argoproj / argo-workflows

Workflow Engine for Kubernetes
https://argo-workflows.readthedocs.io/
Apache License 2.0

Retry limit not being respected #8547

Closed rwong2888 closed 2 years ago

rwong2888 commented 2 years ago

argo v3.3.3

References:
https://www.datree.io/resources/argocd-best-practices-you-should-know
https://blog.argoproj.io/practical-argo-workflows-hardening-dd8429acc1ce
https://github.com/argoproj/argo-workflows/discussions/8544

Trying to harden argo workflows as referenced above. Kaniko keeps failing, presumably because the main container needs to be root. However, I would expect it to stop retrying, but it is going on infinitely.

apiVersion: v1
kind: ConfigMap
metadata:
  name: workflow-controller-configmap
data:
  workflowDefaults: |
    spec:
      retryStrategy:
        retryPolicy: Always
        limit: 1
        expression: 'lastRetry.status == "Error" or (lastRetry.status == "Failed" and asInt(lastRetry.exitCode) not in [0,1,2,3])'
  mainContainer: |
    serviceAccountName: workflow
    securityContext:
      runAsNonRoot: true
      runAsUser: 8737
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
  executor: |
    serviceAccountName: workflow
    securityContext:
      runAsNonRoot: true
      runAsUser: 8737
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL


rwong2888 commented 2 years ago

Nvm. Looks like it runs back up all the way to root 1 time. I suppose this is the desired behaviour.