HNC: find a new way to test unpropagatable objects

Question

HNC: find a new way to test unpropagatable objects

adrianludwin opened this issue 3 years ago · comments

Since #1489, HNC has been able to propagate cluster-admin rolebindings and therefore the test for #328, #605 and #771 have broken. We need to find another way to stop HNC from propagating these objects, possibly by having some special-purpose test webhook or something.

Adrian Ludwin · Answer 1 · Wed Apr 28 2021 02:39:18 GMT+0800 (China Standard Time)

Another possible way to do it:

Create a Role in the parent and forbid it from being propagated
Create a RoleBinding in the parent

Usually, RBs cannot be created with the Roles they refer to existing first, so this should cause an error.

Adrian Ludwin · Answer 2 · Wed Apr 28 2021 02:39:29 GMT+0800 (China Standard Time)

/good-first-issue

Kubernetes Prow Robot · Answer 3 · Wed Apr 28 2021 02:39:30 GMT+0800 (China Standard Time)

@adrianludwin:
This request has been marked as suitable for new contributors.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-good-first-issue command.

In response to this:

/good-first-issue

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Adrian Ludwin · Answer 4 · Fri Jul 09 2021 03:45:07 GMT+0800 (China Standard Time)

Replaced by kubernetes-sigs/hierarchical-namespaces#13

/close

Kubernetes Prow Robot · Answer 5 · Fri Jul 09 2021 03:45:11 GMT+0800 (China Standard Time)

@adrianludwin: Closing this issue.

In response to this:

Replaced by kubernetes-sigs/hierarchical-namespaces#13

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.