RBAC for Jenkins instance does not allow to create PVC

salvabot0001 commented 7 months ago

If a PodTemplate is configured with the default serviceAccount (leaving the serviceAccount empty) and with Dynamic Persistent Volume Claim as workspace volume, the pipeline pod will not come up with the exception below

To Reproduce

Configure a PodTemplate with the default serviceAccount and with dynamic PVC as workspace volume
Run a pipeline using the template

Additional information

Kubernetes version: 1.26.9 Jenkins Operator version: v0.8.0

Workaround

Creating dedicated serviceAccount (and role) for PodTemplate since permissions for PVC in jenkins-operator-jenkins are missing (see k8s resource below)

Add error logs about the problem here (operator logs and Kubernetes events).

Caused: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: [https://kubernetes.default.svc.cluster.local:443/api/v1/namespaces/jenkins/persistentvolumeclaims](https://kubernetes.default.svc.cluster.local/api/v1/namespaces/jenkins/persistentvolumeclaims). 

Message: persistentvolumeclaims is forbidden: User "system:serviceaccount:jenkins:jenkins-operator-jenkins" cannot create resource "persistentvolumeclaims" in API group "" in the namespace "jenkins". 

Received status: Status(apiVersion=v1, code=403, details=StatusDetails(causes=[], group=null, kind=persistentvolumeclaims, name=null, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=persistentvolumeclaims is forbidden: User "system:serviceaccount:jenkins:jenkins-operator-jenkins" cannot create resource "persistentvolumeclaims" in API group "" in the namespace "jenkins", metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={}).


 apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins-operator-jenkins
  namespace: jenkins
  resourceVersion: '262637300'
  creationTimestamp: '2023-07-13T13:58:14Z'
  labels:
    app: jenkins-operator
    jenkins-cr: jenkins
  ownerReferences:
    - apiVersion: jenkins.io/v1alpha2
      kind: Jenkins
      name: jenkins
      uid: 7b3f17bf-7498-49d2-a8d1-00fc81704f3b
      controller: true
      blockOwnerDeletion: true
rules:
  - verbs:
      - create
    apiGroups:
      - ''
    resources:
      - pods/portforward
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
    resources:
      - pods
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
    resources:
      - pods/exec
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
    resources:
      - configmaps
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
    resources:
      - pods/log
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
    resources:
      - secrets
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
    resources:
      - events
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - image.openshift.io
    resources:
      - imagestreams
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - build.openshift.io
    resources:
      - buildconfigs
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - build.openshift.io
    resources:
      - builds

brokenpip3 commented 5 months ago

can you post the podtemplate and any other manifests that we can use to replicate the issue? so we may also add a tests for this to avoid future regressions

salvabot0001 commented 5 months ago

- containers:
    - args: "1200"
       command: "sleep"
       envVars:
        - envVar:
            key: "GRADLE_OPTS"
            value: "-Dorg.gradle.caching=true -Dorg.gradle.daemon=true -Dorg.gradle.parallel=true -Dorg.gradle.welcome=never"
       image: "gradle:jdk21-jammy"
       livenessProbe:
        failureThreshold: 0
        initialDelaySeconds: 0
        periodSeconds: 0
        successThreshold: 0
        timeoutSeconds: 0
       name: "builder"
       resourceLimitMemory: "4096Mi"
  instanceCap: 1
  instanceCapStr: "1"
  name: "jdk21-agent"
  runAsGroup: "0"
  runAsUser: "0"
  workspaceVolume:
     dynamicPVC:
        accessModes: "ReadWriteOnce"
        requestsSize: "10Gi"
        storageClassName: "some-storage-class"
  yamlMergeStrategy: "override"

I changed already my PodTemplate to use emptyDir as workspaceVolume (default basically) but I took the podTemplate from my local history. If I didn't do any mistakes on indent, this should be pretty much a good example that the default service account (system:serviceaccount:jenkins:jenkins-operator-jenkins) has no rights to create a PVC

jenkinsci / kubernetes-operator

RBAC for Jenkins instance does not allow to create PVC #944