so that configured liveness probes will fail
if the loopback certificate has expired,
forcing a restart.
Signed-off-by: Bryce Palmer <bpalmer@redhat.com>
The verbs parameter slice might be shared between different rule instances and
gets sorted (= written), so we have to make a copy or (even better) also
de-duplicate as in pkg/apis/rbac/helpers.go.
More specifically, plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
shares the Read and ReadWrite slices, causing:
WARNING: DATA RACE
Read at 0x000008e5e5b0 by goroutine 124:
slices.insertionSortOrdered[go.shape.string]()
/home/prow/go/src/k8s.io/kubernetes/_output/local/go/cache/mod/golang.org/toolchain@v0.0.1-go1.25.6.linux-amd64/src/slices/zsortordered.go:14 +0x126
slices.pdqsortOrdered[go.shape.string]()
/home/prow/go/src/k8s.io/kubernetes/_output/local/go/cache/mod/golang.org/toolchain@v0.0.1-go1.25.6.linux-amd64/src/slices/zsortordered.go:75 +0x6c4
slices.Sort[go.shape.[]string,go.shape.string]()
/home/prow/go/src/k8s.io/kubernetes/_output/local/go/cache/mod/golang.org/toolchain@v0.0.1-go1.25.6.linux-amd64/src/slices/sort.go:18 +0x64
sort.Strings()
/home/prow/go/src/k8s.io/kubernetes/_output/local/go/cache/mod/golang.org/toolchain@v0.0.1-go1.25.6.linux-amd64/src/sort/sort.go:181 +0xe
k8s.io/kubernetes/pkg/apis/rbac/v1.(*PolicyRuleBuilder).Rule()
/home/prow/go/src/k8s.io/kubernetes/pkg/apis/rbac/v1/helpers.go:98 +0x2c9
k8s.io/kubernetes/pkg/apis/rbac/v1.(*PolicyRuleBuilder).RuleOrDie()
/home/prow/go/src/k8s.io/kubernetes/pkg/apis/rbac/v1/helpers.go:65 +0x2f44
k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy.ClusterRoles()
/home/prow/go/src/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go:404 +0x2c13
...
Previous write at 0x000008e5e5b0 by goroutine 123:
slices.insertionSortOrdered[go.shape.string]()
/home/prow/go/src/k8s.io/kubernetes/_output/local/go/cache/mod/golang.org/toolchain@v0.0.1-go1.25.6.linux-amd64/src/slices/zsortordered.go:15 +0x2f9
slices.pdqsortOrdered[go.shape.string]()
/home/prow/go/src/k8s.io/kubernetes/_output/local/go/cache/mod/golang.org/toolchain@v0.0.1-go1.25.6.linux-amd64/src/slices/zsortordered.go:75 +0x6c4
slices.Sort[go.shape.[]string,go.shape.string]()
/home/prow/go/src/k8s.io/kubernetes/_output/local/go/cache/mod/golang.org/toolchain@v0.0.1-go1.25.6.linux-amd64/src/slices/sort.go:18 +0x64
sort.Strings()
/home/prow/go/src/k8s.io/kubernetes/_output/local/go/cache/mod/golang.org/toolchain@v0.0.1-go1.25.6.linux-amd64/src/sort/sort.go:181 +0xe
k8s.io/kubernetes/pkg/apis/rbac/v1.(*PolicyRuleBuilder).Rule()
/home/prow/go/src/k8s.io/kubernetes/pkg/apis/rbac/v1/helpers.go:98 +0x2c9
k8s.io/kubernetes/pkg/apis/rbac/v1.(*PolicyRuleBuilder).RuleOrDie()
/home/prow/go/src/k8s.io/kubernetes/pkg/apis/rbac/v1/helpers.go:65 +0x2f44
k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy.ClusterRoles()
/home/prow/go/src/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go:404 +0x2c13
Seen in test/integration/apiserver/oidc.
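
The shared-slice problem described in the commit message above, as an added Go example that is not part of the commit or of the Kubernetes code base: sorting a caller's verb slice in place writes to memory every caller shares, while sorting and de-duplicating a private copy only reads it. The names rule, ruleInPlace, ruleCopied and buildConcurrently and the verb list are constructed for this illustration.

```go
package main

import (
	"fmt"
	"slices"
	"sort"
	"sync"
)

// rule is a hypothetical stand-in for an RBAC policy rule.
type rule struct{ Verbs []string }

// ruleInPlace keeps the caller's slice and sorts it: every call writes to the
// backing array shared by all callers that pass the same slice.
func ruleInPlace(verbs []string) rule {
	sort.Strings(verbs)
	return rule{Verbs: verbs}
}

// ruleCopied sorts and de-duplicates a private copy, so the caller's slice is
// only ever read and can safely be shared between goroutines.
func ruleCopied(verbs []string) rule {
	own := slices.Clone(verbs)
	sort.Strings(own)
	return rule{Verbs: slices.Compact(own)}
}

// buildConcurrently builds n rules from one shared slice with ruleCopied and
// reports whether the shared slice still has its original contents afterwards.
func buildConcurrently(shared []string, n int) bool {
	before := slices.Clone(shared)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			_ = ruleCopied(shared)
		}()
	}
	wg.Wait()
	return slices.Equal(before, shared)
}

func main() {
	// Constructed sample: one verb list reused by many rule definitions.
	readWrite := []string{"get", "list", "watch", "create", "update", "get"}
	fmt.Println(buildConcurrently(readWrite, 8), readWrite)
	ruleInPlace(readWrite) // single-threaded here; concurrent calls would race
	fmt.Println(readWrite)
}
```

Running the concurrent loop with ruleInPlace under `go test -race` or `go run -race` produces a report of the same shape as the trace above, with the read and the previous write both inside the sort.
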
The previous incubating becomes stable, experimental the new incubating. Now
experimental and incubating are identical until we merge more experimental
changes again.
Specifically, these commands were used:

    rm -rf stable
    mv incubating stable
    mv stable/allocator_incubating.go stable/allocator_stable.go
    mv stable/pools_incubating.go stable/pools_stable.go
    sed -i -e 's/package incubating/package stable/' stable/*.go
    cp -a experimental incubating
    mv incubating/allocator_experimental.go incubating/allocator_incubating.go
    mv incubating/pools_experimental.go incubating/pools_incubating.go
    sed -i -e 's/package experimental/package incubating/' incubating/*.go

Some other packages then need to be adapted, in particular the
TestAllocatorSelection test.
Refactor TestVersionedValidationByFuzzing to use a declarative map,
subresourceOnly, for resources that must be validated via a specific
subresource path (like autoscaling/Scale).
GVKs not in this map default to root-level validation (""), which is
sufficient for resources that share validation logic between their root
and subresources. This replaces the previous ad-hoc special-casing
with a cleaner, extensible mapping.
Fuzzing must be performed on the internal version of objects because
custom fuzzing functions are typically registered for internal types.
This ensures that all fields are properly initialized with random values
before being converted to various API versions for validation.
Move fuzzing logic into VerifyVersionedValidationEquivalence via a new
WithFuzzer option. This also fixes a panic that occurred when attempting
to fuzz types without an internal version (e.g., APIGroupList) by adding
a nil check after internal conversion.
This change graduates the 'DeclarativeValidation' feature gate to GA in v1.36.
The feature gate is now locked to 'true' by default.
Changes:
- Updated 'DeclarativeValidation' feature gate to GA in 'pkg/features/kube_features.go' and 'staging/src/k8s.io/apiserver/pkg/features/kube_features.go'.
- Updated feature gate documentation and versioned lists via 'hack/update-featuregates.sh'.
- Added feature gate emulation versioning to tests that explicitly disable 'DeclarativeValidation' to prevent panics now that the gate is locked to default.
Adds TestGetImageRefReturnsImageIdNotRepoDigest to verify that GetImageRef
returns Image.Id instead of RepoDigests. This ensures content-based
deduplication where the same image pulled from different registries is
treated as identical content rather than separate images.
The test prevents regression of the issue fixed in the revert of cb011623c8
where using RepoDigests[0] caused location-dependent identity
(registry.io/image@sha256:...) instead of content-based identity
(sha256:...), breaking deduplication and creating separate pull records
for identical image content.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>