
agnhost: resolve service account issuer URL before invoking oidc.NewProvider #99860

Merged: 1 commit merged into kubernetes:master from the fix-99470 branch on Mar 16, 2021

Conversation

chewong
Member

@chewong chewong commented Mar 5, 2021

Signed-off-by: Ernest Wong <chuwon@microsoft.com>

What type of PR is this?

/sig windows
/kind failing-test
/priority important-soon
/release-note-none
/assign @jsturtevant

Ref: #99470

DNS can be available sometime after the container starts due to the way networking is set up with docker. In containerd the setup steps are different so the network will be available when the container starts. In this case the test image does a lookup before the DNS is finished coming online and fails.

We need to ensure agnhost's ability to resolve the service account issuer before invoking oidc.NewProvider.

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?


Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


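The retry-before-discovery logic the PR describes, as an added Go example that is not the PR's own agnhost change: the hostname of the issuer URL is polled until it resolves or a deadline expires, and only then would the caller go on to oidc.NewProvider. The lookupFunc type, the names waitForIssuerDNS and issuerHost, and the 30-second deadline are assumptions of this example, not values taken from agnhost.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/url"
	"time"
)

// lookupFunc matches net.Resolver.LookupHost so a fake resolver can be injected (assumed name).
type lookupFunc func(ctx context.Context, host string) ([]string, error)

// issuerHost extracts the host that must resolve before the discovery document can be fetched.
func issuerHost(issuer string) (string, error) {
	u, err := url.Parse(issuer)
	if err != nil || u.Hostname() == "" {
		return "", fmt.Errorf("issuer %q has no usable host: %v", issuer, err)
	}
	return u.Hostname(), nil
}

// waitForIssuerDNS polls lookup for the issuer's host until it resolves or ctx expires,
// returning the addresses so the caller can proceed to oidc.NewProvider (assumed helper).
func waitForIssuerDNS(ctx context.Context, lookup lookupFunc, issuer string, interval time.Duration) ([]string, error) {
	host, err := issuerHost(issuer)
	if err != nil {
		return nil, err
	}
	for {
		addrs, err := lookup(ctx, host)
		if err == nil && len(addrs) > 0 {
			return addrs, nil
		}
		// Mirrors the "lookup ...: no such host" line in the pod log while DNS comes up.
		fmt.Printf("lookup %s: %v (addresses: %v)\n", host, err, addrs)
		select {
		case <-ctx.Done():
			return nil, fmt.Errorf("DNS for %s not ready before deadline: %w (last lookup error: %v)", host, ctx.Err(), err)
		case <-time.After(interval):
		}
	}
}

func main() {
	// Bound the wait so a cluster whose DNS never comes up fails loudly instead of hanging.
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()
	addrs, err := waitForIssuerDNS(ctx, net.DefaultResolver.LookupHost, "https://kubernetes.default.svc.cluster.local", time.Second)
	fmt.Println("resolved:", addrs, "err:", err)
}
```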
@k8s-ci-robot k8s-ci-robot added sig/windows Categorizes an issue or PR as relevant to SIG Windows. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. kind/failing-test Categorizes issue or PR as related to a consistently or frequently failing test. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 5, 2021
@k8s-ci-robot k8s-ci-robot added area/test sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Mar 5, 2021
@chewong
Member Author

chewong commented Mar 5, 2021

/release-note-none

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Mar 5, 2021
@chewong
Member Author

chewong commented Mar 5, 2021

Test result:

[sig-auth] ServiceAccounts
  ServiceAccountIssuerDiscovery should support OIDC discovery of service account issuer [Conformance]
  /Users/ernestwong/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:630
[BeforeEach] [sig-auth] ServiceAccounts
  /Users/ernestwong/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:185
STEP: Creating a kubernetes client
Mar  5 13:37:26.909: INFO: >>> kubeConfig: /Users/ernestwong/api-model/_output/chuwon-win-docker/kubeconfig/kubeconfig.westus2.json
STEP: Building a namespace api object, basename svcaccounts
W0305 13:37:27.046499   37824 warnings.go:70] policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
Mar  5 13:37:27.046: INFO: Found PodSecurityPolicies; testing pod creation to see if PodSecurityPolicy is enabled
Mar  5 13:37:27.082: INFO: PSP annotation exists on dry run pod: "e2e-test-privileged-psp"; assuming PodSecurityPolicy is enabled
W0305 13:37:27.107661   37824 warnings.go:70] policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
Mar  5 13:37:27.131: INFO: Found ClusterRoles; assuming RBAC is enabled.
STEP: Binding the e2e-test-privileged-psp PodSecurityPolicy to the default service account in svcaccounts-7597
STEP: Waiting for a default service account to be provisioned in namespace
[It] ServiceAccountIssuerDiscovery should support OIDC discovery of service account issuer [Conformance]
  /Users/ernestwong/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:630
Mar  5 13:37:27.382: INFO: created pod
Mar  5 13:37:27.382: INFO: Waiting up to 5m0s for pod "oidc-discovery-validator" in namespace "svcaccounts-7597" to be "Succeeded or Failed"
Mar  5 13:37:27.415: INFO: Pod "oidc-discovery-validator": Phase="Pending", Reason="", readiness=false. Elapsed: 32.983545ms
Mar  5 13:37:29.443: INFO: Pod "oidc-discovery-validator": Phase="Pending", Reason="", readiness=false. Elapsed: 2.061053196s
Mar  5 13:37:31.465: INFO: Pod "oidc-discovery-validator": Phase="Pending", Reason="", readiness=false. Elapsed: 4.083535799s
Mar  5 13:37:33.498: INFO: Pod "oidc-discovery-validator": Phase="Pending", Reason="", readiness=false. Elapsed: 6.115648986s
Mar  5 13:37:35.531: INFO: Pod "oidc-discovery-validator": Phase="Pending", Reason="", readiness=false. Elapsed: 8.149222728s
Mar  5 13:37:37.551: INFO: Pod "oidc-discovery-validator": Phase="Pending", Reason="", readiness=false. Elapsed: 10.169562416s
Mar  5 13:37:39.577: INFO: Pod "oidc-discovery-validator": Phase="Pending", Reason="", readiness=false. Elapsed: 12.19523457s
Mar  5 13:37:41.601: INFO: Pod "oidc-discovery-validator": Phase="Pending", Reason="", readiness=false. Elapsed: 14.218759709s
Mar  5 13:37:43.631: INFO: Pod "oidc-discovery-validator": Phase="Pending", Reason="", readiness=false. Elapsed: 16.249002641s
Mar  5 13:37:45.658: INFO: Pod "oidc-discovery-validator": Phase="Pending", Reason="", readiness=false. Elapsed: 18.27639084s
Mar  5 13:37:47.683: INFO: Pod "oidc-discovery-validator": Phase="Pending", Reason="", readiness=false. Elapsed: 20.300555055s
Mar  5 13:37:49.711: INFO: Pod "oidc-discovery-validator": Phase="Succeeded", Reason="", readiness=false. Elapsed: 22.328850735s
STEP: Saw pod success
Mar  5 13:37:49.711: INFO: Pod "oidc-discovery-validator" satisfied condition "Succeeded or Failed"
Mar  5 13:38:19.714: INFO: polling logs
Mar  5 13:38:19.783: INFO: Pod logs:
2021/03/05 21:37:44 OK: Got token
2021/03/05 21:37:45 OK: got issuer https://kubernetes.default.svc.cluster.local
2021/03/05 21:37:45 Full, not-validated claims:
openidmetadata.claims{Claims:jwt.Claims{Issuer:"https://kubernetes.default.svc.cluster.local", Subject:"system:serviceaccount:svcaccounts-7597:default", Audience:jwt.Audience{"oidc-discovery-test"}, Expiry:1614980847, NotBefore:1614980247, IssuedAt:1614980247, ID:""}, Kubernetes:openidmetadata.kubeClaims{Namespace:"svcaccounts-7597", ServiceAccount:openidmetadata.kubeName{Name:"default", UID:"da4f2ced-41b6-484a-b62d-9045a1dca8fc"}}}
2021/03/05 21:37:45 Ensuring Windows DNS availability
2021/03/05 21:37:45 lookup kubernetes.default.svc.cluster.local: no such host
2021/03/05 21:37:46 OK: Resolved host kubernetes.default.svc.cluster.local: [10.0.0.1]
2021/03/05 21:37:46 OK: Constructed OIDC provider for issuer https://kubernetes.default.svc.cluster.local
2021/03/05 21:37:46 OK: Validated signature on JWT
2021/03/05 21:37:46 OK: Got valid claims from token!
2021/03/05 21:37:46 Full, validated claims:
&openidmetadata.claims{Claims:jwt.Claims{Issuer:"https://kubernetes.default.svc.cluster.local", Subject:"system:serviceaccount:svcaccounts-7597:default", Audience:jwt.Audience{"oidc-discovery-test"}, Expiry:1614980847, NotBefore:1614980247, IssuedAt:1614980247, ID:""}, Kubernetes:openidmetadata.kubeClaims{Namespace:"svcaccounts-7597", ServiceAccount:openidmetadata.kubeName{Name:"default", UID:"da4f2ced-41b6-484a-b62d-9045a1dca8fc"}}}

Mar  5 13:38:19.783: INFO: completed pod
[AfterEach] [sig-auth] ServiceAccounts
  /Users/ernestwong/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:186
Mar  5 13:38:19.808: INFO: Waiting up to 3m0s for all (but 0) nodes to be ready
STEP: Destroying namespace "svcaccounts-7597" for this suite.

• [SLOW TEST:52.974 seconds]
[sig-auth] ServiceAccounts
/Users/ernestwong/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/test/e2e/auth/framework.go:23
  ServiceAccountIssuerDiscovery should support OIDC discovery of service account issuer [Conformance]
  /Users/ernestwong/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:630

@jsturtevant
Contributor

/triage accepted
/milestone v1.21
/sig windows

@k8s-ci-robot k8s-ci-robot added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Mar 5, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.21 milestone Mar 5, 2021
@k8s-ci-robot k8s-ci-robot removed the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Mar 5, 2021
@chewong
Member Author

chewong commented Mar 8, 2021

Assigning agnhost's owner:
/assign @claudiubelu

Assigning the test case owner:
/assign @mtaufen

Thanks!

@jsturtevant
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 12, 2021
@mtaufen
Contributor

mtaufen commented Mar 12, 2021

/lgtm

but want to confirm the timeout is enough

@dims
Member

dims commented Mar 15, 2021

/approve

@chewong there's still one open question from @mtaufen

/assign @spiffxp

Member

@spiffxp spiffxp left a comment


/hold
For question
/milestone v1.21
Targeting test freeze

build/dependencies.yaml (review comment, resolved)
@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 16, 2021
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Mar 16, 2021
@dims
Member

dims commented Mar 16, 2021

please see error in CI logs

INFO Validating zeitgeist options...              
ERRO /home/prow/go/src/k8s.io/kubernetes/build/dependencies.yaml indicates that agnhost should be at version 2.29, but the following files didn't match: test/images/agnhost/VERSION, test/images/agnhost/agnhost.go 

…rovider

Signed-off-by: Ernest Wong <chuwon@microsoft.com>
@k8s-ci-robot k8s-ci-robot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 16, 2021
@chewong chewong requested a review from spiffxp March 16, 2021 16:10
Member

@spiffxp spiffxp left a comment


/approve
/lgtm
/hold cancel

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Mar 16, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chewong, dims, spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 16, 2021
@k8s-ci-robot k8s-ci-robot merged commit 72cc3f2 into kubernetes:master Mar 16, 2021
@chewong chewong deleted the fix-99470 branch March 16, 2021 21:50