Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-34999

AdmissionWebhook [Privileged:ClusterAdmin] listing mutating webhooks should work

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Obsolete
    • Icon: Major Major
    • None
    • 4.13.z
    • kube-apiserver
    • None
    • Quality / Stability / Reliability
    • False
    • Hide

      None

      Show
      None
    • None
    • Important
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      Description of problem: 

      e2e test "[sig-api-machinery] AdmissionWebhook [Privileged:ClusterAdmin] listing mutating webhooks should work [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]" fail

      Affects Version/s:

      4.13.0-0.nightly-2024-06-01-031656

      How reproducible:

      Always

      Steps to Reproduce:

      $ TESTS_IMAGE=$(oc adm release info --image-for=tests registry.ci.openshift.org/ocp/release:4.13.0-0.nightly-2024-06-01-031656)# oc image extract -a ./.dockerconfigjson "$TESTS_IMAGE" --file=/usr/bin/openshift-tests


$ chmod a+x openshift-tests

$ ./openshift-tests run all --dry-run | grep 'listing mutating webhooks should work'
"[sig-api-machinery] AdmissionWebhook [Privileged:ClusterAdmin] listing mutating webhooks should work [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]"


$ export DELETE_NAMESPACE=true

$ ./openshift-tests run-test "[sig-api-machinery] AdmissionWebhook [Privileged:ClusterAdmin] listing mutating webhooks should work [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]"
Jun  4 14:28:21.393: INFO: Enabling in-tree volume drivers
[BeforeEach] TOP-LEVEL
  github.com/openshift/origin/test/extended/util/framework.go:1496
[BeforeEach] TOP-LEVEL
  github.com/openshift/origin/test/extended/util/framework.go:1496
[BeforeEach] TOP-LEVEL
  github.com/openshift/origin/test/extended/util/framework.go:1496
[BeforeEach] TOP-LEVEL
  github.com/openshift/origin/test/extended/util/framework.go:1496
[BeforeEach] TOP-LEVEL
  github.com/openshift/origin/test/extended/util/test.go:56
[BeforeEach] [sig-api-machinery] AdmissionWebhook [Privileged:ClusterAdmin]
  set up framework | framework.go:178
STEP: Creating a kubernetes client 06/04/24 14:28:21.897
STEP: Building a namespace api object, basename webhook 06/04/24 14:28:21.899
Jun  4 14:28:22.658: INFO: About to run a Kube e2e test, ensuring namespace is privileged
STEP: Waiting for a default service account to be provisioned in namespace 06/04/24 14:28:24.108
STEP: Waiting for kube-root-ca.crt to be provisioned in namespace 06/04/24 14:28:24.56
[BeforeEach] [sig-api-machinery] AdmissionWebhook [Privileged:ClusterAdmin]
  k8s.io/kubernetes@v1.26.1/test/e2e/framework/metrics/init/init.go:31
[BeforeEach] [sig-api-machinery] AdmissionWebhook [Privileged:ClusterAdmin]
  k8s.io/kubernetes@v1.26.1/test/e2e/apimachinery/webhook.go:90
STEP: Setting up server cert 06/04/24 14:28:25.681
STEP: Create role binding to let webhook read extension-apiserver-authentication 06/04/24 14:28:26.042
STEP: Deploying the webhook pod 06/04/24 14:28:26.312
W0604 14:28:26.821295   24669 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "sample-webhook" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sample-webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sample-webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "sample-webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
STEP: Wait for the deployment to be ready 06/04/24 14:28:26.821
