Replace the manual 3-retry loop (with no delay) in VerifyCgroupValue
with framework.Gomega().Eventually() + HandleRetry, matching the
pattern used for oom_score_adj deflake in #137329. This gives proper
polling with backoff when exec fails during container restarts.
Introduce support for specifying allowed TLS key exchange mechanisms
(IANA TLS Supported Groups) via a new --tls-curve-preferences flag,
following the same pattern as --tls-cipher-suites.
Curve preferences are specified as numeric IANA TLS Supported Group IDs
(e.g. 23,29,4588) rather than string names. This avoids maintaining a
hardcoded name-to-ID map that would become stale with each Go release,
and ensures new curves (such as Go 1.26's SecP256r1MLKEM768 and
SecP384r1MLKEM1024) work automatically when rebuilding with a newer Go
version -- no code changes required.
Changes:
- Add curves_flag.go in component-base/cli/flag with a simple
int-to-tls.CurveID cast function
- Add CurvePreferences field ([]int32) to SecureServingOptions, registered
via IntSliceVar, and wire it through to tls.Config
The order of the list is ignored; Go selects from the set using an
internal preference order. If omitted, Go defaults are used. The set of
accepted values depends on the Go version used to build the binary; see
https://pkg.go.dev/crypto/tls#CurveID for reference.
Limiting the tests to kubelet >= 1.36 was a stop-gap solution because the
version skew tests had to be updated to enable the feature on kubelet >= 1.34
first.
Some tests depend on a bug fix in 1.35 for implicit extended resource.
DeviceTaintRule is off by default because the corresponding v1beta2 API group
is off. When enabled, the potentially still disabled v1alpha3 API version was
used instead of the new v1beta2, causing the scheduler to fail while setting up
informers and then not scheduling pods.
The tests starting the eviction controller shouldn't run in parallel because we
want the one controller instance to be up-to-date with its informer caches when
it sees the new DeviceTaintRule. Worst case, a controller from one test would
have set the status of the DeviceTaintRule created by another.
That's not quite what happened here though:
Value for field 'Status.Conditions' failed to satisfy matcher.
Expected
<[]v1.Condition | len:1, cap:1>:
- lastTransitionTime: "2026-03-06T14:41:10Z"
message: 1000 published devices selected. 1001 allocated devices selected. 1000
pods would be evicted in 1 namespace if the effect was NoExecute. This information
will not be updated again. Recreate the DeviceTaintRule to trigger an update.
observedGeneration: 1
reason: NoEffect
status: "False"
type: EvictionInProgress
Note the "1001 allocated devices selected": the test only creates 1000
devices. It's not entirely clear where the extra one came from.
The test got stuck in the Eventually, which is useless because we know that
controller is not going to update the condition again. So now we wait for the
ObservedGeneration to increase, then check the full condition content once.
The fields become beta, enabled by default. DeviceTaintRule gets
added to the v1beta2 API, but support for it must remain off by default
because that API group is also off by default.
The v1beta1 API is left unchanged. No-one should be using it
anymore (deprecated in 1.33, could be removed now if it wasn't for
reading old objects and version emulation).
To achieve consistent validation, declarative validation must be enabled also
for v1alpha3 (was already enabled for other versions). Otherwise,
TestVersionedValidationByFuzzing fails:
--- FAIL: TestVersionedValidationByFuzzing (0.09s)
--- FAIL: TestVersionedValidationByFuzzing/resource.k8s.io/v1beta2,_Kind=DeviceTaintRule (0.00s)
validation_test.go:109: different error count (0 vs. 1)
resource.k8s.io/v1alpha3: <no errors>
resource.k8s.io/v1beta2: "spec.taint.effect: Unsupported value: \"幤HxÒQP¹¬永唂ȳ垞ş]嘨鶊\": supported values: \"NoExecute\", \"NoSchedule\", \"None\""
...
* Add <...> kuberc set --section=credentialplugin
The requirement that the `--command` option be provided is no longer
valid; a solution will need to be found.
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
* Remove required mark on `--command` flag
Move the validation logic to the Validate() function
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
* Remove requirement for `--command`
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
* Add cmd test cases for kuberc
- Verify all error messages added/changed by this PR
- Verify changes are effected by at least one valid `kubectl kuberc
set` invocation with --section=credentialplugin
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
* Add unit tests for --section=credentialplugin
Additionally:
- Update allowlist-entry validation logic to check for empty string in
value of k/v pairs
- Update kuberc cmd test with this case as well
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
* Address linter complaints
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
* Update staging/src/k8s.io/kubectl/pkg/cmd/kuberc/set.go
Co-authored-by: Maciej Szulik <soltysh@gmail.com>
* Add two new test cases
Additionally:
- update error message when policy is invalid
- use utilerrors.NewAggregate instead of custom code
- add --section=credentialplugin example to cli help
- fix copypasted doc comments
- use more descriptive variable names in for loops
- avoid confusion due to variable shadowing
- fix capitalization typo
- check both validate and run errors in credentialplugin tests
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
* Improve cli help for policy flag
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
---------
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
Co-authored-by: Maciej Szulik <soltysh@gmail.com>