Merge pull request #136912 from dfajmon/selinux-ga
Promote SELinuxChangePolicy & SELinuxMountReadWriteOncePod to GA
commit
5941fed3d6
12 changed files with 39 additions and 16 deletions
|
|
@ -4380,7 +4380,10 @@ func TestDropSELinuxChangePolicy(t *testing.T) {
|
|||
}
|
||||
for _, tc := range tests {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
|
||||
// un-lock locked feature gates, if necessary
|
||||
if !sets.New(tc.gates...).Has(features.SELinuxChangePolicy) {
|
||||
featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.35"))
|
||||
}
|
||||
// Set feature gates for the test. *Disable* those that are not in tc.gates.
|
||||
allGates := []featuregate.Feature{features.SELinuxChangePolicy, features.SELinuxMount}
|
||||
enabledGates := sets.New(tc.gates...)
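Review bot: The 1.35 emulation version is applied only in subtests where `features.SELinuxChangePolicy` is missing from `tc.gates`, so the gate-off cases run under a different emulated version than the gate-on cases and may pick up different defaults for unrelated gates. Setting it unconditionally at the top of each subtest would keep the two sides comparable; the same conditional pattern is added in TestCSIDriverValidationSELinuxMountEnabledDisabled, TestCSIDriverPrepareForUpdate, TestMounterSetUp and TestPluginConstructVolumeSpec. The check also builds `sets.New(tc.gates...)` a second time; moving `enabledGates := sets.New(tc.gates...)` above it and testing `!enabledGates.Has(features.SELinuxChangePolicy)` removes the duplicate. The `t.Run` closure continues past the end of the hunk.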
|
||||
|
|
|
|||
|
|
@ -23,6 +23,7 @@ import (
|
|||
"github.com/google/go-cmp/cmp"
|
||||
storagev1 "k8s.io/api/storage/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/util/version"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
featuregatetesting "k8s.io/component-base/featuregate/testing"
|
||||
"k8s.io/kubernetes/pkg/api/legacyscheme"
|
||||
|
|
@ -122,7 +123,6 @@ func TestSetDefaultCSIDriver(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestSetDefaultSELinuxMountReadWriteOncePodEnabled(t *testing.T) {
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, true)
|
||||
driver := &storagev1.CSIDriver{}
|
||||
|
||||
// field should be defaulted
|
||||
|
|
@ -137,6 +137,7 @@ func TestSetDefaultSELinuxMountReadWriteOncePodEnabled(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestSetDefaultSELinuxMountReadWriteOncePodDisabled(t *testing.T) {
|
||||
featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.35"))
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, false)
|
||||
driver := &storagev1.CSIDriver{}
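Review bot: TestSetDefaultSELinuxMountReadWriteOncePodEnabled appears to lose its explicit `SetFeatureGateDuringTest(..., true)` call and now depends on the gate's GA default without saying so. A one-line comment at the top of the test would keep the intent readable, for example `// SELinuxMountReadWriteOncePod is GA and locked on since 1.36, so no gate setup is needed here.` The same applies to the identically named test in the v1beta1 defaults test. Both test bodies continue outside the hunks shown.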
|
||||
|
||||
|
|
|
|||
|
|
@ -23,6 +23,7 @@ import (
|
|||
"github.com/google/go-cmp/cmp"
|
||||
storagev1beta1 "k8s.io/api/storage/v1beta1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/util/version"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
featuregatetesting "k8s.io/component-base/featuregate/testing"
|
||||
"k8s.io/kubernetes/pkg/api/legacyscheme"
|
||||
|
|
@ -152,7 +153,6 @@ func TestSetDefaultCSIDriver(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestSetDefaultSELinuxMountReadWriteOncePodEnabled(t *testing.T) {
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, true)
|
||||
driver := &storagev1beta1.CSIDriver{}
|
||||
|
||||
// field should be defaulted
|
||||
|
|
@ -167,6 +167,7 @@ func TestSetDefaultSELinuxMountReadWriteOncePodEnabled(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestSetDefaultSELinuxMountReadWriteOncePodDisabled(t *testing.T) {
|
||||
featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.35"))
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, false)
|
||||
driver := &storagev1beta1.CSIDriver{}
|
||||
|
||||
|
|
|
|||
|
|
@ -1504,8 +1504,6 @@ func TestCSINodeUpdateValidation(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestCSIDriverValidation(t *testing.T) {
|
||||
// assume this feature is on for this test, detailed enabled/disabled tests in TestCSIDriverValidationSELinuxMountEnabledDisabled
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, true)
|
||||
// assume this feature is on for this test, detailed enabled/disabled tests in TestMutableCSINodeAllocatableCountEnabledDisabled
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MutableCSINodeAllocatableCount, true)
|
||||
|
||||
|
|
@ -1842,8 +1840,6 @@ func TestCSIDriverValidation(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestCSIDriverValidationUpdate(t *testing.T) {
|
||||
// assume this feature is on for this test, detailed enabled/disabled tests in TestCSIDriverValidationSELinuxMountEnabledDisabled
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, true)
|
||||
// assume this feature is on for this test, detailed enabled/disabled tests in TestMutableCSINodeAllocatableCountEnabledDisabled
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MutableCSINodeAllocatableCount, true)
|
||||
|
||||
|
|
@ -2290,6 +2286,9 @@ func TestCSIDriverValidationSELinuxMountEnabledDisabled(t *testing.T) {
|
|||
}}
|
||||
for _, test := range tests {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
if !test.featureEnabled {
|
||||
featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.35"))
|
||||
}
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, test.featureEnabled)
|
||||
csiDriver := &storage.CSIDriver{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: "foo"},
|
||||
|
|
@ -2368,6 +2367,9 @@ func TestCSIDriverValidationSELinuxMountEnabledDisabled(t *testing.T) {
|
|||
}}
|
||||
for _, test := range updateTests {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
if !test.featureEnabled {
|
||||
featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.35"))
|
||||
}
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, test.featureEnabled)
|
||||
oldCSIDriver := &storage.CSIDriver{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: "foo", ResourceVersion: "1"},
|
||||
|
|
|
|||
|
|
@ -27,17 +27,14 @@ import (
|
|||
storagev1 "k8s.io/api/storage/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
"k8s.io/client-go/informers"
|
||||
"k8s.io/client-go/kubernetes/fake"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
"k8s.io/client-go/tools/record"
|
||||
featuregatetesting "k8s.io/component-base/featuregate/testing"
|
||||
"k8s.io/klog/v2"
|
||||
"k8s.io/klog/v2/ktesting"
|
||||
"k8s.io/kubernetes/pkg/controller"
|
||||
volumecache "k8s.io/kubernetes/pkg/controller/volume/selinuxwarning/cache"
|
||||
"k8s.io/kubernetes/pkg/features"
|
||||
"k8s.io/kubernetes/pkg/volume"
|
||||
volumetesting "k8s.io/kubernetes/pkg/volume/testing"
|
||||
"k8s.io/utils/ptr"
|
||||
|
|
@ -497,8 +494,6 @@ func TestSELinuxWarningController_Sync(t *testing.T) {
|
|||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxChangePolicy, true)
|
||||
|
||||
var wg sync.WaitGroup
|
||||
defer wg.Wait()
|
||||
_, ctx := ktesting.NewTestContext(t)
|
||||
|
|
|
|||
|
|
@ -1727,6 +1727,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
|
|||
SELinuxChangePolicy: {
|
||||
{Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha},
|
||||
{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta},
|
||||
{Version: version.MustParse("1.36"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.39, locked to default in 1.36
|
||||
},
|
||||
|
||||
SELinuxMount: {
|
||||
|
|
@ -1738,6 +1739,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
|
|||
{Version: version.MustParse("1.25"), Default: false, PreRelease: featuregate.Alpha},
|
||||
{Version: version.MustParse("1.27"), Default: false, PreRelease: featuregate.Beta},
|
||||
{Version: version.MustParse("1.28"), Default: true, PreRelease: featuregate.Beta},
|
||||
{Version: version.MustParse("1.36"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.39, locked to default in 1.36
|
||||
},
|
||||
|
||||
SchedulerAsyncAPICalls: {
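Review bot: The comment on the two added GA entries, `// remove in 1.39, locked to default in 1.36`, repeats what `LockToDefault: true` already states and leaves out the operator-facing consequence. Once locked, a component that is still started with `SELinuxChangePolicy=false` or `SELinuxMountReadWriteOncePod=false` should have that setting rejected unless it runs with an older emulation version, which is the workaround the tests in this commit use. I would shorten the comment to `// GA in 1.36; remove in 1.39` and state the upgrade impact in the release note, which is not visible on this page. The map literal starts and ends outside both hunks.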
|
||||
|
|
|
|||
|
|
@ -456,7 +456,7 @@ func TestCSIDriverPrepareForUpdate(t *testing.T) {
|
|||
|
||||
for _, test := range tests {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
if !test.csiServiceAccountTokenSecretsEnabled {
|
||||
if !test.csiServiceAccountTokenSecretsEnabled || !test.seLinuxMountReadWriteOncePodEnabled {
|
||||
featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.35"))
|
||||
}
|
||||
if !test.mutableCSINodeAllocatableCountEnabled {
|
||||
|
|
|
|||
|
|
@ -37,6 +37,7 @@ import (
|
|||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
||||
"k8s.io/apimachinery/pkg/util/version"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
fakeclient "k8s.io/client-go/kubernetes/fake"
|
||||
clitesting "k8s.io/client-go/testing"
|
||||
|
|
@ -218,6 +219,9 @@ func TestMounterSetUp(t *testing.T) {
|
|||
currentPodInfoMount := true
|
||||
for _, test := range tests {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
if !test.enableSELinuxFeatureGate {
|
||||
featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.35"))
|
||||
}
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, test.enableSELinuxFeatureGate)
|
||||
|
||||
modes := []storage.VolumeLifecycleMode{
|
||||
|
|
|
|||
|
|
@ -371,6 +371,9 @@ func TestPluginConstructVolumeSpec(t *testing.T) {
|
|||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
if !tc.seLinuxMountEnabled {
|
||||
featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, utilversion.MustParse("1.35"))
|
||||
}
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, tc.seLinuxMountEnabled)
|
||||
|
||||
mounter, err := plug.NewMounter(
|
||||
|
|
|
|||
|
|
@ -21,6 +21,7 @@ import (
|
|||
|
||||
v1 "k8s.io/api/core/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/version"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
"k8s.io/component-base/featuregate"
|
||||
featuregatetesting "k8s.io/component-base/featuregate/testing"
|
||||
|
|
@ -301,10 +302,13 @@ func TestGetMountSELinuxLabel(t *testing.T) {
|
|||
},
|
||||
}
|
||||
|
||||
// Unlock GA feature gates (SELinuxChangePolicy, SELinuxMount) so they can be disabled in tests
|
||||
featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.35"))
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
// Arrange
|
||||
// Set feature gates for the test. *Disable* those that are not in tt.featureGates.
|
||||
// Set feature gates for the test.
|
||||
allGates := []featuregate.Feature{features.SELinuxChangePolicy, features.SELinuxMount}
|
||||
enabledGates := sets.New(tt.featureGates...)
|
||||
for _, fg := range allGates {
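Review bot: The added comment `// Unlock GA feature gates (SELinuxChangePolicy, SELinuxMount) so they can be disabled in tests` names SELinuxMount as GA, but this commit promotes SELinuxChangePolicy and SELinuxMountReadWriteOncePod; the feature table further down the page still lists SELinuxMount as Beta. Of the two gates in `allGates`, only SELinuxChangePolicy is locked, so I would write `// Emulate 1.35 so SELinuxChangePolicy (GA and locked in 1.36) can still be disabled in subtests.` The subtest loop continues outside the hunk.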
|
||||
|
|
|
|||
|
|
@ -162,9 +162,9 @@
|
|||
| RetryGenerateName | :ballot_box_with_check: 1.31+ | :closed_lock_with_key: 1.32+ | 1.30 | 1.31 | 1.32– | | | [code](https://cs.k8s.io/?q=%5CbRetryGenerateName%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbRetryGenerateName%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
|
||||
| RotateKubeletServerCertificate | :ballot_box_with_check: 1.12+ | | 1.7–1.11 | 1.12– | | | | [code](https://cs.k8s.io/?q=%5CbRotateKubeletServerCertificate%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbRotateKubeletServerCertificate%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
|
||||
| RuntimeClassInImageCriApi | | | 1.29– | | | | | [code](https://cs.k8s.io/?q=%5CbRuntimeClassInImageCriApi%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbRuntimeClassInImageCriApi%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
|
||||
| SELinuxChangePolicy | :ballot_box_with_check: 1.33+ | | 1.32 | 1.33– | | | | [code](https://cs.k8s.io/?q=%5CbSELinuxChangePolicy%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbSELinuxChangePolicy%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
|
||||
| SELinuxChangePolicy | :ballot_box_with_check: 1.33+ | :closed_lock_with_key: 1.36+ | 1.32 | 1.33–1.35 | 1.36– | | | [code](https://cs.k8s.io/?q=%5CbSELinuxChangePolicy%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbSELinuxChangePolicy%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
|
||||
| SELinuxMount | | | 1.30–1.32 | 1.33– | | | | [code](https://cs.k8s.io/?q=%5CbSELinuxMount%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbSELinuxMount%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
|
||||
| SELinuxMountReadWriteOncePod | :ballot_box_with_check: 1.28+ | | 1.25–1.26 | 1.27– | | | | [code](https://cs.k8s.io/?q=%5CbSELinuxMountReadWriteOncePod%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbSELinuxMountReadWriteOncePod%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
|
||||
| SELinuxMountReadWriteOncePod | :ballot_box_with_check: 1.28+ | :closed_lock_with_key: 1.36+ | 1.25–1.26 | 1.27–1.35 | 1.36– | | | [code](https://cs.k8s.io/?q=%5CbSELinuxMountReadWriteOncePod%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbSELinuxMountReadWriteOncePod%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
|
||||
| SchedulerAsyncAPICalls | | | | 1.34– | | | | [code](https://cs.k8s.io/?q=%5CbSchedulerAsyncAPICalls%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbSchedulerAsyncAPICalls%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
|
||||
| SchedulerAsyncPreemption | :ballot_box_with_check: 1.33+ | | 1.32 | 1.33– | | | | [code](https://cs.k8s.io/?q=%5CbSchedulerAsyncPreemption%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbSchedulerAsyncPreemption%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
|
||||
| SchedulerPopFromBackoffQ | :ballot_box_with_check: 1.33+ | | | 1.33– | | | | [code](https://cs.k8s.io/?q=%5CbSchedulerPopFromBackoffQ%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbSchedulerPopFromBackoffQ%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
|
||||
|
|
|
|||
|
|
@ -1599,6 +1599,10 @@
|
|||
lockToDefault: false
|
||||
preRelease: Beta
|
||||
version: "1.33"
|
||||
- default: true
|
||||
lockToDefault: true
|
||||
preRelease: GA
|
||||
version: "1.36"
|
||||
- name: SELinuxMount
|
||||
versionedSpecs:
|
||||
- default: false
|
||||
|
|
@ -1623,6 +1627,10 @@
|
|||
lockToDefault: false
|
||||
preRelease: Beta
|
||||
version: "1.28"
|
||||
- default: true
|
||||
lockToDefault: true
|
||||
preRelease: GA
|
||||
version: "1.36"
|
||||
- name: SeparateCacheWatchRPC
|
||||
versionedSpecs:
|
||||
- default: true
|
||||
|
|
|
|||