
Check serviceaccount and imagepullsecret availability before creating pod

Romuald Atchadé requested to merge k8s-pull-secret-check-during-prepare into main

What does this MR do?

Check availability of service account and ImagePullSecret when set

Why was this MR needed?

To prevent the pod creation when needed resources are not available

What's the best way to test this MR?

Non-existent service account

1. Use the following config.toml. In this configuration, the service_account is set to image-pull-secret-sa, which actually doesn't exist in the cluster:

   ```toml
   concurrent = 90
   check_interval = 1
   log_level = "debug"

   [session_server]
     session_timeout = 1800

   [[runners]]
     request_concurrency = 1
     url = "https://gitlab.com/"
     token = "__REDACTED__"
     executor = "kubernetes"
     [runners.custom_build_dir]
     [runners.kubernetes]
       service_account="image-pull-secret-sa"
       pull_policy="always"
       image = "alpine:latest"
       namespace_overwrite_allowed = ""
       privileged = true
       allow_privilege_escalation = true
       service_account_overwrite_allowed = ""
       pod_annotations_overwrite_allowed = ""
       terminationGracePeriodSeconds = 30
       [runners.kubernetes.affinity]
       [runners.kubernetes.volumes]
       [runners.kubernetes.dns_config]
   ```

2. Use the following gitlab-ci.yml:

   ```yaml
   job:
     script:
     - sleep 15
   ```

3. The job will fail with the following error:

   ```
   ERROR: Job failed (system failure): prepare environment: setting up build pod: checking ImagePullSecret: couldn't find ImagePullSecret or ServiceAccount. Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information
   ```

Job Link

Existing service account

1. Use the following config.toml. In this configuration, the service_account is set to default, the default service account in the cluster:

   ```toml
   concurrent = 90
   check_interval = 1
   log_level = "debug"

   [session_server]
     session_timeout = 1800

   [[runners]]
     request_concurrency = 1
     url = "https://gitlab.com/"
     token = "__REDACTED__"
     executor = "kubernetes"
     [runners.custom_build_dir]
     [runners.kubernetes]
       service_account="default"
       pull_policy="always"
       image = "alpine:latest"
       namespace_overwrite_allowed = ""
       privileged = true
       allow_privilege_escalation = true
       service_account_overwrite_allowed = ""
       pod_annotations_overwrite_allowed = ""
       terminationGracePeriodSeconds = 30
       [runners.kubernetes.affinity]
       [runners.kubernetes.volumes]
       [runners.kubernetes.dns_config]
   ```

2. Use the following gitlab-ci.yml:

   ```yaml
   job:
     script:
     - sleep 15
   ```

3. The job will succeed.

Job Link

What are the relevant issue numbers?

close #27664 (closed)

Edited by Romuald Atchadé
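The preflight described in this MR, as an added Go example that is not the runner's own code: before any pod is created, the configured service account and every image pull secret (from config, or listed in the service account's imagePullSecrets) are looked up, and the job fails early if any is absent. `Lookup`, `PreflightCheck`, `fakeLookup` and the in-memory cluster contents are assumptions for this example; a real executor would back `Lookup` with client-go.

```go
package main

import (
	"errors"
	"fmt"
)
var ErrNotFound = errors.New("not found") // sentinel a Lookup returns for an absent object
// Lookup holds the two API reads the preflight needs; a real executor would
// back them with client-go Get calls on ServiceAccounts and Secrets.
type Lookup struct {
	SAPullSecrets func(ns, name string) ([]string, error) // names in the SA's imagePullSecrets
	SecretExists  func(ns, name string) error
}
// PreflightCheck runs before any pod is created: the configured service account and
// every pull secret (from config or referenced by the SA) must exist. Errors are wrapped,
// so callers can tell a missing object (errors.Is(err, ErrNotFound)) from an RBAC denial.
func PreflightCheck(l Lookup, ns, sa string, pullSecrets []string) error {
	want := append([]string(nil), pullSecrets...)
	if sa != "" {
		saSecrets, err := l.SAPullSecrets(ns, sa)
		if err != nil {
			return fmt.Errorf("checking ServiceAccount %q: %w", sa, err)
		}
		want = append(want, saSecrets...) // secrets the SA itself references must exist too
	}
	for _, name := range want {
		if err := l.SecretExists(ns, name); err != nil {
			return fmt.Errorf("checking ImagePullSecret %q: %w", name, err)
		}
	}
	return nil
}
// fakeLookup is a constructed in-memory stand-in for the cluster (not client-go).
func fakeLookup(sas map[string][]string, secrets map[string]bool) Lookup {
	return Lookup{
		SAPullSecrets: func(_, n string) ([]string, error) {
			if s, ok := sas[n]; ok {
				return s, nil
			}
			return nil, ErrNotFound
		},
		SecretExists: func(_, n string) error {
			if secrets[n] {
				return nil
			}
			return ErrNotFound
		},
	}
}
```

With `fakeLookup(map[string][]string{"default": nil}, nil)`, checking `"image-pull-secret-sa"` returns a wrapped ErrNotFound, matching the failing case in the test steps above, while `"default"` passes.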
