Replace all imports of k8s.io/apimachinery/pkg/util/dump with
k8s.io/utils/dump across the repo. The apimachinery dump package
now contains deprecated wrapper functions that delegate to
k8s.io/utils/dump for backwards compatibility.
Signed-off-by: Davanum Srinivas <davanum@gmail.com>

- Moved sample device plugin constants and helper code to the
test/e2e/node/framework, so that both deviceplugin and DRA tests can
use it without creating e2e -> e2e_node dependency.
- Moved SampleDevsAmount constant from the
test/e2e_node/device_plugin_test.go

kubelet: defer the configurations flags (and the related fallback behavior) deprecation removal timeline from 1.36 to 1.37 to align with containerd v1.7 support

Change /etc/os-release to /etc/passwd in subPath test to avoid
symlink issues with Alpine 3.21 (kitten:1.8).
Add Feature:ImageVolume tag to properly categorize tests for CI.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>

Two test contexts were failing because their AfterEach blocks run even
when BeforeEach skips the test (standard Ginkgo behavior). This caused
resetCRIProxyInjector to fail with "CRI Proxy is undefined".
Switched to using DeferCleanup inside BeforeEach instead, which only
runs if BeforeEach succeeds. This is the same pattern the other test
contexts in this file already use.
Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Replace the TensorFlow-based wide-deep workload with the PyTorch
implementation. This change:
- Adds pytorchWideDeepWorkload using the new pytorch-wide-deep image (1.0.0)
- Removes tfWideDeepWorkload and tf-wide-deep image references
- Enables arm64 support (PyTorch image is multi-arch)
- Uses the same log parsing (time -p output format)
Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Updates the codebase to use the new glibc-dns-testing image which replaces
the deprecated jessie-dnsutils image.
This PR depends on the glibc-dns-testing image being available in the
registry (registry.k8s.io/e2e-test-images/glibc-dns-testing:2.0.0).
Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Skip the memory pressure PSI test when running with CRI-O until automatic
memory.high configuration is available in the runtime. The test fails on
Fedora CoreOS due to different page cache reclaim behavior, and CRI-O is
implementing a fix to automatically set memory.high to 95% of memory.max
for cgroup v2 containers.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>

The test expects unauthorized pods to be blocked from accessing cached
private images, but the default policy (NeverVerifyPreloadedImages)
allows access to any image previously pulled by the kubelet.
Configure the kubelet to use AlwaysVerify policy for this test, which
enforces credential checks for all images regardless of pull history.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>

When a container restarts before kubelet restarts, containerMap has
multiple entries (old exited + new running). GetContainerID() may
return the exited container, causing the running check to fail. Fixed
by checking if ANY container for the pod/name is running.
Also filter terminal pods from podresources since they no longer
consume resources, and fix test error handling to avoid exiting
Eventually immediately on transient errors.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>

The spaces are unnecessary because Ginkgo adds spaces automatically.
This was detected before only for tests using the wrapper functions,
now it also gets detected for ginkgo methods.

This has been replaced by `//build:...` for a long time now.
Removal of the old build tag was automated with:
for i in $(git grep -l '^// +build' | grep -v -e '^vendor/'); do if ! grep -q '^// Code generated' "$i"; then sed -i -e '/^\/\/ +build/d' "$i"; fi; done

properly support the resource metrics endpoint when `PodAndContainerStatsFromCRI` is enabled and fix the related e2e tests.
Stats Provider:
- add container-level CPU and memory stats to `ListPodCPUAndMemoryStats` so the resource metrics endpoint has complete data
- add `aggregatePodSwapStats` to compute pod-level swap from container stats (CRI doesn't provide pod-level swap directly)
- add missing memory stats fields: `AvailableBytes`, `PageFaults`, and `MajorPageFaults`
- add platform-specific implementations for Linux and Windows
Tests:
- skip cAdvisor metrics test when `PodAndContainerStatsFromCRI` is enabled (cAdvisor metrics aren't available in that mode)
- fix expected metrics in `ResourceMetricsAPI` test
- `node_swap_usage_bytes` is only available with cAdvisor (need to verify!)
- Add `dumpResourceMetricsForPods` helper to log actual metric values when tests fail, making debugging easier
Signed-off-by: Davanum Srinivas <davanum@gmail.com>

- Replaced time.Sleep with gomega.Consistently to ensure reliable failure detection if a restart occurs during the wait
- Refactored createPodWith*Probes functions into a single helper to remove code duplication
Signed-off-by: KasimVali2207 <kasimvali2207@gmail.com>

This commit adds e2e stress tests to verify that liveness probes do not cause
unexpected container restarts under load. The tests create many containers
(50 per test) with liveness probes configured to run every 1 second.
Three test cases are included:
- HTTP liveness probe stress test
- TCP liveness probe stress test
- gRPC liveness probe stress test
Each test waits for all containers to be running, observes probe behavior for
2 minutes, and validates that no containers have restarted unexpectedly.
These tests address the bug fix from issue kubernetes#89898 and serve as a
replacement for the skipped unit test from PR kubernetes#115329.

This commit fixes the image credential pulls test by ensuring GetImageRef
and PullImage return the same digest reference format for credential validation.
The test was failing because:
1. PullImage returns a digest reference (e.g., localhost:5000/pause@sha256:abc...)
2. Pull records were stored under this digest
3. GetImageRef returned Image.Id (config hash) instead of a digest reference
4. Credential validation failed due to the lookup mismatch
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>

Currently, we set TLSConfig.Config.GetCertificate, but then also pass
certificate and key paths to http.Server.ListenAndServeTLS.
ListenAndServeTLS uses these paths to populate the TLS config Certificate
property. Then, when accepting connections, a non-nil Certificate is preferred
over GetCertificate if the ServerName is not set in ClientHelloInfo. Finally,
the Go TLS client doesn't set ServerName when connecting by IP. As a result,
when connecting to the kubelet by IP (e.g. to fetch pod logs), stale
certificates are served.
This patch passes empty certFile and keyFile arguments, to force the TLS
server to use the GetCertificate function.
This is done by clearing key/cert file config when setting GetCertificate as
suggested in PR review. This way, all downstream users of kubeDeps.TLSConfig
will do the right thing automatically.
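
The certificate selection described in the commit message above, reproduced as an added example (not code from the commit or from Kubernetes): a Go TLS server holding both a static certificate and a GetCertificate callback serves the static one whenever the client sends no SNI, which is the case for an IP-literal ServerName. The helpers selfSigned and servedCN, the "stale"/"fresh" certificates and the name node.example are constructed for the illustration; an in-memory pipe stands in for the listener, and verification is skipped only because the certificates are throwaway self-signed ones.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned returns a throwaway certificate labelled by its CommonName (constructed test data).
func selfSigned(cn string) tls.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// servedCN returns the CommonName of the certificate served; static plays the certFile/keyFile role.
func servedCN(serverName string, static ...tls.Certificate) string {
	fresh := selfSigned("fresh")
	srv := &tls.Config{
		Certificates:           static,
		GetCertificate:         func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return &fresh, nil },
		SessionTicketsDisabled: true, // no session-ticket records for the unbuffered pipe to block on
	}
	c, s := net.Pipe()
	defer c.Close()
	go tls.Server(s, srv).Handshake()
	client := tls.Client(c, &tls.Config{ServerName: serverName, InsecureSkipVerify: true}) // demo certs only
	if err := client.Handshake(); err != nil {
		return "handshake error: " + err.Error()
	}
	return client.ConnectionState().PeerCertificates[0].Subject.CommonName
}

func main() {
	fmt.Println(servedCN("127.0.0.1", selfSigned("stale")), servedCN("node.example", selfSigned("stale")), servedCN("127.0.0.1"))
}
```

The three calls in main cover the stale-by-IP case, the same server reached with a hostname, and the patched configuration with no static certificate.
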
Update the procMount test expectations to match the intentional PSA
policy relaxation introduced in commit e8bd3f629d.
As of Kubernetes 1.35+, Pod Security Admission Baseline policy
allows UnmaskedProcMount for pods with user namespaces (hostUsers:
false). This was an intentional change to support nested container
use cases while maintaining security through user namespace isolation.
The test "will fail to unmask proc mounts if not privileged" was
written before this relaxation and expected Baseline level to reject
UnmaskedProcMount. Since Baseline now allows it (for user namespace
pods), the test needs to use Restricted level instead, which
unconditionally blocks UnmaskedProcMount regardless of user namespace
settings.
Changes:
- Change PSA level from Baseline to Restricted
- Update test name to clarify it's testing Restricted level behavior
- Update framework name from "proc-mount-baseline-test" to
"proc-mount-restricted-test"
Fixes the ci-crio-userns-e2e-serial test failure that started occurring
when runtimes began reporting user namespace support.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>