Mark KubeletServiceAccountTokenForCredentialProviders feature gate as beta
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
@@ -1344,6 +1344,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
|
||||
|
||||
KubeletServiceAccountTokenForCredentialProviders: {
|
||||
{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Alpha},
|
||||
{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
|
||||
},
|
||||
|
||||
KubeletTracing: {
|
||||
|
||||
@@ -29,6 +29,7 @@ import (
|
||||
"github.com/google/go-cmp/cmp/cmpopts"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
v1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
@@ -36,6 +37,7 @@ import (
|
||||
"k8s.io/client-go/util/flowcontrol"
|
||||
"k8s.io/component-base/featuregate"
|
||||
featuregatetesting "k8s.io/component-base/featuregate/testing"
|
||||
runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
|
||||
crierrors "k8s.io/cri-api/pkg/errors"
|
||||
"k8s.io/kubernetes/pkg/controller/testutil"
|
||||
"k8s.io/kubernetes/pkg/credentialprovider"
|
||||
@@ -848,11 +850,19 @@ func TestParallelPuller(t *testing.T) {
|
||||
pod.Spec.ServiceAccountName = c.serviceAccountName
|
||||
}
|
||||
|
||||
podSandboxConfig := &runtimeapi.PodSandboxConfig{
|
||||
Metadata: &runtimeapi.PodSandboxMetadata{
|
||||
Name: pod.Name,
|
||||
Namespace: pod.Namespace,
|
||||
Uid: string(pod.UID),
|
||||
},
|
||||
}
|
||||
|
||||
for _, expected := range c.expected {
|
||||
fakeRuntime.CalledFunctions = nil
|
||||
fakeClock.Step(time.Second)
|
||||
|
||||
_, msg, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, nil, "", container.ImagePullPolicy)
|
||||
_, msg, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, podSandboxConfig, "", container.ImagePullPolicy)
|
||||
fakeRuntime.AssertCalls(expected.calls)
|
||||
assert.Equal(t, expected.err, err)
|
||||
assert.Equal(t, expected.shouldRecordStartedPullingTime, fakePodPullingTimeRecorder.startedPullingRecorded)
|
||||
@@ -886,11 +896,19 @@ func TestSerializedPuller(t *testing.T) {
|
||||
pod.Spec.ServiceAccountName = c.serviceAccountName
|
||||
}
|
||||
|
||||
podSandboxConfig := &runtimeapi.PodSandboxConfig{
|
||||
Metadata: &runtimeapi.PodSandboxMetadata{
|
||||
Name: pod.Name,
|
||||
Namespace: pod.Namespace,
|
||||
Uid: string(pod.UID),
|
||||
},
|
||||
}
|
||||
|
||||
for _, expected := range c.expected {
|
||||
fakeRuntime.CalledFunctions = nil
|
||||
fakeClock.Step(time.Second)
|
||||
|
||||
_, msg, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, nil, "", container.ImagePullPolicy)
|
||||
_, msg, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, podSandboxConfig, "", container.ImagePullPolicy)
|
||||
fakeRuntime.AssertCalls(expected.calls)
|
||||
assert.Equal(t, expected.err, err)
|
||||
assert.Equal(t, expected.shouldRecordStartedPullingTime, fakePodPullingTimeRecorder.startedPullingRecorded)
|
||||
@@ -936,6 +954,15 @@ func TestPullAndListImageWithPodAnnotations(t *testing.T) {
|
||||
"kubernetes.io/runtimehandler": "handler_name",
|
||||
},
|
||||
}}
|
||||
|
||||
podSandboxConfig := &runtimeapi.PodSandboxConfig{
|
||||
Metadata: &runtimeapi.PodSandboxMetadata{
|
||||
Name: pod.Name,
|
||||
Namespace: pod.Namespace,
|
||||
Uid: string(pod.UID),
|
||||
},
|
||||
}
|
||||
|
||||
c := pullerTestCase{ // pull missing image
|
||||
testName: "test pull and list image with pod annotations",
|
||||
containerImage: "missing_image",
|
||||
@@ -954,7 +981,7 @@ func TestPullAndListImageWithPodAnnotations(t *testing.T) {
|
||||
fakeRuntime.ImageList = []Image{}
|
||||
fakeClock.Step(time.Second)
|
||||
|
||||
_, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, nil, "", container.ImagePullPolicy)
|
||||
_, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, podSandboxConfig, "", container.ImagePullPolicy)
|
||||
fakeRuntime.AssertCalls(c.expected[0].calls)
|
||||
assert.Equal(t, c.expected[0].err, err, "tick=%d", 0)
|
||||
assert.Equal(t, c.expected[0].shouldRecordStartedPullingTime, fakePodPullingTimeRecorder.startedPullingRecorded)
|
||||
@@ -992,6 +1019,13 @@ func TestPullAndListImageWithRuntimeHandlerInImageCriAPIFeatureGate(t *testing.T
|
||||
RuntimeClassName: &runtimeHandler,
|
||||
},
|
||||
}
|
||||
podSandboxConfig := &runtimeapi.PodSandboxConfig{
|
||||
Metadata: &runtimeapi.PodSandboxMetadata{
|
||||
Name: pod.Name,
|
||||
Namespace: pod.Namespace,
|
||||
Uid: string(pod.UID),
|
||||
},
|
||||
}
|
||||
c := pullerTestCase{ // pull missing image
|
||||
testName: "test pull and list image with pod annotations",
|
||||
containerImage: "missing_image",
|
||||
@@ -1011,7 +1045,7 @@ func TestPullAndListImageWithRuntimeHandlerInImageCriAPIFeatureGate(t *testing.T
|
||||
fakeRuntime.ImageList = []Image{}
|
||||
fakeClock.Step(time.Second)
|
||||
|
||||
_, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, nil, runtimeHandler, container.ImagePullPolicy)
|
||||
_, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, podSandboxConfig, runtimeHandler, container.ImagePullPolicy)
|
||||
fakeRuntime.AssertCalls(c.expected[0].calls)
|
||||
assert.Equal(t, c.expected[0].err, err, "tick=%d", 0)
|
||||
assert.Equal(t, c.expected[0].shouldRecordStartedPullingTime, fakePodPullingTimeRecorder.startedPullingRecorded)
|
||||
@@ -1045,6 +1079,13 @@ func TestMaxParallelImagePullsLimit(t *testing.T) {
|
||||
UID: "bar",
|
||||
ResourceVersion: "42",
|
||||
}}
|
||||
podSandboxConfig := &runtimeapi.PodSandboxConfig{
|
||||
Metadata: &runtimeapi.PodSandboxMetadata{
|
||||
Name: pod.Name,
|
||||
Namespace: pod.Namespace,
|
||||
Uid: string(pod.UID),
|
||||
},
|
||||
}
|
||||
|
||||
testCase := &pullerTestCase{
|
||||
containerImage: "present_image",
|
||||
@@ -1070,7 +1111,7 @@ func TestMaxParallelImagePullsLimit(t *testing.T) {
|
||||
for i := 0; i < maxParallelImagePulls; i++ {
|
||||
wg.Add(1)
|
||||
go func() {
|
||||
_, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, testCase.pullSecrets, nil, "", container.ImagePullPolicy)
|
||||
_, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, testCase.pullSecrets, podSandboxConfig, "", container.ImagePullPolicy)
|
||||
assert.NoError(t, err)
|
||||
wg.Done()
|
||||
}()
|
||||
@@ -1082,7 +1123,7 @@ func TestMaxParallelImagePullsLimit(t *testing.T) {
|
||||
for i := 0; i < 2; i++ {
|
||||
wg.Add(1)
|
||||
go func() {
|
||||
_, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, testCase.pullSecrets, nil, "", container.ImagePullPolicy)
|
||||
_, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, testCase.pullSecrets, podSandboxConfig, "", container.ImagePullPolicy)
|
||||
assert.NoError(t, err)
|
||||
wg.Done()
|
||||
}()
|
||||
@@ -1169,6 +1210,13 @@ func TestImagePullPrecheck(t *testing.T) {
|
||||
UID: "bar",
|
||||
ResourceVersion: "42",
|
||||
}}
|
||||
podSandboxConfig := &runtimeapi.PodSandboxConfig{
|
||||
Metadata: &runtimeapi.PodSandboxMetadata{
|
||||
Name: pod.Name,
|
||||
Namespace: pod.Namespace,
|
||||
Uid: string(pod.UID),
|
||||
},
|
||||
}
|
||||
|
||||
cases := pullerTestCases()
|
||||
|
||||
@@ -1183,7 +1231,7 @@ func TestImagePullPrecheck(t *testing.T) {
|
||||
fakeRecorder.Events = []*v1.Event{}
|
||||
fakeClock.Step(time.Second)
|
||||
|
||||
_, _, err := puller.EnsureImageExists(ctx, &v1.ObjectReference{}, pod, container.Image, c.pullSecrets, nil, "", container.ImagePullPolicy)
|
||||
_, _, err := puller.EnsureImageExists(ctx, &v1.ObjectReference{}, pod, container.Image, c.pullSecrets, podSandboxConfig, "", container.ImagePullPolicy)
|
||||
fakeRuntime.AssertCalls(expected.calls)
|
||||
var recorderEvents []v1.Event
|
||||
for _, event := range fakeRecorder.Events {
|
||||
@@ -1223,6 +1271,14 @@ func TestEnsureImageExistsWithServiceAccountCoordinates(t *testing.T) {
|
||||
},
|
||||
}
|
||||
|
||||
podSandboxConfig := &runtimeapi.PodSandboxConfig{
|
||||
Metadata: &runtimeapi.PodSandboxMetadata{
|
||||
Name: pod.Name,
|
||||
Namespace: pod.Namespace,
|
||||
Uid: string(pod.UID),
|
||||
},
|
||||
}
|
||||
|
||||
cases := []struct {
|
||||
name string
|
||||
containerImage string
|
||||
@@ -1330,7 +1386,7 @@ func TestEnsureImageExistsWithServiceAccountCoordinates(t *testing.T) {
|
||||
ImagePullPolicy: tc.policy,
|
||||
}
|
||||
|
||||
_, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, []v1.Secret{}, nil, "", container.ImagePullPolicy)
|
||||
_, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, []v1.Secret{}, podSandboxConfig, "", container.ImagePullPolicy)
|
||||
require.NoError(t, err)
|
||||
|
||||
if tc.shouldCallMustAttemptPull {
|
||||
@@ -1361,6 +1417,14 @@ func TestEnsureImageExistsWithNodeCredentialsOnly(t *testing.T) {
|
||||
},
|
||||
}
|
||||
|
||||
podSandboxConfig := &runtimeapi.PodSandboxConfig{
|
||||
Metadata: &runtimeapi.PodSandboxMetadata{
|
||||
Name: pod.Name,
|
||||
Namespace: pod.Namespace,
|
||||
Uid: string(pod.UID),
|
||||
},
|
||||
}
|
||||
|
||||
ctx := context.Background()
|
||||
fakeClock := testingclock.NewFakeClock(time.Now())
|
||||
fakeRuntime := &ctest.FakeRuntime{T: t}
|
||||
@@ -1401,7 +1465,7 @@ func TestEnsureImageExistsWithNodeCredentialsOnly(t *testing.T) {
|
||||
ImagePullPolicy: v1.PullIfNotPresent,
|
||||
}
|
||||
|
||||
_, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, []v1.Secret{}, nil, "", container.ImagePullPolicy)
|
||||
_, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, []v1.Secret{}, podSandboxConfig, "", container.ImagePullPolicy)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Verify that MustAttemptImagePull was called with empty secrets and service accounts
|
||||
|
||||
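Review bot: Every `EnsureImageExists` call in this file now passes a populated `podSandboxConfig` instead of `nil`, so no test here still covers a nil sandbox config or one whose `Metadata` is nil. Presumably the path enabled by the now-default gate reads `Metadata.Name`, `Namespace` and `Uid`; if so, a caller that still passes `nil` should get an error rather than a nil-pointer panic in the kubelet. I would keep one case, for example in TestEnsureImageExistsWithServiceAccountCoordinates, that passes `nil` and asserts the outcome explicitly. The same seven-line literal is also repeated in eight tests, so a helper such as `func podSandboxConfigFor(pod *v1.Pod) *runtimeapi.PodSandboxConfig` would keep the copies in sync. All of these test bodies start and end outside the hunks.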
@@ -260,6 +260,14 @@ func TestPullWithSecrets(t *testing.T) {
|
||||
t.Errorf("unexpected error: %v", err)
|
||||
}
|
||||
|
||||
podSandboxConfig := &runtimeapi.PodSandboxConfig{
|
||||
Metadata: &runtimeapi.PodSandboxMetadata{
|
||||
Name: "testpod",
|
||||
Namespace: "testpod-ns",
|
||||
Uid: "testpod-uid",
|
||||
},
|
||||
}
|
||||
|
||||
tests := map[string]struct {
|
||||
imageName string
|
||||
passedSecrets []v1.Secret
|
||||
@@ -335,7 +343,7 @@ func TestPullWithSecrets(t *testing.T) {
|
||||
&fakePodPullingTimeRecorder{},
|
||||
)
|
||||
|
||||
_, _, err = fakeManager.imagePuller.EnsureImageExists(tCtx, nil, makeTestPod("testpod", "testpod-ns", "testpod-uid", []v1.Container{}), test.imageName, test.passedSecrets, nil, "", v1.PullAlways)
|
||||
_, _, err = fakeManager.imagePuller.EnsureImageExists(tCtx, nil, makeTestPod("testpod", "testpod-ns", "testpod-uid", []v1.Container{}), test.imageName, test.passedSecrets, podSandboxConfig, "", v1.PullAlways)
|
||||
require.NoError(t, err)
|
||||
fakeImageService.AssertImagePulledWithAuth(t, &runtimeapi.ImageSpec{Image: test.imageName, Annotations: make(map[string]string)}, test.expectedAuth, description)
|
||||
}
|
||||
@@ -358,6 +366,14 @@ func TestPullWithSecretsWithError(t *testing.T) {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
podSandboxConfig := &runtimeapi.PodSandboxConfig{
|
||||
Metadata: &runtimeapi.PodSandboxMetadata{
|
||||
Name: "testpod",
|
||||
Namespace: "testpod-ns",
|
||||
Uid: "testpod-uid",
|
||||
},
|
||||
}
|
||||
|
||||
for _, test := range []struct {
|
||||
name string
|
||||
imageName string
|
||||
@@ -409,7 +425,7 @@ func TestPullWithSecretsWithError(t *testing.T) {
|
||||
&fakePodPullingTimeRecorder{},
|
||||
)
|
||||
|
||||
imageRef, _, err := fakeManager.imagePuller.EnsureImageExists(tCtx, nil, makeTestPod("testpod", "testpod-ns", "testpod-uid", []v1.Container{}), test.imageName, test.passedSecrets, nil, "", v1.PullAlways)
|
||||
imageRef, _, err := fakeManager.imagePuller.EnsureImageExists(tCtx, nil, makeTestPod("testpod", "testpod-ns", "testpod-uid", []v1.Container{}), test.imageName, test.passedSecrets, podSandboxConfig, "", v1.PullAlways)
|
||||
assert.Error(t, err)
|
||||
assert.Equal(t, "", imageRef)
|
||||
|
||||
|
||||
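Review bot: The `podSandboxConfig` literals in TestPullWithSecrets and TestPullWithSecretsWithError repeat the strings `"testpod"`, `"testpod-ns"` and `"testpod-uid"` that are also passed to `makeTestPod(...)` at the call site, so the pod and sandbox identities agree only by copy-paste. Building the pod once with `pod := makeTestPod("testpod", "testpod-ns", "testpod-uid", []v1.Container{})` and filling the metadata from `pod.Name`, `pod.Namespace` and `string(pod.UID)` would keep the two from drifting. That matters if the credential lookup is keyed on this identity, which the hunks do not show. Both test bodies extend outside the hunks.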
@@ -2847,6 +2847,14 @@ func TestGetImageVolumes(t *testing.T) {
|
||||
imageSpec1 := runtimeapi.ImageSpec{Image: image1, UserSpecifiedImage: image1}
|
||||
imageSpec2 := runtimeapi.ImageSpec{Image: image2, UserSpecifiedImage: image2}
|
||||
|
||||
podSandboxConfig := &runtimeapi.PodSandboxConfig{
|
||||
Metadata: &runtimeapi.PodSandboxMetadata{
|
||||
Name: "test-pod",
|
||||
Namespace: "test-namespace",
|
||||
Uid: "test-uid",
|
||||
},
|
||||
}
|
||||
|
||||
for desc, tc := range map[string]struct {
|
||||
pod *v1.Pod
|
||||
expectedImageVolumePulls imageVolumePulls
|
||||
@@ -2883,7 +2891,8 @@ func TestGetImageVolumes(t *testing.T) {
|
||||
},
|
||||
},
|
||||
} {
|
||||
imageVolumePulls, err := manager.getImageVolumes(tCtx, tc.pod, nil, nil)
|
||||
|
||||
imageVolumePulls, err := manager.getImageVolumes(tCtx, tc.pod, podSandboxConfig, nil)
|
||||
if tc.expectedError != nil {
|
||||
require.EqualError(t, err, tc.expectedError.Error())
|
||||
} else {
|
||||
|
||||
@@ -1105,6 +1105,12 @@ items:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- serviceaccounts
|
||||
verbs:
|
||||
- get
|
||||
- apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
||||
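Review bot: The added rule grants `get` on every `serviceaccounts` object in the core API group with no `resourceNames`, and the role that receives it is not visible because its `metadata.name` lies above the hunk context. If this is the node role picking up the rule because the gate now defaults to on, RBAC alone would let the holder read any ServiceAccount in any namespace, including its annotations and referenced secret names. Please confirm that the narrowing to service accounts of pods bound to the requesting node is enforced elsewhere, and that a test asserts denial for an unrelated service account. This file looks like a generated fixture, so an explanatory comment belongs next to the policy source that produces the rule, for example `# needed by the kubelet to read service account annotations for credential providers; scoped per node by the authorizer`, adjusted to whatever the enforcement turns out to be.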
@@ -799,6 +799,10 @@
|
||||
lockToDefault: false
|
||||
preRelease: Alpha
|
||||
version: "1.33"
|
||||
- default: true
|
||||
lockToDefault: false
|
||||
preRelease: Beta
|
||||
version: "1.34"
|
||||
- name: KubeletTracing
|
||||
versionedSpecs:
|
||||
- default: false
|
||||
|
||||