix.go:390
/go/src/github.com/karydia/karydia/pkg/controller/networkpolicy_reconciler.go:353
/go/src/github.com/karydia/karydia/pkg/controller/networkpolicy_reconciler.go:310
/go/src/github.com/karydia/karydia/pkg/controller/networkpolicy_reconciler.go:207
/go/src/github.com/karydia/karydia/pkg/controller/networkpolicy_reconciler.go:215
/go/src/github.com/karydia/karydia/pkg/controller/networkpolicy_reconciler.go:148
/go/src/github.com/karydia/karydia/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133
/go/src/github.com/karydia/karydia/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:134
/go/src/github.com/karydia/karydia/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88
/usr/local/go/src/runtime/asm_amd64.s:1337
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
    panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1160bf5]

This problem may be addressed by #128. Should be checked after the changes are merged.

Neumann-Nils commented 5 years ago

> Sometimes I encounter a nil pointer exception within the network reconciler when pods restart or karydia re-installs:
>
> E0524 05:03:51.880503       1 runtime.go:66] Observed a panic: "invalid memory address or nil pointer dereference" (runtime error: invalid memory address or nil pointer dereference)
> /go/src/github.com/karydia/karydia/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go:72
> /go/src/github.com/karydia/karydia/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go:65
> /go/src/github.com/karydia/karydia/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go:51
> /usr/local/go/src/runtime/panic.go:522
> /usr/local/go/src/runtime/panic.go:82
> /usr/local/go/src/runtime/signal_unix.go:390
> /go/src/github.com/karydia/karydia/pkg/controller/networkpolicy_reconciler.go:353
> /go/src/github.com/karydia/karydia/pkg/controller/networkpolicy_reconciler.go:310
> /go/src/github.com/karydia/karydia/pkg/controller/networkpolicy_reconciler.go:207
> /go/src/github.com/karydia/karydia/pkg/controller/networkpolicy_reconciler.go:215
> /go/src/github.com/karydia/karydia/pkg/controller/networkpolicy_reconciler.go:148
> /go/src/github.com/karydia/karydia/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133
> /go/src/github.com/karydia/karydia/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:134
> /go/src/github.com/karydia/karydia/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88
> /usr/local/go/src/runtime/asm_amd64.s:1337
> panic: runtime error: invalid memory address or nil pointer dereference [recovered]
>     panic: runtime error: invalid memory address or nil pointer dereference
> [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1160bf5]
>
> This problem may be addressed by #128. Should be checked after the changes are merged.

Looks like it works fine again.

dacappo commented 5 years ago

Installation works well and as expected, but unfortunately our security measures don't work anymore. Creating a new namespace with kubectl create ns foobar will indirectly create a default ServiceAccount which mounts its ServiceAccountToken. This shouldn't happen with the change-default config.

What makes me worry more is the segfault I get:

panic: runtime error: invalid memory address or nil pointer dereference [recovered]
    panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1b5a2dd]

goroutine 733 [running]:
testing.tRunner.func1(0xc0005ee700)
    /usr/local/Cellar/go/1.11.4/libexec/src/testing/testing.go:792 +0x387
panic(0x1c55260, 0x286c360)
    /usr/local/Cellar/go/1.11.4/libexec/src/runtime/panic.go:513 +0x1b9
github.com/karydia/karydia/tests/e2e.TestAutomountServiceAccountTokenDefaultServiceAccountFromConfig(0xc0005ee700)

Neumann-Nils commented 5 years ago

To run the e2e tests against a cluster installed with helm (and not using the normal process for the e2e-tests), comment out line 48-78 in "/tests/e2e/main_test.go".

Running these tests will lead to the following output:

go test -v ./tests/e2e/... --server "" --kubeconfig "/Users/d064871/.kube/config"
=== RUN   TestAutomountServiceAccountToken
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomounttruePodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountfalsePodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationtrueServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationtrueServiceAccountAutomounttruePodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationtrueServiceAccountAutomountfalsePodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationfalseServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationfalseServiceAccountAutomounttruePodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationfalseServiceAccountAutomountfalsePodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomounttruePodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountfalsePodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationtrueServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationtrueServiceAccountAutomounttruePodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationtrueServiceAccountAutomountfalsePodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationfalseServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationfalseServiceAccountAutomounttruePodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationfalseServiceAccountAutomountfalsePodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationUndefinedServiceAccountAutomounttruePodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountfalsePodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationtrueServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationtrueServiceAccountAutomounttruePodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationtrueServiceAccountAutomountfalsePodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationfalseServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationfalseServiceAccountAutomounttruePodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationfalseServiceAccountAutomountfalsePodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomounttruePodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountfalsePodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationtrueServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationtrueServiceAccountAutomounttruePodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationtrueServiceAccountAutomountfalsePodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationfalseServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationfalseServiceAccountAutomounttruePodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationfalseServiceAccountAutomountfalsePodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomounttruePodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountfalsePodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationtrueServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationtrueServiceAccountAutomounttruePodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationtrueServiceAccountAutomountfalsePodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationfalseServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationfalseServiceAccountAutomounttruePodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationfalseServiceAccountAutomountfalsePodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationUndefinedServiceAccountAutomounttruePodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountfalsePodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationtrueServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationtrueServiceAccountAutomounttruePodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationtrueServiceAccountAutomountfalsePodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationfalseServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationfalseServiceAccountAutomounttruePodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationfalseServiceAccountAutomountfalsePodAutomount
--- FAIL: TestAutomountServiceAccountToken (287.10s)
    --- FAIL: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount (0.64s)
        admission_automount_token_test.go:190: expected is mounted to be false but is true with [{default-token-sh5tr {nil nil nil nil nil &SecretVolumeSource{SecretName:default-token-sh5tr,Items:[],DefaultMode:*420,Optional:nil,} nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil}}]
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomounttruePodAutomount (9.55s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountfalsePodAutomount (6.52s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationtrueServiceAccountAutomountUndefinedPodAutomount (3.64s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationtrueServiceAccountAutomounttruePodAutomount (6.65s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationtrueServiceAccountAutomountfalsePodAutomount (3.58s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationfalseServiceAccountAutomountUndefinedPodAutomount (6.63s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationfalseServiceAccountAutomounttruePodAutomount (6.69s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationfalseServiceAccountAutomountfalsePodAutomount (3.71s)
    --- FAIL: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount (0.65s)
        admission_automount_token_test.go:190: expected is mounted to be false but is true with [{default-token-pst5z {nil nil nil nil nil &SecretVolumeSource{SecretName:default-token-pst5z,Items:[],DefaultMode:*420,Optional:nil,} nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil}}]
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomounttruePodAutomount (6.72s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountfalsePodAutomount (3.51s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationtrueServiceAccountAutomountUndefinedPodAutomount (6.61s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationtrueServiceAccountAutomounttruePodAutomount (6.61s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationtrueServiceAccountAutomountfalsePodAutomount (3.84s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationfalseServiceAccountAutomountUndefinedPodAutomount (6.58s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationfalseServiceAccountAutomounttruePodAutomount (6.64s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationfalseServiceAccountAutomountfalsePodAutomount (3.61s)
    --- FAIL: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount (0.53s)
        admission_automount_token_test.go:190: expected is mounted to be false but is true with [{default-token-2jtx4 {nil nil nil nil nil &SecretVolumeSource{SecretName:default-token-2jtx4,Items:[],DefaultMode:*420,Optional:nil,} nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil}}]
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationUndefinedServiceAccountAutomounttruePodAutomount (6.68s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountfalsePodAutomount (3.53s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationtrueServiceAccountAutomountUndefinedPodAutomount (6.60s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationtrueServiceAccountAutomounttruePodAutomount (6.61s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationtrueServiceAccountAutomountfalsePodAutomount (3.59s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationfalseServiceAccountAutomountUndefinedPodAutomount (3.63s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationfalseServiceAccountAutomounttruePodAutomount (6.58s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationfalseServiceAccountAutomountfalsePodAutomount (6.56s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount (7.33s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomounttruePodAutomount (4.39s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountfalsePodAutomount (3.38s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationtrueServiceAccountAutomountUndefinedPodAutomount (7.43s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationtrueServiceAccountAutomounttruePodAutomount (7.42s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationtrueServiceAccountAutomountfalsePodAutomount (3.43s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationfalseServiceAccountAutomountUndefinedPodAutomount (3.37s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationfalseServiceAccountAutomounttruePodAutomount (7.46s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationfalseServiceAccountAutomountfalsePodAutomount (6.36s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount (7.38s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomounttruePodAutomount (7.36s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountfalsePodAutomount (6.37s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationtrueServiceAccountAutomountUndefinedPodAutomount (7.41s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationtrueServiceAccountAutomounttruePodAutomount (7.40s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationtrueServiceAccountAutomountfalsePodAutomount (3.37s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationfalseServiceAccountAutomountUndefinedPodAutomount (3.45s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationfalseServiceAccountAutomounttruePodAutomount (7.40s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationfalseServiceAccountAutomountfalsePodAutomount (6.35s)
    --- FAIL: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount (1.23s)
        admission_automount_token_test.go:190: expected is mounted to be false but is true with [{dedicated-token-7flzw {nil nil nil nil nil &SecretVolumeSource{SecretName:dedicated-token-7flzw,Items:[],DefaultMode:*420,Optional:nil,} nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil}}]
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationUndefinedServiceAccountAutomounttruePodAutomount (7.35s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountfalsePodAutomount (6.41s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationtrueServiceAccountAutomountUndefinedPodAutomount (6.41s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationtrueServiceAccountAutomounttruePodAutomount (4.37s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationtrueServiceAccountAutomountfalsePodAutomount (3.41s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationfalseServiceAccountAutomountUndefinedPodAutomount (3.34s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationfalseServiceAccountAutomounttruePodAutomount (7.43s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationfalseServiceAccountAutomountfalsePodAutomount (3.39s)
=== RUN   TestAutomountServiceAccountTokenInDefaultNamespace
--- PASS: TestAutomountServiceAccountTokenInDefaultNamespace (3.16s)
    admission_automount_token_test.go:236: expected is mounted to be false but is true
=== RUN   TestAutomountServiceAccountTokenEditServiceAccount
--- FAIL: TestAutomountServiceAccountTokenEditServiceAccount (0.31s)
    admission_automount_token_test.go:268: failed to update service account: Operation cannot be fulfilled on serviceaccounts "dedicated": the object has been modified; please apply your changes to the latest version and try again
=== RUN   TestAutomountServiceAccountTokenDefaultServiceAccountFromConfig
--- FAIL: TestAutomountServiceAccountTokenDefaultServiceAccountFromConfig (0.43s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
    panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1bd88aa]

goroutine 740 [running]:
testing.tRunner.func1(0xc0005a2200)
    /usr/local/Cellar/go/1.12.1/libexec/src/testing/testing.go:830 +0x392
panic(0x1cd6680, 0x29f84f0)
    /usr/local/Cellar/go/1.12.1/libexec/src/runtime/panic.go:522 +0x1b5
github.com/karydia/karydia/tests/e2e.TestAutomountServiceAccountTokenDefaultServiceAccountFromConfig(0xc0005a2200)
    /Users/d064871/go/src/github.com/karydia/karydia/tests/e2e/admission_automount_token_test.go:303 +0x2ba
testing.tRunner(0xc0005a2200, 0x1e85410)
    /usr/local/Cellar/go/1.12.1/libexec/src/testing/testing.go:865 +0xc0
created by testing.(*T).Run
    /usr/local/Cellar/go/1.12.1/libexec/src/testing/testing.go:916 +0x35a
FAIL    github.com/karydia/karydia/tests/e2e    291.041s
?       github.com/karydia/karydia/tests/e2e/framework  [no test files]
make: *** [e2e-test] Error 1

If you want to have a look at what YAML files are created by helm, see this branch.

Neumann-Nils commented 5 years ago

> Installation works well and as expected, but unfortunately our security measures don't work anymore. Creating a new namespace with kubectl create ns foobar will indirectly create a default ServiceAccount which mounts its ServiceAccountToken. This shouldn't happen with the change-default config.
>
> What makes me worry more is the segfault I get:
>
> panic: runtime error: invalid memory address or nil pointer dereference [recovered]
>   panic: runtime error: invalid memory address or nil pointer dereference
> [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1b5a2dd]
>
> goroutine 733 [running]:
> testing.tRunner.func1(0xc0005ee700)
>   /usr/local/Cellar/go/1.11.4/libexec/src/testing/testing.go:792 +0x387
> panic(0x1c55260, 0x286c360)
>   /usr/local/Cellar/go/1.11.4/libexec/src/runtime/panic.go:513 +0x1b9
> github.com/karydia/karydia/tests/e2e.TestAutomountServiceAccountTokenDefaultServiceAccountFromConfig(0xc0005ee700)

I think the segfault is based on unwary use of the *sAcc.AutomountServiceAccountToken pointer here. This check should look like this:

if sAcc.AutomountServiceAccountToken != nil && *sAcc.AutomountServiceAccountToken != false {

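Added example (not karydia's code and not part of this thread): the nil-safe check suggested above, next to the crashing pattern it replaces, so the difference can be run and observed offline. Kubernetes models AutomountServiceAccountToken as *bool, which gives the field three states (nil for unset, true, false); a ServiceAccount created implicitly with a new namespace leaves it unset, which is exactly the input that dereferences nil. The ServiceAccountSpec struct, boolPtr and callRecovering are constructed stand-ins for this example, not types or helpers from karydia or client-go.

```go
package main

import "fmt"

// ServiceAccountSpec is a constructed stand-in for the Kubernetes ServiceAccount
// type: the API models AutomountServiceAccountToken as *bool, so the field has
// three states, nil (unset), true and false. Example code, not karydia's.
type ServiceAccountSpec struct {
	Name                         string
	AutomountServiceAccountToken *bool
}

// boolPtr builds a *bool literal, the way an explicit true/false arrives from
// a manifest that sets the field.
func boolPtr(b bool) *bool { return &b }

// unsafeAutomount reproduces the crashing pattern: it dereferences the pointer
// without checking for nil, so a ServiceAccount that never set the field
// triggers "invalid memory address or nil pointer dereference".
func unsafeAutomount(sAcc ServiceAccountSpec) bool {
	return *sAcc.AutomountServiceAccountToken != false
}

// automountExplicitlyTrue is the nil-safe check from the comment above: the
// short-circuit && guarantees the pointer is only dereferenced when non-nil,
// and an unset field is treated as "not explicitly enabled".
func automountExplicitlyTrue(sAcc ServiceAccountSpec) bool {
	return sAcc.AutomountServiceAccountToken != nil && *sAcc.AutomountServiceAccountToken != false
}

// callRecovering runs fn and reports whether it panicked instead of letting the
// panic propagate. apimachinery's HandleCrash, which logged the "Observed a
// panic" line in the reconciler trace above, recovers the same way but
// re-panics by default, which is why the process still died there.
func callRecovering(fn func() bool) (result bool, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	result = fn()
	return result, false
}

func main() {
	// Constructed inputs covering all three states of the field.
	cases := []ServiceAccountSpec{
		{Name: "unset"},
		{Name: "explicit-true", AutomountServiceAccountToken: boolPtr(true)},
		{Name: "explicit-false", AutomountServiceAccountToken: boolPtr(false)},
	}
	for _, sa := range cases {
		_, panicked := callRecovering(func() bool { return unsafeAutomount(sa) })
		fmt.Printf("%-14s unsafe check panicked=%-5v safe check=%v\n",
			sa.Name, panicked, automountExplicitlyTrue(sa))
	}
}
```

The unset case is the one that matters for an admission webhook or controller: every implicitly created default ServiceAccount arrives with the field nil, so a dereference without the guard turns an ordinary namespace creation into a crash of the component that is supposed to be enforcing the policy.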
dacappo commented 5 years ago

My last commit adds serviceaccounts as resource for the admission hooks as configured in master. This lets the integration tests succeed.