From 266b8edb99c927724bc68090b4a9b469c870bfb7 Mon Sep 17 00:00:00 2001
From: Thomas Boop <52323235+thboop@users.noreply.github.com>
Date: Thu, 16 Jun 2022 09:02:55 -0400
Subject: [PATCH] Fix error handling for invalid pods (#16)
* update readme and fix error handling for bad pods
* update limitations
---
 packages/k8s/README.md | 23 ++++++++++++++++-------
 packages/k8s/src/index.ts | 2 +-
 packages/k8s/src/k8s/index.ts | 2 +-
 3 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/packages/k8s/README.md b/packages/k8s/README.md
index ddf8815..e54b4f2 100644
--- a/packages/k8s/README.md
+++ b/packages/k8s/README.md
@@ -7,18 +7,27 @@ This implementation provides a way to dynamically spin up jobs to run container
 Some things are expected to be set when using these hooks
 - The runner itself should be running in a pod, with a service account with the following permissions
 ```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: default
+ name: runner-role
+rules:
 - apiGroups: [""]
 resources: ["pods"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ verbs: ["get", "list", "create", "delete"]
 - apiGroups: [""]
 resources: ["pods/exec"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ verbs: ["get", "create"]
 - apiGroups: [""]
 resources: ["pods/log"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ verbs: ["get", "list", "watch",]
 - apiGroups: ["batch"]
 resources: ["jobs"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ verbs: ["get", "list", "create", "delete"]
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "create", "delete"]
 ```
 - The `ACTIONS_RUNNER_POD_NAME` env should be set to the name of the pod
 - The `ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER` env should be set to true to prevent the runner from running any jobs outside of a container
@@ -30,7 +39,7 @@ Some things are expected to be set when using these hooks
 ## Limitations
-- Container actions
- - Building container actions from a dockerfile is not supported at this time
- - Container actions will not have access to the services network or job container network
+- A [job containers](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) will be required for all jobs
+- Building container actions from a dockerfile is not supported at this time
+- Container actions will not have access to the services network or job container network
 - Docker [create options](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontaineroptions) are not supported
diff --git a/packages/k8s/src/index.ts b/packages/k8s/src/index.ts
index e4642e5..c41cbf0 100644
--- a/packages/k8s/src/index.ts
+++ b/packages/k8s/src/index.ts
@@ -43,7 +43,7 @@ async function run(): Promise {
 throw new Error(`Command not recognized: ${command}`)
 }
 } catch (error) {
- core.error(JSON.stringify(error))
+ core.error(error as Error)
 exitCode = 1
 }
 process.exitCode = exitCode
diff --git a/packages/k8s/src/k8s/index.ts b/packages/k8s/src/k8s/index.ts
index f3c16cc..05d3c47 100644
--- a/packages/k8s/src/k8s/index.ts
+++ b/packages/k8s/src/k8s/index.ts
@@ -311,7 +311,7 @@ export async function waitForPodPhases(
 podName: string,
 awaitingPhases: Set,
 backOffPhases: Set,
- maxTimeSeconds = 45 * 60 // 45 min
+ maxTimeSeconds = 10 * 60 // 10 min
 ): Promise {
 const backOffManager = new BackOffManager(maxTimeSeconds)
 let phase: PodPhase = PodPhase.UNKNOWN
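Review bot: The `error as Error` cast in the catch block of `run()` (packages/k8s/src/index.ts) is unchecked, so a thrown value that is not an `Error` instance is passed on under a false type. Narrow it at runtime instead: `core.error(error instanceof Error ? error : String(error))`. Keeping the output to the error's own message also avoids returning to serialising the whole rejection object, which for an HTTP client error may carry request or response details that do not belong in a job log (inferred; the client's error shape is not visible here). The body of `run()` starts outside the hunk.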
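Review bot: The new default `maxTimeSeconds = 10 * 60` in `waitForPodPhases` (packages/k8s/src/k8s/index.ts) is an inline magic number, and its `// 10 min` comment only restates the arithmetic. Nothing visible says why the bound is ten minutes or what a caller sees when it is reached, and every caller relying on the default now gives up 35 minutes earlier. I would name the value, e.g. `const DEFAULT_POD_WAIT_SECONDS = 10 * 60`, and document the parameter with `@param maxTimeSeconds upper bound, in seconds, on the wait for the pod to leave awaitingPhases`. The timeout outcome should be added to that doc once confirmed from the rest of the function, which lies outside the hunk.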