Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump to k8s 1.10.4 and fix FVs to work with that #272

Merged
merged 1 commit into from
Jun 26, 2018
Merged

Bump to k8s 1.10.4 and fix FVs to work with that #272

merged 1 commit into from
Jun 26, 2018

Commits on Jun 26, 2018

  1. Get tests running with k8s 1.10.4 

    There are several steps needed here.

If we just bump K8S_VERSION to 1.10.4, simple pod creation fails with an
error indicating that the default service account is missing:

• Failure [22.916 seconds]
kube-controllers FV tests
/go/src/github.com/projectcalico/kube-controllers/tests/fv/fv_test.go:45
  Pod FV tests
  /go/src/github.com/projectcalico/kube-controllers/tests/fv/fv_test.go:651
    should not overwrite a workload endpoint's container ID [It]
    /go/src/github.com/projectcalico/kube-controllers/tests/fv/fv_test.go:652

    Expected error:
        <*errors.StatusError | 0xc42001eab0>: {
            ErrStatus: {
                TypeMeta: {Kind: "", APIVersion: ""},
                ListMeta: {SelfLink: "", ResourceVersion: "", Continue: ""},
                Status: "Failure",
                Message: "pods \"testpod\" is forbidden: error looking up service account default/default: serviceaccount \"default\" not found",
                Reason: "Forbidden",
                Details: {Name: "testpod", Group: "", Kind: "pods", UID: "", Causes: nil, RetryAfterSeconds: 0},
                Code: 403,
            },
        }
        pods "testpod" is forbidden: error looking up service account default/default: serviceaccount "default" not found
    not to have occurred

    /go/src/github.com/projectcalico/kube-controllers/tests/fv/fv_test.go:679

Fix for that is to run the k8s controller manager, which in 1.10 is
responsible for creating default service accounts.  However, we then see
another failure, because we haven't configured a key for the controller
manager to use to sign an API token for the service account:

• Failure [37.584 seconds]
kube-controllers FV tests
/go/src/github.com/projectcalico/kube-controllers/tests/fv/fv_test.go:45
  Pod FV tests
  /go/src/github.com/projectcalico/kube-controllers/tests/fv/fv_test.go:656
    should not overwrite a workload endpoint's container ID [It]
    /go/src/github.com/projectcalico/kube-controllers/tests/fv/fv_test.go:657

    Expected error:
        <*errors.StatusError | 0xc420101560>: {
            ErrStatus: {
                TypeMeta: {Kind: "", APIVersion: ""},
                ListMeta: {SelfLink: "", ResourceVersion: "", Continue: ""},
                Status: "Failure",
                Message: "No API token found for service account \"default\", retry after the token is automatically created and added to the service account",
                Reason: "ServerTimeout",
                Details: {
                    Name: "create pod",
                    Group: "",
                    Kind: "serviceaccounts",
                    UID: "",
                    Causes: nil,
                    RetryAfterSeconds: 1,
                },
                Code: 500,
            },
        }
        No API token found for service account "default", retry after the token is automatically created and added to the service account
    not to have occurred

    /go/src/github.com/projectcalico/kube-controllers/tests/fv/fv_test.go:684

Fix for that is to create a token signing key and configure it to the
API server and controller manager.  (Ref/thanks:
https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/)

Then we move on to:

• Failure [29.626 seconds]
kube-controllers FV tests
/go/src/github.com/projectcalico/kube-controllers/tests/fv/fv_test.go:45
  Pod FV tests
  /go/src/github.com/projectcalico/kube-controllers/tests/fv/fv_test.go:656
    should not overwrite a workload endpoint's container ID [It]
    /go/src/github.com/projectcalico/kube-controllers/tests/fv/fv_test.go:657

    Expected error:
        <*errors.StatusError | 0xc4205dafc0>: {
            ErrStatus: {
                TypeMeta: {Kind: "", APIVersion: ""},
                ListMeta: {SelfLink: "", ResourceVersion: "", Continue: ""},
                Status: "Failure",
                Message: "Pod \"testpod\" is invalid: spec: Forbidden: pod updates may not change fields other than `spec.containers[*].image`, `spec.initContainers[*].image`, `spec.activeDeadlineSeconds` or `spec.tolerations` (only additions to existing tolerations)\n{\"Volumes\":\n\nA: null,\"InitContainers\":null,\"Containers\":[{\"Name\":\"container1\",\"Image\":\"busybox\",\"Command\":[\"sleep\",\"3600\"],\"Args\":null,\"WorkingDir\":\"\",\"Ports\":null,\"EnvFrom\":null,\"Env\":null,\"Resources\":{\"Limits\":null,\"Requests\":null},\"VolumeMounts\":null,\"VolumeDevices\":null,\"LivenessProbe\":null,\"ReadinessProbe\":null,\"Lifecycle\":null,\"TerminationMessagePath\":\"/dev/termination-log\",\"TerminationMessagePolicy\":\"File\",\"ImagePullPolicy\":\"Always\",\"SecurityContext\":null,\"Stdin\":false,\"StdinOnce\":false,\"TTY\":false}],\"RestartPolicy\":\"Always\",\"TerminationGracePeriodSeconds\":30,\"ActiveDeadlineSeconds\":null,\"DNSPolicy\":\"ClusterFirst\",\"NodeSelector\":null,\"ServiceAccountName\":\"\",\"AutomountServiceAccountToken\":null,\"NodeName\":\"127.0.0.1\",\"SecurityContext\":{\"HostNetwork\":false,\"HostPID\":false,\"HostIPC\":false,\"ShareProcessNamespace\":null,\"SELinuxOptions\":null,\"RunAsUser\":null,\"RunAsGroup\":null,\"RunAsNonRoot\":null,\"SupplementalGroups\":null,\"FSGroup\":null},\"ImagePullSecrets\":null,\"Hostname\":\"\",\"Subdomain\":\"\",\"Affinity\":null,\"SchedulerName\":\"default-scheduler\",\"Tolerations\":[{\"Key\":\"node.kubernetes.io/not-ready\",\"Operator\":\"Exists\",\"Value\":\"\",\"Effect\":\"NoExecute\",\"TolerationSeconds\":300},{\"Key\":\"node.kubernetes.io/unreachable\",\"Operator\":\"Exists\",\"Value\":\"\",\"Effect\":\"NoExecute\",\"TolerationSeconds\":300}],\"HostAliases\":null,\"PriorityClassName\":\"\",\"Priority\":null,\"DNSConfig\":null}\n\nB: [{\"Name\":\"default-token-4f8z6\",\"HostPath\":null,\"EmptyDir\":null,\"GCEPersistentDisk\":null,\"AWSElasticBlockStore\":null,\"GitRepo\":null,\"Secret\":{\"SecretName\":\"default-token-4f8z6\",\"Items\":null,\"DefaultMode\":420,\"Optional\":null},\"NFS\":null,\"ISCSI\":null,\"Glusterfs\":null,\"PersistentVolumeClaim\":null,\"RBD\":null,\"Quobyte\":null,\"FlexVolume\":null,\"Cinder\":null,\"CephFS\":null,\"Flocker\":null,\"DownwardAPI\":null,\"FC\":null,\"AzureFile\":null,\"ConfigMap\":null,\"VsphereVolume\":null,\"AzureDisk\":null,\"PhotonPersistentDisk\":null,\"Projected\":null,\"PortworxVolume\":null,\"ScaleIO\":null,\"StorageOS\":null}],\"InitContainers\":null,\"Containers\":[{\"Name\":\"container1\",\"Image\":\"busybox\",\"Command\":[\"sleep\",\"3600\"],\"Args\":null,\"WorkingDir\":\"\",\"Ports\":null,\"EnvFrom\":null,\"Env\":null,\"Resources\":{\"Limits\":null,\"Requests\":null},\"VolumeMounts\":[{\"Name\":\"default-token-4f8z6\",\"ReadOnly\":true,\"MountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\",\"SubPath\":\"\",\"MountPropagation\":null}],\"VolumeDevices\":null,\"LivenessProbe\":null,\"ReadinessProbe\":null,\"Lifecycle\":null,\"TerminationMessagePath\":\"/dev/termination-log\",\"TerminationMessagePolicy\":\"File\",\"ImagePullPolicy\":\"Always\",\"SecurityContext\":null,\"Stdin\":false,\"StdinOnce\":false,\"TTY\":false}],\"RestartPolicy\":\"Always\",\"TerminationGracePeriodSeconds\":30,\"ActiveDeadlineSeconds\":null,\"DNSPolicy\":\"ClusterFirst\",\"NodeSelector\":null,\"ServiceAccountName\":\"default\",\"AutomountServiceAccountToken\":null,\"NodeName\":\"127.0.0.1\",\"SecurityContext\":{\"HostNetwork\":false,\"HostPID\":false,\"HostIPC\":false,\"ShareProcessNamespace\":null,\"SELinuxOptions\":null,\"RunAsUser\":null,\"RunAsGroup\":null,\"RunAsNonRoot\":null,\"SupplementalGroups\":null,\"FSGroup\":null},\"ImagePullSecrets\":null,\"Hostname\":\"\",\"Subdomain\":\"\",\"Affinity\":null,\"SchedulerName\":\"default-scheduler\",\"Tolerations\":[{\"Key\":\"node.kubernetes.io/not-ready\",\"Operator\":\"Exists\",\"Value\":\"\",\"Effect\":\"NoExecute\",\"TolerationSeconds\":300},{\"Key\":\"node.kubernetes.io/unreachable\",\"Operator\":\"Exists\",\"Value\":\"\",\"Effect\":\"NoExecute\",\"TolerationSeconds\":300}],\"HostAliases\":null,\"PriorityClassName\":\"\",\"Priority\":null,\"DNSConfig\":null}\n\n",
                Reason: "Invalid",
                Details: {
                    Name: "testpod",
                    Group: "",
                    Kind: "Pod",
                    UID: "",
                    Causes: [
                        {
                            Type: "FieldValueForbidden",
                            Message: "Forbidden: pod updates may not change fields other than `spec.containers[*].image`, `spec.initContainers[*].image`, `spec.activeDeadlineSeconds` or `spec.tolerations` (only additions to existing tolerations)\n{\"Volumes\":\n\nA: null,\"InitContainers\":null,\"Containers\":[{\"Name\":\"container1\",\"Image\":\"busybox\",\"Command\":[\"sleep\",\"3600\"],\"Args\":null,\"WorkingDir\":\"\",\"Ports\":null,\"EnvFrom\":null,\"Env\":null,\"Resources\":{\"Limits\":null,\"Requests\":null},\"VolumeMounts\":null,\"VolumeDevices\":null,\"LivenessProbe\":null,\"ReadinessProbe\":null,\"Lifecycle\":null,\"TerminationMessagePath\":\"/dev/termination-log\",\"TerminationMessagePolicy\":\"File\",\"ImagePullPolicy\":\"Always\",\"SecurityContext\":null,\"Stdin\":false,\"StdinOnce\":false,\"TTY\":false}],\"RestartPolicy\":\"Always\",\"TerminationGracePeriodSeconds\":30,\"ActiveDeadlineSeconds\":null,\"DNSPolicy\":\"ClusterFirst\",\"NodeSelector\":null,\"ServiceAccountName\":\"\",\"AutomountServiceAccountToken\":null,\"NodeName\":\"127.0.0.1\",\"SecurityContext\":{\"HostNetwork\":false,\"HostPID\":false,\"HostIPC\":false,\"ShareProcessNamespace\":null,\"SELinuxOptions\":null,\"RunAsUser\":null,\"RunAsGroup\":null,\"RunAsNonRoot\":null,\"SupplementalGroups\":null,\"FSGroup\":null},\"ImagePullSecrets\":null,\"Hostname\":\"\",\"Subdomain\":\"\",\"Affinity\":null,\"SchedulerName\":\"default-scheduler\",\"Tolerations\":[{\"Key\":\"node.kubernetes.io/not-ready\",\"Operator\":\"Exists\",\"Value\":\"\",\"Effect\":\"NoExecute\",\"TolerationSeconds\":300},{\"Key\":\"node.kubernetes.io/unreachable\",\"Operator\":\"Exists\",\"Value\":\"\",\"Effect\":\"NoExecute\",\"TolerationSeconds\":300}],\"HostAliases\":null,\"PriorityClassName\":\"\",\"Priority\":null,\"DNSConfig\":null}\n\nB: [{\"Name\":\"default-token-4f8z6\",\"HostPath\":null,\"EmptyDir\":null,\"GCEPersistentDisk\":null,\"AWSElasticBlockStore\":null,\"GitRepo\":null,\"Secret\":{\"SecretName\":\"default-token-4f8z6\",\"Items\":null,\"DefaultMode\":420,\"Optional\":null},\"NFS\":null,\"ISCSI\":null,\"Glusterfs\":null,\"PersistentVolumeClaim\":null,\"RBD\":null,\"Quobyte\":null,\"FlexVolume\":null,\"Cinder\":null,\"CephFS\":null,\"Flocker\":null,\"DownwardAPI\":null,\"FC\":null,\"AzureFile\":null,\"ConfigMap\":null,\"VsphereVolume\":null,\"AzureDisk\":null,\"PhotonPersistentDisk\":null,\"Projected\":null,\"PortworxVolume\":null,\"ScaleIO\":null,\"StorageOS\":null}],\"InitContainers\":null,\"Containers\":[{\"Name\":\"container1\",\"Image\":\"busybox\",\"Command\":[\"sleep\",\"3600\"],\"Args\":null,\"WorkingDir\":\"\",\"Ports\":null,\"EnvFrom\":null,\"Env\":null,\"Resources\":{\"Limits\":null,\"Requests\":null},\"VolumeMounts\":[{\"Name\":\"default-token-4f8z6\",\"ReadOnly\":true,\"MountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\",\"SubPath\":\"\",\"MountPropagation\":null}],\"VolumeDevices\":null,\"LivenessProbe\":null,\"ReadinessProbe\":null,\"Lifecycle\":null,\"TerminationMessagePath\":\"/dev/termination-log\",\"TerminationMessagePolicy\":\"File\",\"ImagePullPolicy\":\"Always\",\"SecurityContext\":null,\"Stdin\":false,\"StdinOnce\":false,\"TTY\":false}],\"RestartPolicy\":\"Always\",\"TerminationGracePeriodSeconds\":30,\"ActiveDeadlineSeconds\":null,\"DNSPolicy\":\"ClusterFirst\",\"NodeSelector\":null,\"ServiceAccountName\":\"default\",\"AutomountServiceAccountToken\":null,\"NodeName\":\"127.0.0.1\",\"SecurityContext\":{\"HostNetwork\":false,\"HostPID\":false,\"HostIPC\":false,\"ShareProcessNamespace\":null,\"SELinuxOptions\":null,\"RunAsUser\":null,\"RunAsGroup\":null,\"RunAsNonRoot\":null,\"SupplementalGroups\":null,\"FSGroup\":null},\"ImagePullSecrets\":null,\"Hostname\":\"\",\"Subdomain\":\"\",\"Affinity\":null,\"SchedulerName\":\"default-scheduler\",\"Tolerations\":[{\"Key\":\"node.kubernetes.io/not-ready\",\"Operator\":\"Exists\",\"Value\":\"\",\"Effect\":\"NoExecute\",\"TolerationSeconds\":300},{\"Key\":\"node.kubernetes.io/unreachable\",\"Operator\":\"Exists\",\"Value\":\"\",\"Effect\":\"NoExecute\",\"TolerationSeconds\":300}],\"HostAliases\":null,\"PriorityClassName\":\"\",\"Priority\":null,\"DNSConfig\":null}\n\n",
                            Field: "spec",
                        },
                    ],
                    RetryAfterSeconds: 0,
                },
                Code: 422,
            },
        }
        Pod "testpod" is invalid: spec: Forbidden: pod updates may not change fields other than `spec.containers[*].image`, `spec.initContainers[*].image`, `spec.activeDeadlineSeconds` or `spec.tolerations` (only additions to existing tolerations)
        {"Volumes":

