Merge pull request #130560 from stlaz/remote-uid-config-beta

RemoteRequestHeaderUID: bump to beta, enabled by default
Kubernetes Prow Robot 2025-03-18 06:31:49 -07:00 committed by GitHub
commit 8312d8e85e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 72 additions and 61 deletions


@ -299,6 +299,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
genericfeatures.RemoteRequestHeaderUID: { genericfeatures.RemoteRequestHeaderUID: {
{Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha}, {Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha},
{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta},
}, },
genericfeatures.ResilientWatchCacheInitialization: { genericfeatures.ResilientWatchCacheInitialization: {
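Review bot: The new `1.33` Beta entry sets `Default: true` with no comment on what that changes at runtime, and the same entry is repeated in the second feature-gate map in the next file section. Judging by the TestProxyHandler cases in this commit, enabling the gate makes the aggregator proxy add `X-Remote-Uid` to the requests it forwards, so after an upgrade extension API servers start receiving an extra identity header. A one-line comment above the entry, such as `// Beta in 1.33: the aggregator forwards the user's UID as X-Remote-Uid by default`, would record that where the default is set. The map literal starts and ends outside this hunk.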


@ -343,6 +343,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
RemoteRequestHeaderUID: { RemoteRequestHeaderUID: {
{Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha}, {Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha},
{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta},
}, },
ResilientWatchCacheInitialization: { ResilientWatchCacheInitialization: {


@ -57,7 +57,6 @@ import (
utilflowcontrol "k8s.io/apiserver/pkg/util/flowcontrol" utilflowcontrol "k8s.io/apiserver/pkg/util/flowcontrol"
apiserverproxyutil "k8s.io/apiserver/pkg/util/proxy" apiserverproxyutil "k8s.io/apiserver/pkg/util/proxy"
"k8s.io/client-go/transport" "k8s.io/client-go/transport"
"k8s.io/component-base/featuregate"
featuregatetesting "k8s.io/component-base/featuregate/testing" featuregatetesting "k8s.io/component-base/featuregate/testing"
"k8s.io/component-base/metrics" "k8s.io/component-base/metrics"
"k8s.io/component-base/metrics/legacyregistry" "k8s.io/component-base/metrics/legacyregistry"
@ -134,10 +133,11 @@ func TestProxyHandler(t *testing.T) {
expectedCalled bool expectedCalled bool
expectedHeaders map[string][]string expectedHeaders map[string][]string
enableFeatureGates []featuregate.Feature remoteRequestHeaderUIDFeature bool
}{ }{
"no target": { "no target": {
expectedStatusCode: http.StatusNotFound, expectedStatusCode: http.StatusNotFound,
remoteRequestHeaderUIDFeature: true,
}, },
"no user": { "no user": {
apiService: &apiregistration.APIService{ apiService: &apiregistration.APIService{
@ -153,8 +153,43 @@ func TestProxyHandler(t *testing.T) {
}, },
}, },
}, },
expectedStatusCode: http.StatusInternalServerError, expectedStatusCode: http.StatusInternalServerError,
expectedBody: "missing user", expectedBody: "missing user",
remoteRequestHeaderUIDFeature: true,
},
"[-RemoteRequestHeaderUID] proxy with user, insecure": {
user: &user.DefaultInfo{
Name: "username",
UID: "6b60d791-1af9-4513-92e5-e4252a1e0a78",
Groups: []string{"one", "two"},
},
path: "/request/path",
apiService: &apiregistration.APIService{
ObjectMeta: metav1.ObjectMeta{Name: "v1.foo"},
Spec: apiregistration.APIServiceSpec{
Service: &apiregistration.ServiceReference{Port: ptr.To[int32](443)},
Group: "foo",
Version: "v1",
InsecureSkipTLSVerify: true,
},
Status: apiregistration.APIServiceStatus{
Conditions: []apiregistration.APIServiceCondition{
{Type: apiregistration.Available, Status: apiregistration.ConditionTrue},
},
},
},
remoteRequestHeaderUIDFeature: false,
expectedStatusCode: http.StatusOK,
expectedCalled: true,
expectedHeaders: map[string][]string{
"X-Forwarded-Proto": {"https"},
"X-Forwarded-Uri": {"/request/path"},
"X-Forwarded-For": {"127.0.0.1"},
"X-Remote-User": {"username"},
"User-Agent": {"Go-http-client/1.1"},
"Accept-Encoding": {"gzip"},
"X-Remote-Group": {"one", "two"},
},
}, },
"proxy with user, insecure": { "proxy with user, insecure": {
user: &user.DefaultInfo{ user: &user.DefaultInfo{
@ -177,19 +212,21 @@ func TestProxyHandler(t *testing.T) {
}, },
}, },
}, },
expectedStatusCode: http.StatusOK, remoteRequestHeaderUIDFeature: true,
expectedCalled: true, expectedStatusCode: http.StatusOK,
expectedCalled: true,
expectedHeaders: map[string][]string{ expectedHeaders: map[string][]string{
"X-Forwarded-Proto": {"https"}, "X-Forwarded-Proto": {"https"},
"X-Forwarded-Uri": {"/request/path"}, "X-Forwarded-Uri": {"/request/path"},
"X-Forwarded-For": {"127.0.0.1"}, "X-Forwarded-For": {"127.0.0.1"},
"X-Remote-User": {"username"}, "X-Remote-User": {"username"},
"X-Remote-Uid": {"6b60d791-1af9-4513-92e5-e4252a1e0a78"},
"User-Agent": {"Go-http-client/1.1"}, "User-Agent": {"Go-http-client/1.1"},
"Accept-Encoding": {"gzip"}, "Accept-Encoding": {"gzip"},
"X-Remote-Group": {"one", "two"}, "X-Remote-Group": {"one", "two"},
}, },
}, },
"[RemoteRequestHeaderUID] proxy with user, insecure": { "[-RemoteRequestHeaderUID] proxy with user, cabundle": {
user: &user.DefaultInfo{ user: &user.DefaultInfo{
Name: "username", Name: "username",
UID: "6b60d791-1af9-4513-92e5-e4252a1e0a78", UID: "6b60d791-1af9-4513-92e5-e4252a1e0a78",
@ -199,10 +236,10 @@ func TestProxyHandler(t *testing.T) {
apiService: &apiregistration.APIService{ apiService: &apiregistration.APIService{
ObjectMeta: metav1.ObjectMeta{Name: "v1.foo"}, ObjectMeta: metav1.ObjectMeta{Name: "v1.foo"},
Spec: apiregistration.APIServiceSpec{ Spec: apiregistration.APIServiceSpec{
Service: &apiregistration.ServiceReference{Port: ptr.To[int32](443)}, Service: &apiregistration.ServiceReference{Name: "test-service", Namespace: "test-ns", Port: ptr.To[int32](443)},
Group: "foo", Group: "foo",
Version: "v1", Version: "v1",
InsecureSkipTLSVerify: true, CABundle: testCACrt,
}, },
Status: apiregistration.APIServiceStatus{ Status: apiregistration.APIServiceStatus{
Conditions: []apiregistration.APIServiceCondition{ Conditions: []apiregistration.APIServiceCondition{
@ -210,15 +247,14 @@ func TestProxyHandler(t *testing.T) {
}, },
}, },
}, },
enableFeatureGates: []featuregate.Feature{features.RemoteRequestHeaderUID}, remoteRequestHeaderUIDFeature: false,
expectedStatusCode: http.StatusOK, expectedStatusCode: http.StatusOK,
expectedCalled: true, expectedCalled: true,
expectedHeaders: map[string][]string{ expectedHeaders: map[string][]string{
"X-Forwarded-Proto": {"https"}, "X-Forwarded-Proto": {"https"},
"X-Forwarded-Uri": {"/request/path"}, "X-Forwarded-Uri": {"/request/path"},
"X-Forwarded-For": {"127.0.0.1"}, "X-Forwarded-For": {"127.0.0.1"},
"X-Remote-User": {"username"}, "X-Remote-User": {"username"},
"X-Remote-Uid": {"6b60d791-1af9-4513-92e5-e4252a1e0a78"},
"User-Agent": {"Go-http-client/1.1"}, "User-Agent": {"Go-http-client/1.1"},
"Accept-Encoding": {"gzip"}, "Accept-Encoding": {"gzip"},
"X-Remote-Group": {"one", "two"}, "X-Remote-Group": {"one", "two"},
@ -245,42 +281,9 @@ func TestProxyHandler(t *testing.T) {
}, },
}, },
}, },
expectedStatusCode: http.StatusOK, remoteRequestHeaderUIDFeature: true,
expectedCalled: true, expectedStatusCode: http.StatusOK,
expectedHeaders: map[string][]string{ expectedCalled: true,
"X-Forwarded-Proto": {"https"},
"X-Forwarded-Uri": {"/request/path"},
"X-Forwarded-For": {"127.0.0.1"},
"X-Remote-User": {"username"},
"User-Agent": {"Go-http-client/1.1"},
"Accept-Encoding": {"gzip"},
"X-Remote-Group": {"one", "two"},
},
},
"[RemoteRequestHeaderUID] proxy with user, cabundle": {
user: &user.DefaultInfo{
Name: "username",
UID: "6b60d791-1af9-4513-92e5-e4252a1e0a78",
Groups: []string{"one", "two"},
},
path: "/request/path",
apiService: &apiregistration.APIService{
ObjectMeta: metav1.ObjectMeta{Name: "v1.foo"},
Spec: apiregistration.APIServiceSpec{
Service: &apiregistration.ServiceReference{Name: "test-service", Namespace: "test-ns", Port: ptr.To[int32](443)},
Group: "foo",
Version: "v1",
CABundle: testCACrt,
},
Status: apiregistration.APIServiceStatus{
Conditions: []apiregistration.APIServiceCondition{
{Type: apiregistration.Available, Status: apiregistration.ConditionTrue},
},
},
},
enableFeatureGates: []featuregate.Feature{features.RemoteRequestHeaderUID},
expectedStatusCode: http.StatusOK,
expectedCalled: true,
expectedHeaders: map[string][]string{ expectedHeaders: map[string][]string{
"X-Forwarded-Proto": {"https"}, "X-Forwarded-Proto": {"https"},
"X-Forwarded-Uri": {"/request/path"}, "X-Forwarded-Uri": {"/request/path"},
@ -313,7 +316,8 @@ func TestProxyHandler(t *testing.T) {
}, },
}, },
}, },
expectedStatusCode: http.StatusServiceUnavailable, remoteRequestHeaderUIDFeature: true,
expectedStatusCode: http.StatusServiceUnavailable,
}, },
"service unresolveable": { "service unresolveable": {
user: &user.DefaultInfo{ user: &user.DefaultInfo{
@ -337,7 +341,8 @@ func TestProxyHandler(t *testing.T) {
}, },
}, },
}, },
expectedStatusCode: http.StatusServiceUnavailable, remoteRequestHeaderUIDFeature: true,
expectedStatusCode: http.StatusServiceUnavailable,
}, },
"fail on bad serving cert": { "fail on bad serving cert": {
user: &user.DefaultInfo{ user: &user.DefaultInfo{
@ -359,7 +364,8 @@ func TestProxyHandler(t *testing.T) {
}, },
}, },
}, },
expectedStatusCode: http.StatusServiceUnavailable, remoteRequestHeaderUIDFeature: true,
expectedStatusCode: http.StatusServiceUnavailable,
}, },
"fail on bad serving cert w/o SAN and increase SAN error counter metrics": { "fail on bad serving cert w/o SAN and increase SAN error counter metrics": {
user: &user.DefaultInfo{ user: &user.DefaultInfo{
@ -382,9 +388,10 @@ func TestProxyHandler(t *testing.T) {
}, },
}, },
}, },
serviceCertOverride: svcCrtNoSAN, serviceCertOverride: svcCrtNoSAN,
increaseSANWarnCounter: true, increaseSANWarnCounter: true,
expectedStatusCode: http.StatusServiceUnavailable, remoteRequestHeaderUIDFeature: true,
expectedStatusCode: http.StatusServiceUnavailable,
}, },
} }
@ -394,9 +401,7 @@ func TestProxyHandler(t *testing.T) {
legacyregistry.Reset() legacyregistry.Reset()
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
for _, f := range tc.enableFeatureGates { featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.RemoteRequestHeaderUID, tc.remoteRequestHeaderUIDFeature)
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, f, true)
}
targetServer := httptest.NewUnstartedServer(target) targetServer := httptest.NewUnstartedServer(target)
serviceCert := tc.serviceCertOverride serviceCert := tc.serviceCertOverride
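Review bot: The new table field `remoteRequestHeaderUIDFeature bool` has a zero value of `false`, which is now the non-default state of the gate, so any case that omits it runs with the feature switched off. The commit compensates by adding `remoteRequestHeaderUIDFeature: true` to every existing case, but a case added later without the field would exercise the legacy path and never expect `X-Remote-Uid`. Inverting the field would make the zero value match the shipped default, for example `disableRemoteRequestHeaderUID bool`, passed as `!tc.disableRemoteRequestHeaderUID` in the `SetFeatureGateDuringTest` call. Whether the `[-RemoteRequestHeaderUID]` cases actually prove the header is absent depends on how `expectedHeaders` is compared, which is not visible here. TestProxyHandler starts and ends outside these hunks.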


@ -1117,6 +1117,10 @@
lockToDefault: false lockToDefault: false
preRelease: Alpha preRelease: Alpha
version: "1.32" version: "1.32"
- default: true
lockToDefault: false
preRelease: Beta
version: "1.33"
- name: ResilientWatchCacheInitialization - name: ResilientWatchCacheInitialization
versionedSpecs: versionedSpecs:
- default: true - default: true