From 4ac8dfc3b674f65a4e5727b0b7e4ac46ad412368 Mon Sep 17 00:00:00 2001 From: David Eads Date: Mon, 19 Apr 2021 10:05:43 -0400 Subject: [PATCH 1/2] update CLI helper finding CRDs to use CRD v1 --- staging/src/k8s.io/cli-runtime/pkg/resource/crd_finder.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/staging/src/k8s.io/cli-runtime/pkg/resource/crd_finder.go b/staging/src/k8s.io/cli-runtime/pkg/resource/crd_finder.go index 5dab3e46df2..4694f7791a1 100644 --- a/staging/src/k8s.io/cli-runtime/pkg/resource/crd_finder.go +++ b/staging/src/k8s.io/cli-runtime/pkg/resource/crd_finder.go @@ -35,7 +35,7 @@ func CRDFromDynamic(client dynamic.Interface) CRDGetter { return func() ([]schema.GroupKind, error) { list, err := client.Resource(schema.GroupVersionResource{ Group: "apiextensions.k8s.io", - Version: "v1beta1", + Version: "v1", Resource: "customresourcedefinitions", }).List(context.TODO(), metav1.ListOptions{}) if err != nil { From 2fb84207560d527e0123b6c989a2f98e0ea4b2c8 Mon Sep 17 00:00:00 2001 From: David Eads Date: Mon, 19 Apr 2021 10:06:37 -0400 Subject: [PATCH 2/2] update test-cmd to avoid removed beta APIs --- hack/testdata/csr.yml | 7 +- hack/testdata/multi-resource-4.yaml | 11 ++- test/cmd/apply.sh | 36 +++++++-- test/cmd/authorization.sh | 11 --- test/cmd/core.sh | 1 - test/cmd/crd.sh | 81 ++++++++++++++----- test/cmd/get.sh | 20 +++++ test/cmd/legacy-script.sh | 10 +++ test/cmd/rbac.sh | 8 -- .../pkg/kubectl/cmd/create/sar-v1beta1.json | 16 ---- .../cmd/create/tokenreview-v1beta1.json | 7 -- 11 files changed, 137 insertions(+), 71 deletions(-) delete mode 100644 test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json delete mode 100644 test/fixtures/pkg/kubectl/cmd/create/tokenreview-v1beta1.json diff --git a/hack/testdata/csr.yml b/hack/testdata/csr.yml index b52f48c0ce6..dd096b73e24 100644 --- a/hack/testdata/csr.yml +++ b/hack/testdata/csr.yml @@ -1,6 +1,11 @@ -apiVersion: certificates.k8s.io/v1beta1 +apiVersion: certificates.k8s.io/v1 kind: CertificateSigningRequest metadata: name: foo spec: request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2d6Q0NBV3NDQVFBd0ZURVRNQkVHQTFVRUF4TUthM1ZpWlMxaFpHMXBiakNDQVNJd0RRWUpLb1pJaHZjTgpBUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTlJ5dFhkcWV6ZTFBdXFjZkpWYlFBY1BJejZWY2pXSTZ5WmlQa3lrCjAzUW9GaHJGRXhUQXNPTGVFUHlrQXc1YndUOWZiajRXMzZmR2k4RGxsd1FzVGoyYzVUTnBnQkkwbElDbzI4aGcKbHYvTDJsMnRsWUVKdDdTbVhjblNvaGJ5S0h4TERRUHVmTVBBTkZsaEFmTUdCWEhRcmZMajhrTk1MUDA4UlBsbAp0N3V4RDVRdFA0cHlGL1Nhbm1XVEtRNU56WlJ4TC82UmhJMEpxSHJmNFFjQmg2dlR5bnFaRGVmMWVxNjBnQXllClNPRkpKYWRuK3h2VEFqLzgxZk1TbjdOSlNnaktDYkNEeXQ1eS9UZHd0SzZnVUQzM01paE5uNXhKTVF0MUZXUVAKRzY3eTA1QVh6b0pqTm5sWVA1MnJsTlhvNzh6aVMrN1E4RklxQzY0c05vWWhxeGNDQXdFQUFhQXBNQ2NHQ1NxRwpTSWIzRFFFSkRqRWFNQmd3Q1FZRFZSMFRCQUl3QURBTEJnTlZIUThFQkFNQ0JlQXdEUVlKS29aSWh2Y05BUUVMCkJRQURnZ0VCQU5CazlwaHpWYUJBci9xZHN4bXdPR1NQa094UkZlR1lyemRvaW5LTzVGUGZER2JkU0VWQ0o1K0wKeWJTNUtmaUZYU1EvNmk0RE9WRWtxcnFrVElIc1JNSlJwbTZ5Zjk1TU4zSWVLak9jQlV2b2VWVlpxMUNOUU8zagp2dklmK1A1NStLdXpvK0NIT1F5RWlvTlRPaUtGWTJseStEZEEwMXMxbU9FMTZSWGlWeFhGcFhGeGRJVmRPK0oxClZ1MW5yWG5ZVFJQRmtyaG80MTlpaDQzNjRPcGZqYXFXVCtmd20ySVZQSlBoaUJpYi9RRzRhUGJJcFh3amlCUUMKemV6WlM2L01nQkt1bUdMZ3Z5MitXNU9UWTJ5ZFFMZFVxbERFNEU2MFhmdVZ6bk5zWjZDS0tYY1pVaW1ZTkkwNgpKa0t4bGRjd0V2cmI0SmN3M2RFQjdOOUwvSW9ZNXFBPQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K + signerName: kubernetes.io/kube-apiserver-client + usages: + - digital signature + - key encipherment + - client auth \ No newline at end of file diff --git a/hack/testdata/multi-resource-4.yaml