Closed Neumann-Nils closed 5 years ago
We can also think about a way to delete the karydia-post container when completed:
kube-system karydia-post-6jhpj 0/1 Completed
Let's set up a meeting to discuss the mentioned points.
Will be deleted by Helm after the installation process (078949851a4f569f1260a10a5d2908b8afaf660b)
For this pull request to be merged, the following to-dos are necessary:
The installation process is now updated to fit the new changes. This includes the karydia config, whose values can easily be configured in the values.yaml file. Furthermore, one can install the development version by changing the dev.active variable.
All these changes are documented.
Sometimes I encounter a nil pointer exception within the network reconciler when pods restart or karydia is re-installed:
E0524 05:03:51.880503 1 runtime.go:66] Observed a panic: "invalid memory address or nil pointer dereference" (runtime error: invalid memory address or nil pointer dereference)
/go/src/github.com/karydia/karydia/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go:72
/go/src/github.com/karydia/karydia/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go:65
/go/src/github.com/karydia/karydia/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go:51
/usr/local/go/src/runtime/panic.go:522
/usr/local/go/src/runtime/panic.go:82
/usr/local/go/src/runtime/signal_unix.go:390
/go/src/github.com/karydia/karydia/pkg/controller/networkpolicy_reconciler.go:353
/go/src/github.com/karydia/karydia/pkg/controller/networkpolicy_reconciler.go:310
/go/src/github.com/karydia/karydia/pkg/controller/networkpolicy_reconciler.go:207
/go/src/github.com/karydia/karydia/pkg/controller/networkpolicy_reconciler.go:215
/go/src/github.com/karydia/karydia/pkg/controller/networkpolicy_reconciler.go:148
/go/src/github.com/karydia/karydia/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133
/go/src/github.com/karydia/karydia/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:134
/go/src/github.com/karydia/karydia/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88
/usr/local/go/src/runtime/asm_amd64.s:1337
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1160bf5]
This problem may be addressed by #128. Should be checked after the changes are merged.
Looks like it works fine again.
Installation works well and as expected, but unfortunately our security measures don't work anymore. Creating a new namespace with kubectl create ns foobar will indirectly create a default ServiceAccount which mounts its ServiceAccountToken. This shouldn't happen with the change-default config.
What makes me worry more is the segfault I get:
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1b5a2dd]
goroutine 733 [running]:
testing.tRunner.func1(0xc0005ee700)
/usr/local/Cellar/go/1.11.4/libexec/src/testing/testing.go:792 +0x387
panic(0x1c55260, 0x286c360)
/usr/local/Cellar/go/1.11.4/libexec/src/runtime/panic.go:513 +0x1b9
github.com/karydia/karydia/tests/e2e.TestAutomountServiceAccountTokenDefaultServiceAccountFromConfig(0xc0005ee700)
To run the e2e tests against a cluster installed with helm (and not using the normal process for the e2e-tests), comment out lines 48-78 in "/tests/e2e/main_test.go".
Running these tests will lead to the following output:
go test -v ./tests/e2e/... --server "" --kubeconfig "/Users/d064871/.kube/config"
=== RUN TestAutomountServiceAccountToken
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomounttruePodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountfalsePodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationtrueServiceAccountAutomountUndefinedPodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationtrueServiceAccountAutomounttruePodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationtrueServiceAccountAutomountfalsePodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationfalseServiceAccountAutomountUndefinedPodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationfalseServiceAccountAutomounttruePodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationfalseServiceAccountAutomountfalsePodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomounttruePodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountfalsePodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationtrueServiceAccountAutomountUndefinedPodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationtrueServiceAccountAutomounttruePodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationtrueServiceAccountAutomountfalsePodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationfalseServiceAccountAutomountUndefinedPodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationfalseServiceAccountAutomounttruePodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationfalseServiceAccountAutomountfalsePodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationUndefinedServiceAccountAutomounttruePodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountfalsePodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationtrueServiceAccountAutomountUndefinedPodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationtrueServiceAccountAutomounttruePodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationtrueServiceAccountAutomountfalsePodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationfalseServiceAccountAutomountUndefinedPodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationfalseServiceAccountAutomounttruePodAutomount
=== RUN TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationfalseServiceAccountAutomountfalsePodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomounttruePodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountfalsePodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationtrueServiceAccountAutomountUndefinedPodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationtrueServiceAccountAutomounttruePodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationtrueServiceAccountAutomountfalsePodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationfalseServiceAccountAutomountUndefinedPodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationfalseServiceAccountAutomounttruePodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationfalseServiceAccountAutomountfalsePodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomounttruePodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountfalsePodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationtrueServiceAccountAutomountUndefinedPodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationtrueServiceAccountAutomounttruePodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationtrueServiceAccountAutomountfalsePodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationfalseServiceAccountAutomountUndefinedPodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationfalseServiceAccountAutomounttruePodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationfalseServiceAccountAutomountfalsePodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationUndefinedServiceAccountAutomounttruePodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountfalsePodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationtrueServiceAccountAutomountUndefinedPodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationtrueServiceAccountAutomounttruePodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationtrueServiceAccountAutomountfalsePodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationfalseServiceAccountAutomountUndefinedPodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationfalseServiceAccountAutomounttruePodAutomount
=== RUN TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationfalseServiceAccountAutomountfalsePodAutomount
--- FAIL: TestAutomountServiceAccountToken (287.10s)
--- FAIL: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount (0.64s)
admission_automount_token_test.go:190: expected is mounted to be false but is true with [{default-token-sh5tr {nil nil nil nil nil &SecretVolumeSource{SecretName:default-token-sh5tr,Items:[],DefaultMode:*420,Optional:nil,} nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil}}]
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomounttruePodAutomount (9.55s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountfalsePodAutomount (6.52s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationtrueServiceAccountAutomountUndefinedPodAutomount (3.64s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationtrueServiceAccountAutomounttruePodAutomount (6.65s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationtrueServiceAccountAutomountfalsePodAutomount (3.58s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationfalseServiceAccountAutomountUndefinedPodAutomount (6.63s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationfalseServiceAccountAutomounttruePodAutomount (6.69s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationfalseServiceAccountAutomountfalsePodAutomount (3.71s)
--- FAIL: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount (0.65s)
admission_automount_token_test.go:190: expected is mounted to be false but is true with [{default-token-pst5z {nil nil nil nil nil &SecretVolumeSource{SecretName:default-token-pst5z,Items:[],DefaultMode:*420,Optional:nil,} nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil}}]
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomounttruePodAutomount (6.72s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountfalsePodAutomount (3.51s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationtrueServiceAccountAutomountUndefinedPodAutomount (6.61s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationtrueServiceAccountAutomounttruePodAutomount (6.61s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationtrueServiceAccountAutomountfalsePodAutomount (3.84s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationfalseServiceAccountAutomountUndefinedPodAutomount (6.58s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationfalseServiceAccountAutomounttruePodAutomount (6.64s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationfalseServiceAccountAutomountfalsePodAutomount (3.61s)
--- FAIL: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount (0.53s)
admission_automount_token_test.go:190: expected is mounted to be false but is true with [{default-token-2jtx4 {nil nil nil nil nil &SecretVolumeSource{SecretName:default-token-2jtx4,Items:[],DefaultMode:*420,Optional:nil,} nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil}}]
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationUndefinedServiceAccountAutomounttruePodAutomount (6.68s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountfalsePodAutomount (3.53s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationtrueServiceAccountAutomountUndefinedPodAutomount (6.60s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationtrueServiceAccountAutomounttruePodAutomount (6.61s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationtrueServiceAccountAutomountfalsePodAutomount (3.59s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationfalseServiceAccountAutomountUndefinedPodAutomount (3.63s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationfalseServiceAccountAutomounttruePodAutomount (6.58s)
--- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationfalseServiceAccountAutomountfalsePodAutomount (6.56s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount (7.33s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomounttruePodAutomount (4.39s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountfalsePodAutomount (3.38s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationtrueServiceAccountAutomountUndefinedPodAutomount (7.43s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationtrueServiceAccountAutomounttruePodAutomount (7.42s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationtrueServiceAccountAutomountfalsePodAutomount (3.43s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationfalseServiceAccountAutomountUndefinedPodAutomount (3.37s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationfalseServiceAccountAutomounttruePodAutomount (7.46s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationfalseServiceAccountAutomountfalsePodAutomount (6.36s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount (7.38s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomounttruePodAutomount (7.36s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountfalsePodAutomount (6.37s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationtrueServiceAccountAutomountUndefinedPodAutomount (7.41s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationtrueServiceAccountAutomounttruePodAutomount (7.40s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationtrueServiceAccountAutomountfalsePodAutomount (3.37s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationfalseServiceAccountAutomountUndefinedPodAutomount (3.45s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationfalseServiceAccountAutomounttruePodAutomount (7.40s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationfalseServiceAccountAutomountfalsePodAutomount (6.35s)
--- FAIL: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount (1.23s)
admission_automount_token_test.go:190: expected is mounted to be false but is true with [{dedicated-token-7flzw {nil nil nil nil nil &SecretVolumeSource{SecretName:dedicated-token-7flzw,Items:[],DefaultMode:*420,Optional:nil,} nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil nil}}]
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationUndefinedServiceAccountAutomounttruePodAutomount (7.35s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountfalsePodAutomount (6.41s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationtrueServiceAccountAutomountUndefinedPodAutomount (6.41s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationtrueServiceAccountAutomounttruePodAutomount (4.37s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationtrueServiceAccountAutomountfalsePodAutomount (3.41s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationfalseServiceAccountAutomountUndefinedPodAutomount (3.34s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationfalseServiceAccountAutomounttruePodAutomount (7.43s)
--- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationfalseServiceAccountAutomountfalsePodAutomount (3.39s)
=== RUN TestAutomountServiceAccountTokenInDefaultNamespace
--- PASS: TestAutomountServiceAccountTokenInDefaultNamespace (3.16s)
admission_automount_token_test.go:236: expected is mounted to be false but is true
=== RUN TestAutomountServiceAccountTokenEditServiceAccount
--- FAIL: TestAutomountServiceAccountTokenEditServiceAccount (0.31s)
admission_automount_token_test.go:268: failed to update service account: Operation cannot be fulfilled on serviceaccounts "dedicated": the object has been modified; please apply your changes to the latest version and try again
=== RUN TestAutomountServiceAccountTokenDefaultServiceAccountFromConfig
--- FAIL: TestAutomountServiceAccountTokenDefaultServiceAccountFromConfig (0.43s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1bd88aa]
goroutine 740 [running]:
testing.tRunner.func1(0xc0005a2200)
/usr/local/Cellar/go/1.12.1/libexec/src/testing/testing.go:830 +0x392
panic(0x1cd6680, 0x29f84f0)
/usr/local/Cellar/go/1.12.1/libexec/src/runtime/panic.go:522 +0x1b5
github.com/karydia/karydia/tests/e2e.TestAutomountServiceAccountTokenDefaultServiceAccountFromConfig(0xc0005a2200)
/Users/d064871/go/src/github.com/karydia/karydia/tests/e2e/admission_automount_token_test.go:303 +0x2ba
testing.tRunner(0xc0005a2200, 0x1e85410)
/usr/local/Cellar/go/1.12.1/libexec/src/testing/testing.go:865 +0xc0
created by testing.(*T).Run
/usr/local/Cellar/go/1.12.1/libexec/src/testing/testing.go:916 +0x35a
FAIL github.com/karydia/karydia/tests/e2e 291.041s
? github.com/karydia/karydia/tests/e2e/framework [no test files]
make: *** [e2e-test] Error 1
If you want to have a look at what YAML files are created by Helm, see this branch.
I think the segfault is based on unwary use of the *sAcc.AutomountServiceAccountToken pointer here.
This check should look like this:
if sAcc.AutomountServiceAccountToken != nil && *sAcc.AutomountServiceAccountToken != false {
My last commit adds serviceaccounts as resource for the admission hooks as configured in master. This lets the integration tests succeed.
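The nil-pointer pattern behind the segfault discussed in the comments above, worked through as an added example (this is not karydia's code): a constructed stand-in for the ServiceAccount and pod fields, the unguarded dereference beside the guarded form the reviewer suggests, and the pod/ServiceAccount precedence that the Undefined/true/false columns of the e2e test matrix above exercise. The type and function names are assumptions for illustration; the defaulting rules are the standard Kubernetes ones (both fields default to true when unset, and the pod spec overrides the ServiceAccount).

```go
package main

import "fmt"

// ServiceAccount is a constructed stand-in for the fields of a Kubernetes
// ServiceAccount relevant here; it is not the real k8s.io/api type.
type ServiceAccount struct {
	Name                         string
	AutomountServiceAccountToken *bool // nil when the manifest leaves the field unset
}

// PodSpec is the matching stand-in for the pod-level field, which overrides
// the ServiceAccount-level one when set.
type PodSpec struct {
	ServiceAccountName           string
	AutomountServiceAccountToken *bool
}

// automountUnsafe has the shape of the check identified as the crash above:
// it dereferences a *bool with no nil guard, so an unset field (nil pointer)
// panics with "invalid memory address or nil pointer dereference".
func automountUnsafe(sAcc ServiceAccount) bool {
	return *sAcc.AutomountServiceAccountToken != false
}

// automountSafe is the guarded form. In Kubernetes an unset field defaults to
// true (the token is mounted unless someone opts out), so nil maps to true.
func automountSafe(sAcc ServiceAccount) bool {
	if sAcc.AutomountServiceAccountToken == nil {
		return true
	}
	return *sAcc.AutomountServiceAccountToken
}

// effectiveAutomount resolves the final decision the way the API server does:
// the pod spec wins if set, then the ServiceAccount, and both unset means true.
// Undefined in the test matrix above corresponds to a nil pointer here.
func effectiveAutomount(sAcc ServiceAccount, pod PodSpec) bool {
	if pod.AutomountServiceAccountToken != nil {
		return *pod.AutomountServiceAccountToken
	}
	return automountSafe(sAcc)
}

// callSafely runs fn and reports whether it panicked, so the unguarded and the
// guarded form can be compared without crashing the program.
func callSafely(fn func() bool) (result bool, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	return fn(), false
}

func boolPtr(b bool) *bool { return &b }

func fmtPtr(b *bool) string {
	if b == nil {
		return "unset"
	}
	return fmt.Sprint(*b)
}

func main() {
	unset := ServiceAccount{Name: "default"} // field left unset: nil pointer
	optedOut := ServiceAccount{Name: "dedicated", AutomountServiceAccountToken: boolPtr(false)}

	_, panicked := callSafely(func() bool { return automountUnsafe(unset) })
	fmt.Printf("unguarded check on unset field panicked: %v\n", panicked)

	// Walk the ServiceAccountAutomount x PodAutomount part of the matrix.
	for _, sa := range []ServiceAccount{unset, optedOut} {
		for _, podVal := range []*bool{nil, boolPtr(true), boolPtr(false)} {
			pod := PodSpec{ServiceAccountName: sa.Name, AutomountServiceAccountToken: podVal}
			fmt.Printf("sa=%s pod.automount=%s -> token mounted: %v\n",
				sa.Name, fmtPtr(podVal), effectiveAutomount(sa, pod))
		}
	}
}
```

The guarded form is the one to use wherever a Kubernetes API object is read: optional boolean fields are `*bool` precisely so that "unset" is distinguishable from `false`, and any controller or admission hook that dereferences them directly will crash on the first object created without the field, which is exactly the case a fresh namespace's default ServiceAccount presents.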
Description
This pull request allows a user to install karydia in a simple two-step process. This process includes:
The installation is fully automated and executes the needed pre-install steps in an init-container (including the creation of certificates) and registers the webhooks using a post-install hook. A user can install and delete karydia as a whole using the Helm commands (e.g. helm install and helm delete). Thus, it allows an easy handling of the karydia installation process and versioning. The process is well documented in a separate readme and resolves #58.
Checklist
Before submitting this PR, please make sure:
make
make test