DIND not working in standard GKE

kestra-io / helm-charts

Apache License 2.0

35 stars 26 forks source link

DIND not working in standard GKE #26

Closed alucryd closed 9 months ago

alucryd commented 10 months ago

Expected Behavior

Trying to install the chart in a standard GKE cluster (Autopilot is out because of DIND, and potentially ES which requires a privileged pod) with basically all default values should run out of the box.

Actual Behaviour

However the worker pod is stuck in a boot loop.

Screenshot from 2024-01-09 16-54-20

I deactivated DIND for now so that I can test Kestra, but I can reactivate it to provide logs in a better format if needed.

Steps To Reproduce

Create a standard GKE cluster with default configuration
Install the kestra helm chart with the values below

Environment Information

Kestra Version: 0.13.8
Helm Charts version: 0.13.0
Docker Image version: latest-full

values.yaml

deployments:
  webserver:
    enabled: true
  executor:
    enabled: true
  indexer:
    enabled: false
  scheduler:
    enabled: true
  worker:
    enabled: true
  standalone:
    enabled: false

tchiotludo commented 9 months ago

@alucryd : We have add some documentation here to help with DinD. Can you validate it help, if not, please reopen, we will add more documentation

floretan commented 4 months ago

I tried these instructions on a GKE cluster in Autopilot mode, but unfortunately it is failing as privileged containers are not allowed. Here's the error that we get:

Error: 1 error occurred: * admission webhook "warden-validating.common-webhooks.networking.gke.io" denied the request: GKE Warden rejected the request because it violates one or more constraints. Violations details: {"[denied by autogke-disallow-privilege]":["container kestra-standalone-docker-dind is privileged; not allowed in Autopilot"]}

tchiotludo commented 4 months ago

yes GKE autopilot is not compatible with docker dind, we don't have any solution since it's a limitation of GKE Autopilot, but you can disable the dind container and use task runners now to have some scripting experience than dind and that should be working on autopilot

floretan commented 3 months ago

Having the task runners elsewhere could be an option, but is there a way to run the core part of Kestra on GKE without having to create a non-autopilot cluster? That option has already been removed from the Google Cloud console, and while it's still possible to create such clusters through terraform I would rather not rely on it.