        A: null,"InitContainers":null,"Containers":[{"Name":"container1","Image":"busybox","Command":["sleep","3600"],"Args":null,"WorkingDir":"","Ports":null,"EnvFrom":null,"Env":null,"Resources":{"Limits":null,"Requests":null},"VolumeMounts":null,"VolumeDevices":null,"LivenessProbe":null,"ReadinessProbe":null,"Lifecycle":null,"TerminationMessagePath":"/dev/termination-log","TerminationMessagePolicy":"File","ImagePullPolicy":"Always","SecurityContext":null,"Stdin":false,"StdinOnce":false,"TTY":false}],"RestartPolicy":"Always","TerminationGracePeriodSeconds":30,"ActiveDeadlineSeconds":null,"DNSPolicy":"ClusterFirst","NodeSelector":null,"ServiceAccountName":"","AutomountServiceAccountToken":null,"NodeName":"127.0.0.1","SecurityContext":{"HostNetwork":false,"HostPID":false,"HostIPC":false,"ShareProcessNamespace":null,"SELinuxOptions":null,"RunAsUser":null,"RunAsGroup":null,"RunAsNonRoot":null,"SupplementalGroups":null,"FSGroup":null},"ImagePullSecrets":null,"Hostname":"","Subdomain":"","Affinity":null,"SchedulerName":"default-scheduler","Tolerations":[{"Key":"node.kubernetes.io/not-ready","Operator":"Exists","Value":"","Effect":"NoExecute","TolerationSeconds":300},{"Key":"node.kubernetes.io/unreachable","Operator":"Exists","Value":"","Effect":"NoExecute","TolerationSeconds":300}],"HostAliases":null,"PriorityClassName":"","Priority":null,"DNSConfig":null}

