Merge pull request #51235 from cheftako/aggregator

Automatic merge from submit-queue Fixed gke auth update wait condition. Lookup whoami on gke using gcloud auth list. Make sure we do not run the test on any cluster older than 1.7. **What this PR does / why we need it**: Fixes issue with aggregator e2e test on GKE **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #50945 **Special notes for your reviewer**: There is a TODO, follow up will be provided when the immediate problem is resolved. **Release note**: ```release-note NONE ```
2025-07-24 20:24:09 +00:00 · 2017-08-25 18:52:46 -07:00 · 2017-08-25 18:52:46 -07:00 · 65da3ce246
commit 65da3ce246
parent a235ba4e49 3b9485bba3
2 changed files with 24 additions and 18 deletions
--- a/test/e2e/apimachinery/BUILD
+++ b/test/e2e/apimachinery/BUILD
@ -51,7 +51,7 @@ go_library(
        "//vendor/k8s.io/apimachinery/pkg/util/uuid:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/watch:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
        "//vendor/k8s.io/apiserver/pkg/storage/names:go_default_library",
        "//vendor/k8s.io/client-go/discovery:go_default_library",
        "//vendor/k8s.io/client-go/kubernetes:go_default_library",
--- a/test/e2e/apimachinery/aggregator.go
+++ b/test/e2e/apimachinery/aggregator.go
@ -33,11 +33,12 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/wait"
-	"k8s.io/apiserver/pkg/authentication/serviceaccount"
+	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/util/cert"
 	apiregistrationv1beta1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1"
 	rbacapi "k8s.io/kubernetes/pkg/apis/rbac"
+	utilversion "k8s.io/kubernetes/pkg/util/version"
 	"k8s.io/kubernetes/test/e2e/framework"
 	samplev1alpha1 "k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1"

@ -50,6 +51,8 @@ type aggregatorContext struct {
 	apiserverSigningCert []byte
 }

+var serverAggregatorVersion = utilversion.MustParseSemantic("v1.7.0")
+
 var _ = SIGDescribe("Aggregator", func() {
 	f := framework.NewDefaultFramework("aggregator")
 	framework.AddCleanupAction(func() {
@ -58,6 +61,7 @@ var _ = SIGDescribe("Aggregator", func() {

 	It("Should be able to support the 1.7 Sample API Server using the current Aggregator", func() {
 		// Make sure the relevant provider supports Agggregator
+		framework.SkipUnlessServerVersionGTE(serverAggregatorVersion, f.ClientSet.Discovery())
 		framework.SkipUnlessProviderIs("gce", "gke")

 		// Testing a 1.7 version of the sample-apiserver
@ -161,12 +165,8 @@ func TestSampleAPIServer(f *framework.Framework, image, namespaceName string) {
 	ns := f.Namespace.Name
 	if framework.ProviderIs("gke") {
 		// kubectl create clusterrolebinding user-cluster-admin-binding --clusterrole=cluster-admin --user=user@domain.com
-		framework.BindClusterRole(client.RbacV1beta1(), "cluster-admin", ns,
-			rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: ns, Name: "default"})
-		err := framework.WaitForAuthorizationUpdate(client.AuthorizationV1beta1(),
-			serviceaccount.MakeUsername(ns, "default"),
-			"", "get", schema.GroupResource{Group: "storage.k8s.io", Resource: "storageclasses"}, true)
-		framework.ExpectNoError(err, "Failed to update authorization: %v", err)
+		authenticated := rbacv1beta1.Subject{Kind: rbacv1beta1.GroupKind, Name: user.AllAuthenticated}
+		framework.BindClusterRole(client.RbacV1beta1(), "cluster-admin", ns, authenticated)
 	}

 	// kubectl create -f namespace.yaml
@ -319,16 +319,22 @@ func TestSampleAPIServer(f *framework.Framework, image, namespaceName string) {
 	framework.ExpectNoError(err, "creating cluster resource rule")
 	urlRule, err := rbacapi.NewRule("get").URLs("*").Rule()
 	framework.ExpectNoError(err, "creating cluster url rule")
-	roleLabels := map[string]string{"kubernetes.io/bootstrapping": "wardle-default"}
-	role := rbacapi.ClusterRole{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:   "wardler",
-			Labels: roleLabels,
-		},
-		Rules: []rbacapi.PolicyRule{resourceRule, urlRule},
-	}
-	_, err = iclient.Rbac().ClusterRoles().Create(&role)
-	framework.ExpectNoError(err, "creating cluster role %s", "wardler")
+	err = wait.Poll(100*time.Millisecond, 30*time.Second, func() (bool, error) {
+		roleLabels := map[string]string{"kubernetes.io/bootstrapping": "wardle-default"}
+		role := rbacapi.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:   "wardler",
+				Labels: roleLabels,
+			},
+			Rules: []rbacapi.PolicyRule{resourceRule, urlRule},
+		}
+		_, err = iclient.Rbac().ClusterRoles().Create(&role)
+		if err != nil {
+			return false, nil
+		}
+		return true, nil
+	})
+	framework.ExpectNoError(err, "creating cluster role wardler - may not have permissions")

 	// kubectl create -f auth-reader.yaml
 	_, err = client.RbacV1beta1().RoleBindings("kube-system").Create(&rbacv1beta1.RoleBinding{