update policy for pods/exec #3716
Conversation
| oc project test | ||
| oc whoami |
There was a problem hiding this comment.
you want to check output of this, or is it just for the test log?
There was a problem hiding this comment.
you want to check output of this, or is it just for the test log?
Just for the log.
|
@deads2k move the port forward test up too? |
done. |
| # Port forwarding | ||
| echo "[INFO] Validating port-forward" | ||
| oc port-forward -p ${frontend_pod} 10080:8080 &> "${LOG_DIR}/port-forward.log" & | ||
| wait_for_url_timed "http://localhost:10080" "[INFO] Frontend says: " $((10*TIME_SEC)) |
There was a problem hiding this comment.
was there something wrong with the healthz check?
There was a problem hiding this comment.
was there something wrong with the healthz check?
The /healthz check is for a registry, not a ruby frontend. Registry is in default where e2e-user doesn't have rights. e2e-user checks the ruby front-end.
|
@smarterclayton thinks we should keep our client using GET |
|
Isn't upstream going to move to require POST for exec? |
How would our client work against an external kube? Also, that would break our compatibility with kubectl. |
|
apparently upstream supports both now? |
|
Our clients have to work against 3.0 OpenShift servers. So we have to On Wed, Jul 15, 2015 at 10:40 AM, David Eads [email protected]
Clayton Coleman | Lead Engineer, OpenShift |
|
Yes but afaik they're going to remove GET support |
|
ah, the new-client, old server bit |
|
We need to carry the "post" first, then try "get" client patch. |
This doesn't make that problem better or worse, but it does allow the current origin code to work. This is necessary, but not sufficient. New issue for the command? |
|
On Jul 15, 2015, at 12:58 PM, David Eads [email protected] wrote: We need to carry the "post" first, then try "get" client patch. This doesn't make that problem better or worse, but it does allow the Not sure what you mean. This is necessary, but not sufficient. New issue for the command? For updating the default role assignments? Yes, new issue. — |
|
this PR allows both GET and POST for exec and portforward. new issue for the carried patch to try GET, then POST in exec and portforward (I would actually try in the reverse order... "correct" first, then fallback to legacy) |
That was my intent, but if this upstream patch suits (easy to carry and merge as opposed to nicely factored) then I guess I'm not picky |
| postErr := re.Execute(req, config, args, stdin, cmdOut, cmdErr, tty) | ||
|
|
||
| // if we don't have an error, return. If we did get an error, try a GET because v3.0.0 shipped with exec running as a GET. | ||
| if postErr == nil { |
There was a problem hiding this comment.
should we scope this to method not supported errors? if we get an error here when an exec times out or is terminated by the user and respond to it by opening a second request, that's not what we want.
There was a problem hiding this comment.
I guess against a 3.0 server you'd get access denied or method not supported
There was a problem hiding this comment.
should we scope this to method not supported errors?
It would have to include forbidden too since the old policy would forbid this for most users. I don't have strong feelings.
There was a problem hiding this comment.
It would have to include forbidden too since the old policy would forbid this for most users.
tightened
| } | ||
|
|
||
| // only try the get if the error is either a forbidden or method not supported, otherwise trying with a GET probably won't help | ||
| if !apierrors.IsForbidden(postErr) && !apierrors.IsMethodNotSupported(postErr) { |
There was a problem hiding this comment.
looks good... double check that Execute parses forbidden/notsupported statuses correctly?
There was a problem hiding this comment.
looks good... double check that Execute parses forbidden/notsupported statuses correctly?
Looks to be passed straight back through: https://github.com/openshift/origin/blob/master/Godeps/_workspace/src/github.com/GoogleCloudPlatform/kubernetes/pkg/client/request.go#L662-L665
There was a problem hiding this comment.
Looks to be passed straight back through: https://github.com/openshift/origin/blob/master/Godeps/_workspace/src/github.com/GoogleCloudPlatform/kubernetes/pkg/client/request.go#L662-L665
grrr.. nm
|
@liggitt now chaining back errors correctly |
|
LGTM |
|
[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/2750/) (Image: devenv-fedora_2007) |
|
Evaluated for origin up to 9b94ef6 |
|
[Test]ing while waiting on the merge queue |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/3653/) |
Merged by openshift-bot
Upstream pull: kubernetes/kubernetes#11333
Reacts to upstream changes for kubernetes/kubernetes#10654. Also refactors the test to make sure that project admins are able to run
pods/execby default.