Merge pull request #50537 from liggitt/kubefed-rbac

Automatic merge from submit-queue (batch tested with PRs 50537, 49699, 50160, 49025, 50205) select an RBAC version for kubefed it knows how to speak kubefed tries to speak whatever version of RBAC the server has, regardless of whether it knows about that version or not. the version discovery it does has to select a version both it and the server speak. related to https://github.com/kubernetes/kubernetes/issues/50534 ```release-note fixes kubefed's ability to create RBAC roles in version-skewed clusters ```
2025-07-23 19:56:01 +00:00 · 2017-08-11 19:43:54 -07:00 · 2017-08-11 19:43:54 -07:00 · c207dd5a90
commit c207dd5a90
parent bb67819ed1 7f1a617496
2 changed files with 28 additions and 2 deletions
--- a/federation/pkg/kubefed/util/BUILD
+++ b/federation/pkg/kubefed/util/BUILD
@ -14,6 +14,9 @@ go_library(
        "//federation/client/clientset_generated/federation_clientset:go_default_library",
        "//pkg/api:go_default_library",
        "//pkg/apis/rbac:go_default_library",
+        "//pkg/apis/rbac/v1:go_default_library",
+        "//pkg/apis/rbac/v1alpha1:go_default_library",
+        "//pkg/apis/rbac/v1beta1:go_default_library",
        "//pkg/client/clientset_generated/internalclientset:go_default_library",
        "//pkg/kubectl/cmd:go_default_library",
        "//pkg/kubectl/cmd/util:go_default_library",
--- a/federation/pkg/kubefed/util/util.go
+++ b/federation/pkg/kubefed/util/util.go
@ -32,6 +32,9 @@ import (
 	fedclient "k8s.io/kubernetes/federation/client/clientset_generated/federation_clientset"
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/rbac"
+	rbacv1 "k8s.io/kubernetes/pkg/apis/rbac/v1"
+	rbacv1alpha1 "k8s.io/kubernetes/pkg/apis/rbac/v1alpha1"
+	rbacv1beta1 "k8s.io/kubernetes/pkg/apis/rbac/v1beta1"
 	client "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 	kubectlcmd "k8s.io/kubernetes/pkg/kubectl/cmd"
 	cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
@ -285,6 +288,16 @@ func getRBACVersion(discoveryclient discovery.CachedDiscoveryInterface) (*schema
 		return nil, fmt.Errorf("Couldn't get clientset to create RBAC roles in the host cluster: %v", err)
 	}

+	// These are the RBAC versions we can speak
+	knownVersions := map[schema.GroupVersion]bool{
+		rbacv1.SchemeGroupVersion:       true,
+		rbacv1alpha1.SchemeGroupVersion: true,
+		rbacv1beta1.SchemeGroupVersion:  true,
+	}
+
+	// This holds any RBAC versions listed in discovery we do not know how to speak
+	unknownVersions := []schema.GroupVersion{}
+
 	for _, g := range groupList.Groups {
 		if g.Name == rbac.GroupName {
 			if g.PreferredVersion.GroupVersion != "" {
@ -292,7 +305,9 @@ func getRBACVersion(discoveryclient discovery.CachedDiscoveryInterface) (*schema
 				if err != nil {
 					return nil, err
 				}
-				return &gv, nil
+				if knownVersions[gv] {
+					return &gv, nil
+				}
 			}
 			for _, version := range g.Versions {
 				if version.GroupVersion != "" {
@ -300,12 +315,20 @@ func getRBACVersion(discoveryclient discovery.CachedDiscoveryInterface) (*schema
 					if err != nil {
 						return nil, err
 					}
-					return &gv, nil
+					if knownVersions[gv] {
+						return &gv, nil
+					} else {
+						unknownVersions = append(unknownVersions, gv)
+					}
 				}
 			}
 		}
 	}

+	if len(unknownVersions) > 0 {
+		return nil, &NoRBACAPIError{fmt.Sprintf("%s\nUnknown RBAC API versions: %v", rbacAPINotAvailable, unknownVersions)}
+	}
+
 	return nil, &NoRBACAPIError{rbacAPINotAvailable}
 }