The feature gate enables mounting with -o context=XYZ mount option for all
volume types, not only ReadWriteOncePod.
All SELinux label tracking & error reporting infrastructure is already in
place from SELinuxMountReadWriteOncePod feature gate. This is just a
trivial extension to all access modes.

* Forensic Container Checkpointing as described in KEP 2008 moves from
Alpha to Beta. This is the corresponding code change.
* Adapt e2e test to handle
'(rpc error: code = Unimplemented desc = unknown method CheckpointContainer'
and
'(rpc error: code = Unimplemented desc = method CheckpointContainer not implemented)'
and
'(rpc error: code = Unknown desc = checkpoint/restore support not available)'
One error message is if the CRI implementation does
not implement the CRI RPC (too old) and the second is
if the CRI implementation explicitly does not support the feature.
The third error message can be seen if the container engine
explicitly disabled the checkpoint/restore support.
* As described in the corresponding KEP 2008 explicitly test for
disabled functionality.
* Extended test to look for the checkpoint kubelet metric.
* Extended test to look for the CRI error metric.
* Add separate sub-resource permission to control permissions on
the checkpoint kubelet API endpoint
Signed-off-by: Adrian Reber <areber@redhat.com>

For some reason the CI didn't fail when we opened the PR. But when you run
"go test" as root, with all the capabilities, tests that exercise
permission errors will never work, as the capabilities make them always
bypass the permission checks.
For some reason it seems that:
* Not all our CI was run when the PR was opened
* The CI was changed to run as root now
* _Some_ CI was added and it runs as root
If it wasn't one of those, or a combination, I don't see how this could
have happened. If any of that indeed happened, it can break more tests
outside the userns package too.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
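
The point made in the commit message above, as an added example that is not part of the commit or of the Kubernetes code base: a test helper can read the effective capability set from /proc/self/status and decide whether tests that expect permission errors are meaningful. The function name and the sample status text are assumptions made for this illustration, and it goes slightly beyond the message by checking the capability bits rather than UID 0.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Bit positions from linux/capability.h.
const (
	capDACOverride   = 1 // bypass file read, write and execute permission checks
	capDACReadSearch = 2 // bypass file read and directory search permission checks
)

// bypassesFilePermissions parses the text of /proc/<pid>/status and reports
// whether the effective capability set lets the process ignore file modes.
func bypassesFilePermissions(status string) (bool, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 || fields[0] != "CapEff:" {
			continue
		}
		eff, err := strconv.ParseUint(fields[1], 16, 64)
		if err != nil {
			return false, fmt.Errorf("parse CapEff %q: %w", fields[1], err)
		}
		return eff&(1<<capDACOverride|1<<capDACReadSearch) != 0, nil
	}
	return false, fmt.Errorf("no CapEff line found")
}

// Constructed samples: root with a full capability set, and an unprivileged user.
const (
	sampleRoot = "Name:\tgo\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
	sampleUser = "Name:\tgo\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
)

func main() {
	data, err := os.ReadFile("/proc/self/status")
	if err != nil {
		fmt.Println("cannot read /proc/self/status:", err)
		return
	}
	bypass, err := bypassesFilePermissions(string(data))
	fmt.Printf("permission-error tests meaningful: %v (err: %v)\n", !bypass, err)
}
```
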
When failing inside the `ginkgo.By` callback function, skipping intermediate
stack frames didn't work properly because `ginkgo.By` itself and other internal
code is also on the stack.
To fix this, the code which can fail now runs outside of such a
callback. That's not a big loss, the only advantage of the callback was getting
timing statistics from Ginkgo which weren't used in practice.

The idempotency.go (perhaps not so accurately named) contains
API calls that kubeadm does against an API server using client-go.
Some users seem to have unstable setups where for unknown reasons
the API server can be unavailable or refuse to respond as expected.
Use PollUntilContextTimeout in all exported functions to ensure
such API calls are all retry-able.
NOTE: The context passed to PollUntilContextTimeout is not propagated
in the polled function. Instead the poll function creates its own
context 'ctx := context.Background()', this is to avoid
breaking expectations on the side of the callers, that expect
a certain type of error and not "context timeout" errors.
Additional changes:
- Make all context.TODO() -> context.Background()
- Update all unit tests and make sure during testing the retry
interval and timeout are short. Test coverage of idempotency.go
is at ~97%.
- Remove the TestMutateConfigMapWithConflict test. It does not
contribute much, because conflict handling is done at the API
server side, not on the side of kubeadm. Thus simulating this is not
needed.

so the CRI runtime can report what features are supported by each
handler.
It is currently used to report support for the user namespace.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>