Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Run agents with separate service account and in their own (project specific) namespaces #5

Open
mbarbero opened this issue Feb 6, 2019 · 0 comments
Open

Run agents with separate service account and in their own (project specific) namespaces #5

mbarbero opened this issue Feb 6, 2019 · 0 comments
Milestone
Jiro 2.0

Comments

@mbarbero
Copy link
Member

mbarbero commented Feb 6, 2019

Currently, agents are started in the same namespace and with the same service account as the master. It means several things that we would like to avoid:

  • Secrets that should only be readable by masters are readable by agents.
  • Quotas are set globally, so it's hard to track. Ideally, if we would run in separate namespaces, we would not need to set quotas on master's namespace, only specifying master resources requests/limits would be enough, and then only set limitrange/quotas on agent ns.
  • Agents service account have more permissions than necessary (e.g. they can create other pods, it highly undesirable)
@mbarbero mbarbero mentioned this issue Feb 6, 2019
Open
mbarbero added a commit that referenced this issue Jun 25, 2020
@mbarbero
Fixed issue with instances that don't run in $.project.shortName name…
a40ff51 
…space

Eventually, $.kubernetes.agent.namespace should be set to something different from $.kubernetes.master.namespace
to run build jobs in separate namespace (see #5), but for now let's stick to same as parent.

Signed-off-by: Mikaël Barbero <[email protected]>
fredg02 pushed a commit that referenced this issue Jun 25, 2020
@mbarbero @fredg02
Fixed issue with instances that don't run in $.project.shortName name…
2603b99 
…space

Eventually, $.kubernetes.agent.namespace should be set to something different from $.kubernetes.master.namespace
to run build jobs in separate namespace (see #5), but for now let's stick to same as parent.

Signed-off-by: Mikaël Barbero <[email protected]>
@fredg02 fredg02 added this to the Jiro 2.0 milestone Nov 8, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Jiro 2.0
Development

No branches or pull requests
2 participants
@mbarbero @fredg02