Jun  4 14:28:27.568: INFO: deployment status: v1.DeploymentStatus{ObservedGeneration:1, Replicas:1, UpdatedReplicas:1, ReadyReplicas:0, AvailableReplicas:0, UnavailableReplicas:1, Conditions:[]v1.DeploymentCondition{v1.DeploymentCondition{Type:"Available", Status:"False", LastUpdateTime:time.Date(2024, time.June, 4, 14, 28, 26, 0, time.Local), LastTransitionTime:time.Date(2024, time.June, 4, 14, 28, 26, 0, time.Local), Reason:"MinimumReplicasUnavailable", Message:"Deployment does not have minimum availability."}, v1.DeploymentCondition{Type:"Progressing", Status:"True", LastUpdateTime:time.Date(2024, time.June, 4, 14, 28, 26, 0, time.Local), LastTransitionTime:time.Date(2024, time.June, 4, 14, 28, 26, 0, time.Local), Reason:"ReplicaSetUpdated", Message:"ReplicaSet \"sample-webhook-deployment-865554f4d9\" is progressing."}}, CollisionCount:(*int32)(nil)}
Jun  4 14:28:29.797: INFO: deployment status: v1.DeploymentStatus{ObservedGeneration:1, Replicas:1, UpdatedReplicas:1, ReadyReplicas:0, AvailableReplicas:0, UnavailableReplicas:1, Conditions:[]v1.DeploymentCondition{v1.DeploymentCondition{Type:"Available", Status:"False", LastUpdateTime:time.Date(2024, time.June, 4, 14, 28, 26, 0, time.Local), LastTransitionTime:time.Date(2024, time.June, 4, 14, 28, 26, 0, time.Local), Reason:"MinimumReplicasUnavailable", Message:"Deployment does not have minimum availability."}, v1.DeploymentCondition{Type:"Progressing", Status:"True", LastUpdateTime:time.Date(2024, time.June, 4, 14, 28, 26, 0, time.Local), LastTransitionTime:time.Date(2024, time.June, 4, 14, 28, 26, 0, time.Local), Reason:"ReplicaSetUpdated", Message:"ReplicaSet \"sample-webhook-deployment-865554f4d9\" is progressing."}}, CollisionCount:(*int32)(nil)}
STEP: Deploying the webhook service 06/04/24 14:28:31.819
STEP: Verifying the service has paired with the endpoint 06/04/24 14:28:32.133
Jun  4 14:28:33.134: INFO: Waiting for amount of service:e2e-test-webhook endpoints to be 1
[It] listing mutating webhooks should work [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]
  k8s.io/kubernetes@v1.26.1/test/e2e/apimachinery/webhook.go:656
STEP: Listing all of the created validation webhooks 06/04/24 14:28:36.177
STEP: Creating a configMap that should be mutated 06/04/24 14:28:36.938
STEP: Deleting the collection of validation webhooks 06/04/24 14:28:37.457
STEP: Creating a configMap that should not be mutated 06/04/24 14:28:37.766
[AfterEach] [sig-api-machinery] AdmissionWebhook [Privileged:ClusterAdmin]
  k8s.io/kubernetes@v1.26.1/test/e2e/apimachinery/webhook.go:105
[DeferCleanup (Each)] [sig-api-machinery] AdmissionWebhook [Privileged:ClusterAdmin]
  k8s.io/kubernetes@v1.26.1/test/e2e/framework/metrics/init/init.go:33
[DeferCleanup (Each)] [sig-api-machinery] AdmissionWebhook [Privileged:ClusterAdmin]
  dump namespaces | framework.go:196
[DeferCleanup (Each)] [sig-api-machinery] AdmissionWebhook [Privileged:ClusterAdmin]
  tear down framework | framework.go:193
Jun  4 14:28:39.467: INFO: Found DeleteNamespace=false, skipping namespace deletion!

      Actual results:

      e2e test "[sig-api-machinery] AdmissionWebhook [Privileged:ClusterAdmin] listing mutating webhooks should work [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]" execution fail

      Expected results:

      listing mutating webhooks should work e2e test should work

              Unassigned Unassigned
              rhn-support-dpunia Deepak Punia (Inactive)
              None
              None
              Ke Wang Ke Wang
              None
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: