When the MutableSchedulingDirectivesForSuspendedJobs feature gate is
enabled, it overwrites the notStarted check with a stricter condition
requiring the JobSuspended=True condition. This rejects mutations on
suspended Jobs that have never started but whose JobSuspended condition
has not yet been set by the job controller, breaking external
controllers like MultiKueue that inject scheduling directives
immediately after creating a suspended Job.

Preserve the notStarted path as an OR condition alongside the
JobSuspended condition check, restoring pre-1.36 behavior for
not-yet-started Jobs while maintaining the new relaxation for
previously-started Jobs.

Kubernetes-issue: https://github.com/kubernetes/kubernetes/issues/139281

As with per-test feature gate overrides, scope overrides of test-only storage decode panics to the
test's duration. This also protects against accidental contamination of other tests, since callers
are no longer responsible for removing their own overrides.

The previous error message said the audience was "not found in pod
spec volume", which led users to mount a spurious projected service
account token volume in the pod spec to satisfy the check. That is
not the intended remedy: kubelets should be authorized via RBAC to
request tokens for the configured audience.

Reword the error to a generic "is not authorized to request tokens
for audience %q" so users are not pushed toward modifying pod specs.
The valid authorization paths (pod spec volume, CSIDriver tokenRequests,
or the request-serviceaccounts-token-audience verb) are documented
in the kubelet credential provider task page.

Update the unit and integration test expectations to match.

Replace lastErrBarFoo/lastErrFooBar with a single lastErr variable
reused by both PodCertificateRequest Create polls in
TestNodeAuthorizerNamespaceNameConfusion, matching the convention
used elsewhere in the file.

Signed-off-by: Nick Nikolakakis <nonicked@protonmail.com>

The endpoint-mappings.yaml file specifies which components use which
metrics. The case of some, but not all, core components (kube-controller-manager
and kube-scheduler in this case) sharing the same metrics was not
supported. This gets fixed by not returning early once the first file path
matches.

Not all metrics in pkg/controller/resourceclaim/metrics are shared. To make the
sharing clearer and fit into the file-path based component support in
endpoint-mappings.yaml, the shared metric gets moved to a new
pkg/resourceclaim/metrics package.