        B: [{"Name":"default-token-4f8z6","HostPath":null,"EmptyDir":null,"GCEPersistentDisk":null,"AWSElasticBlockStore":null,"GitRepo":null,"Secret":{"SecretName":"default-token-4f8z6","Items":null,"DefaultMode":420,"Optional":null},"NFS":null,"ISCSI":null,"Glusterfs":null,"PersistentVolumeClaim":null,"RBD":null,"Quobyte":null,"FlexVolume":null,"Cinder":null,"CephFS":null,"Flocker":null,"DownwardAPI":null,"FC":null,"AzureFile":null,"ConfigMap":null,"VsphereVolume":null,"AzureDisk":null,"PhotonPersistentDisk":null,"Projected":null,"PortworxVolume":null,"ScaleIO":null,"StorageOS":null}],"InitContainers":null,"Containers":[{"Name":"container1","Image":"busybox","Command":["sleep","3600"],"Args":null,"WorkingDir":"","Ports":null,"EnvFrom":null,"Env":null,"Resources":{"Limits":null,"Requests":null},"VolumeMounts":[{"Name":"default-token-4f8z6","ReadOnly":true,"MountPath":"/var/run/secrets/kubernetes.io/serviceaccount","SubPath":"","MountPropagation":null}],"VolumeDevices":null,"LivenessProbe":null,"ReadinessProbe":null,"Lifecycle":null,"TerminationMessagePath":"/dev/termination-log","TerminationMessagePolicy":"File","ImagePullPolicy":"Always","SecurityContext":null,"Stdin":false,"StdinOnce":false,"TTY":false}],"RestartPolicy":"Always","TerminationGracePeriodSeconds":30,"ActiveDeadlineSeconds":null,"DNSPolicy":"ClusterFirst","NodeSelector":null,"ServiceAccountName":"default","AutomountServiceAccountToken":null,"NodeName":"127.0.0.1","SecurityContext":{"HostNetwork":false,"HostPID":false,"HostIPC":false,"ShareProcessNamespace":null,"SELinuxOptions":null,"RunAsUser":null,"RunAsGroup":null,"RunAsNonRoot":null,"SupplementalGroups":null,"FSGroup":null},"ImagePullSecrets":null,"Hostname":"","Subdomain":"","Affinity":null,"SchedulerName":"default-scheduler","Tolerations":[{"Key":"node.kubernetes.io/not-ready","Operator":"Exists","Value":"","Effect":"NoExecute","TolerationSeconds":300},{"Key":"node.kubernetes.io/unreachable","Operator":"Exists","Value":"","Effect":"NoExecute","TolerationSeconds":300}],"HostAliases":null,"PriorityClassName":"","Priority":null,"DNSConfig":null}

