WIP: do not merge - jacob's 1.36 tests #2654
jacobsee wants to merge 2928 commits into openshift:master from
Conversation
Implement the RPSR controller that watches ResourcePoolStatusRequest objects and aggregates pool status from DRA drivers. Add the API server registry (strategy, storage), handwritten validation, RBAC bootstrap policy for the controller, kube-controller-manager wiring, table printer columns, and storage factory registration.
Add unit tests for handwritten and declarative validation, controller logic, metrics, table printer output, controller-manager registration, etcd storage round-trip, and an integration test for the full RPSR lifecycle. Also add an e2e test exercising the DRA test driver with RPSR and the example manifest.
…00, maxLength=128) for etcd safety, add Errors printer column Signed-off-by: Nour <nurmn3m@gmail.com>
Signed-off-by: Nour <nurmn3m@gmail.com>
Signed-off-by: Nour <nurmn3m@gmail.com>
…ify retry logic and metric tests Signed-off-by: Nour <nurmn3m@gmail.com>
…op unnecessary Feature:DynamicResourceAllocation tag, fix indentation Signed-off-by: Nour <nurmn3m@gmail.com>
…generate the code Signed-off-by: Nour <nurmn3m@gmail.com>
* Add admission for podGroup
Signed-off-by: helayoty <heelayot@microsoft.com>
* Create workload object before podgroup
Signed-off-by: helayoty <heelayot@microsoft.com>
---------
Signed-off-by: helayoty <heelayot@microsoft.com>
…econcile Remove reconcilePodMemoryProtection that resets pod cgroup values on systemd
…and container ID instead of StartTime The expectation that StartTime changes on kubelet restart for static pods is no longer reliable due to faked init container status logic. This change updates the tests to assert on the specific behavior introduced by that logic.
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
test: fix flaky static pod tests by asserting on termination message …
Remove PodGroupTemplateRef from the PodGroup e2e CRUD test. The PodGroupWorkloadExists admission plugin (introduced in kubernetes#137464) rejects PodGroups that reference a non-existent Workload, causing the test to fail. The workload reference is not needed to test basic PodGroup API CRUD operations.
Signed-off-by: Maciej Szulik <soltysh@gmail.com>
update google.golang.org/grpc to v1.79.3
…ist-default-to-false-for-1.36 Switch PLEGOnDemandRelist default to `false` for 1.36
…ure actuated pod-level resources are updated
…heduler-events scheduler: use contextual logging for event emission
…to ResourceSliceMaxDevicesWithAdvancedFeatures and add testcases with max devices with list attributes
KEP-961: demote maxUnavailable feature in statefulset to off by default
…oad-api test: Fix PodGroup CRUD test failing due to missing Workload reference
…ources that inherit changes due to pod-level modifications
…imary clusters Detect cluster's primary IP family by querying kubernetes.default service ClusterIP instead of using HasIPv4/HasIPv6 flags. The previous logic incorrectly returned ipv4 for dual-stack v6-primary clusters because both HasIPv4 and HasIPv6 were true. This matches the upstream approach in test/e2e/e2e.go and fixes DNS tests that were querying for A records instead of AAAA records in v6-primary environments.
After openshift/origin#30786 added ibmcloud to the provider switch in openshift-tests, the provider name is now correctly passed through to k8s-tests-ext. However, k8s-tests-ext only registers upstream Kubernetes providers (aws, azure, gce, kubemark, openstack, vsphere) via the test/e2e/providers.go import. OpenShift-specific providers like ibmcloud are not registered, causing framework.AfterReadingAllFlags to call SetupProviderConfig which fails with "Unknown provider" and Exit(1), crashing every test process. This registers all OpenShift-specific cloud providers (baremetal, ovirt, kubevirt, alibabacloud, nutanix, ibmcloud, external) as NullProviders in k8s-tests-ext. These providers don't require special setup for upstream kube e2e tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…e2e test Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: jubittajohn <jujohn@redhat.com>
To be squashed with the following commit later: "UPSTREAM: <carry>: Add OpenShift tooling, images, configs and docs"
Signed-off-by: jubittajohn <jujohn@redhat.com>
…er_manager_linux_test.go Squash into: UPSTREAM: <carry>: disable load balancing on created cgroups when managed is enabled
…s in flagz_test.go and statusz_test.go
Squash into: UPSTREAM: <carry>: apiserver: add system_client=kube-{apiserver,cm,s} to apiserver_request_total
Signed-off-by: Shaza Aldawamneh <shaza.aldawamneh@hotmail.com>
…e when claims.email is used in username expression Signed-off-by: Shaza Aldawamneh <shaza.aldawamneh@hotmail.com>
Signed-off-by: jubittajohn <jujohn@redhat.com>
Signed-off-by: jubittajohn <jujohn@redhat.com>
Signed-off-by: jubittajohn <jujohn@redhat.com>
…acheGC is enabled Squash into UPSTREAM: <carry>: create termination events
86a6356 to 2af6682
/test integration
Actionable comments posted: 7
♻️ Duplicate comments (1)
api/openapi-spec/v3/apis__certificates.k8s.io__v1beta1_openapi.json (1)
273-281: ⚠️ Potential issue | 🟠 Major

Don't require stubPKCS10Request unconditionally.

This still makes the OpenAPI schema reject legacy-valid requests that send pkixPublicKey plus proofOfPossession without stubPKCS10Request. The contract needs an either/or constraint here, not a top-level required entry for stubPKCS10Request.

Schema shape to target

```diff
 "required": [
   "signerName",
   "podName",
   "podUID",
   "serviceAccountName",
   "serviceAccountUID",
   "nodeName",
-  "nodeUID",
-  "stubPKCS10Request"
+  "nodeUID"
 ],
+"oneOf": [
+  {
+    "required": [
+      "stubPKCS10Request"
+    ]
+  },
+  {
+    "required": [
+      "pkixPublicKey",
+      "proofOfPossession"
+    ]
+  }
+],
 "type": "object"
```

Verification script:

```bash
#!/bin/bash
set -euo pipefail
echo "## Current validation logic"
rg -n -C4 --type=go 'Validate.*PodCertificateRequest|validate.*PodCertificateRequest|stubPKCS10Request|pkixPublicKey|proofOfPossession'
echo
echo "## Type definitions / validation tags"
rg -n -C4 --type=go 'type\s+PodCertificateRequestSpec\b|stubPKCS10Request|pkixPublicKey|proofOfPossession'
```

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@api/openapi-spec/v3/apis__certificates.k8s.io__v1beta1_openapi.json` around lines 273 - 281, The OpenAPI schema erroneously lists "stubPKCS10Request" as a top-level required property which forces rejection of legitimate requests that supply "pkixPublicKey" + "proofOfPossession"; remove "stubPKCS10Request" from the required array and instead express the either/or constraint using an OpenAPI conditional (e.g. oneOf or anyOf with two schemas) on the PodCertificateRequest/PodCertificateRequestSpec schema so that either the stubPKCS10Request field is present OR the pair pkixPublicKey and proofOfPossession are present; update the schema definitions referencing "stubPKCS10Request", "pkixPublicKey", and "proofOfPossession" to match this oneOf/anyOf conditional.
🧹 Nitpick comments (1)
CHANGELOG/CHANGELOG-1.3.md (1)
395-428: 💤 Low value

Optional: Fix heading level increment for better document structure.
The subsections under "Known Issues and Important Steps before Upgrading" skip from h2 to h4. Markdown best practice recommends incrementing heading levels by one at a time.
📋 Suggested heading structure

```diff
-#### ThirdPartyResource
+### ThirdPartyResource
-#### kubectl
+### kubectl
-#### kubernetes Core Known Issues
+### kubernetes Core Known Issues
-#### Docker runtime Known Issues
+### Docker runtime Known Issues
-#### Rkt runtime Known Issues
+### Rkt runtime Known Issues
```

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@CHANGELOG/CHANGELOG-1.3.md` around lines 395 - 428, The changelog jumps heading levels (subsections under "Known Issues and Important Steps before Upgrading" use ####), so adjust the markdown headings to increment by one level: change the section headings "ThirdPartyResource", "kubectl", "kubernetes Core Known Issues", "Docker runtime Known Issues", and "Rkt runtime Known Issues" from #### to ### (or otherwise ensure they are one level deeper than their parent) so the document structure is hierarchical and consistent.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json`:
- Around line 477-479: The description for the schema field
parameterNotFoundAction is using validation-specific wording; update its text to
use mutation-specific phrasing for MutatingAdmissionPolicyBinding (referencing
parameterNotFoundAction in the MutatingAdmissionPolicyBinding schema) so it
describes the behavior for mutation policies (e.g., explain how no matched
parameters affect mutation execution and failurePolicy) and replace "successful
validation" with appropriate mutation terminology; regenerate the openapi spec
from the corrected source comment so the public docs reflect the new wording.
- Around line 3374-3382: Remove the query parameter object named "shardSelector"
from the watch-by-name endpoints for mutatingadmissionpolicies and
mutatingadmissionpolicybindings (the GET paths ending with /watch/.../{name}) in
the generated OpenAPI spec; locate the parameter block with "name":
"shardSelector" / "in": "query" (the schema type "string" with "uniqueItems":
true) and ensure it is not emitted for endpoints whose path contains a {name}
path parameter, so single-object watch routes no longer include shardSelector in
their query params.
In `@api/openapi-spec/v3/apis__authentication.k8s.io__v1_openapi.json`:
- Around line 126-128: The OpenAPI schema marks spec.token as required but
there's no server-side validator; add a validation implementation under
pkg/apis/authentication/validation that enforces non-empty Token (e.g.,
implement ValidateTokenReview and/or ValidateTokenReviewSpec which check that
Token (pkg/apis/authentication/types.go) is not empty and return an appropriate
field.ErrorList), register these validators with the admission/validation entry
points for TokenReview resources, and/or add kubebuilder validation markers on
the Token field in types.go if you prefer code-gen'd OpenAPI + then regenerate
to keep schema and server-side checks in sync.
In `@api/openapi-spec/v3/apis__certificates.k8s.io__v1_openapi.json`:
- Around line 992-1000: Update the description for the query parameter
"shardSelector" (parameter name: shardSelector, schema type: string) to reflect
that this is used by deletecollection operations: replace the phrase "restricts
the list of returned objects" with wording that it "restricts which objects are
targeted for deletion" (or equivalent) and keep the rest of the explanation
about CEL shardRange syntax, supported field paths, hexStart/hexEnd bounds,
examples, and the note about the ShardedListAndWatch feature gate unchanged.
In `@api/openapi-spec/v3/apis__discovery.k8s.io__v1_openapi.json`:
- Around line 228-230: The OpenAPI schema made EndpointSlice.endpoints optional
while the Go type EndpointSlice.Endpoints (pkg/apis/discovery/types.go) remains
non-optional; to fix this, update the OpenAPI schema for the EndpointSlice
object by adding "endpoints" to its "required" array so the JSON contract
matches the Go model (or alternatively make the Go field optional/omitempty if
you intend the API to be optional) — ensure you modify the EndpointSlice
schema's "required" list in the OpenAPI file to include "endpoints" to restore
schema/type parity.
In `@CHANGELOG/CHANGELOG-1.2.md`:
- Line 270: Fix the typo in the changelog entry by replacing "recevied" with
"received" in the line that currently reads "* kubelet: send all recevied pods
in one update ([`#23141`], [`@yujuhong`])" so it becomes "* kubelet: send all
received pods in one update ([`#23141`], [`@yujuhong`])".
In `@CHANGELOG/CHANGELOG-1.3.md`:
- Line 948: Change the misspelled word "recevied" to "received" in the changelog
entry line that reads "* kubelet: send all recevied pods in one update
([`#23141`](https://github.com/kubernetes/kubernetes/pull/23141),
[`@yujuhong`](https://github.com/yujuhong))" so it reads "* kubelet: send all
received pods in one update (...)".
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 18c882ae-2c7a-44b4-b5cc-56e20fc591a1
⛔ Files ignored due to path filters (25)
- LICENSES/vendor/github.com/armon/circbuf/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/github.com/cenkalti/backoff/v4/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/github.com/cenkalti/backoff/v5/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/github.com/gregjones/httpcache/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/github.com/grpc-ecosystem/go-grpc-prometheus/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/github.com/karrick/godirwalk/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/github.com/libopenstorage/openstorage/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/github.com/mistifyio/go-zfs/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/github.com/mohae/deepcopy/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/github.com/mrunalp/fileutils/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/github.com/pkg/errors/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/go.opentelemetry.io/otel/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/go.opentelemetry.io/otel/metric/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/go.opentelemetry.io/otel/sdk/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/go.opentelemetry.io/otel/trace/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/go.uber.org/zap/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/k8s.io/utils/third_party/forked/golang/LICENSE is excluded by !**/vendor/**
- LICENSES/vendor/k8s.io/utils/third_party/forked/golang/btree/LICENSE is excluded by !**/vendor/**
- cmd/kubeadm/app/discovery/token/testdata/ca-cert.pem is excluded by !**/*.pem
- cmd/kubeadm/app/util/config/testdata/mynode.pem is excluded by !**/*.pem
📒 Files selected for processing (275)
💤 Files with no reviewable changes (1)
- api/discovery/apis__scheduling.k8s.io__v1alpha1.json
✅ Files skipped from review due to trivial changes (14)
- .go-version
- .ci-operator.yaml
- api/discovery/apis__storage.k8s.io__v1beta1.json
- api/discovery/apis__scheduling.k8s.io__v1alpha2.json
- CHANGELOG/README.md
- .github/PULL_REQUEST_TEMPLATE.md
- .gitignore
- api/discovery/apis.json
- api/discovery/apis__scheduling.k8s.io.json
- api/discovery/apis__resource.k8s.io__v1alpha3.json
- api/api-rules/violation_exceptions.list
- CHANGELOG/CHANGELOG-1.35.md
- api/discovery/aggregated_v2.json
- api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1alpha1_openapi.json
🚧 Files skipped from review as they are similar to previous changes (13)
- api/discovery/apis__storage.k8s.io__v1.json
- api/openapi-spec/README.md
- api/discovery/apis__resource.k8s.io__v1beta2.json
- api/discovery/apis__admissionregistration.k8s.io__v1.json
- api/openapi-spec/v3/apis__authorization.k8s.io__v1_openapi.json
- api/openapi-spec/v3/apis__autoscaling__v2_openapi.json
- api/openapi-spec/v3/apis__autoscaling__v1_openapi.json
- api/openapi-spec/v3/apis__coordination.k8s.io__v1_openapi.json
- api/openapi-spec/v3/apis__coordination.k8s.io__v1beta1_openapi.json
- api/openapi-spec/v3/apis__flowcontrol.apiserver.k8s.io__v1_openapi.json
- OWNERS_ALIASES
- api/openapi-spec/v3/apis__batch__v1_openapi.json
- api/openapi-spec/v3/apis__apps__v1_openapi.json
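To see what the either/or contract proposed for the PodCertificateRequest schema (the stubPKCS10Request finding above) actually accepts and rejects, here is an added example. It is not code from this PR, from the kubernetes repository, or from CodeRabbit's output. The required field names are the ones quoted in the review comment; the two schema variants are constructed for the example rather than copied from the generated file, the spec values are placeholders, and the evaluator only implements the `required`, `oneOf` and `anyOf` keywords that the comparison needs.

```python
"""Added example: minimal evaluator for the required / oneOf / anyOf keywords,
run over constructed PodCertificateRequest-style spec objects. Not the
repository's validation code and not a full JSON Schema implementation."""
from typing import Any, Callable

# Field names as quoted in the review comment. The two schema variants below
# are constructed for this example, not copied from the generated OpenAPI file.
COMMON_REQUIRED = [
    "signerName", "podName", "podUID", "serviceAccountName",
    "serviceAccountUID", "nodeName", "nodeUID",
]

# Shape criticised in the review: stubPKCS10Request is unconditionally required.
CURRENT_SCHEMA: dict[str, Any] = {
    "type": "object",
    "required": COMMON_REQUIRED + ["stubPKCS10Request"],
}

# Shape the review suggests: common fields plus exactly one request encoding.
PROPOSED_SCHEMA: dict[str, Any] = {
    "type": "object",
    "required": COMMON_REQUIRED,
    "oneOf": [
        {"required": ["stubPKCS10Request"]},
        {"required": ["pkixPublicKey", "proofOfPossession"]},
    ],
}

# Same contract with anyOf: a spec carrying both encodings is then accepted.
PROPOSED_ANYOF_SCHEMA: dict[str, Any] = {
    "type": "object",
    "required": COMMON_REQUIRED,
    "anyOf": PROPOSED_SCHEMA["oneOf"],
}


def validate(instance: Any, schema: dict) -> list[str]:
    """Return the list of violations; an empty list means the instance validates.

    Supported keywords: type=object, required, oneOf (exactly one branch must
    validate) and anyOf (at least one branch must validate)."""
    if schema.get("type") == "object" and not isinstance(instance, dict):
        return ["expected an object"]
    errors: list[str] = []
    for field in schema.get("required", []):
        if field not in instance:
            errors.append(f"missing required field {field!r}")
    if "oneOf" in schema:
        matching = [b for b in schema["oneOf"] if not validate(instance, b)]
        if len(matching) != 1:
            errors.append(f"oneOf: expected exactly one matching branch, got {len(matching)}")
    if "anyOf" in schema:
        if not any(not validate(instance, b) for b in schema["anyOf"]):
            errors.append("anyOf: no branch matched")
    return errors


def base_spec() -> dict:
    """Constructed sample with only the common fields; values are placeholders."""
    return {
        "signerName": "example.com/signer",
        "podName": "demo-pod", "podUID": "uid-pod-0001",
        "serviceAccountName": "default", "serviceAccountUID": "uid-sa-0001",
        "nodeName": "node-a", "nodeUID": "uid-node-0001",
    }


def legacy_spec() -> dict:
    """Legacy-valid request: PKIX public key plus proof of possession, no CSR stub."""
    spec = base_spec()
    spec["pkixPublicKey"] = "BASE64-PKIX-PLACEHOLDER"
    spec["proofOfPossession"] = "BASE64-POP-PLACEHOLDER"
    return spec


def stub_spec() -> dict:
    """New-style request carrying only the PKCS#10 stub."""
    spec = base_spec()
    spec["stubPKCS10Request"] = "BASE64-CSR-PLACEHOLDER"
    return spec


def both_spec() -> dict:
    """Request that sends both encodings at once."""
    spec = legacy_spec()
    spec["stubPKCS10Request"] = "BASE64-CSR-PLACEHOLDER"
    return spec


def outcome(build: Callable[[], dict]) -> tuple[bool, bool]:
    """(valid under CURRENT_SCHEMA, valid under PROPOSED_SCHEMA) for one sample."""
    spec = build()
    return (not validate(spec, CURRENT_SCHEMA), not validate(spec, PROPOSED_SCHEMA))


if __name__ == "__main__":
    for name, build in (("legacy", legacy_spec), ("stub", stub_spec),
                        ("both", both_spec), ("neither", base_spec)):
        print(f"{name:8s} current={outcome(build)[0]!s:5s} proposed={outcome(build)[1]!s:5s}")
```

The run shows the point of the finding: the legacy request is rejected by the current shape and accepted by the proposed one, while the stub-only request passes both. The caveat worth noticing before choosing between `oneOf` and `anyOf` is that `oneOf` rejects a request that carries both encodings, so the server-side validator and the published schema need to agree on whether that combination is legal.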
| "parameterNotFoundAction": { | ||
| "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny`\n\nRequired", | ||
| "description": "parameterNotFoundAction controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny`\n\nRequired", | ||
| "type": "string" |
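Review bot: the `+` description line still tells users that missing parameters are "treated as successful validation by the binding", which is the wording of the validating binding, so the text is wrong for a MutatingAdmissionPolicyBinding and the only change the hunk makes, dropping the backticks around the field name, does not address that. Because this file is generated, please change the doc comment on the Go source type and regenerate rather than editing the JSON; otherwise the next regeneration will re-emit the same text.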
Use mutation-specific wording for parameterNotFoundAction.
This schema is for MutatingAdmissionPolicyBinding, but the new description still says “successful validation by the binding”. That will publish incorrect public docs unless the source comment is fixed and the spec is regenerated.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json`
around lines 477 - 479, The description for the schema field
parameterNotFoundAction is using validation-specific wording; update its text to
use mutation-specific phrasing for MutatingAdmissionPolicyBinding (referencing
parameterNotFoundAction in the MutatingAdmissionPolicyBinding schema) so it
describes the behavior for mutation policies (e.g., explain how no matched
parameters affect mutation execution and failurePolicy) and replace "successful
validation" with appropriate mutation terminology; regenerate the openapi spec
from the corrected source comment so the public docs reflect the new wording.
| { | ||
| "description": "shardSelector restricts the list of returned objects using a CEL-based shard selector expression. The format uses the shardRange() function combined with || (logical OR) to specify one or more hash ranges:\n\n shardRange(object.metadata.uid, '0x0', '0x8000000000000000')\n shardRange(object.metadata.uid, '0x0', '0x8000000000000000') || shardRange(object.metadata.uid, '0x8000000000000000', '0x10000000000000000')\n\nField paths use CEL-style object-rooted syntax (e.g. \"object.metadata.uid\"), NOT the fieldSelector format (\"metadata.uid\"). Currently supported paths:\n - object.metadata.uid\n - object.metadata.namespace\n\nhexStart and hexEnd are single-quoted CEL string literals with a '0x' prefix, defining the inclusive lower and exclusive upper bounds over the 64-bit FNV-1a hash space. The full range is [0x0, 0x10000000000000000), where the exclusive upper bound equals 2^64.\n\nExamples:\n 2-shard split:\n shard 0: shardRange(object.metadata.uid, '0x0000000000000000', '0x8000000000000000')\n shard 1: shardRange(object.metadata.uid, '0x8000000000000000', '0x10000000000000000')\n 4-shard split:\n shard 0: shardRange(object.metadata.uid, '0x0000000000000000', '0x4000000000000000')\n shard 1: shardRange(object.metadata.uid, '0x4000000000000000', '0x8000000000000000')\n shard 2: shardRange(object.metadata.uid, '0x8000000000000000', '0xc000000000000000')\n shard 3: shardRange(object.metadata.uid, '0xc000000000000000', '0x10000000000000000')\n\nThis is an alpha field and requires enabling the ShardedListAndWatch feature gate.", | ||
| "in": "query", | ||
| "name": "shardSelector", | ||
| "schema": { | ||
| "type": "string", | ||
| "uniqueItems": true | ||
| } | ||
| }, |
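Review bot: The description fixes the bound format and lists the currently supported field paths, but says nothing about what the server does with an expression that references another path, omits the 0x prefix, or has an end bound above 0x10000000000000000: is the request rejected, or is the selector ignored? For a parameter whose purpose is to partition a collection across clients, a silently ignored selector means every shard receives the full list, so the error behaviour should be stated next to "Currently supported paths" (for example, that any other path or malformed range is rejected rather than dropped).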
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
python3 <<'PY'
import json
from pathlib import Path
spec = json.loads(Path("api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json").read_text())
for path, item in spec["paths"].items():
if "{name}" not in path:
continue
for method, op in item.items():
if not isinstance(op, dict) or op.get("x-kubernetes-action") != "watch":
continue
params = [
p.get("name")
for p in (item.get("parameters", []) + op.get("parameters", []))
if isinstance(p, dict)
]
print(f"{method.upper()} {path} -> shardSelector={'shardSelector' in params}")
PY
Repository: openshift/kubernetes
Length of output: 286
🏁 Script executed:
# Check file exists and get line count
wc -l "api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json"
# Read lines around 3374-3382
echo "=== Lines 3374-3382 ==="
sed -n '3374,3382p' "api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json"
# Read lines around 3724-3732
echo "=== Lines 3724-3732 ==="
sed -n '3724,3732p' "api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json"
# Count all shardSelector occurrences
echo "=== Total shardSelector occurrences ==="
rg -c "shardSelector" "api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json"
Repository: openshift/kubernetes
Length of output: 3787
🏁 Script executed:
# Get context around line 3374
echo "=== Context around line 3374 (20 lines before) ==="
sed -n '3354,3374p' "api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json" | grep -E '"(path|x-kubernetes-action|operationId)"'
# Get broader context
echo "=== Broader context around line 3374 (50 lines before) ==="
sed -n '3324,3374p' "api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json" | tail -30
echo ""
echo "=== Context around line 3724 (50 lines before) ==="
sed -n '3674,3724p' "api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json" | tail -30
Repository: openshift/kubernetes
Length of output: 5372
🏁 Script executed:
# Search for "watch" and "{name}" in the JSON to identify the paths
python3 <<'PY'
import json
from pathlib import Path
spec = json.loads(Path("api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json").read_text())
# Find which paths contain named watch and note their position in the file
line_num = 1
for path, item in spec["paths"].items():
if "{name}" not in path or "watch" not in path:
continue
for method, op in item.items():
if not isinstance(op, dict) or op.get("x-kubernetes-action") != "watch":
continue
params = [p.get("name") for p in (item.get("parameters", []) + op.get("parameters", [])) if isinstance(p, dict)]
has_shard = 'shardSelector' in params
print(f"Path: {path}")
print(f"Method: {method.upper()}")
print(f"Has shardSelector: {has_shard}")
print(f"All params: {params}")
print()
PY
Repository: openshift/kubernetes
Length of output: 754
Drop shardSelector from watch-by-name endpoints.
These routes are already scoped by {name}, so a collection shard selector has no useful meaning here. Leaving it in the generated spec widens the public API with a parameter clients cannot meaningfully use on single-object watches.
The named watch endpoints currently expose shardSelector:
- GET /apis/admissionregistration.k8s.io/v1beta1/watch/mutatingadmissionpolicies/{name}
- GET /apis/admissionregistration.k8s.io/v1beta1/watch/mutatingadmissionpolicybindings/{name}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json`
around lines 3374 - 3382, remove the query parameter object named
"shardSelector" from the watch-by-name endpoints for mutatingadmissionpolicies
and mutatingadmissionpolicybindings (the GET paths ending with
/watch/.../{name}) in the generated OpenAPI spec; locate the parameter block
with "name": "shardSelector" / "in": "query" (the schema type "string" with
"uniqueItems": true) and ensure it is not emitted for endpoints whose path
contains a {name} path parameter, so single-object watch routes no longer
include shardSelector in their query params.
| "required": [ | ||
| "token" | ||
| ], |
❓ Verification inconclusive
Script executed:
#!/bin/bash
set -euo pipefail
echo "== TokenReviewSpec type and markers =="
rg -n -C3 'type TokenReviewSpec struct|Token string|\\+optional|\\+required|datapolicy:"token"' pkg/apis/authentication/types.go
echo
echo "== TokenReview validation paths =="
rg -n -C4 'func ValidateTokenReview|func ValidateTokenReviewSpec|spec\.Token|len\(.*Token' pkg/apis/authentication
echo
echo "== OpenAPI/swagger generation sources touching TokenReviewSpec token requiredness =="
rg -n -C3 'TokenReviewSpec|required|token' pkg/apis/authentication
Repository: openshift/kubernetes
Exit code: 1
stdout:
== TokenReviewSpec type and markers ==
56-}
57-
58-// TokenReviewSpec is a description of the token authentication request.
59:type TokenReviewSpec struct {
60- // Token is the opaque bearer token.
61: Token string `datapolicy:"token"`
62- // Audiences is a list of the identifiers that the resource server presented
63- // with the token identifies as. Audience-aware token authenticators will
64- // verify that the token was intended for at least one of the audiences in
--
145-// TokenRequestStatus is the result of a token request.
146-type TokenRequestStatus struct {
147- // Token is the opaque bearer token.
148: Token string `datapolicy:"token"`
149- // ExpirationTimestamp is the time of expiration of the returned token.
150- ExpirationTimestamp metav1.Time
151-}
== TokenReview validation paths ==
Script executed:
# Check if the file is auto-generated or manually maintained
head -30 api/openapi-spec/v3/apis__authentication.k8s.io__v1_openapi.json | grep -i "generated\|auto\|do not edit"
Repository: openshift/kubernetes
Exit code: 1
Script executed:
# Search for OpenAPI schema generation tooling
fd -e 'go' -e 'sh' -e 'py' | xargs rg -l 'openapi|swagger.*gen|gen.*spec' | head -20
Repository: openshift/kubernetes
Exit code: 0
stdout:
vendor/go.etcd.io/etcd/api/v3/etcdserverpb/rpc.pb.go
vendor/go.etcd.io/etcd/server/v3/embed/config.go
vendor/go.opentelemetry.io/otel/semconv/v1.37.0/attribute_group.go
vendor/go.opentelemetry.io/otel/semconv/v1.17.0/event.go
vendor/go.opentelemetry.io/otel/semconv/v1.39.0/otelconv/metric.go
vendor/go.opentelemetry.io/otel/semconv/v1.17.0/trace.go
vendor/go.opentelemetry.io/otel/semconv/v1.39.0/httpconv/metric.go
vendor/go.opentelemetry.io/otel/semconv/v1.17.0/resource.go
vendor/go.opentelemetry.io/otel/semconv/v1.12.0/resource.go
vendor/go.opentelemetry.io/otel/semconv/v1.39.0/rpcconv/metric.go
vendor/go.opentelemetry.io/otel/semconv/v1.12.0/trace.go
vendor/go.opentelemetry.io/otel/semconv/v1.39.0/attribute_group.go
vendor/google.golang.org/grpc/dialoptions.go
vendor/google.golang.org/protobuf/internal/impl/codec_map.go
vendor/golang.org/x/net/html/parse.go
vendor/golang.org/x/net/html/const.go
vendor/golang.org/x/net/http2/frame.go
vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go
vendor/golang.org/x/tools/go/ast/astutil/imports.go
vendor/k8s.io/kube-openapi/pkg/common/doc.go
Script executed:
# Check if TokenReviewSpec validation happens via CEL rules or other mechanisms
rg -n 'TokenReviewSpec|token.*required|required.*token' --type go pkg/apis/authentication/ -A 5 | head -50
Repository: openshift/kubernetes
Exit code: 0
stdout:
pkg/apis/authentication/zz_generated.deepcopy.go:208:func (in *TokenReviewSpec) DeepCopyInto(out *TokenReviewSpec) {
pkg/apis/authentication/zz_generated.deepcopy.go-209- *out = *in
pkg/apis/authentication/zz_generated.deepcopy.go-210- if in.Audiences != nil {
pkg/apis/authentication/zz_generated.deepcopy.go-211- in, out := &in.Audiences, &out.Audiences
pkg/apis/authentication/zz_generated.deepcopy.go-212- *out = make([]string, len(*in))
pkg/apis/authentication/zz_generated.deepcopy.go-213- copy(*out, *in)
--
pkg/apis/authentication/zz_generated.deepcopy.go:218:// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenReviewSpec.
pkg/apis/authentication/zz_generated.deepcopy.go:219:func (in *TokenReviewSpec) DeepCopy() *TokenReviewSpec {
pkg/apis/authentication/zz_generated.deepcopy.go-220- if in == nil {
pkg/apis/authentication/zz_generated.deepcopy.go-221- return nil
pkg/apis/authentication/zz_generated.deepcopy.go-222- }
pkg/apis/authentication/zz_generated.deepcopy.go:223: out := new(TokenReviewSpec)
pkg/apis/authentication/zz_generated.deepcopy.go-224- in.DeepCopyInto(out)
pkg/apis/authentication/zz_generated.deepcopy.go-225- return out
pkg/apis/authentication/zz_generated.deepcopy.go-226-}
pkg/apis/authentication/zz_generated.deepcopy.go-227-
pkg/apis/authentication/zz_generated.deepcopy.go-228-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
--
pkg/apis/authentication/v1beta1/zz_generated.conversion.go:71: if err := s.AddGeneratedConversionFunc((*authenticationv1beta1.TokenReviewSpec)(nil), (*authentication.TokenReviewSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
pkg/apis/authentication/v1beta1/zz_generated.conversion.go:72: return Convert_v1beta1_TokenReviewSpec_To_authentication_TokenReviewSpec(a.(*authenticationv1beta1.TokenReviewSpec), b.(*authentication.TokenReviewSpec), scope)
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-73- }); err != nil {
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-74- return err
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-75- }
pkg/apis/authentication/v1beta1/zz_generated.conversion.go:76: if err := s.AddGeneratedConversionFunc((*authentication.TokenReviewSpec)(nil), (*authenticationv1beta1.TokenReviewSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
pkg/apis/authentication/v1beta1/zz_generated.conversion.go:77: return Convert_authentication_TokenReviewSpec_To_v1beta1_TokenReviewSpec(a.(*authentication.TokenReviewSpec), b.(*authenticationv1beta1.TokenReviewSpec), scope)
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-78- }); err != nil {
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-79- return err
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-80- }
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-81- if err := s.AddGeneratedConversionFunc((*authenticationv1beta1.TokenReviewStatus)(nil), (*authentication.TokenReviewStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-82- return Convert_v1beta1_TokenReviewStatus_To_authentication_TokenReviewStatus(a.(*authenticationv1beta1.TokenReviewStatus), b.(*authentication.TokenReviewStatus), scope)
--
pkg/apis/authentication/v1beta1/zz_generated.conversion.go:156: if err := Convert_v1beta1_TokenReviewSpec_To_authentication_TokenReviewSpec(&in.Spec, &out.Spec, s); err != nil {
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-157- return err
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-158- }
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-159- if err := Convert_v1beta1_TokenReviewStatus_To_authentication_TokenReviewStatus(&in.Status, &out.Status, s); err != nil {
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-160- return err
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-161- }
--
pkg/apis/authentication/v1beta1/zz_generated.conversion.go:172: if err := Convert_authentication_TokenReviewSpec_To_v1beta1_TokenReviewSpec(&in.Spec, &out.Spec, s); err != nil {
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-173- return err
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-174- }
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-175- if err := Convert_authentication_TokenReviewStatus_To_v1beta1_TokenReviewStatus(&in.Status, &out.Status, s); err != nil {
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-176- return err
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-177- }
--
pkg/apis/authentication/v1beta1/zz_generated.conversion.go:186:func autoConvert_v1beta1_TokenReviewSpec_To_authentication_TokenReviewSpec(in *authenticationv1beta1.TokenReviewSpec, out *authentication.TokenReviewSpec, s conversion.Scope) error {
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-187- out.Token = in.Token
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-188- out.Audiences = *(*[]string)(unsafe.Pointer(&in.Audiences))
pkg/apis/authentication/v1beta1/zz_generated.conversion.go-189- return nil
Script executed:
# Verify the actual behavior: does API server accept requests without token field?
rg -n 'token.*nil|Token.*empty|omitempty' pkg/apis/authentication/types.go -C 2
Repository: openshift/kubernetes
Exit code: 0
stdout:
81- // spec.audiences field should validate that a compatible audience identifier
82- // is returned in the status.audiences field to ensure that the TokenReview
83: // server is audience aware. If a TokenReview returns an empty
84- // status.audience field where status.authenticated is "true", the token is
85- // valid against the audience of the Kubernetes API server.
Script executed:
# Check if validation rules exist in the OpenAPI schema itself (CEL validation)
rg -n 'validationRules|x-kubernetes-validations' api/openapi-spec/v3/apis__authentication.k8s.io__v1_openapi.json -A 5 | head -30
Repository: openshift/kubernetes
Exit code: 0
Script executed:
# Search for webhook/validation logic in authentication package
rg -n 'webhook|Validate|validation' pkg/apis/authentication/ --type go | grep -i token | head -20
Repository: openshift/kubernetes
Exit code: 0
stdout:
pkg/apis/authentication/validation/validation.go:28:// ValidateTokenRequest validates a TokenRequest.
pkg/apis/authentication/validation/validation.go:29:func ValidateTokenRequest(tr *authentication.TokenRequest) field.ErrorList {
Script executed:
# Check the actual TokenReview OpenAPI schema definition around the token field
sed -n '110,140p' api/openapi-spec/v3/apis__authentication.k8s.io__v1_openapi.json
Repository: openshift/kubernetes
Exit code: 0
stdout:
"description": "TokenReviewSpec is a description of the token authentication request.",
"properties": {
"audiences": {
"description": "audiences is a list of the identifiers that the resource server presented with the token identifies as. Audience-aware token authenticators will verify that the token was intended for at least one of the audiences in this list. If no audiences are provided, the audience will default to the audience of the Kubernetes apiserver.",
"items": {
"default": "",
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "atomic"
},
"token": {
"description": "token is the opaque bearer token.",
"type": "string"
}
},
"required": [
"token"
],
"type": "object"
},
"io.k8s.api.authentication.v1.TokenReviewStatus": {
"description": "TokenReviewStatus is the result of the token authentication request.",
"properties": {
"audiences": {
"description": "audiences are audience identifiers chosen by the authenticator that are compatible with both the TokenReview and token. An identifier is any identifier in the intersection of the TokenReviewSpec audiences and the token's audiences. A client of the TokenReview API that sets the spec.audiences field should validate that a compatible audience identifier is returned in the status.audiences field to ensure that the TokenReview server is audience aware. If a TokenReview returns an empty status.audience field where status.authenticated is \"true\", the token is valid against the audience of the Kubernetes API server.",
"items": {
"default": "",
"type": "string"
},
"type": "array",
Script executed:
# Check what ValidateTokenRequest actually validates
sed -n '28,60p' pkg/apis/authentication/validation/validation.go
Repository: openshift/kubernetes
Exit code: 0
stdout:
// ValidateTokenRequest validates a TokenRequest.
func ValidateTokenRequest(tr *authentication.TokenRequest) field.ErrorList {
allErrs := field.ErrorList{}
specPath := field.NewPath("spec")
if tr.Spec.ExpirationSeconds < MinTokenAgeSec {
allErrs = append(allErrs, field.Invalid(specPath.Child("expirationSeconds"), tr.Spec.ExpirationSeconds, "may not specify a duration less than 10 minutes"))
}
if tr.Spec.ExpirationSeconds > 1<<32 {
allErrs = append(allErrs, field.Invalid(specPath.Child("expirationSeconds"), tr.Spec.ExpirationSeconds, "may not specify a duration larger than 2^32 seconds"))
}
return allErrs
}
Script executed:
# Search for any validation of Token field being required/non-empty
rg -n 'Token.*required|Token.*empty|len.*Token|Token.*nil' pkg/apis/authentication/validation/ -C 3
Repository: openshift/kubernetes
Exit code: 1
Script executed:
# Check if there's a ValidateTokenReviewSpec or ValidateTokenReview function
rg -n 'ValidateTokenReview' pkg/apis/authentication/validation/validation.go -A 10
Repository: openshift/kubernetes
Exit code: 1
Required spec.token lacks corresponding server-side validation.
Line 126 adds OpenAPI required: ["token"], but there is no ValidateTokenReview or ValidateTokenReviewSpec function in pkg/apis/authentication/validation/ to enforce this constraint. The Token field in pkg/apis/authentication/types.go has only a datapolicy tag and no validation markers. Without explicit server-side validation, the required constraint in the schema may not be enforced at runtime, creating drift between the API contract and actual behavior.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@api/openapi-spec/v3/apis__authentication.k8s.io__v1_openapi.json` around
lines 126 - 128, the OpenAPI schema marks spec.token as required but there's no
server-side validator; add a validation implementation under
pkg/apis/authentication/validation that enforces non-empty Token (e.g.,
implement ValidateTokenReview and/or ValidateTokenReviewSpec which check that
Token (pkg/apis/authentication/types.go) is not empty and return an appropriate
field.ErrorList), register these validators with the admission/validation entry
points for TokenReview resources, and/or add kubebuilder validation markers on
the Token field in types.go if you prefer code-gen'd OpenAPI + then regenerate
to keep schema and server-side checks in sync.
| { | ||
| "description": "shardSelector restricts the list of returned objects using a CEL-based shard selector expression. The format uses the shardRange() function combined with || (logical OR) to specify one or more hash ranges:\n\n shardRange(object.metadata.uid, '0x0', '0x8000000000000000')\n shardRange(object.metadata.uid, '0x0', '0x8000000000000000') || shardRange(object.metadata.uid, '0x8000000000000000', '0x10000000000000000')\n\nField paths use CEL-style object-rooted syntax (e.g. \"object.metadata.uid\"), NOT the fieldSelector format (\"metadata.uid\"). Currently supported paths:\n - object.metadata.uid\n - object.metadata.namespace\n\nhexStart and hexEnd are single-quoted CEL string literals with a '0x' prefix, defining the inclusive lower and exclusive upper bounds over the 64-bit FNV-1a hash space. The full range is [0x0, 0x10000000000000000), where the exclusive upper bound equals 2^64.\n\nExamples:\n 2-shard split:\n shard 0: shardRange(object.metadata.uid, '0x0000000000000000', '0x8000000000000000')\n shard 1: shardRange(object.metadata.uid, '0x8000000000000000', '0x10000000000000000')\n 4-shard split:\n shard 0: shardRange(object.metadata.uid, '0x0000000000000000', '0x4000000000000000')\n shard 1: shardRange(object.metadata.uid, '0x4000000000000000', '0x8000000000000000')\n shard 2: shardRange(object.metadata.uid, '0x8000000000000000', '0xc000000000000000')\n shard 3: shardRange(object.metadata.uid, '0xc000000000000000', '0x10000000000000000')\n\nThis is an alpha field and requires enabling the ShardedListAndWatch feature gate.", | ||
| "in": "query", | ||
| "name": "shardSelector", | ||
| "schema": { | ||
| "type": "string", | ||
| "uniqueItems": true | ||
| } | ||
| }, |
Adjust shardSelector wording for deletecollection behavior.
On Line 993, the description says it “restricts the list of returned objects,” but this operation is deletecollection; the selector constrains which objects are targeted for deletion.
✏️ Suggested wording update
- "description": "shardSelector restricts the list of returned objects using a CEL-based shard selector expression. ...
+ "description": "shardSelector restricts the set of objects targeted by this delete collection request using a CEL-based shard selector expression. ...
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@api/openapi-spec/v3/apis__certificates.k8s.io__v1_openapi.json` around lines
992 - 1000, update the description for the query parameter "shardSelector"
(parameter name: shardSelector, schema type: string) to reflect that this is
used by deletecollection operations: replace the phrase "restricts the list of
returned objects" with wording that it "restricts which objects are targeted for
deletion" (or equivalent) and keep the rest of the explanation about CEL
shardRange syntax, supported field paths, hexStart/hexEnd bounds, examples, and
the note about the ShardedListAndWatch feature gate unchanged.
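To make the hash-range semantics that the shardSelector description specifies concrete (inclusive hexStart, exclusive hexEnd, 64-bit FNV-1a of the field value, OR-ed terms, full range ending at 2^64), here is an added Go example; it is not code from this PR or from Kubernetes. It assumes the description's FNV-1a hashing of the raw field string and handles only object.metadata.uid; the UID strings in the sanity run are constructed.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"math/big"
	"sort"
	"strings"
)

// ShardRange is one shardRange(object.metadata.uid, hexStart, hexEnd) term. Bounds are
// big.Int because the full-range end 0x10000000000000000 is exactly 2^64 and overflows uint64.
type ShardRange struct {
	Start *big.Int // inclusive
	End   *big.Int // exclusive
}

var hashSpaceEnd = new(big.Int).Lsh(big.NewInt(1), 64) // 2^64

// parseHexBound accepts a single-quoted, 0x-prefixed hex literal in [0x0, 2^64].
func parseHexBound(lit string) (*big.Int, error) {
	lit = strings.Trim(lit, "' ")
	v, ok := new(big.Int).SetString(strings.TrimPrefix(lit, "0x"), 16)
	if !strings.HasPrefix(lit, "0x") || !ok || v.Sign() < 0 || v.Cmp(hashSpaceEnd) > 0 {
		return nil, fmt.Errorf("bound %q is not a 0x hex value in [0x0, 0x10000000000000000]", lit)
	}
	return v, nil
}

// ParseShardSelector splits "shardRange(...) || shardRange(...)" into its terms.
func ParseShardSelector(expr string) ([]ShardRange, error) {
	var out []ShardRange
	for _, term := range strings.Split(expr, "||") {
		term = strings.TrimSpace(term)
		args := strings.Split(strings.TrimSuffix(strings.TrimPrefix(term, "shardRange("), ")"), ",")
		if !strings.HasPrefix(term, "shardRange(") || !strings.HasSuffix(term, ")") ||
			len(args) != 3 || strings.TrimSpace(args[0]) != "object.metadata.uid" {
			return nil, fmt.Errorf("term %q: want shardRange(object.metadata.uid, start, end)", term)
		}
		start, err := parseHexBound(args[1])
		if err != nil {
			return nil, err
		}
		end, err := parseHexBound(args[2])
		if err != nil {
			return nil, err
		}
		if start.Cmp(end) >= 0 { // an inverted or empty range would silently match nothing
			return nil, fmt.Errorf("term %q: empty range [0x%x, 0x%x)", term, start, end)
		}
		out = append(out, ShardRange{Start: start, End: end})
	}
	return out, nil
}

// Matches hashes the uid with 64-bit FNV-1a and tests it against the OR-ed terms.
func Matches(ranges []ShardRange, uid string) bool {
	h := fnv.New64a()
	h.Write([]byte(uid))
	sum := new(big.Int).SetUint64(h.Sum64())
	for _, r := range ranges {
		if sum.Cmp(r.Start) >= 0 && sum.Cmp(r.End) < 0 {
			return true
		}
	}
	return false
}

// CoversWholeSpace checks that one selector per shard partitions [0x0, 0x10000000000000000)
// with no gap or overlap; a last end of '0xffffffffffffffff' (uint64 max) leaves hash 2^64-1 unowned.
func CoversWholeSpace(selectors []string) error {
	var all []ShardRange
	for _, s := range selectors {
		rs, err := ParseShardSelector(s)
		if err != nil {
			return err
		}
		all = append(all, rs...)
	}
	sort.Slice(all, func(i, j int) bool { return all[i].Start.Cmp(all[j].Start) < 0 })
	all = append(all, ShardRange{Start: hashSpaceEnd, End: hashSpaceEnd}) // sentinel: chain must end at 2^64
	if all[0].Start.Sign() != 0 {
		return fmt.Errorf("gap: the first range must start at 0x0")
	}
	for i := 1; i < len(all); i++ {
		if all[i].Start.Cmp(all[i-1].End) != 0 {
			return fmt.Errorf("gap or overlap between 0x%x and 0x%x", all[i-1].End, all[i].Start)
		}
	}
	return nil
}

func main() { // stand-alone sanity run: a single full-range shard prints <nil>
	fmt.Println(CoversWholeSpace([]string{"shardRange(object.metadata.uid, '0x0', '0x10000000000000000')"}))
}
```

Running CoversWholeSpace over the exact selector strings handed to each shard is the cheapest way to catch a deployment where one shard's upper bound was truncated to fit a uint64, since such a gap never surfaces as an error at the API server.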
| "required": [ | ||
| "addressType", | ||
| "endpoints" | ||
| "addressType" | ||
| ], |
Keep EndpointSlice.endpoints required unless the API type contract is also changed
Line 229 makes endpoints optional in OpenAPI, but pkg/apis/discovery/types.go:29-49 still models EndpointSlice.Endpoints as non-optional. This creates schema/type drift and can break generated-client expectations for create/replace payloads.
Suggested fix
"required": [
- "addressType"
+ "addressType",
+ "endpoints"
],
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@api/openapi-spec/v3/apis__discovery.k8s.io__v1_openapi.json` around lines 228
- 230, the OpenAPI schema made EndpointSlice.endpoints optional while the Go
type EndpointSlice.Endpoints (pkg/apis/discovery/types.go) remains non-optional;
to fix this, update the OpenAPI schema for the EndpointSlice object by adding
"endpoints" to its "required" array so the JSON contract matches the Go model
(or alternatively make the Go field optional/omitempty if you intend the API to
be optional) — ensure you modify the EndpointSlice schema's "required" list in
the OpenAPI file to include "endpoints" to restore schema/type parity.
| * Add a rate limiter to the GCE cloudprovider ([#23019](https://github.com/kubernetes/kubernetes/pull/23019), [@alex-mohr](https://github.com/alex-mohr)) | ||
| * Add a Deployment example for kubectl expose. ([#23222](https://github.com/kubernetes/kubernetes/pull/23222), [@madhusudancs](https://github.com/madhusudancs)) | ||
| * Use versioned object when computing patch ([#23145](https://github.com/kubernetes/kubernetes/pull/23145), [@liggitt](https://github.com/liggitt)) | ||
| * kubelet: send all recevied pods in one update ([#23141](https://github.com/kubernetes/kubernetes/pull/23141), [@yujuhong](https://github.com/yujuhong)) |
Fix typo: "recevied" should be "received".
The word "recevied" is misspelled in the changelog entry.
📝 Proposed fix
-* kubelet: send all recevied pods in one update ([`#23141`](https://gi...
+* kubelet: send all received pods in one update ([`#23141`](https://gi...
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@CHANGELOG/CHANGELOG-1.2.md` at line 270, fix the typo in the changelog entry
by replacing "recevied" with "received" in the line that currently reads "*
kubelet: send all recevied pods in one update ([`#23141`], [`@yujuhong`])" so it
becomes "* kubelet: send all received pods in one update ([`#23141`],
[`@yujuhong`])".
| * Add a rate limiter to the GCE cloudprovider ([#23019](https://github.com/kubernetes/kubernetes/pull/23019), [@alex-mohr](https://github.com/alex-mohr)) | ||
| * Add a Deployment example for kubectl expose. ([#23222](https://github.com/kubernetes/kubernetes/pull/23222), [@madhusudancs](https://github.com/madhusudancs)) | ||
| * Use versioned object when computing patch ([#23145](https://github.com/kubernetes/kubernetes/pull/23145), [@liggitt](https://github.com/liggitt)) | ||
| * kubelet: send all recevied pods in one update ([#23141](https://github.com/kubernetes/kubernetes/pull/23141), [@yujuhong](https://github.com/yujuhong)) |
Fix typo: "recevied" should be "received".
The word "recevied" is misspelled in the changelog entry. This is the same typo that appears in CHANGELOG-1.2.md line 270.
📝 Proposed fix
-* kubelet: send all recevied pods in one update ([`#23141`](https://gi...
+* kubelet: send all received pods in one update ([`#23141`](https://gi...
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@CHANGELOG/CHANGELOG-1.3.md` at line 948, change the misspelled word
"recevied" to "received" in the changelog entry line that reads "* kubelet: send
all recevied pods in one update
([`#23141`](https://github.com/kubernetes/kubernetes/pull/23141),
[`@yujuhong`](https://github.com/yujuhong))" so it reads "* kubelet: send all
received pods in one update (...)".
/test integration
…s the gc integration test issue
2af6682 to 6cd04ee
/test integration
Could squash into UPSTREAM: <carry>: emit event when readyz goes true
Squash into: UPSTREAM: <carry>: add management support to kubelet
6cd04ee to 2a71b56
/test integration
@jacobsee: all tests passed! Full PR test history. Your PR dashboard. Details
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.