testify is used throughout the codebase; this switches mocks from
gomock to testify with the help of mockery for code generation.
Handlers and mocks in test/utils/oidc are moved to a new package:
mockery operates package by package, and requires packages to build
correctly; test/utils/oidc/testserver.go relies on the mocks and fails
to build when they are removed. Moving the interface and mocks to a
different package allows mockery to process that package without
having to build testserver.go.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
**Problem:** When a Pod fails to run due to kubelet-side admission checks, the
v1.Event objects emitted looks like these:
Reason="NodeAffinity" Message="Predicate NodeAffinity failed"
Reason="NodeName" Message="Predicate NodeName failed"
Reason="NodePorts" Message="Predicate NodePorts failed"
**Solution:** Expose human-readable predicate description in the failure
so that kubelet submits an Event with this description, such as:
Reason="NodeAffinity" Message="Predicate NodeAffinity failed: node(s) didn't match Pod's node affinity/selector"
Reason="NodeName" Message="Predicate NodeName failed: node(s) didn't match the requested node name"
Reason="NodePorts" Message="Predicate NodePorts failed: node(s) didn't have free ports for the requested pod ports"
* Add `Linux{Sandbox,Container}SecurityContext.SupplementalGroupsPolicy` and `ContainerStatus.user` in cri-api
* Add `PodSecurityContext.SupplementalGroupsPolicy`, `ContainerStatus.User` and its featuregate
* Implement DropDisabledPodFields for PodSecurityContext.SupplementalGroupsPolicy and ContainerStatus.User fields
* Implement kubelet so to wire between SecurityContext.SupplementalGroupsPolicy/ContainerStatus.User and cri-api in kubelet
* Clarify `SupplementalGroupsPolicy` is an OS depdendent field.
* Make `ContainerStatus.User` is initially attached user identity to the first process in the ContainerStatus
It is because, the process identity can be dynamic if the initially attached identity
has enough privilege calling setuid/setgid/setgroups syscalls in Linux.
* Rewording suggestion applied
* Add TODO comment for updating SupplementalGroupsPolicy default value in v1.34
* Added validations for SupplementalGroupsPolicy and ContainerUser
* No need featuregate check in validation when adding new field with no default value
* fix typo: identitiy -> identity
Make validateKubeletOSConfiguration() show warnings instead of
returning errors on Windows for the fields "CgroupsPerQOS" and
"EnforceNodeAllocatable".
When --fail-swap-on=false kubelet CLI argument
is provided, but tmpfs noswap is not supported
by the kernel, warn about the risks of memory-backed
volumes being swapped into disk
Signed-off-by: Itamar Holder <iholder@redhat.com>
It's now possible to pass around the `*klog.Logger` which can also be
`nil` to disable logging at all.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