b/hack/testdata/multi-resource-4.yaml index 1c0521dfb8c..6276632e72c 100644 --- a/hack/testdata/multi-resource-4.yaml +++ b/hack/testdata/multi-resource-4.yaml @@ -7,14 +7,21 @@ kind: Widget metadata: name: foo --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: widgets.example.com spec: group: example.com - version: v1 scope: Namespaced names: plural: widgets kind: Widget + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + x-kubernetes-preserve-unknown-fields: true + type: object diff --git a/test/cmd/apply.sh b/test/cmd/apply.sh index e1c26bf926a..86636197911 100755 --- a/test/cmd/apply.sh +++ b/test/cmd/apply.sh @@ -126,20 +126,32 @@ run_kubectl_apply_tests() { kubectl "${kube_flags_with_token[@]:?}" create -f - << __EOF__ { "kind": "CustomResourceDefinition", - "apiVersion": "apiextensions.k8s.io/v1beta1", + "apiVersion": "apiextensions.k8s.io/v1", "metadata": { "name": "resources.mygroup.example.com" }, "spec": { "group": "mygroup.example.com", - "version": "v1alpha1", "scope": "Namespaced", "names": { "plural": "resources", "singular": "resource", "kind": "Kind", "listKind": "KindList" - } + }, + "versions": [ + { + "name": "v1alpha1", + "served": true, + "storage": true, + "schema": { + "openAPIV3Schema": { + "x-kubernetes-preserve-unknown-fields": true, + "type": "object" + } + } + } + ] } } __EOF__ @@ -431,20 +443,32 @@ run_kubectl_server_side_apply_tests() { kubectl "${kube_flags_with_token[@]}" create -f - << __EOF__ { "kind": "CustomResourceDefinition", - "apiVersion": "apiextensions.k8s.io/v1beta1", + "apiVersion": "apiextensions.k8s.io/v1", "metadata": { "name": "resources.mygroup.example.com" }, "spec": { "group": "mygroup.example.com", - "version": "v1alpha1", "scope": "Namespaced", "names": { "plural": "resources", "singular": "resource", "kind": "Kind", "listKind": "KindList" - } + }, + "versions": [ + { + "name": "v1alpha1", + "served": true, + "storage": true, + "schema": { + "openAPIV3Schema": { + "x-kubernetes-preserve-unknown-fields": true, + "type": "object" + } + } + } + ] } } __EOF__ diff --git a/test/cmd/authorization.sh b/test/cmd/authorization.sh index dc0ae9e09be..d907cdb13f2 100755 --- a/test/cmd/authorization.sh +++ b/test/cmd/authorization.sh @@ -27,17 +27,6 @@ run_authorization_tests() { # check remote authorization endpoint, kubectl doesn't actually display the returned object so this isn't super useful # but it proves that works kubectl create -f test/fixtures/pkg/kubectl/cmd/create/sar-v1.json --validate=false - kubectl create -f test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json --validate=false - - SAR_RESULT_FILE="${KUBE_TEMP}/sar-result.json" - curl -kfsS -H "Content-Type:" -H 'Authorization: Bearer admin-token' "https://localhost:${SECURE_API_PORT}/apis/authorization.k8s.io/v1beta1/subjectaccessreviews" -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json > "${SAR_RESULT_FILE}" - if grep -q '"allowed": true' "${SAR_RESULT_FILE}"; then - kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" returns as expected: $(cat "${SAR_RESULT_FILE}")" - else - kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" does not return as expected: $(cat "${SAR_RESULT_FILE}")" - exit 1 - fi - rm "${SAR_RESULT_FILE}" SAR_RESULT_FILE="${KUBE_TEMP}/sar-result.json" curl -kfsS -H "Content-Type:" -H 'Authorization: Bearer admin-token' "https://localhost:${SECURE_API_PORT}/apis/authorization.k8s.io/v1/subjectaccessreviews" -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1.json > "${SAR_RESULT_FILE}" diff --git a/test/cmd/core.sh