diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go index fe87acac097..73da3a9cfbf 100644 --- a/pkg/features/kube_features.go +++ b/pkg/features/kube_features.go @@ -1332,6 +1332,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate KubeletServiceAccountTokenForCredentialProviders: { {Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Alpha}, + {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta}, }, KubeletTracing: { diff --git a/pkg/kubelet/images/image_manager_test.go b/pkg/kubelet/images/image_manager_test.go index 68fb9b8a691..1f98d734a72 100644 --- a/pkg/kubelet/images/image_manager_test.go +++ b/pkg/kubelet/images/image_manager_test.go @@ -29,6 +29,7 @@ import ( "github.com/google/go-cmp/cmp/cmpopts" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" @@ -36,6 +37,7 @@ import ( "k8s.io/client-go/util/flowcontrol" "k8s.io/component-base/featuregate" featuregatetesting "k8s.io/component-base/featuregate/testing" + runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1" crierrors "k8s.io/cri-api/pkg/errors" "k8s.io/kubernetes/pkg/controller/testutil" "k8s.io/kubernetes/pkg/credentialprovider" 
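Review bot: The added `{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta}` turns this gate on for every node that upgrades, and — as the gate's name indicates — the kubelet will then hand a pod-bound service-account token to an out-of-process credential provider; the same diff adds `get` on `serviceaccounts` to a bootstrap ClusterRole (cluster-roles.yaml hunk), so the promotion and the permission change must ship together and be reverted together. The doc comment on the `KubeletServiceAccountTokenForCredentialProviders` constant is outside this hunk; if it does not already say so, add a line such as `// Beta (on by default) since v1.34: the kubelet reads the pod's ServiceAccount and requests a bound token for credential provider plugins — presumably only for providers whose config opts in; confirm against the KEP.` so operators who authorize kubelets through an RBAC-bound node role rather than the Node authorizer learn about the new API read. Leaving `lockToDefault: false` is right: a per-node `--feature-gates=KubeletServiceAccountTokenForCredentialProviders=false` stays available for clusters that have not vetted their provider binaries, and that escape hatch should be mentioned in the release note.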
@@ -848,11 +850,19 @@ func TestParallelPuller(t *testing.T) { pod.Spec.ServiceAccountName = c.serviceAccountName } + podSandboxConfig := &runtimeapi.PodSandboxConfig{ + Metadata: &runtimeapi.PodSandboxMetadata{ + Name: pod.Name, + Namespace: pod.Namespace, + Uid: string(pod.UID), + }, + } + for _, expected := range c.expected { fakeRuntime.CalledFunctions = nil fakeClock.Step(time.Second) - _, msg, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, nil, "", container.ImagePullPolicy) + _, msg, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, podSandboxConfig, "", container.ImagePullPolicy) fakeRuntime.AssertCalls(expected.calls) assert.Equal(t, expected.err, err) assert.Equal(t, expected.shouldRecordStartedPullingTime, fakePodPullingTimeRecorder.startedPullingRecorded) @@ -886,11 +896,19 @@ func TestSerializedPuller(t *testing.T) { pod.Spec.ServiceAccountName = c.serviceAccountName } + podSandboxConfig := &runtimeapi.PodSandboxConfig{ + Metadata: &runtimeapi.PodSandboxMetadata{ + Name: pod.Name, + Namespace: pod.Namespace, + Uid: string(pod.UID), + }, + } + for _, expected := range c.expected { fakeRuntime.CalledFunctions = nil fakeClock.Step(time.Second) - _, msg, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, nil, "", container.ImagePullPolicy) + _, msg, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, podSandboxConfig, "", container.ImagePullPolicy) fakeRuntime.AssertCalls(expected.calls) assert.Equal(t, expected.err, err) assert.Equal(t, expected.shouldRecordStartedPullingTime, fakePodPullingTimeRecorder.startedPullingRecorded) 
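Review bot: Every call site in these two hunks, and the later ones in this file, replaces the `nil` sandbox config with an identical seven-line `runtimeapi.PodSandboxConfig` literal built from the pod's name, namespace and UID, with the result that no test in this file still exercises `EnsureImageExists` with a nil `podSandboxConfig`. Presumably the production code now dereferences `podSandboxConfig.Metadata` to derive service-account coordinates when the gate is on — which is why the tests had to change — so keep one case that passes `nil` and asserts the intended outcome (an error or a fall-back to node credentials), so that a caller that still passes `nil` produces a failing test here rather than a nil dereference on a node. The literal itself belongs in one helper, e.g. `func sandboxConfigForPod(pod *v1.Pod) *runtimeapi.PodSandboxConfig { return &runtimeapi.PodSandboxConfig{Metadata: &runtimeapi.PodSandboxMetadata{Name: pod.Name, Namespace: pod.Namespace, Uid: string(pod.UID)}} }`, so the pod-to-sandbox mapping is written once and cannot drift between tests. The enclosing test functions begin and end outside these hunks.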
@@ -936,6 +954,15 @@ func TestPullAndListImageWithPodAnnotations(t *testing.T) { "kubernetes.io/runtimehandler": "handler_name", }, }} + + podSandboxConfig := &runtimeapi.PodSandboxConfig{ + Metadata: &runtimeapi.PodSandboxMetadata{ + Name: pod.Name, + Namespace: pod.Namespace, + Uid: string(pod.UID), + }, + } + c := pullerTestCase{ // pull missing image testName: "test pull and list image with pod annotations", containerImage: "missing_image", @@ -954,7 +981,7 @@ func TestPullAndListImageWithPodAnnotations(t *testing.T) { fakeRuntime.ImageList = []Image{} fakeClock.Step(time.Second) - _, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, nil, "", container.ImagePullPolicy) + _, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, podSandboxConfig, "", container.ImagePullPolicy) fakeRuntime.AssertCalls(c.expected[0].calls) assert.Equal(t, c.expected[0].err, err, "tick=%d", 0) assert.Equal(t, c.expected[0].shouldRecordStartedPullingTime, fakePodPullingTimeRecorder.startedPullingRecorded) @@ -992,6 +1019,13 @@ func TestPullAndListImageWithRuntimeHandlerInImageCriAPIFeatureGate(t *testing.T RuntimeClassName: &runtimeHandler, }, } + podSandboxConfig := &runtimeapi.PodSandboxConfig{ + Metadata: &runtimeapi.PodSandboxMetadata{ + Name: pod.Name, + Namespace: pod.Namespace, + Uid: string(pod.UID), + }, + } c := pullerTestCase{ // pull missing image testName: "test pull and list image with pod annotations", containerImage: "missing_image", 
@@ -1011,7 +1045,7 @@ func TestPullAndListImageWithRuntimeHandlerInImageCriAPIFeatureGate(t *testing.T fakeRuntime.ImageList = []Image{} fakeClock.Step(time.Second) - _, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, nil, runtimeHandler, container.ImagePullPolicy) + _, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, podSandboxConfig, runtimeHandler, container.ImagePullPolicy) fakeRuntime.AssertCalls(c.expected[0].calls) assert.Equal(t, c.expected[0].err, err, "tick=%d", 0) assert.Equal(t, c.expected[0].shouldRecordStartedPullingTime, fakePodPullingTimeRecorder.startedPullingRecorded) @@ -1045,6 +1079,13 @@ func TestMaxParallelImagePullsLimit(t *testing.T) { UID: "bar", ResourceVersion: "42", }} + podSandboxConfig := &runtimeapi.PodSandboxConfig{ + Metadata: &runtimeapi.PodSandboxMetadata{ + Name: pod.Name, + Namespace: pod.Namespace, + Uid: string(pod.UID), + }, + } testCase := &pullerTestCase{ containerImage: "present_image", @@ -1070,7 +1111,7 @@ func TestMaxParallelImagePullsLimit(t *testing.T) { for i := 0; i < maxParallelImagePulls; i++ { wg.Add(1) go func() { - _, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, testCase.pullSecrets, nil, "", container.ImagePullPolicy) + _, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, testCase.pullSecrets, podSandboxConfig, "", container.ImagePullPolicy) assert.NoError(t, err) wg.Done() }() @@ -1082,7 +1123,7 @@ func TestMaxParallelImagePullsLimit(t *testing.T) { for i := 0; i < 2; i++ { wg.Add(1) go func() { - _, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, testCase.pullSecrets, nil, "", container.ImagePullPolicy) + _, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, testCase.pullSecrets, podSandboxConfig, "", container.ImagePullPolicy) assert.NoError(t, err) wg.Done() }() 
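Review bot: In `TestMaxParallelImagePullsLimit` (hunks at 1111 and 1123) a single `*runtimeapi.PodSandboxConfig` is now shared by all concurrently running goroutines; that is fine only as long as `EnsureImageExists` treats the config as read-only, which the hunk cannot show, so this test should be run under `go test -race` after the change and, if the puller ever annotates or otherwise writes into the config, each goroutine should build its own copy. While touching these goroutines, make `wg.Done()` a `defer` as the first statement (`go func() { defer wg.Done(); _, _, err := puller.EnsureImageExists(...); assert.NoError(t, err) }()`) so a later early `return` cannot leave `wg.Wait()` blocked, and keep `assert` rather than `require` here since `t.FailNow` must not be called from a non-test goroutine. The test function starts and ends outside these hunks.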
@@ -1169,6 +1210,13 @@ func TestImagePullPrecheck(t *testing.T) { UID: "bar", ResourceVersion: "42", }} + podSandboxConfig := &runtimeapi.PodSandboxConfig{ + Metadata: &runtimeapi.PodSandboxMetadata{ + Name: pod.Name, + Namespace: pod.Namespace, + Uid: string(pod.UID), + }, + } cases := pullerTestCases() @@ -1183,7 +1231,7 @@ func TestImagePullPrecheck(t *testing.T) { fakeRecorder.Events = []*v1.Event{} fakeClock.Step(time.Second) - _, _, err := puller.EnsureImageExists(ctx, &v1.ObjectReference{}, pod, container.Image, c.pullSecrets, nil, "", container.ImagePullPolicy) + _, _, err := puller.EnsureImageExists(ctx, &v1.ObjectReference{}, pod, container.Image, c.pullSecrets, podSandboxConfig, "", container.ImagePullPolicy) fakeRuntime.AssertCalls(expected.calls) var recorderEvents []v1.Event for _, event := range fakeRecorder.Events { @@ -1223,6 +1271,14 @@ func TestEnsureImageExistsWithServiceAccountCoordinates(t *testing.T) { }, } + podSandboxConfig := &runtimeapi.PodSandboxConfig{ + Metadata: &runtimeapi.PodSandboxMetadata{ + Name: pod.Name, + Namespace: pod.Namespace, + Uid: string(pod.UID), + }, + } + cases := []struct { name string containerImage string @@ -1330,7 +1386,7 @@ func TestEnsureImageExistsWithServiceAccountCoordinates(t *testing.T) { ImagePullPolicy: tc.policy, } - _, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, []v1.Secret{}, nil, "", container.ImagePullPolicy) + _, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, []v1.Secret{}, podSandboxConfig, "", container.ImagePullPolicy) require.NoError(t, err) if tc.shouldCallMustAttemptPull { 
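Review bot: In `TestEnsureImageExistsWithServiceAccountCoordinates` the sandbox config carries only `pod.Name`, `pod.Namespace` and `pod.UID`, while — as I understand this feature — the coordinate the pull-record check is keyed on also includes the ServiceAccount name and UID; the assertions after `if tc.shouldCallMustAttemptPull {` are outside the hunk, so I cannot tell whether they compare the coordinates that reached `MustAttemptImagePull` with the pod's identity or only check that the call happened. If it is the latter, add equality checks for namespace, service-account name and UID against what the fake recorded, because a mix-up there would let an image pulled with one service account's token satisfy a pod running as a different one. A one-line comment above the literal, `// sandbox metadata must match pod; the puller derives SA coordinates from it`, would also explain why the `nil` was replaced. The test function starts and ends outside this hunk.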
@@ -1361,6 +1417,14 @@ func TestEnsureImageExistsWithNodeCredentialsOnly(t *testing.T) { }, } + podSandboxConfig := &runtimeapi.PodSandboxConfig{ + Metadata: &runtimeapi.PodSandboxMetadata{ + Name: pod.Name, + Namespace: pod.Namespace, + Uid: string(pod.UID), + }, + } + ctx := context.Background() fakeClock := testingclock.NewFakeClock(time.Now()) fakeRuntime := &ctest.FakeRuntime{T: t} @@ -1401,7 +1465,7 @@ func TestEnsureImageExistsWithNodeCredentialsOnly(t *testing.T) { ImagePullPolicy: v1.PullIfNotPresent, } - _, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, []v1.Secret{}, nil, "", container.ImagePullPolicy) + _, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, []v1.Secret{}, podSandboxConfig, "", container.ImagePullPolicy) require.NoError(t, err) // Verify that MustAttemptImagePull was called with empty secrets and service accounts diff --git a/pkg/kubelet/kuberuntime/kuberuntime_image_test.go b/pkg/kubelet/kuberuntime/kuberuntime_image_test.go index 090915b71f3..bbc4529a946 100644 --- a/pkg/kubelet/kuberuntime/kuberuntime_image_test.go +++ b/pkg/kubelet/kuberuntime/kuberuntime_image_test.go @@ -260,6 +260,14 @@ func TestPullWithSecrets(t *testing.T) { t.Errorf("unexpected error: %v", err) } + podSandboxConfig := &runtimeapi.PodSandboxConfig{ + Metadata: &runtimeapi.PodSandboxMetadata{ + Name: "testpod", + Namespace: "testpod-ns", + Uid: "testpod-uid", + }, + } + tests := map[string]struct { imageName string passedSecrets []v1.Secret 
@@ -335,7 +343,7 @@ func TestPullWithSecrets(t *testing.T) { &fakePodPullingTimeRecorder{}, ) - _, _, err = fakeManager.imagePuller.EnsureImageExists(tCtx, nil, makeTestPod("testpod", "testpod-ns", "testpod-uid", []v1.Container{}), test.imageName, test.passedSecrets, nil, "", v1.PullAlways) + _, _, err = fakeManager.imagePuller.EnsureImageExists(tCtx, nil, makeTestPod("testpod", "testpod-ns", "testpod-uid", []v1.Container{}), test.imageName, test.passedSecrets, podSandboxConfig, "", v1.PullAlways) require.NoError(t, err) fakeImageService.AssertImagePulledWithAuth(t, &runtimeapi.ImageSpec{Image: test.imageName, Annotations: make(map[string]string)}, test.expectedAuth, description) } @@ -358,6 +366,14 @@ func TestPullWithSecretsWithError(t *testing.T) { t.Fatal(err) } + podSandboxConfig := &runtimeapi.PodSandboxConfig{ + Metadata: &runtimeapi.PodSandboxMetadata{ + Name: "testpod", + Namespace: "testpod-ns", + Uid: "testpod-uid", + }, + } + for _, test := range []struct { name string imageName string @@ -409,7 +425,7 @@ func TestPullWithSecretsWithError(t *testing.T) { &fakePodPullingTimeRecorder{}, ) - imageRef, _, err := fakeManager.imagePuller.EnsureImageExists(tCtx, nil, makeTestPod("testpod", "testpod-ns", "testpod-uid", []v1.Container{}), test.imageName, test.passedSecrets, nil, "", v1.PullAlways) + imageRef, _, err := fakeManager.imagePuller.EnsureImageExists(tCtx, nil, makeTestPod("testpod", "testpod-ns", "testpod-uid", []v1.Container{}), test.imageName, test.passedSecrets, podSandboxConfig, "", v1.PullAlways) assert.Error(t, err) assert.Equal(t, "", imageRef) diff --git a/pkg/kubelet/kuberuntime/kuberuntime_manager_test.go b/pkg/kubelet/kuberuntime/kuberuntime_manager_test.go index 78b649786b9..b11ca2300fe 100644 --- a/pkg/kubelet/kuberuntime/kuberuntime_manager_test.go +++ b/pkg/kubelet/kuberuntime/kuberuntime_manager_test.go 
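Review bot: In both `TestPullWithSecrets` and `TestPullWithSecretsWithError` the sandbox metadata literal repeats the strings `"testpod"`, `"testpod-ns"` and `"testpod-uid"` that are passed again to `makeTestPod(...)` at the `EnsureImageExists` call, so the pod and its sandbox config agree only by convention; if one of them is edited later the test would silently exercise a pod/sandbox identity mismatch, which — if the puller cross-checks the two — is a different code path from the one these tests intend to cover. Derive one from the other: `pod := makeTestPod("testpod", "testpod-ns", "testpod-uid", []v1.Container{})` once before the table, then `podSandboxConfig := &runtimeapi.PodSandboxConfig{Metadata: &runtimeapi.PodSandboxMetadata{Name: pod.Name, Namespace: pod.Namespace, Uid: string(pod.UID)}}` and pass `pod` in the calls. The enclosing test functions start and end outside these hunks.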
@@ -2847,6 +2847,14 @@ func TestGetImageVolumes(t *testing.T) { imageSpec1 := runtimeapi.ImageSpec{Image: image1, UserSpecifiedImage: image1} imageSpec2 := runtimeapi.ImageSpec{Image: image2, UserSpecifiedImage: image2} + podSandboxConfig := &runtimeapi.PodSandboxConfig{ + Metadata: &runtimeapi.PodSandboxMetadata{ + Name: "test-pod", + Namespace: "test-namespace", + Uid: "test-uid", + }, + } + for desc, tc := range map[string]struct { pod *v1.Pod expectedImageVolumePulls imageVolumePulls @@ -2883,7 +2891,8 @@ func TestGetImageVolumes(t *testing.T) { }, }, } { - imageVolumePulls, err := manager.getImageVolumes(tCtx, tc.pod, nil, nil) + + imageVolumePulls, err := manager.getImageVolumes(tCtx, tc.pod, podSandboxConfig, nil) if tc.expectedError != nil { require.EqualError(t, err, tc.expectedError.Error()) } else { diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml index 47e80ef206d..fa04b6245b8 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml @@ -1105,6 +1105,12 @@ items: - get - list - watch + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml index 9dd24a37e99..2c768ecf0b3 100644 --- a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml +++ b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml @@ -789,6 +789,10 @@ lockToDefault: false preRelease: Alpha version: "1.33" + - default: true + lockToDefault: false + preRelease: Beta + version: "1.34" - name: KubeletTracing versionedSpecs: - default: false
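Review bot: The new rule grants `get` on `serviceaccounts` with no `resourceNames` restriction, and the hunk shows neither the name of the ClusterRole it lands in (the visible `metadata:` belongs to the next item) nor the corresponding change in bootstrappolicy's policy.go that this generated testdata must mirror, so please confirm from that file which role is being widened. If it is `system:node`, be aware that RBAC cannot limit the read to the ServiceAccounts of pods scheduled on the requesting node — only the Node authorizer's graph does that — so a cluster that still binds `system:node` directly to the `system:nodes` group (the layout that predates the Node authorizer, which some distributions still carry) gains cluster-wide ServiceAccount read; record that reliance next to the rule in policy.go, e.g. `// Needed by KubeletServiceAccountTokenForCredentialProviders (Beta in 1.34): the kubelet reads the pod's ServiceAccount before requesting a bound token. Per-node scoping is enforced by the Node authorizer, not by this rule.`. Granting `get` alone, without `list`/`watch`, is the right minimum for a single lookup and should stay that way.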