kubectl create: enforce namespace during dry run #84343
Welcome @busser!
Hi @busser. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
Although kubernetes/kubectl#705 uses `create role` as an example, this problem applies to the majority (if not all) of create commands. Can you please check all of them? Also don't forget to add tests ensuring that when run with `--dry-run` the namespace is properly set.
/hold Putting this PR on hold while I fix the other
/priority backlog
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: busser The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
When the TestConfigFlags.WithNamespace method is called, the ClientConfig is wrapped inside a namespacedClientConfig. Previously, calling the namespacedClientConfig.Namespace method would return that the namespace should not be enforced. This made testing namespace enforcement complicated. From now on, the method will return that the namespace should be enforced.
A change in the cmdtesting.TestFactory broke the TestSetLocalNamespace unit test. Calling the TestFactory.WithNamespace method now enforces the "test" namespace, which conflicts with how this test works. This unit test works by loading a resource from a file with its namespace set to "existing-ns", which was overwritten by "test". This fix corrects this issue.
The create.RunCreateRole function now enforces namespace during dry runs. The TestCreateRole unit test has been updated to reflect that.
TestCreateClusterRole now runs as multiple subtests and uses the diff package to print differences between the expected and actual cluster roles.
If the namespace is to be enforced, make sure to always enforce it, even during dry runs.
TestCreateCronJob now uses the diff package to print differences between the expected and actual cron jobs.
The tests were renamed because there could not be a TestComplete function for both roles and cron jobs, for example. Same for TestValidate.
If the namespace is to be enforced, make sure to always enforce it, even during dry runs.
The TestCreateRoleValidation test was replaced by TestValidateCreateRole to match how other `kubectl create` commands are tested.
/test pull-kubernetes-node-e2e-containerd
/test pull-kubernetes-node-e2e-containerd
The
/unhold All
/test pull-kubernetes-node-e2e-containerd
Also please squash your changes into a single commit.
@@ -96,7 +96,7 @@ type namespacedClientConfig struct { | |||
} | |||
|
|||
func (c *namespacedClientConfig) Namespace() (string, bool, error) { | |||
return c.namespace, false, nil | |||
return c.namespace, true, nil |
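Review bot: in `Namespace()`, the second return value is now `true` unconditionally, so enforcement is reported even when `c.namespace` is the empty string. Tie the flag to whether a namespace was actually set, for example `len(c.namespace) > 0`, and add a doc comment on the method saying what the boolean means, since the signature alone does not.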
I thought we agreed this to be: `return c.namespace, len(c.namespace) > 0, nil`, didn't we?
You're right.
return nil | ||
} | ||
|
||
func (o *CreateCronJobOptions) Run() error { | ||
var cronjob *batchv1beta1.CronJob | ||
cronjob = o.createCronJob() | ||
if o.EnforceNamespace { | ||
cronjob.Namespace = o.Namespace | ||
cronjob.Spec.JobTemplate.Namespace = o.Namespace |
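Review bot: in `Run()`, `cronjob` is declared with `var` on one line and assigned on the next; `cronjob := o.createCronJob()` says the same in one statement. The `if o.EnforceNamespace` block also writes `o.Namespace` into two fields, so either add a short comment on why `Spec.JobTemplate.Namespace` needs setting as well, or drop that line if it does not.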
Not needed, namespace for the created job will be always inherited from the cronjob itself.
@@ -149,18 +150,28 @@ func (o *CreateCronJobOptions) Complete(f cmdutil.Factory, cmd *cobra.Command, a | |||
} | |||
|
|||
func (o *CreateCronJobOptions) Validate() error { | |||
if o.Name == "" { |
`len(o.Name) == 0` is preferred, see below.
} | ||
} | ||
|
||
func TestRunCreateCronJob(t *testing.T) { |
This is mostly duplicating `TestCreateCronJob`, if you look at what `Run` in `create_cronjob.go` does it's only creating the CJ itself and I don't think we need that much of testing of the printing and all the rest of the machinery. This test has more setup code than actual code, and one of the reasons we went with `*Options` struct was to get rid of those additional setup steps. The high level testing should happen in test-cmd, instead.
} | ||
} | ||
|
||
func TestCompleteCreateCronJob(t *testing.T) { |
The same argument as below, I don't think we need to test every single line of create commands, `Complete` method is one of those which can be easily tested in test-cmd.
if test.resourceNames != "" { | ||
cmd.Flags().Set("resource-name", test.resourceNames) | ||
} | ||
cmd.Run(cmd, []string{clusterRoleName}) |
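Review bot: the `cmd.Flags().Set("resource-name", test.resourceNames)` call discards its returned error, so a rejected flag value would leave `cmd.Run` executing with the flag unset and the subtest failing for an unrelated-looking reason. Check the error at the call site and fail there, e.g. `if err := cmd.Flags().Set(...); err != nil { t.Fatal(err) }`.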
I'd prefer we move with the testing towards the pattern from create cronjob, where you directly inject values into `*Options` struct and focus testing on the "raw meat", which in here is `RunCreateRole`.
The less of the test factory magic, the easier this testing is for newcomers to understand it.
@@ -22,7 +22,7 @@ import ( | |||
|
|||
rbac "k8s.io/api/rbac/v1" | |||
"k8s.io/apimachinery/pkg/api/equality" | |||
"k8s.io/apimachinery/pkg/apis/meta/v1" | |||
v1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
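Review bot: the new `v1` alias on the `k8s.io/apimachinery/pkg/apis/meta/v1` import does not say which API group it refers to, and the `rbac` import in the same block is also a `v1` package. Name it `metav1` so references in the test read unambiguously.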
`metav1` is the preferred alias for this, since you've touched this.
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
@busser: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@busser Seems no updates from this PR? Could I take this bug and send my PR?
Sorry, I haven't taken the time to finish this. Feel free to submit your solution :)
Yes, it's already been fixed and we can close this :).
@zhouya0: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
What type of PR is this?
/kind bug
What this PR does / why we need it:
When creating a role with `kubectl create role`, any specified namespace is ignored if the command is a dry run. This is unexpected behavior. For example, the following command yields the following output:
This pull-request fixes this issue. The command above now provides the expected output:
Which issue(s) this PR fixes:
Fixes kubernetes/kubectl#705
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
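
The dry-run behavior described in this PR, as an added example that is not code from the PR or from kubectl. The `Role` type, `serverCreate` and the `createBefore` control flow are assumptions made for illustration: a simplified model in which the namespace only reaches the object through the create call, so a dry run returns it unset. `namespaceFor` uses the `len(namespace) > 0` condition suggested in the review.

```go
package main

import "fmt"

// Role is a stand-in for the API object (hypothetical, not rbac/v1.Role).
type Role struct{ Name, Namespace string }

// namespaceFor returns the namespace and whether to enforce it, using the
// condition suggested in the review: enforce only when one was actually given.
func namespaceFor(ns string) (string, bool) { return ns, len(ns) > 0 }

// serverCreate models a namespaced create call that stamps the namespace
// on the stored object (hypothetical helper).
func serverCreate(ns string, r Role) Role {
	r.Namespace = ns
	return r
}

// createBefore is an assumed model of the reported behavior: the namespace is
// applied only by the create call, so the dry-run object carries none.
func createBefore(name, ns string, dryRun bool) Role {
	r := Role{Name: name}
	if dryRun {
		return r
	}
	return serverCreate(ns, r)
}

// createAfter sets the namespace on the object before the dry-run branch,
// so the printed object and the created object agree.
func createAfter(name, ns string, dryRun bool) Role {
	r := Role{Name: name}
	if n, enforce := namespaceFor(ns); enforce {
		r.Namespace = n
	}
	if dryRun {
		return r
	}
	return serverCreate(ns, r)
}

func main() {
	// Constructed sample input: role "pod-reader" in namespace "dev".
	fmt.Printf("before: %+v\n", createBefore("pod-reader", "dev", true))
	fmt.Printf("after:  %+v\n", createAfter("pod-reader", "dev", true))
}
```
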