Make admission webhook e2e tests robust in non-aggregator-routing clusters

2025-07-23 11:50:44 +00:00 · 2019-08-30 22:43:42 -04:00 · 2019-08-30 22:43:42 -04:00 · 21a2951375
commit 21a2951375
parent 97ad87df02
1 changed files with 12 additions and 1 deletions
--- a/test/e2e/apimachinery/webhook.go
+++ b/test/e2e/apimachinery/webhook.go
@ -419,6 +419,7 @@ var _ = SIGDescribe("AdmissionWebhook [Privileged:ClusterAdmin]", func() {
 			},
 			Webhooks: []admissionregistrationv1.ValidatingWebhook{
 				newDenyConfigMapWebhookFixture(f, context, servicePort),
+				newValidatingIsReadyWebhookFixture(f, context, servicePort),
 			},
 		})
 		framework.ExpectNoError(err, "Creating validating webhook configuration")
@ -426,6 +427,8 @@ var _ = SIGDescribe("AdmissionWebhook [Privileged:ClusterAdmin]", func() {
 			err := client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete(hook.Name, nil)
 			framework.ExpectNoError(err, "Deleting validating webhook configuration")
 		}()
+		// ensure backend is ready before proceeding
+		waitWebhookConfigurationReady(f)
 		ginkgo.By("Creating a configMap that does not comply to the validation webhook rules")
 		err = wait.PollImmediate(100*time.Millisecond, 30*time.Second, func() (bool, error) {
 			cm := namedNonCompliantConfigMap(string(uuid.NewUUID()), f)
@ -509,6 +512,7 @@ var _ = SIGDescribe("AdmissionWebhook [Privileged:ClusterAdmin]", func() {
 			},
 			Webhooks: []admissionregistrationv1.MutatingWebhook{
 				newMutateConfigMapWebhookFixture(f, context, 1, servicePort),
+				newMutatingIsReadyWebhookFixture(f, context, servicePort),
 			},
 		})
 		framework.ExpectNoError(err, "Creating mutating webhook configuration")
@ -516,7 +520,8 @@ var _ = SIGDescribe("AdmissionWebhook [Privileged:ClusterAdmin]", func() {
 			err := client.AdmissionregistrationV1().MutatingWebhookConfigurations().Delete(hook.Name, nil)
 			framework.ExpectNoError(err, "Deleting mutating webhook configuration")
 		}()
-
+		// ensure backend is ready before proceeding
+		waitWebhookConfigurationReady(f)
 		hook, err = admissionClient.MutatingWebhookConfigurations().Get(f.UniqueName, metav1.GetOptions{})
 		framework.ExpectNoError(err, "Getting mutating webhook configuration")
 		ginkgo.By("Updating a mutating webhook configuration's rules to not include the create operation")
@ -2449,6 +2454,7 @@ func waitWebhookConfigurationReady(f *framework.Framework) error {
 // with "marker" requests via waitWebhookConfigurationReady to wait for a webhook configuration to be ready.
 func newValidatingIsReadyWebhookFixture(f *framework.Framework, context *certContext, servicePort int32) admissionregistrationv1.ValidatingWebhook {
 	sideEffectsNone := admissionregistrationv1.SideEffectClassNone
+	failOpen := admissionregistrationv1.Ignore
 	return admissionregistrationv1.ValidatingWebhook{
 		Name: "validating-is-webhook-configuration-ready.k8s.io",
 		Rules: []admissionregistrationv1.RuleWithOperations{{
@ -2468,6 +2474,8 @@ func newValidatingIsReadyWebhookFixture(f *framework.Framework, context *certCon
 			},
 			CABundle: context.signingCert,
 		},
+		// network failures while the service network routing is being set up should be ignored by the marker
+		FailurePolicy:           &failOpen,
 		SideEffects:             &sideEffectsNone,
 		AdmissionReviewVersions: []string{"v1", "v1beta1"},
 		// Scope the webhook to just the markers namespace
@ -2485,6 +2493,7 @@ func newValidatingIsReadyWebhookFixture(f *framework.Framework, context *certCon
 // with "marker" requests via waitWebhookConfigurationReady to wait for a webhook configuration to be ready.
 func newMutatingIsReadyWebhookFixture(f *framework.Framework, context *certContext, servicePort int32) admissionregistrationv1.MutatingWebhook {
 	sideEffectsNone := admissionregistrationv1.SideEffectClassNone
+	failOpen := admissionregistrationv1.Ignore
 	return admissionregistrationv1.MutatingWebhook{
 		Name: "mutating-is-webhook-configuration-ready.k8s.io",
 		Rules: []admissionregistrationv1.RuleWithOperations{{
@ -2504,6 +2513,8 @@ func newMutatingIsReadyWebhookFixture(f *framework.Framework, context *certConte
 			},
 			CABundle: context.signingCert,
 		},
+		// network failures while the service network routing is being set up should be ignored by the marker
+		FailurePolicy:           &failOpen,
 		SideEffects:             &sideEffectsNone,
 		AdmissionReviewVersions: []string{"v1", "v1beta1"},
 		// Scope the webhook to just the markers namespace