New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test: Extend coredns clusterrole with additional resource permissions #18104
test: Extend coredns clusterrole with additional resource permissions #18104
Conversation
test-only --focus="K8sServicesTest.*" --k8s_version=1.19 --kernel_version="49" Edit : Passed - https://jenkins.cilium.io/job/Cilium-PR-Tests-Kernel-Focus/374/console |
I've triggered |
All focused tests have passed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I think the commit description might be malformed as its missing a link to the commit it fixes after Fixes:
?
Commit 398d55c didn't add permissions for `endpointslices` resource to the coredns `cluterrole` on k8s < 1.20. As a result, core-dns deployments failed on the these versions with the error - `2021-11-30T14:09:43.349414540Z E1130 14:09:43.349292 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.20.2/tools/cache/reflector.go:167: Failed to watch *v1beta1.EndpointSlice: failed to list *v1beta1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:kube-system:coredns" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope` Fixes: 398d55c Signed-off-by: Aditi Ghag <aditi@cilium.io>
04cacdc
to
80f872f
Compare
Fixed. Only updated the commit description in the latest push, no need to re-run the tests. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FYI for generating the "fixes:" tag for commits, typically we will use this format:
git log -1 --pretty="%h (\"%s\")"
This way, if the sha is ambiguous (eg because it's too short and the first N characters are identical between two different git commit shas, which can happen over time as the number of commits grows), then we can clearly disambiguate which underlying commit is being referenced here.
^^ Given that the bug is only on master and we're not likely to track this down in future, I don't think it's necessary to fix this up in git history. Good to merge. |
Noted. I simply copied it from the IDE git window so it ended up copying just the first N characters. |
Commit didn't add permissions for
endpointslices
resource to thecoredns
cluterrole
on k8s < 1.20. As a result, core-dns deploymentsfailed on the these versions with the error -
2021-11-30T14:09:43.349414540Z E1130 14:09:43.349292 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.20.2/tools/cache/reflector.go:167: Failed to watch *v1beta1.EndpointSlice: failed to list *v1beta1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:kube-system:coredns" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope
Note : Hold off onto enabling the feature gate on older versions. -
cilium/test/provision/k8s_install.sh
Line 302 in 7ed8a42
Fixes: 398d55c
Fixes: #18086
Signed-off-by: Aditi Ghag aditi@cilium.io