* Always for Immutable selector in Deployment Replicaset Daemonset
With extensions/v1beta1 removed there is no need of a special case
to check for Spec.Selector immutability.
The ValidateImmutableField is now moved into the
Validate[Resource]Update method, tests for v1beta1 are removed and test
for v1 are added.
Validation tests were updated to reflect the changes,
mostly decoupling other fields changes from selectors and creating a
dedicated case to test selector immutability.
* Move validation inside appropriate function
* Fix validation tests
* Change: Handling nil runtime.Object
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Change: Return only if there is error in rollout_history
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Change: Return the unknown revision error directly in rollout_history.go
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Change: Remove unintended newline
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Change: Using go idiomatic way for checking if historyInfo[o.Revision] exists
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Change: Remove 'error:' from returned error message in rollout_history.go
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Change: Check for printer.PrintObj returned err
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Change: Add TestRolloutHistoryErrors test
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Change: Simple typo fix on Complete() function description
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Change: Checking for error on o.Complete in TestRolloutHistoryErrors
Signed-off-by: Taha Farahani <tahacodes@proton.me>
---------
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Introduce new boolean `cache{Una,A}uthorizedRequests` field
* Run `hack/update-codegen.sh`
* Respect legacy flags values for caching
With the legacy `--authorization-webhook-cache-{un}authorized-ttl`
flags, caching was disabled when the TTL was set to `0`, so let's
continue doing so when building the authz configuration struct.
* Pass TTL=0 to webhook authz plugin when cache disabled
With StreamingCollectionEncodingToJSON and
StreamingCollectionEncodingToProtobuf, the WatchList must re-justify its
necessity. To prevent an ecosystem from building around a feature that
may not be promoted, we will stop serving list-via-watch until
performance numbers can justify its inclusion.
This also stops the kube-controller-manager from using the
list-via-watch by default. The fallback is a regular list, so during
the skew during an upgrade the "right" thing will happen and the new
StreamingCollectionEncoding will be used.
This change modifies the validation logic for ServiceCIDR updates
(`ValidateServiceCIDRUpdate`) to specifically permit upgrading a
single-stack ServiceCIDR (either IPv4 or IPv6) to a dual-stack
configuration.
This reconfiguration path is considered safe because it only involves adding
a new CIDR range without altering the existing primary CIDR. This
ensures that existing Service IP allocations are not disrupted.
Other modifications, such as:
- Downgrading from dual-stack to single-stack
- Reordering CIDRs in a dual-stack configuration
- Changing the primary CIDR during a single-to-dual-stack
reconfiguration
remain disallowed by the validation. These operations carry a higher
risk of breaking existing Services or cluster networking
configurations. Preventing these updates automatically encourages
administrators to perform such changes manually after carefully
assessing the potential impact on their specific cluster environment.
The validation errors and controller logs provide guidance when such
disallowed changes are attempted.
Change-Id: I41dc09dfddb05f277925da2262f8114d6accbd1d
The controller is available only with SELinuxChangePolicy FG enabled.
Kubernetes e2e jobs do the right --focus & --skip explicitly in the SELinux
jobs, this just helps other test runners to figure out what FGs are needed
to run the tests.
When at it, I noticed SELinuxMountReadWriteOncePod tag is always required, so
add it on the common level and not in each test.