Replace the manual 3-retry loop (with no delay) in VerifyCgroupValue
with framework.Gomega().Eventually() + HandleRetry, matching the
pattern used for oom_score_adj deflake in #137329. This gives proper
polling with backoff when exec fails during container restarts.
Introduce support for specifying allowed TLS key exchange mechanisms
(IANA TLS Supported Groups) via a new --tls-curve-preferences flag,
following the same pattern as --tls-cipher-suites.
Curve preferences are specified as numeric IANA TLS Supported Group IDs
(e.g. 23,29,4588) rather than string names. This avoids maintaining a
hardcoded name-to-ID map that would become stale with each Go release,
and ensures new curves (such as Go 1.26's SecP256r1MLKEM768 and
SecP384r1MLKEM1024) work automatically when rebuilding with a newer Go
version -- no code changes required.
Changes:
- Add curves_flag.go in component-base/cli/flag with a simple
int-to-tls.CurveID cast function
- Add CurvePreferences field ([]int32) to SecureServingOptions, registered
via IntSliceVar, and wire it through to tls.Config
The order of the list is ignored; Go selects from the set using an
internal preference order. If omitted, Go defaults are used. The set of
accepted values depends on the Go version used to build the binary; see
https://pkg.go.dev/crypto/tls#CurveID for reference.
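As an added example, not code from the Kubernetes change described above, this shows the shape of the flag parsing and tls.Config wiring the commit describes: a plain integer-to-tls.CurveID cast with no name table, so any group ID the building Go toolchain knows is accepted. The function names ParseCurvePreferences and NewServerTLSConfig and the zero/16-bit range check are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strconv"
	"strings"
)

// ParseCurvePreferences converts comma-separated numeric IANA TLS Supported
// Group IDs (the --tls-curve-preferences input) into []tls.CurveID. The only
// mapping is the integer cast, so no name table can go stale: any ID the Go
// toolchain that built the binary knows will work. Rejecting zero and values
// that do not fit in 16 bits is a check added for this example.
func ParseCurvePreferences(raw string) ([]tls.CurveID, error) {
	if strings.TrimSpace(raw) == "" {
		return nil, nil // flag omitted: keep Go's default curve set
	}
	var out []tls.CurveID
	for _, field := range strings.Split(raw, ",") {
		field = strings.TrimSpace(field)
		n, err := strconv.ParseUint(field, 10, 16) // IANA group IDs are 16-bit
		if err != nil || n == 0 {
			return nil, fmt.Errorf("invalid TLS curve preference %q: want a non-zero 16-bit IANA group ID", field)
		}
		out = append(out, tls.CurveID(n))
	}
	return out, nil
}

// NewServerTLSConfig wires the parsed set into tls.Config. List order is not
// significant: Go chooses from the set using its internal preference order.
func NewServerTLSConfig(curves []tls.CurveID) *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: curves, // nil leaves Go's defaults in place
	}
}

func main() {
	curves, err := ParseCurvePreferences("23,29,4588")
	if err != nil {
		panic(err)
	}
	for _, c := range NewServerTLSConfig(curves).CurvePreferences {
		fmt.Println(c) // prints the curve name when this Go version can name it, else the ID
	}
}
```

Whether a given ID is actually usable in a handshake is decided by the crypto/tls of the Go version the binary was built with, not by this parser.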
Limiting the tests to kubelet >= 1.36 was a stop-gap solution because the
version skew tests had to be updated to enable the feature on kubelet >= 1.34
first.
Some tests depend on a bug fix in 1.35 for implicit extended resource.
DeviceTaintRule is off by default because the corresponding v1beta2 API group
is off. When enabled, the potentially still disabled v1alpha3 API version was
used instead of the new v1beta2, causing the scheduler to fail while setting up
informers and then not scheduling pods.
The tests starting the eviction controller shouldn't run in parallel because we
want the one controller instance to be up-to-date with its informer caches when
it sees the new DeviceTaintRule. Worst case, a controller from one test would
have set the status of the DeviceTaintRule created by another.
That's not quite what happened here though:
Value for field 'Status.Conditions' failed to satisfy matcher.
Expected
<[]v1.Condition | len:1, cap:1>:
- lastTransitionTime: "2026-03-06T14:41:10Z"
message: 1000 published devices selected. 1001 allocated devices selected. 1000
pods would be evicted in 1 namespace if the effect was NoExecute. This information
will not be updated again. Recreate the DeviceTaintRule to trigger an update.
observedGeneration: 1
reason: NoEffect
status: "False"
type: EvictionInProgress
Note the "1001 allocated devices selected": the test only creates 1000
devices. It's not entirely clear where the extra one came from.
The test got stuck in the Eventually, which is useless because we know that
controller is not going to update the condition again. So now we wait for the
ObservedGeneration to increase, then check the full condition content once.
The fields become beta, enabled by default. DeviceTaintRule gets
added to the v1beta2 API, but support for it must remain off by default
because that API group is also off by default.
The v1beta1 API is left unchanged. No-one should be using it
anymore (deprecated in 1.33, could be removed now if it wasn't for
reading old objects and version emulation).
To achieve consistent validation, declarative validation must be enabled also
for v1alpha3 (was already enabled for other versions). Otherwise,
TestVersionedValidationByFuzzing fails:
--- FAIL: TestVersionedValidationByFuzzing (0.09s)
--- FAIL: TestVersionedValidationByFuzzing/resource.k8s.io/v1beta2,_Kind=DeviceTaintRule (0.00s)
validation_test.go:109: different error count (0 vs. 1)
resource.k8s.io/v1alpha3: <no errors>
resource.k8s.io/v1beta2: "spec.taint.effect: Unsupported value: \"幤HxÒQP¹¬永唂ȳ垞ş]嘨鶊\": supported values: \"NoExecute\", \"NoSchedule\", \"None\""
...
* Add <...> kuberc set --section=credentialplugin
The requirement that the `--command` option be provided is no longer
valid; a solution will need to be found.
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
* Remove required mark on `--command` flag
Move the validation logic to the Validate() function
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
* Remove requirement for `--command`
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
* Add cmd test cases for kuberc
- Verify all error messages added/changed by this PR
- Verify changes are effected by at least one valid `kubectl kuberc
set` invocation with --section=credentialplugin
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
* Add unit tests for --section=credentialplugin
Additionally:
- Update allowlist-entry validation logic to check for empty string in
value of k/v pairs
- Update kuberc cmd test with this case as well
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
* Address linter complaints
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
* Update staging/src/k8s.io/kubectl/pkg/cmd/kuberc/set.go
Co-authored-by: Maciej Szulik <soltysh@gmail.com>
* Add two new test cases
Additionally:
- update error message when policy is invalid
- use utilerrors.NewAggregate instead of custom code
- add --section=credentialplugin example to cli help
- fix copypasted doc comments
- use more descriptive variable names in for loops
- avoid confusion due to variable shadowing
- fix capitalization typo
- check both validate and run errors in credentialplugin tests
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
* Improve cli help for policy flag
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
---------
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
Co-authored-by: Maciej Szulik <soltysh@gmail.com>
This test framework feature is used in the test-infra that runs with
container runtimes that have support for user namespaces.
Signed-off-by: Rodrigo Campos <rodrigo@amutable.com>
Extract streaming code into dedicated staging modules while keeping stable
compatibility APIs for external client-go consumers.
This commit:
- adds `k8s.io/cri-streaming` for CRI exec/attach/portforward server code
- adds `k8s.io/streaming` as the canonical home for shared transport
primitives (`httpstream`, `spdy`, `wsstream`, runtime helpers)
- switches in-tree transport consumers to `k8s.io/streaming`
- removes in-tree kubelet CRI streaming package
- preserves NO_PROXY/no_proxy CIDR handling in extracted SPDY proxier logic
- adds deprecated `k8s.io/apimachinery/pkg/util/httpstream` compatibility
wrappers (`httpstream`, `spdy`, `wsstream`) backed by `k8s.io/streaming`
- restores exported client-go SPDY/portforward API signatures to
apimachinery `httpstream` types for downstream compatibility
- adds streaming-native client-go adapters/constructors so in-tree callers
can use `k8s.io/streaming` without changing external compatibility APIs
- deduplicates SPDY-over-websocket dial negotiation shared by compat and
streaming tunneling dialers
- logs dropped unknown stream types in `RemoveStreams` adapter fallbacks to
improve compatibility-path debuggability
- adds integration coverage for the streaming-upgrader-to-client-go-compat
adapter path against a real cri-streaming exec endpoint
- clarifies kubectl streaming import aliasing to avoid `httpstream` package
ambiguity
- updates tests, import restrictions, publishing metadata, and vendor/module
metadata for the new staging modules
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
add integration test
Use proper test header, change to etcdMain to recognize test flags
fix goroutine leak in integration test
redo integration test with kubeapiserverapptesting
fix comment capitalization, use existing client libraries
fix comment capitalization, use existing client libraries
consolidate http connect handler logic from oidc and tls_server-name into helper
add expected SNI, remove unused test
move oidc helpers.go to right dir, remove copyright year
split helpers.go into descriptive file names
use atomic ptr for SNI, refactor generateTestCerts, remove errors from runTLSEgressProxy, explain jwksHandler in comment
use testify, add back context messages
Clean up tests
Signed-off-by: Monis Khan <mok@microsoft.com>