b/test/cmd/core.sh index 4bf50f40ad3..c7910a107fb 100755 --- a/test/cmd/core.sh +++ b/test/cmd/core.sh @@ -1558,7 +1558,6 @@ run_nodes_tests() { # check webhook token authentication endpoint, kubectl doesn't actually display the returned object so this isn't super useful # but it proves that works - kubectl create -f test/fixtures/pkg/kubectl/cmd/create/tokenreview-v1beta1.json --validate=false kubectl create -f test/fixtures/pkg/kubectl/cmd/create/tokenreview-v1.json --validate=false set +o nounset diff --git a/test/cmd/crd.sh b/test/cmd/crd.sh index 52e72293e3b..2c9f75afbf0 100755 --- a/test/cmd/crd.sh +++ b/test/cmd/crd.sh @@ -27,18 +27,30 @@ run_crd_tests() { kubectl "${kube_flags_with_token[@]:?}" create -f - << __EOF__ { "kind": "CustomResourceDefinition", - "apiVersion": "apiextensions.k8s.io/v1beta1", + "apiVersion": "apiextensions.k8s.io/v1", "metadata": { "name": "foos.company.com" }, "spec": { "group": "company.com", - "version": "v1", "scope": "Namespaced", "names": { "plural": "foos", "kind": "Foo" - } + }, + "versions": [ + { + "name": "v1", + "served": true, + "storage": true, + "schema": { + "openAPIV3Schema": { + "x-kubernetes-preserve-unknown-fields": true, + "type": "object" + } + } + } + ] } } __EOF__ @@ -49,18 +61,30 @@ __EOF__ kubectl "${kube_flags_with_token[@]}" create -f - << __EOF__ { "kind": "CustomResourceDefinition", - "apiVersion": "apiextensions.k8s.io/v1beta1", + "apiVersion": "apiextensions.k8s.io/v1", "metadata": { "name": "bars.company.com" }, "spec": { "group": "company.com", - "version": "v1", "scope": "Namespaced", "names": { "plural": "bars", "kind": "Bar" - } + }, + "versions": [ + { + "name": "v1", + "served": true, + "storage": true, + "schema": { + "openAPIV3Schema": { + "x-kubernetes-preserve-unknown-fields": true, + "type": "object" + } + } + } + ] } } __EOF__ @@ -74,20 +98,32 @@ __EOF__ kubectl "${kube_flags_with_token[@]}" create -f - << __EOF__ { "kind": "CustomResourceDefinition", - "apiVersion": "apiextensions.k8s.io/v1beta1", + "apiVersion": "apiextensions.k8s.io/v1", "metadata": { "name": "resources.mygroup.example.com" }, "spec": { "group": "mygroup.example.com", - "version": "v1alpha1", "scope": "Namespaced", "names": { "plural": "resources", "singular": "resource", "kind": "Kind", "listKind": "KindList" - } + }, + "versions": [ + { + "name": "v1alpha1", + "served": true, + "storage": true, + "schema": { + "openAPIV3Schema": { + "x-kubernetes-preserve-unknown-fields": true, + "type": "object" + } + } + } + ] } } __EOF__ @@ -99,30 +135,37 @@ __EOF__ kubectl "${kube_flags_with_token[@]}" create -f - << __EOF__ { "kind": "CustomResourceDefinition", - "apiVersion": "apiextensions.k8s.io/v1beta1", + "apiVersion": "apiextensions.k8s.io/v1", "metadata": { "name": "validfoos.company.com" }, "spec": { "group": "company.com", - "version": "v1", "scope": "Namespaced", "names": { "plural": "validfoos", "kind": "ValidFoo" }, - "validation": { - "openAPIV3Schema": { - "properties": { - "spec": { - "type": "array", - "items": { - "type": "number" + "versions": [ + { + "name": "v1", + "served": true, + "storage": true, + "schema": { + "openAPIV3Schema": { + "type": "object", + "properties": { + "spec": { + "type": "array", + "items": { + "type": "number" + } + } } } } } - } + ] } } __EOF__ diff --git a/test/cmd/get.sh b/test/cmd/get.sh index de0917d7281..4469d9187a5 100755 --- a/test/cmd/get.sh +++ b/test/cmd/get.sh @@ -390,3 +390,23 @@ run_kubectl_all_namespace_tests() { set +o nounset set +o errexit } + + +run_deprecated_api_tests() { + set -o nounset + set -o errexit + + create_and_use_new_namespace + kube::log::status "Testing deprecated APIs" + + # Test deprecated API request output + # TODO(liggitt): switch this to a custom deprecated resource once CRDs support marking versions as deprecated + output_message=$(kubectl get podsecuritypolicies.v1beta1.policy 2>&1 "${kube_flags[@]}") + kube::test::if_has_string "${output_message}" 'PodSecurityPolicy is deprecated' + output_message=$(! kubectl get podsecuritypolicies.v1beta1.policy --warnings-as-errors 2>&1 "${kube_flags[@]}") + kube::test::if_has_string "${output_message}" 'PodSecurityPolicy is deprecated' + kube::test::if_has_string "${output_message}" 'Error: 1 warning received' + + set +o nounset + set +o errexit +} diff --git a/test/cmd/legacy-script.sh b/test/cmd/legacy-script.sh index e5e4249b474..3dd3ed3d017 100755 --- a/test/cmd/legacy-script.sh +++ b/test/cmd/legacy-script.sh @@ -89,6 +89,7 @@ nodes="nodes" persistentvolumeclaims="persistentvolumeclaims" persistentvolumes="persistentvolumes" pods="pods" +podsecuritypolicies="podsecuritypolicies" podtemplates="podtemplates" replicasets="replicasets" replicationcontrollers="replicationcontrollers" @@ -908,6 +909,15 @@ runTests() { fi fi + ############################ + # Kubectl deprecated APIs # + ############################ + + if kube::test::if_supports_resource "${podsecuritypolicies}" ; then + run_deprecated_api_tests + fi + + ###################### # kubectl --template # ###################### diff --git a/test/cmd/rbac.sh b/test/cmd/rbac.sh index c9145f7bdc4..02e304bb791 100755 --- a/test/cmd/rbac.sh +++ b/test/cmd/rbac.sh @@ -145,14 +145,6 @@ run_role_tests() { create_and_use_new_namespace kube::log::status "Testing role" - # Test deprecated API request output - # TODO(liggitt): switch this to a custom deprecated resource once CRDs support marking versions as deprecated - output_message=$(kubectl get roles.v1beta1.rbac.authorization.k8s.io 2>&1 "${kube_flags[@]}") - kube::test::if_has_string "${output_message}" 'Role is deprecated' - output_message=$(! kubectl get roles.v1beta1.rbac.authorization.k8s.io --warnings-as-errors 2>&1 "${kube_flags[@]}") - kube::test::if_has_string "${output_message}" 'Role is deprecated' - kube::test::if_has_string "${output_message}" 'Error: 1 warning received' - # Dry-run create kubectl create "${kube_flags[@]}" role pod-admin --dry-run=client --verb=* --resource=pods kubectl create "${kube_flags[@]}" role pod-admin --dry-run=server --verb=* --resource=pods diff --git a/test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json b/test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json deleted file mode 100644 index 5291a021a73..00000000000 --- a/test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "apiVersion": "authorization.k8s.io/v1beta1", - "kind": "SubjectAccessReview", - "spec": { - "user": "bob", - "group": [ - "the-group" - ], - "resourceAttributes": { - "namespace": "ns", - "verb": "create", - "group": "autoscaling", - "resource": "horizontalpodautoscalers" - } - } -} \ No newline at end of file diff --git a/test/fixtures/pkg/kubectl/cmd/create/tokenreview-v1beta1.json b/test/fixtures/pkg/kubectl/cmd/create/tokenreview-v1beta1.json deleted file mode 100644 index 0a4e60ca773..00000000000 --- a/test/fixtures/pkg/kubectl/cmd/create/tokenreview-v1beta1.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "apiVersion": "authentication.k8s.io/v1beta1", - "kind": "TokenReview", - "spec": { - "token": "test-token" - } -} \ No newline at end of file