
fix!: Only get executor plugins in workflow namespace. Fixes #12708

Open jswxstw opened this issue 11 months ago • 3 comments

Fixes #12708

Motivation

Controller plugins are loaded by default, so the controller service account will be accessed if AutomountServiceAccountToken is true, which causes the bug in #12708.

Modifications

Only load plugins in the user's workflow namespace.

Verification

local test

jswxstw avatar Mar 01 '24 08:03 jswxstw

I think this is reasonable. Can you add some tests, such as deploying a plugin under default, another plugin under controller, and checking the sidecar of the pod under default?

shuangkun avatar Apr 01 '24 13:04 shuangkun

I've tested it locally. There are two executor plugins in namespace argo and khaos-workflow.

# kubectl get cm -A -l workflows.argoproj.io/configmap-type=ExecutorPlugin
NAMESPACE        NAME                          DATA   AGE
khaos-workflow   khaos-steps-executor-plugin   2      21m
argo             hello-executor-plugin         2      10m

I submitted an example plugin workflow to namespace khaos-workflow.

# argo list -n khaos-workflow
NAME          STATUS    AGE   DURATION   PRIORITY   MESSAGE
hello-fzpbc   Running   5m    5m         0
wang@ONINOWANG-MB0 demo % argo get hello-fzpbc -n khaos-workflow
Name:                hello-fzpbc
Namespace:           khaos-workflow
ServiceAccount:      unset (will run with the default ServiceAccount)
Status:              Running
Created:             Tue Apr 02 11:42:03 +0800 (6 minutes ago)
Started:             Tue Apr 02 11:42:03 +0800 (6 minutes ago)
Duration:            6 minutes 2 seconds
Progress:            0/1

STEP            TEMPLATE  PODNAME  DURATION  MESSAGE
 ◷ hello-fzpbc  main

There is only one sidecar container, khaos-steps, loaded in the agent pod; the hello executor plugin was not loaded.

Containers:
  khaos-steps:
    Container ID:
    Image:         ccr.ccs.tencentyun.com/cdb.khaos.eros/khaos-steps-executor:develop
    Image ID:
    Port:          8888/TCP
    Host Port:     0/TCP
    Args:
      server
    State:          Waiting
      Reason:       PodInitializing
    Ready:          False
    Restart Count:  0
    Limits:
      cpu:     200m
      memory:  1Gi
    Requests:
      cpu:        100m
      memory:     512Mi
    Environment:  <none>
    Mounts:
      /var/run/argo from var-run-argo (ro,path="khaos-steps")
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-2pwsk (ro)
  main:
    Container ID:
    Image:         quay.io/argoproj/argoexec:latest
    Image ID:
    Port:          <none>
    Host Port:     <none>
    Command:
      argoexec
    Args:
      agent
      main
    State:          Waiting
      Reason:       PodInitializing
    Ready:          False
    Restart Count:  0
    Limits:
      cpu:     100m
      memory:  256M
    Requests:
      cpu:     10m
      memory:  64M
    Environment:
      ARGO_WORKFLOW_NAME:     hello-fzpbc
      ARGO_WORKFLOW_UID:      ac740ae4-2d67-4fa5-9fa5-246ea6ff935c
      ARGO_AGENT_PATCH_RATE:  1s
      ARGO_PLUGIN_ADDRESSES:  ["http://localhost:8888"]
      ARGO_PLUGIN_NAMES:      ["khaos-steps"]
    Mounts:
      /var/run/argo from var-run-argo (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-wwhwr (ro)
Conditions:
  Type              Status
  Initialized       False
  Ready             False
  ContainersReady   False
  PodScheduled      True

jswxstw avatar Apr 02 '24 03:04 jswxstw
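The manual check in the comment above can be automated; the following is an added example, not code from the PR or from Argo Workflows. It assumes, as the names on this page suggest, that an ExecutorPlugin ConfigMap is named `<plugin>-executor-plugin` and that the sidecar container carries the plugin name; the JSON samples are constructed from the output shown above.

```python
import json

SUFFIX = "-executor-plugin"  # assumption: ConfigMap is named <plugin>-executor-plugin

# Constructed sample, shaped like the `kubectl get cm -A -l ... -o json` listing above.
CONFIGMAPS = json.loads("""{"items": [
  {"metadata": {"namespace": "khaos-workflow", "name": "khaos-steps-executor-plugin"}},
  {"metadata": {"namespace": "argo", "name": "hello-executor-plugin"}}]}""")

# Constructed sample, a trimmed agent pod as `kubectl get pod -o json` would return it.
AGENT_POD = json.loads(r"""{"metadata": {"namespace": "khaos-workflow"},
  "spec": {"containers": [
    {"name": "khaos-steps"},
    {"name": "main", "env": [
      {"name": "ARGO_PLUGIN_NAMES", "value": "[\"khaos-steps\"]"}]}]}}""")


def plugins_by_namespace(configmaps):
    """Map namespace -> plugin names taken from ExecutorPlugin ConfigMap names."""
    found = {}
    for item in configmaps["items"]:
        meta = item["metadata"]
        if meta["name"].endswith(SUFFIX):
            found.setdefault(meta["namespace"], set()).add(meta["name"][:-len(SUFFIX)])
    return found


def loaded_plugins(pod):
    """Sidecar container names plus the names listed in ARGO_PLUGIN_NAMES."""
    names = set()
    for container in pod["spec"]["containers"]:
        if container["name"] != "main":  # assumption: every non-main container is a plugin
            names.add(container["name"])
        for env in container.get("env", []):
            if env["name"] == "ARGO_PLUGIN_NAMES":
                names.update(json.loads(env["value"]))
    return names


def audit(pod, configmaps):
    """Return {plugin: [defining namespaces]} for plugins not defined in the pod's namespace."""
    by_ns = plugins_by_namespace(configmaps)
    local = by_ns.get(pod["metadata"]["namespace"], set())
    return {name: sorted(ns for ns, plugins in by_ns.items() if name in plugins)
            for name in sorted(loaded_plugins(pod) - local)}


if __name__ == "__main__":
    print(audit(AGENT_POD, CONFIGMAPS) or "only workflow-namespace plugins loaded")
```

An empty namespace list in the result means the sidecar matches no ExecutorPlugin ConfigMap in any namespace that was listed.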

OK, thanks.

shuangkun avatar Apr 03 '24 15:04 shuangkun

@agilgur5 Can this PR be merged?

jswxstw avatar Sep 09 '24 03:09 jswxstw