Add CRD integration tests for ValidatingAdmissionPolicy #113795

@DangerOnTheRanger DangerOnTheRanger commented Nov 9, 2022

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR adds integration tests that check CRD parameter resources can be used with ValidatingAdmissionPolicy. This PR also adds an additional test (TestBindingRemoval) that was originally intended to merge as a part of #113314.

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?


Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


@k8s-ci-robot
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Nov 9, 2022
@k8s-ci-robot
Contributor

@DangerOnTheRanger: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.


@k8s-ci-robot k8s-ci-robot added the needs-priority Indicates a PR lacks a `priority/foo` label and requires one. label Nov 9, 2022
@k8s-ci-robot k8s-ci-robot added area/test sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Nov 9, 2022
@DangerOnTheRanger DangerOnTheRanger force-pushed the validatingadmissionpolicy-crd-integration-tests branch from 19c0814 to a317a3a Compare November 10, 2022 17:27
@DangerOnTheRanger DangerOnTheRanger changed the title [WIP] Add CRD integration tests for ValidatingAdmissionPolicy Add CRD integration tests for ValidatingAdmissionPolicy Nov 10, 2022
@DangerOnTheRanger DangerOnTheRanger marked this pull request as ready for review November 10, 2022 17:28
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 10, 2022
@DangerOnTheRanger DangerOnTheRanger force-pushed the validatingadmissionpolicy-crd-integration-tests branch from b80dcaa to 646b71e Compare November 10, 2022 21:24
},
policy: withValidations([]admissionregistrationv1alpha1.Validation{
{
Expression: "params.spec.someNum == 2",

Member

Should the expression use the param object to compare it against the object being validated in some way?

Member

Maybe compare someNum against a Deployment's replicaset or similar?

Contributor Author

I changed it to use strings/a similar name check as with some of the other tests - it's a bit similar to the ConfigMap tests now, but I think the CRD codepaths are still being hit, so it should be fine.
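
The review point in this thread, shown as an added example (not code from this PR or from the Kubernetes test suite): a v1alpha1 ValidatingAdmissionPolicy whose expression compares the object under admission against a CRD-backed parameter, rather than checking the parameter alone. All names are hypothetical, and a cluster-scoped CRD for kind `NameRule` in group `example.com` is assumed to be installed already.

```yaml
# Parameter resource: an instance of the (assumed, hypothetical) NameRule CRD.
apiVersion: example.com/v1
kind: NameRule
metadata:
  name: allowed-prefix
spec:
  prefix: "team-a-"
---
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
  name: namespace-prefix-policy
spec:
  failurePolicy: Fail
  # paramKind points at the CRD, so `params` in the expression is a NameRule.
  paramKind:
    apiVersion: example.com/v1
    kind: NameRule
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE"]
      resources: ["namespaces"]
  validations:
  # Uses both `object` (the namespace being created) and `params`,
  # so the verdict depends on the request and on the parameter.
  - expression: "object.metadata.name.startsWith(params.spec.prefix)"
    message: "namespace name must start with the prefix set in the NameRule parameter"
---
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: namespace-prefix-binding
spec:
  policyName: namespace-prefix-policy
  # Binds the policy to one specific parameter object.
  paramRef:
    name: allowed-prefix
```

With this applied, creating a namespace named `team-a-dev` is admitted and one named `dev` is denied; deleting the binding should lift the restriction once the API server observes the removal.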

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 15, 2022
@DangerOnTheRanger DangerOnTheRanger force-pushed the validatingadmissionpolicy-crd-integration-tests branch from dcfd1f2 to 8fcd58f Compare November 15, 2022 20:16
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 15, 2022
@andrewsykim
Member

Ran TestBindingRemoval locally a few times and I think it's flaky:

--- FAIL: TestBindingRemoval (4.72s)
    testserver.go:414: Resolved testserver package path to: "/home/andrewsy/go/src/k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
    testserver.go:245: runtime-config=map[api/all:true]
    testserver.go:246: Starting kube-apiserver on port 32779...
    testserver.go:266: Waiting for /healthz to be ok...
    validatingadmissionpolicy_test.go:2042: expected namespace creation to succeed: namespaces "test-namespace" is forbidden: ValidatingAdmissionPolicy 'test-policy' with binding 'test-binding' denied request: policy still in effect
FAIL

@DangerOnTheRanger
Contributor Author

/retest

Member

@andrewsykim andrewsykim left a comment

LGTM, commits need to be cleaned up though (a commit per new test seems fine)

Not sure if release team is accepting new test PRs at this point (we're past test freeze I think). Putting the v1.26 milestone to put this on the release team's radar and will defer to them.

/milestone v1.26

@k8s-ci-robot k8s-ci-robot added this to the v1.26 milestone Nov 17, 2022
@DangerOnTheRanger DangerOnTheRanger force-pushed the validatingadmissionpolicy-crd-integration-tests branch from 12eb052 to 19242ec Compare November 17, 2022 02:12
@DangerOnTheRanger
Contributor Author

(force push to squash commits)

@cici37
Contributor

cici37 commented Nov 17, 2022

/release-note none

@cici37
Contributor

cici37 commented Nov 17, 2022

/release-note-none

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Nov 17, 2022
@andrewsykim
Member

/milestone clear

(based on discussion with release team to defer this to v1.27)

@k8s-ci-robot k8s-ci-robot removed this from the v1.26 milestone Nov 17, 2022
Member

@andrewsykim andrewsykim left a comment

/approve
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 13, 2022
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andrewsykim, DangerOnTheRanger


@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 13, 2022
@k8s-ci-robot k8s-ci-robot merged commit e6bc669 into kubernetes:master Dec 13, 2022
@k8s-ci-robot k8s-ci-robot added this to the v1.27 milestone Dec 13, 2022