kubectl create: enforce namespace during dry run #84343
Conversation
|
Welcome @busser! |
k8s-ci-robot
added
release-note
|
Hi @busser. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
There was a problem hiding this comment.
Although kubernetes/kubectl#705 uses create role as an example this problem applies to majority (if not all) of create commands. Can you please check all of them? Also don't forget to add tests ensuring that when run with --dry-run the namespace is properly set.
|
/hold Putting this PR on hold while I fix the other |
k8s-ci-robot
added
do-not-merge/hold
busser
changed the title
|
/priority backlog |
k8s-ci-robot
added
priority/backlog
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: busser The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
When the TestConfigFlags.WithNamespace method is called, the ClientConfig is wrapped inside a namespacedClientConfig. Previously, calling the namespaceClientConfig.Namespace method would return that the namespace should not be enforced. This made testing namespace enforcement complicated. From now on, the method will return that the namespace should be enforced.
A change in the cmdtesting.TestFactory broke the TestSetLocalNamespace unit test. Calling the TestFactory.WithNamespace method now enforces the "test" namespace, which conflicts with how this test works. This unit tests works by loading a resource from a file with its namespace set to "existing-ns", which was overwritten by "test". This fix corrects this issue.
The create.RunCreateRole function now enforces namespace during dry runs. The TestCreateRole unit test has been updated to reflect that.
TestCreateClusterRole now runs as multiple subtests and uses the diff package to print differences between the expected and actual cluster roles.
If the namespace is to be enforced, make sure to always enforce it, even during dry runs.
TestCreateCronJob now uses the diff package to print differences between the expected and actual cron jobs.
The tests were renamed because there could not be a TestComplete function for both roles and cron jobs, for example. Same for TestValidate.
If the namespace is to be enforced, make sure to always enforce it, even during dry runs.
The TestCreateRoleValidation test was replaced by TestValidateCreateRole to match how other `kubectl create` commands are tested.
|
/test pull-kubernetes-node-e2e-containerd |
1 similar comment
|
/test pull-kubernetes-node-e2e-containerd |
|
The |
|
/unhold All |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/test pull-kubernetes-node-e2e-containerd |
| @@ -96,7 +96,7 @@ type namespacedClientConfig struct { | |||
| } | |||
|
|
|||
| func (c *namespacedClientConfig) Namespace() (string, bool, error) { | |||
| return c.namespace, false, nil | |||
| return c.namespace, true, nil | |||
There was a problem hiding this comment.
I thought we agreed this to be:
return c.namespace, len(c.namespace) > 0, nildidn't we?
| return nil | ||
| } | ||
|
|
||
| func (o *CreateCronJobOptions) Run() error { | ||
| var cronjob *batchv1beta1.CronJob | ||
| cronjob = o.createCronJob() | ||
| if o.EnforceNamespace { | ||
| cronjob.Namespace = o.Namespace | ||
| cronjob.Spec.JobTemplate.Namespace = o.Namespace |
There was a problem hiding this comment.
Not needed, namespace for the created job will be always inherited from the cronjob itself.
| @@ -149,18 +150,28 @@ func (o *CreateCronJobOptions) Complete(f cmdutil.Factory, cmd *cobra.Command, a | |||
| } | |||
|
|
|||
| func (o *CreateCronJobOptions) Validate() error { | |||
| if o.Name == "" { | |||
There was a problem hiding this comment.
len(o.Name) == 0 is preferred, see below.
| } | ||
| } | ||
|
|
||
| func TestRunCreateCronJob(t *testing.T) { |
There was a problem hiding this comment.
This is mostly duplicating TestCreateCronJob, if you look at what Run in create_cronjob.go does it's only creating the CJ itself and I don't think we need that much of testing of the printing and all the rest of the machinery. This test has more setup code than actual code, and one of the reasons we've went with *Options struct was to get rid of those additional setup steps. The high level testing should happen in test-cmd, instead.
| } | ||
| } | ||
|
|
||
| func TestCompleteCreateCronJob(t *testing.T) { |
There was a problem hiding this comment.
The same argument as below, I don't think we need to test every single line of create commands, Complete method is one of those which can be easily tested in test-cmd.
| if test.resourceNames != "" { | ||
| cmd.Flags().Set("resource-name", test.resourceNames) | ||
| } | ||
| cmd.Run(cmd, []string{clusterRoleName}) |
There was a problem hiding this comment.
I'd prefer we move with the testing towards the pattern from create cronjob, where you directly inject values into *Options struct and focus testing on the "raw meat", which in here is RunCreateRole.
There was a problem hiding this comment.
The less of the test factory magic, the easier this testing is for newcomers to understand it.
| @@ -22,7 +22,7 @@ import ( | |||
|
|
|||
| rbac "k8s.io/api/rbac/v1" | |||
| "k8s.io/apimachinery/pkg/api/equality" | |||
| "k8s.io/apimachinery/pkg/apis/meta/v1" | |||
| v1 "k8s.io/apimachinery/pkg/apis/meta/v1" | |||
There was a problem hiding this comment.
metav1 is the proffered alias for this, since you've touched this.
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
@busser: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-rebase
|
@busser Seems no updates from this PR? Could I take this bug and send my PR? |
Sorry, I haven't taken the time to finish this. Feel free to submit your solution :) |
Yes, it's already been fixed and we can close this :). |
|
@zhouya0: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What type of PR is this?
/kind bug
What this PR does / why we need it:
When creating a role with
kubectl create role, any specified namespace is ignored if the command is a dry run. This is unexpected behavior.For example, the following command yields the following output:
This pull-request fixes this issue. The command above now provides the expected output:
Which issue(s) this PR fixes:
Fixes kubernetes/kubectl#705
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: