Extended.deploymentconfigs viewing rollout history [Conformance] should print the rollout history #15792
Comments
mfojtik
added
component/apps
kind/test-flake
|
This seem like an issue where new project/user is created by the testing framework and it manages to run the Describe func before that SA has appropriate permissions picked up. We might want to check that in testing framework before running describe or make sure the SA is ok other way. Doesn't seem specific to Deployments. |
|
@mfojtik @tnozicka This setup function looks incorrect (note that project request is always best effort - it tries for ~6 seconds to make sure you have your permissions, but it won't just hang there until you get your permissions): // SetupProject creates a new project and assign a random user to the project.
// All resources will be then created within this project and Kubernetes E2E
// suite will destroy the project after test case finish.
func (c *CLI) SetupProject(name string, kubeClient kclientset.Interface, _ map[string]string) (*kapiv1.Namespace, error) {
newNamespace := names.SimpleNameGenerator.GenerateName(fmt.Sprintf("extended-test-%s-", name))
c.SetNamespace(newNamespace).ChangeUser(fmt.Sprintf("%s-user", c.Namespace()))
e2e.Logf("The user is now %q", c.Username())
e2e.Logf("Creating project %q", c.Namespace())
_, err := c.Client().ProjectRequests().Create(&projectapi.ProjectRequest{
ObjectMeta: metav1.ObjectMeta{Name: c.Namespace()},
})
if err != nil {
e2e.Logf("Failed to create a project and namespace %q: %v", c.Namespace(), err)
return nil, err
}
if err := wait.ExponentialBackoff(retry.DefaultBackoff, func() (bool, error) {
if _, err := c.KubeClient().Core().Pods(c.Namespace()).List(metav1.ListOptions{}); err != nil {
if apierrs.IsForbidden(err) {
e2e.Logf("Waiting for user to have access to the namespace")
return false, nil
}
////////////////////// What about other errors??
////////////////////// Doing a self SAR against the namespace for an admin only permission seems more appropriate (create RBAC role binding perhaps?)
}
return true, nil
}); err != nil {
return nil, err
}
return &kapiv1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: c.Namespace()}}, err
} |
|
Ignoring other errors is wrong and I that can be fixed fairly easily. @enj or should we move this self SAR as you suggested? I didn't have the opportunity to meet that code yet so I would appreciate some pointers if this is the correct path or if you want to take it, it's yours :) |
|
I do not have cycles right now to take it, but this should help you get started: c.KubeClient().AuthorizationV1().SelfSubjectAccessReviews().Create(
&authorizationapi.SelfSubjectAccessReview{
Spec: authorizationapi.SelfSubjectAccessReviewSpec{
ResourceAttributes: &authorizationapi.ResourceAttributes{
Namespace: c.Namespace(),
Verb: "create",
Group: rbac.GroupName,
Resource: "roles",
},
},
},
) |
|
The response will tell you if the action is allowed (it should only ever error if the server is down or not healthy). |
|
@enj thx for the pointer |
…ovisioning Automatic merge from submit-queue (batch tested with PRs 16617, 16719). Fix extended test namespace provisioning - wait for SA using selfSAR Fixes #15792
Not sure if flake or something I broke in #15624 (likely not):
Logs: https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin_extended_conformance_gce/6053/testReport/junit/(root)/Extended/deploymentconfigs_viewing_rollout_history__Conformance__should_print_the_rollout_history/
The text was updated successfully, but these errors were encountered: