remove abac #39092
Rebased on #39094. I'd like to merge this on January 3.
@cjcullen @kubernetes/sig-auth-misc @sttts @ncdc @liggitt @smarterclayton This pull disabled the ABAC authorizer, ran with RBAC instead and passed all e2e. I'd like to merge prereqs this week and merge this January 3.
I'd love to see ABAC gone. But as we shipped ABAC (and not in alpha AFAICT), we need to keep supporting it right? So we should keep testing it...
Is it possible to create a separate e2e job instead?
The abac policy being tested is "allow all", so there's not really value in keeping it in the test.
An integration test for abac would be more appropriate than a new e2e suite.
@k8s-bot test this
@sttts you're probably up, can you take a look? Had to add some more permissions for a kubectl test. Went ahead and tidied up the implementation.
return | ||
} | ||
framework.ExpectNoError(err) | ||
framework.BindClusterRole(f.ClientSet.Rbac(), "cluster-admin", f.Namespace.Name, |
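Review bot: the framework.BindClusterRole call on the last line binds "cluster-admin", the broadest default role, for this test, and it would be better to bind a role limited to what the test needs or to add a comment saying why full cluster-admin is required. The call is also written as a bare statement, so a failure to create the binding is not surfaced at this call site the way the framework.ExpectNoError(err) check on the line above surfaces its error.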
I wonder whether it wouldn't be cleaner to ignore the error here on the test level, not inside BindClusterRole.
> I wonder whether it wouldn't be cleaner to ignore the error here on the test level, not inside BindClusterRole.

That's going to mean boilerplate everywhere and an error that's effectively always ignored.
Then make it clear in the name of the func that errors are ignored.
Comments addressed.
Tagged this as multiple rebases. Every time someone writes an e2e test or a controller which needs more permissions, I keep having to update on non-conflicting conflicts.
Just the func name comment left. Otherwise, lgtm
Jenkins GCI GKE smoke e2e failed for commit 997e01f35a3e1ba9c506247baddca6fb282f4d58. Full PR test history. The magic incantation to run this job again is
@k8s-bot gci gke e2e test this
Jenkins GCE e2e failed for commit 997e01f35a3e1ba9c506247baddca6fb282f4d58. Full PR test history. The magic incantation to run this job again is
Jenkins GCE etcd3 e2e failed for commit 997e01f35a3e1ba9c506247baddca6fb282f4d58. Full PR test history. The magic incantation to run this job again is
Jenkins GCI GCE e2e failed for commit 997e01f35a3e1ba9c506247baddca6fb282f4d58. Full PR test history. The magic incantation to run this job again is
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue
See kubernetes#39092 We based off of GCI in the brief time where it was using abac.
Remove the abac authorizer as an authorizer for e2e.