Make PSA host enforcement honor emulation version #133176

Merged
merged 1 commit into from
Jul 25, 2025

Member

@liggitt liggitt commented Jul 24, 2025

What type of PR is this?

/kind bug
/kind cleanup
/kind feature

What this PR does / why we need it:

Follow up to #125271 to make the new PSA check honor emulation version by skipping the new check added in 1.34 when emulating a prior minor.

Special notes for your reviewer:

Does this PR introduce a user-facing change?

NONE

/cc @deads2k @tssurya
/sig auth

@k8s-ci-robot k8s-ci-robot requested review from deads2k and tssurya July 24, 2025 15:07
@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. kind/bug Categorizes issue or PR as related to a bug. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. kind/feature Categorizes issue or PR as related to a new feature. sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Jul 24, 2025
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jul 24, 2025
@liggitt liggitt force-pushed the psa-host-probe-emulation branch from a130f0f to f02c160 Compare July 24, 2025 15:14
@jpbetz
Contributor

jpbetz commented Jul 24, 2025

/lgtm
/approve

Good catch.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 24, 2025
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: 0770fb633503eb27e07498b5939f91626b460ec7

@liggitt liggitt added this to the v1.34 milestone Jul 24, 2025
@liggitt liggitt added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-blocker labels Jul 24, 2025
@k8s-ci-robot k8s-ci-robot removed the needs-priority Indicates a PR lacks a `priority/foo` label and requires one. label Jul 24, 2025
@liggitt liggitt added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Jul 24, 2025
@k8s-ci-robot k8s-ci-robot removed the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jul 24, 2025
@liggitt
Member Author

liggitt commented Jul 24, 2025

will follow-up in 1.35 with #133178 to make admission and PSA emulation-version-aware generally

@michaelasp
Contributor

Thanks @liggitt for the quick fix!

@michaelasp
Contributor

/retest

I think I've seen this flake before on another PR

@BenTheElder
Member

verify is a real failure, need to run hack/update-featuregates.sh

@liggitt liggitt force-pushed the psa-host-probe-emulation branch from f02c160 to 27e1675 Compare July 24, 2025 16:36
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 24, 2025
@k8s-ci-robot k8s-ci-robot requested a review from jpbetz July 24, 2025 16:36
@liggitt
Member Author

liggitt commented Jul 24, 2025

grrr... done

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jpbetz, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jpbetz
Contributor

jpbetz commented Jul 24, 2025

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 24, 2025
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: 84d27985cf03fd0d3381057195856869e8de1ccf

@BenTheElder
Member

https://prow.k8s.io/view/gs/kubernetes-ci-logs/pr-logs/pull/133176/pull-kubernetes-unit/1948422053505798144

k8s.io/apiserver/pkg/server: filters | 38s

    {Failed
    === RUN   TestPriorityAndFairnessWithPanicRecoveryAndTimeoutFilter/priority_level_concurrency_is_set_to_1,_inner_handler_panics_after_the_request_times_out
    === PAUSE TestPriorityAndFairnessWithPanicRecoveryAndTimeoutFilter/priority_level_concurrency_is_set_to_1,_inner_handler_panics_after_the_request_times_out
    === CONT  TestPriorityAndFairnessWithPanicRecoveryAndTimeoutFilter/priority_level_concurrency_is_set_to_1,_inner_handler_panics_after_the_request_times_out
        priority-and-fairness_test.go:890: Waiting for the request: "/request/time-out-as-designed" to time out
        priority-and-fairness_test.go:861: Expected APF headers to match, but got: expected HTTP header X-Kubernetes-PF-FlowSchema-UID to have value "test-fs", but got: ""
        priority-and-fairness_test.go:897: Waiting for the inner handler of the request: "/request/time-out-as-designed" to complete
        priority-and-fairness_test.go:915: Waiting for the controller to shutdown
    --- FAIL: TestPriorityAndFairnessWithPanicRecoveryAndTimeoutFilter/priority_level_concurrency_is_set_to_1,_inner_handler_panics_after_the_request_times_out (5.14s)
    === RUN   TestPriorityAndFairnessWithPanicRecoveryAndTimeoutFilter
    --- FAIL: TestPriorityAndFairnessWithPanicRecoveryAndTimeoutFilter (0.26s)

/retest

@k8s-triage-robot

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

  • The PR does have any do-not-merge/* labels
  • The PR does not have the needs-ok-to-test label
  • The PR is mergeable (does not have a needs-rebase label)
  • The PR is approved (has cncf-cla: yes, lgtm, approved labels)
  • The PR is failing tests required for merge

You can:

/retest

@k8s-ci-robot k8s-ci-robot merged commit 2d5f58a into kubernetes:master Jul 25, 2025
15 checks passed
@github-project-automation github-project-automation bot moved this to Closed / Done in SIG Auth Jul 25, 2025
@@ -713,6 +713,12 @@ const (
// Denies pod admission if static pods reference other API objects.
PreventStaticPodAPIReferences featuregate.Feature = "PreventStaticPodAPIReferences"

// owner: @tssurya
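Review bot: the new entry that begins at `// owner: @tssurya` should carry a one-line description directly above the constant, in the same way the neighbouring `PreventStaticPodAPIReferences` entry has "Denies pod admission if static pods reference other API objects." For a gate that exists to keep an admission check aligned with the emulated version, the description should name the check it controls and the release that introduced it, so that an operator reading the gate list can tell what disabling it relaxes.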
Contributor

@tssurya tssurya Aug 3, 2025

thank you for adding the gate!

@@ -73,7 +74,21 @@ func CheckHostProbesAndHostLifecycle() Check {
}
}

// TODO(liggitt): rework this to make emulation version influence "latest" across all checks, instead of piece-mill feature gate checking.
var skipProbeHostEnforcement = &atomic.Bool{}
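Review bot: `skipProbeHostEnforcement` is declared as a package-level `atomic.Bool` with no comment saying who is expected to set it or when. Because the switch is process-wide, flipping it changes the result of this check for every caller in the same process, so the declaration should document the intended writer (for example, set once during startup) and any test that toggles it should restore the previous value afterwards. In the TODO above it, "piece-mill" should read "piecemeal".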
Contributor

thanks for doing this stopgap to fix the CI!
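
The stopgap discussed in this thread, sketched as an added example (not code from the PR or from Kubernetes): a process-wide `atomic.Bool` switches off a check introduced in 1.34 when the server emulates an older minor. The types, `configureEmulation`, `admit`, and the predicate "a non-empty host on a handler is rejected" are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sync/atomic"
)

// Hypothetical stand-ins; these are not the pod-security-admission types.
type minor int // Kubernetes minor version, e.g. 34 for 1.34

type handler struct{ Host string } // target of a probe or lifecycle hook

// introducedIn is the minor that added the check (1.34 per the PR description).
const introducedIn minor = 34

// skipHostEnforcement mirrors the stopgap: one switch for the whole process.
var skipHostEnforcement atomic.Bool

// configureEmulation is meant to run once at startup with the emulated minor.
func configureEmulation(emulated minor) {
	skipHostEnforcement.Store(emulated < introducedIn)
}

// checkHostHandlers lists the handlers the check would reject.
// Assumed predicate: an explicit host on a handler is forbidden.
func checkHostHandlers(handlers []handler) []string {
	if skipHostEnforcement.Load() {
		return nil // behave like the emulated release, which had no such check
	}
	var forbidden []string
	for i, h := range handlers {
		if h.Host != "" {
			forbidden = append(forbidden, fmt.Sprintf("handler[%d].host=%q", i, h.Host))
		}
	}
	return forbidden
}

// admit evaluates a pod's handlers under the given emulated minor.
func admit(emulated minor, handlers []handler) bool {
	configureEmulation(emulated)
	return len(checkHostHandlers(handlers)) == 0
}

func main() {
	pod := []handler{{Host: ""}, {Host: "10.0.0.1"}} // constructed sample input
	fmt.Println("emulating 1.33 admits:", admit(33, pod))
	fmt.Println("running 1.34 admits:", admit(34, pod))
}
```

The same constructed pod is admitted while emulating 1.33 and rejected at 1.34, which is the behaviour difference an audit of a mixed-version rollout should expect.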
