1.12 Running in-cluster e2es no longer respects service account RBAC rules. #69234
Comments
timothysc
added
the
priority/critical-urgent
k8s-ci-robot
added
sig/testing
|
One data point, the in-cluster-client-configuration example seems to work (but was missing RBAC step): |
|
is there a known time when it last worked? |
1.11 worked fine
Sonobuoy's legacy in-cluster config works as well. The e2e test suite relies on a single utility wrapper that seems to not be tested. I'm still digging through the e2e setup, I haven't touched it since 1.9-ish timeframe. |
needs a binary search bisect between 1.11 and 1.12. :\ |
|
I'm definitely interested in this as VMware runs e2e tests in cluster. We're still handing the tests a kubeconfig from the outside, but the plan is to move to the same model as used by Sonobuoy. |
|
The token field in /tmp/kubeconfig-xxx is missing. BearerToken in client-go is apparently empty. Probably caused by this: #67359 |
|
FYI, the following command can trick sonobuoy/e2e 0.12 into running the tests but beware it is a hack: kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=system:anonymous |
|
@timothysc i don't have proof, but looking through swathes of stuff, this one stood out - #66684 wanna try a local test in your environment with that removed? |
|
@liztio shared a possible solution in the sig-cluster-life chat, @timothysc can confirm if that was a fix for the same thing or perhaps something else. |
|
i'll take back my comment about #66684. trying to recreate the scenario i was able to print out the tmp file with the in-cluster config info. 1.11 - https://paste.fedoraproject.org/paste/8vHwWGJhgzrUkSlccBmVMg/raw Looks like the |
|
/reopen |
|
@dims: Reopening this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@timothysc @chuckha What should we do with Sonobuoy now that this is merged and cherry-picked? |
|
Closing, I've been verifying with release-1.12 and with latest patches is works now. |
|
/close |
|
@liggitt: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Is this a BUG REPORT:
Sonobuoy runs the kubernetes e2e's differently then test-infra. It constructs an in-cluster config vs. being handed a kubeconfig from the infra.
In 1.12 something has broken this behavior, I'm still digging into the details.
What happened:
Run tests from within the cluster error occurs -
https://paste.fedoraproject.org/paste/D559nyX6SlGhA3tLPtWt5A
What you expected to happen:
Works fine, just like it had in 1.11
How to reproduce it (as minimally and precisely as possible):
Run tests from within the cluster given proper RBAC rules.
Anything else we need to know?:
Discovered when updating sonobuoy for 1.12.
/sig testing
/kind bug
/cc @kubernetes/sig-cluster-lifecycle @dims @BenTheElder @kubernetes/cncf-conformance-wg
The text was updated successfully, but these errors were encountered: