-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Promote admission webhook e2e tests to conformance #81857
Conversation
626659d
to
7f5b08d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I need to dig into the actual test functionality, but here's a quick couple comments that need addressing.
/assign
/retest |
/test pull-kubernetes-e2e-aks-engine-azure-windows |
Thanks for the quick first pass on syntactical issues @johnbelamaric. Feedback is applied. |
/test pull-kubernetes-conformance-image-test |
/test pull-kubernetes-e2e-kind |
hmm 🤔 EDIT: one of these flaked once in |
6cdef31
to
8af7625
Compare
thanks @liggitt @johnbelamaric. I'm adding the [Privileged:ClusterAdmin] tag |
3a989b6
to
344971c
Compare
344971c
to
4254b70
Compare
mutation results
4254b70
to
b9674fa
Compare
b9674fa
to
68bafe4
Compare
rebased and promoted the discovery doc test #82019, to cover all endpoints for conformance |
/retest |
Originally conformance was "make sure apps run on kube clusters the same". We limited privilege because lots of clusters won't allow those privileges. We want conformance to apply to more than just app function (to cover extension function and admin function). We really, really, really need either profiles or to drop the requirements around non-privilege in the short term. Edited for clarity |
/retest |
/lgtm Note for conformance approvers: These tests require clusterAdmin, because this functionality is inherently privileged. To mitigate this in environments where the tests cannot be run as clusterAdmin, we added a [Privileged:ClusterAdmin] tag to that they can be easily excluded. This is a new tag and I will propose an update to the docs to cover this case. |
/assign @bgrant0607 @smarterclayton |
/approve This is such a fundamental part of Kube that I think we should get it in conformance, then use this as a focus to sort out profiles. You can be conformant for apps without allowing webhook registration, but you can't be conformant for extension without it. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jpbetz, smarterclayton The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest |
@jpbetz: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/area admission-control |
Test stability status: https://k8s-testgrid.appspot.com/sig-release-master-blocking#gce-cos-master-default&width=5&sort-by-flakiness=&include-filter-by-regex=.*AdmissionWebhook.*
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
Admission webhoooks graduate to GA in 1.16. Conformance tests are now required for graduation to GA.
Which issue(s) this PR fixes:
Fixes #80767
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
/area conformance
@kubernetes/sig-architecture-pr-reviews @kubernetes/sig-api-machinery-pr-reviews @kubernetes/cncf-conformance-wg
/cc @liggitt @roycaihw @sttts @caesarxuchao
/priority important-soon