Better control plane tests for kube-apiserver entities #29432
Labels: area/CI, kind/cleanup, sig/agent, sig/policy, stale
The special `reserved:kube-apiserver` label has a complex interaction. The source of this data is the Endpoints / EndpointSlice watcher. Additionally, the presence of this label on a prefix can result in at least 4 different cases, depending on which IP has the label:

- `reserved:kube-apiserver` label and the identity is mutated (fix).
- `--policy-cidr-match-mode=nodes`, in which case that IP's identity changes from 6 (`remote-node`) to 7 (`kube-apiserver`)
- `--policy-cidr-match-mode=nodes`, in which case that IP gains an additional label and the identity is recalculated

When the IP in question is not a cluster node, it can be in several states:

We need to write controlplane tests, using the black-box control plane simulator in `test/controlplane`, that exercise as many of these state transitions as possible. We should also consider backporting these tests, as older versions also need to support all of these transitions.