Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

use the k8s-staging-images project to build cloud-provider-kind images #33794

Merged
merged 1 commit into from
Nov 12, 2024
Merged

use the k8s-staging-images project to build cloud-provider-kind images #33794

merged 1 commit into from
Nov 12, 2024

Conversation

upodroid
Copy link
Member

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Nov 12, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: upodroid

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added area/config Issues or PRs related to code in /config area/jobs approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Nov 12, 2024
@aojea
Copy link
Member

aojea commented Nov 12, 2024

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 12, 2024
@k8s-ci-robot k8s-ci-robot merged commit d679f68 into kubernetes:master Nov 12, 2024
7 checks passed
@k8s-ci-robot
Copy link
Contributor

@upodroid: Updated the job-config configmap in namespace default at cluster test-infra-trusted using the following files:

  • key k8s-staging-cloud-provider-kind.yaml using file config/jobs/image-pushing/k8s-staging-cloud-provider-kind.yaml

In response to this:

Part of kubernetes-sigs/cloud-provider-kind#155

/cc @aojea @BenTheElder

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

BenTheElder
BenTheElder reviewed Feb 5, 2025
View reviewed changes
config/jobs/image-pushing/k8s-staging-cloud-provider-kind.yaml
@@ -14,8 +14,8 @@ postsubmits:
command:
- /run.sh
args:
- --project=k8s-staging-kind
- --scratch-bucket=gs://k8s-staging-kind-gcb
- --project=k8s-staging-images
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are we running all cloudbuilds here? we're going to have quota issues fetching the logs etc and we're reducing the isolation of these subprojects??

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(now someone's job that's only supposed to push some other subproject can also push to this staging location, right?)

lots of subprojects are not checking their logs closely when promoting images, if I understand what we're doing correctly: this is risky and we should go back to separate projects per subproject.

cc @kubernetes/sig-k8s-infra-leads

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are the IAM permissions/ACL defined here not enough to handle this ?

Copy link
Member Author

@upodroid upodroid Feb 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The plan is for all subprojects to share the single cloudbuild project. The quotas are very high(something like 30 concurrent jobs). k/k will run cloudbuild jobs on its own project given its complexity.

We enforce the expected behaviour by only allowing promoting images from specified sources that we review. In the extremely unlikely situation that a maintainer misconfigures their cloudbuild definition and publishes it against another subprojects registry, the image can't be promoted and is deleted after 90d and they will spot the errors.

Also, humans only have privileges to push to their own respective registries and only prow and infra admins can submit cloudbuild jobs. The only way a cloudbuild job can be submitted by maintainers is via a postsubmit defined in the image pushing folder in the trusted cluster and commits to main branches approved by maintainers.

This approach is much simpler and with a reasonable set of guardrails.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@BenTheElder BenTheElder BenTheElder left review comments

@ameukam ameukam ameukam left review comments

@aojea aojea Awaiting requested review from aojea

Assignees

@aojea aojea

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/config Issues or PRs related to code in /config area/jobs cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@upodroid @k8s-ci-robot @aojea @BenTheElder @ameukam