diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/filter_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/filter_test.go
index de152df3afd..7fe22e61e92 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/filter_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/filter_test.go
@@ -529,7 +529,7 @@ func TestFilter(t *testing.T) {
 *simpleLabelSelector,
 },
 }),
- enableSelectors: true,
+ enableSelectors: false,
 compatibilityVersion: v130,
 },
 {
@@ -602,7 +602,7 @@ func TestFilter(t *testing.T) {
 attributes: newValidAttribute(&podObject, false),
 results: []EvaluationResult{
 {
- EvalResult: celtypes.True,
+ Error: fmt.Errorf("fieldSelector"),
 },
 },
 authorizer: newAuthzAllowMatch(authorizer.AttributesRecord{
@@ -615,6 +615,7 @@ func TestFilter(t *testing.T) {
 Verb: "create",
 APIVersion: "*",
 }),
+ enableSelectors: false,
 compatibilityVersion: v131,
 },
 {
@@ -871,6 +872,7 @@ func TestFilter(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.name, func(t *testing.T) {
+ environment.DisableBaseEnvSetCachingForTests()
 if tc.enableSelectors {
 featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, true)
 }
@@ -896,6 +898,7 @@ func TestFilter(t *testing.T) { if f == nil { t.Fatalf("unexpected nil validator") } + validations := tc.validations CompilationResults := f.(*filter).compilationResults require.Equal(t, len(validations), len(CompilationResults))
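Review bot: The expected error in the @@ -602 hunk is pinned only by the bare substring `fieldSelector`, and the comparison loop matches it with `strings.Contains`. Any evaluation error that happens to mention that name will therefore pass, not just the one produced when selector support is unavailable. Matching a longer fragment of the message the test actually expects would make this negative case fail if the error ever came from a different cause. Since the string has no format verbs, `Error: errors.New("fieldSelector"),` is the more idiomatic form, assuming `errors` is imported in this file.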
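Review bot: In the @@ -871 hunk the gate is still only set under `if tc.enableSelectors {`, so the cases this commit marks `enableSelectors: false` run with whatever default `AuthorizeWithSelectors` has at the time, presumably off today. If that default changes, the disabled-path cases would silently run with selectors enabled. Setting it unconditionally keeps them meaningful: `featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, tc.enableSelectors)`. The added `environment.DisableBaseEnvSetCachingForTests()` changes package-level state and is never undone, so a short comment such as `// process-wide and one-way: subtests here must not use t.Parallel()` would help. The `t.Run` closure continues outside the hunk.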
@@ -913,8 +916,13 @@ func TestFilter(t *testing.T) {
 }
 require.Equal(t, len(evalResults), len(tc.results))
 for i, result := range tc.results {
+ if result.Error != nil && evalResults[i].Error == nil {
+ t.Errorf("Expected error result containing '%v' but got non-error", result.Error)
+ continue
+ }
 if result.Error != nil && !strings.Contains(evalResults[i].Error.Error(), result.Error.Error()) {
 t.Errorf("Expected result '%v' but got '%v'", result.Error, evalResults[i].Error)
+ continue
 }
 if result.Error == nil && evalResults[i].Error != nil {
 t.Errorf("Expected result '%v' but got error '%v'", result.EvalResult, evalResults[i].Error)
diff --git a/staging/src/k8s.io/apiserver/pkg/cel/environment/base.go b/staging/src/k8s.io/apiserver/pkg/cel/environment/base.go
index 563d34e13f7..588173a26c5 100644
--- a/staging/src/k8s.io/apiserver/pkg/cel/environment/base.go
+++ b/staging/src/k8s.io/apiserver/pkg/cel/environment/base.go
@@ -191,6 +191,19 @@ var StrictCostOpt = VersionedOptions{
 },
 }
+// cacheBaseEnvs controls whether calls to MustBaseEnvSet are cached.
+// Defaults to true, may be disabled by calling DisableBaseEnvSetCachingForTests.
+var cacheBaseEnvs = true
+
+// DisableBaseEnvSetCachingForTests clears and disables base env caching.
+// This is only intended for unit tests exercising MustBaseEnvSet directly with different enablement options.
+// It does not clear other initialization paths that may cache results of calling MustBaseEnvSet.
+func DisableBaseEnvSetCachingForTests() {
+ cacheBaseEnvs = false
+ baseEnvs.Clear()
+ baseEnvsWithOption.Clear()
+}
+
 // MustBaseEnvSet returns the common CEL base environments for Kubernetes for Version, or panics
 // if the version is nil, or does not have major and minor components.
 //
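Review bot: `cacheBaseEnvs` in the @@ -191 hunk is a plain package-level bool with no synchronization between its writer and its readers. `DisableBaseEnvSetCachingForTests` writes it, and the singleflight closures in `MustBaseEnvSet` read it (the @@ -216 and @@ -225 hunks). Calling the hook while another goroutine is building an environment is a data race, and a closure that passed the check just before the flip can still `Store` after the `Clear()`. An atomic flag removes the race: `var baseEnvCachingDisabled atomic.Bool`, set with `baseEnvCachingDisabled.Store(true)` and tested as `if !baseEnvCachingDisabled.Load() {`. The hook is exported from a non-test file and has no way back, so the doc comment should state that it is one-way and process-wide. It should also note that with caching off each `MustBaseEnvSet` call presumably rebuilds the environment set; the cache lookup is outside the hunk, so this is inferred.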
@@ -216,7 +229,9 @@ func MustBaseEnvSet(ver *version.Version, strictCost bool) *EnvSet {
 }
 entry, _, _ = baseEnvsSingleflight.Do(key, func() (interface{}, error) {
 entry := mustNewEnvSet(ver, baseOpts)
- baseEnvs.Store(key, entry)
+ if cacheBaseEnvs {
+ baseEnvs.Store(key, entry)
+ }
 return entry, nil
 })
 } else {
@@ -225,7 +240,9 @@ func MustBaseEnvSet(ver *version.Version, strictCost bool) *EnvSet {
 }
 entry, _, _ = baseEnvsWithOptionSingleflight.Do(key, func() (interface{}, error) {
 entry := mustNewEnvSet(ver, baseOptsWithoutStrictCost)
- baseEnvsWithOption.Store(key, entry)
+ if cacheBaseEnvs {
+ baseEnvsWithOption.Store(key, entry)
+ }
 return entry, nil
 })
 }