github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
b51d68bb87
kubernetes/test/utils/apiserver/testapiserver.go
Monis Khan 6a6771b514
svm: set UID and RV on SSA patch to cause conflict on logical create 
When a resource gets deleted during migration, the SVM SSA patch
calls are interpreted as a logical create request.  Since the object
from storage is nil, the merged result is just a type meta object,
which lacks a name in the body.  This fails when the API server
checks that the name from the request URL and the body are the same.
Note that a create request is something that SVM controller should
never do.

Once the UID is set on the patch, the API server will fail the
request at a slightly earlier point with an "uid mismatch" conflict
error, which the SVM controller can handle gracefully.

Setting UID by itself is not sufficient.  When a resource gets
deleted and recreated, if RV is not set but UID is set, we would get
an immutable field validation error for attempting to update the
UID.  To address this, we set the resource version on the SSA patch
as well.  This will cause that update request to also fail with a
conflict error.

Added the create verb on all resources for SVM controller RBAC as
otherwise the API server will reject the request before it fails
with a conflict error.

The change addresses a host of other issues with the SVM controller:

1. Include failure message in SVM resource
2. Do not block forever on unsynced GC monitor
3. Do not immediately fail on GC monitor being missing, allow for
   a grace period since discovery may be out of sync
4. Set higher QPS and burst to handle large migrations

Test changes:

1. Clean up CRD webhook convertor logs
2. Allow SVM tests to be run multiple times to make finding flakes easier
3. Create and delete CRs during CRD test to force out any flakes
4. Add a stress test with multiple parallel migrations
5. Enable RBAC on KAS
6. Run KCM directly to exercise wiring and RBAC
7. Better logs during CRD migration
8. Scan audit logs to confirm SVM controller never creates

Signed-off-by: Monis Khan <mok@microsoft.com>
2024-07-18 17:19:11 -04:00

105 lines
3.6 KiB
Go
Raw Blame History

/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package apiserver
import (
"path"
"testing"
"github.com/google/uuid"
"k8s.io/apiserver/pkg/server/dynamiccertificates"
etcdserver "k8s.io/apiserver/pkg/storage/etcd3/testserver"
"k8s.io/apiserver/pkg/storage/storagebackend"
clientset "k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
"k8s.io/client-go/util/cert"
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
"k8s.io/kubernetes/test/utils/kubeconfig"
)
// TestAPIServer provides access to a running apiserver instance.
type TestAPIServer struct {
// ClientSet is already initialized to access the apiserver as admin.
ClientSet clientset.Interface
// KubeConfigFile is the absolute path for a kube.config file that
// grants admin access to the apiserver.
KubeConfigFile string
}
// StartAPIServer runs etcd and apiserver in the background in the same
// process. All resources get released automatically when the test
// completes. If startup fails, the test gets aborted.
func StartAPITestServer(t *testing.T) TestAPIServer {
cfg := etcdserver.NewTestConfig(t)
etcdClient := etcdserver.RunEtcd(t, cfg)
storageConfig := storagebackend.NewDefaultConfig(path.Join(uuid.New().String(), "registry"), nil)
storageConfig.Transport.ServerList = etcdClient.Endpoints()
server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{}, storageConfig)
t.Cleanup(server.TearDownFn)
clientSet := clientset.NewForConfigOrDie(server.ClientConfig)
kubeConfigFile := writeKubeConfigForWardleServerToKASConnection(t, server.ClientConfig)
return TestAPIServer{
ClientSet: clientSet,
KubeConfigFile: kubeConfigFile,
}
}
func writeKubeConfigForWardleServerToKASConnection(t *testing.T, kubeClientConfig *rest.Config) string {
// write a kubeconfig out for starting other API servers with delegated auth. remember, no in-cluster config
// the loopback client config uses a loopback cert with different SNI. We need to use the "real"
// cert, so we'll hope we aren't hacked during a unit test and instead load it from the server we started.
wardleToKASKubeClientConfig := rest.CopyConfig(kubeClientConfig)
wardleToKASKubeClientConfig.ServerName = "" // reset SNI to use the "real" cert
servingCerts, _, err := cert.GetServingCertificatesForURL(wardleToKASKubeClientConfig.Host, "")
if err != nil {
t.Fatal(err)
}
encodedServing, err := cert.EncodeCertificates(servingCerts...)
if err != nil {
t.Fatal(err)
}
wardleToKASKubeClientConfig.CAData = encodedServing
for _, v := range servingCerts {
t.Logf("Client: Server public key is %v\n", dynamiccertificates.GetHumanCertDetail(v))
}
certs, err := cert.ParseCertsPEM(wardleToKASKubeClientConfig.CAData)
if err != nil {
t.Fatal(err)
}
for _, curr := range certs {
t.Logf("CA bundle %v\n", dynamiccertificates.GetHumanCertDetail(curr))
}
adminKubeConfig := kubeconfig.CreateKubeConfig(wardleToKASKubeClientConfig)
tmpDir := t.TempDir()
kubeConfigFile := path.Join(tmpDir, "kube.config")
if err := clientcmd.WriteToFile(*adminKubeConfig, kubeConfigFile); err != nil {
t.Fatal(err)
}
return kubeConfigFile
}
Reference in New Issue View Git Blame Copy Permalink