Extract audit validation into assertNoInvalidSVMControllerResponses helper
that each test calls explicitly with appropriate allowed codes. This removes
coupling between svmSetup and test-specific behavior.
Previously, the webhook transport was switched from HTTP/2 to HTTP/1.1 to work around HTTP/2's single-connection multiplexing, which prevented concurrent requests from load-balancing across multiple backend pods. However, under HTTP/1.1, connections are kept alive and cached as idle in the transport's pool.
Because Go's http.Transport keys its connection cache by the request's URL Host (in this case the service name) and we overrode the DialContext to perform dynamic endpoint resolution, when a new request is sent, if there is an idle connection in the pool matching the service hostname, the connection is reused and the dialer is skipped.
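The reuse behaviour described in the previous paragraph can be observed directly. The block below is an added illustration, not code from the Kubernetes repository or from this commit: it wraps a counting DialContext around a plain net.Dialer, sends several sequential HTTP/1.1 requests to a local httptest server, and returns how many times the dialer actually ran. With keep-alive on, the idle connection is reused and the dialer (which in the real transport performs endpoint resolution) runs once; DisableKeepAlives is toggled here only as a contrast to show that forcing a fresh connection re-invokes the dialer, and is not a claim about how the commit itself resolved the issue.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// countingTransport builds an http.Transport whose DialContext records how
// many times it is invoked. In the commit message above the custom
// DialContext performs endpoint resolution, so every skipped dial is a
// skipped resolution. Example code, not kubernetes code.
func countingTransport(disableKeepAlives bool) (*http.Transport, *int32) {
	var dials int32
	d := &net.Dialer{}
	tr := &http.Transport{
		DisableKeepAlives: disableKeepAlives,
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			atomic.AddInt32(&dials, 1)
			// A real resolver would choose a backend here; this example
			// simply dials the address it was handed.
			return d.DialContext(ctx, network, addr)
		},
	}
	return tr, &dials
}

// DialsForSequentialRequests sends n sequential GET requests to a local
// HTTP/1.1 test server through a counting transport and returns how many
// times the dialer ran. Each body is drained and closed so the connection
// is eligible to go back into the transport's idle pool.
func DialsForSequentialRequests(n int, disableKeepAlives bool) (int32, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()

	tr, dials := countingTransport(disableKeepAlives)
	defer tr.CloseIdleConnections()
	client := &http.Client{Transport: tr}

	for i := 0; i < n; i++ {
		resp, err := client.Get(srv.URL)
		if err != nil {
			return 0, err
		}
		io.Copy(io.Discard, resp.Body)
		resp.Body.Close()
	}
	return atomic.LoadInt32(dials), nil
}

func main() {
	reused, _ := DialsForSequentialRequests(5, false)
	fresh, _ := DialsForSequentialRequests(5, true)
	fmt.Printf("keep-alive on:  %d dial(s) for 5 requests\n", reused) // 1
	fmt.Printf("keep-alive off: %d dial(s) for 5 requests\n", fresh)  // 5
}
```

The key observation for the paragraph above is the first number: once a connection to the service hostname sits idle in the pool, subsequent requests never reach DialContext, so any per-request endpoint selection done inside the dialer is silently bypassed.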
When the MutableSchedulingDirectivesForSuspendedJobs feature gate is
enabled, it overwrites the notStarted check with a stricter condition
requiring the JobSuspended=True condition. This rejects mutations on
suspended Jobs that have never started but whose JobSuspended condition
has not yet been set by the job controller, breaking external
controllers like MultiKueue that inject scheduling directives
immediately after creating a suspended Job.
Preserve the notStarted path as an OR condition alongside the
JobSuspended condition check, restoring pre-1.36 behavior for
not-yet-started Jobs while maintaining the new relaxation for
previously-started Jobs.
Kubernetes-issue: https://github.com/kubernetes/kubernetes/issues/139281
As with per-test feature gate overrides, scope overrides of test-only storage decode panics to the
test's duration. This also protects against accidental contamination of other tests, since callers
are no longer responsible for removing their own overrides.
The previous error message said the audience was "not found in pod
spec volume", which led users to mount a spurious projected service
account token volume in the pod spec to satisfy the check. That is
not the intended remedy: kubelets should be authorized via RBAC to
request tokens for the configured audience.
Reword the error to a generic "is not authorized to request tokens
for audience %q" so users are not pushed toward modifying pod specs.
The valid authorization paths (pod spec volume, CSIDriver tokenRequests,
or the request-serviceaccounts-token-audience verb) are documented
in the kubelet credential provider task page.
Update the unit and integration test expectations to match.
Replace lastErrBarFoo/lastErrFooBar with a single lastErr variable
reused by both PodCertificateRequest Create polls in
TestNodeAuthorizerNamespaceNameConfusion, matching the convention
used elsewhere in the file.
Signed-off-by: Nick Nikolakakis <nonicked@protonmail.com>