    not to have occurred

    /go/src/github.com/projectcalico/kube-controllers/tests/fv/fv_test.go:723

This is because Pod content has changed since first creation, and our
Update is invalid because it appears to be trying to change back bits
that it isn't allowed to.  Fix that by getting the current Pod content
before making the intended label change.

Then we see a second similar problem:

• Failure [28.069 seconds]
kube-controllers FV tests
/go/src/github.com/projectcalico/kube-controllers/tests/fv/fv_test.go:45
  Pod FV tests
  /go/src/github.com/projectcalico/kube-controllers/tests/fv/fv_test.go:656
    should not overwrite a workload endpoint's container ID [It]
    /go/src/github.com/projectcalico/kube-controllers/tests/fv/fv_test.go:657

    Expected error:
        <*errors.StatusError | 0xc42069a6c0>: {
            ErrStatus: {
                TypeMeta: {Kind: "", APIVersion: ""},
                ListMeta: {SelfLink: "", ResourceVersion: "", Continue: ""},
                Status: "Failure",
                Message: "Operation cannot be fulfilled on pods \"testpod\": the object has been modified; please apply your changes to the latest version and try again",
                Reason: "Conflict",
                Details: {Name: "testpod", Group: "", Kind: "pods", UID: "", Causes: nil, RetryAfterSeconds: 0},
                Code: 409,
            },
        }
        Operation cannot be fulfilled on pods "testpod": the object has been modified; please apply your changes to the latest version and try again
    not to have occurred

    /go/src/github.com/projectcalico/kube-controllers/tests/fv/fv_test.go:769

Similar fix here, and the "should not overwrite a workload endpoint's
container ID" FV now passes.

Finally a similar pod update fix is needed for the "should not create a
workload endpoint when one does not already exist" FV.
    Neil Jerram committed Jun 26, 2018
    Configuration menu
    Copy the full SHA
    b7a61a4 View commit details
    Browse the repository at this point in the history