Merge pull request #121609 from neolit123/1.29-super-admin-conf

kubeadm: poll additional CRB create calls for kubeadm:cluster-admins
2025-07-31 15:25:57 +00:00 · 2023-10-30 21:12:00 +01:00 · 2023-10-30 21:12:00 +01:00 · 5cb83d1cd2
commit 5cb83d1cd2
parent 05765a851c 05076de57f
2 changed files with 40 additions and 6 deletions
--- a/cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go
+++ b/cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go
@ -683,13 +683,31 @@ func EnsureAdminClusterRoleBindingImpl(ctx context.Context, adminClient, superAd
 		kubeadmconstants.ClusterAdminsGroupAndClusterRoleBinding,
 		kubeadmconstants.SuperAdminKubeConfigFileName)

-	if _, err := superAdminClient.RbacV1().ClusterRoleBindings().Create(
+	err = wait.PollUntilContextTimeout(
 		ctx,
-		clusterRoleBinding,
-		metav1.CreateOptions{},
-	); err != nil {
-		return nil, errors.Wrapf(err, "unable to create the %s ClusterRoleBinding",
-			kubeadmconstants.ClusterAdminsGroupAndClusterRoleBinding)
+		retryInterval,
+		retryTimeout,
+		true, func(ctx context.Context) (bool, error) {
+			if _, err := superAdminClient.RbacV1().ClusterRoleBindings().Create(
+				ctx,
+				clusterRoleBinding,
+				metav1.CreateOptions{},
+			); err != nil {
+				lastError = err
+				if apierrors.IsAlreadyExists(err) {
+					// This should not happen, as the previous "create" call that uses
+					// the admin.conf should have passed. Return the error.
+					return true, err
+				}
+				// Retry on any other type of error.
+				return false, nil
+			}
+			return true, nil
+		})
+	if err != nil {
+		return nil, errors.Wrapf(lastError, "unable to create the %s ClusterRoleBinding by using %s",
+			kubeadmconstants.ClusterAdminsGroupAndClusterRoleBinding,
+			kubeadmconstants.SuperAdminKubeConfigFileName)
 	}

 	// Once the CRB is in place, start using the admin.conf client.
--- a/cmd/kubeadm/app/phases/kubeconfig/kubeconfig_test.go
+++ b/cmd/kubeadm/app/phases/kubeconfig/kubeconfig_test.go
@ -902,6 +902,22 @@ func TestEnsureAdminClusterRoleBindingImpl(t *testing.T) {
 			},
 			expectedError: false,
 		},
+		{
+			name: "super-admin.conf: admin.conf cannot create CRB, try to create CRB with super-admin.conf, encounter 'already exists' error",
+			setupAdminClient: func(client *clientsetfake.Clientset) {
+				client.PrependReactor("create", "clusterrolebindings", func(action clientgotesting.Action) (bool, runtime.Object, error) {
+					return true, nil, apierrors.NewForbidden(
+						schema.GroupResource{}, "name", errors.New(""))
+				})
+			},
+			setupSuperAdminClient: func(client *clientsetfake.Clientset) {
+				client.PrependReactor("create", "clusterrolebindings", func(action clientgotesting.Action) (bool, runtime.Object, error) {
+					return true, nil, apierrors.NewAlreadyExists(
+						schema.GroupResource{}, "name")
+				})
+			},
+			expectedError: true,
+		},
 	}

 	for _, tc := range tests {