From e1cf77858e8a8502a293b432658d06f4fbc020d0 Mon Sep 17 00:00:00 2001 From: Walter Fender Date: Mon, 4 Dec 2017 14:44:54 -0800 Subject: [PATCH] Add e2e test for when a webhook does not return. Adding code to simulate a webhook not returning. Ensure that we verify that the returned error is a timeout. --- test/e2e/apimachinery/webhook.go | 33 +++++++++++++++++++++++++++++++- test/images/webhook/Makefile | 4 ++-- test/images/webhook/main.go | 9 +++++++-- 3 files changed, 41 insertions(+), 5 deletions(-) diff --git a/test/e2e/apimachinery/webhook.go b/test/e2e/apimachinery/webhook.go index cd7c12c4da..e9a714f49e 100644 --- a/test/e2e/apimachinery/webhook.go +++ b/test/e2e/apimachinery/webhook.go @@ -56,6 +56,7 @@ const ( skipNamespaceLabelValue = "yes" skippedNamespaceName = "exempted-namesapce" disallowedPodName = "disallowed-pod" + hangingPodName = "hanging-pod" disallowedConfigMapName = "disallowed-configmap" allowedConfigMapName = "allowed-configmap" crdName = "e2e-test-webhook-crd" @@ -99,7 +100,7 @@ var _ = SIGDescribe("AdmissionWebhook", func() { // Note that in 1.9 we will have backwards incompatible change to // admission webhooks, so the image will be updated to 1.9 sometime in // the development 1.9 cycle. - deployWebhookAndService(f, "gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v6", context) + deployWebhookAndService(f, "gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v7", context) }) AfterEach(func() { cleanWebhookTest(client, namespaceName) @@ -453,6 +454,17 @@ func testWebhook(f *framework.Framework) { framework.Failf("expect error contains %q, got %q", expectedErrMsg2, err.Error()) } + By("create a pod that causes the webhook to hang") + client = f.ClientSet + // Creating the pod, the request should be rejected + pod = hangingPod(f) + _, err = client.CoreV1().Pods(f.Namespace.Name).Create(pod) + Expect(err).NotTo(BeNil()) + expectedTimeoutErr := "request did not complete within allowed duration" + if !strings.Contains(err.Error(), expectedTimeoutErr) { + framework.Failf("expect timeout error %q, got %q", expectedTimeoutErr, err.Error()) + } + By("create a configmap that should be denied by the webhook") // Creating the configmap, the request should be rejected configmap := nonCompliantConfigMap(f) @@ -631,6 +643,25 @@ func nonCompliantPod(f *framework.Framework) *v1.Pod { } } +func hangingPod(f *framework.Framework) *v1.Pod { + return &v1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: hangingPodName, + Labels: map[string]string{ + "webhook-e2e-test": "wait-forever", + }, + }, + Spec: v1.PodSpec{ + Containers: []v1.Container{ + { + Name: "wait-forever", + Image: framework.GetPauseImageName(f.ClientSet), + }, + }, + }, + } +} + func nonCompliantConfigMap(f *framework.Framework) *v1.ConfigMap { return &v1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ diff --git a/test/images/webhook/Makefile b/test/images/webhook/Makefile index 75f04cd374..a201dd5b23 100644 --- a/test/images/webhook/Makefile +++ b/test/images/webhook/Makefile @@ -14,7 +14,7 @@ build: CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o webhook . - docker build --no-cache -t gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v6 . + docker build --no-cache -t gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v7 . rm -rf webhook push: - gcloud docker -- push gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v6 + gcloud docker -- push gcr.io/kubernetes-e2e-test-images/k8s-sample-admission-webhook-amd64:1.8v7 diff --git a/test/images/webhook/main.go b/test/images/webhook/main.go index d487c08caa..da2e4e9d3f 100644 --- a/test/images/webhook/main.go +++ b/test/images/webhook/main.go @@ -85,11 +85,16 @@ func admitPods(ar v1beta1.AdmissionReview) *v1beta1.AdmissionResponse { reviewResponse.Allowed = true var msg string - for k, v := range pod.Labels { - if k == "webhook-e2e-test" && v == "webhook-disallow" { + if v, ok := pod.Labels["webhook-e2e-test"]; ok { + if v == "webhook-disallow" { reviewResponse.Allowed = false msg = msg + "the pod contains unwanted label; " } + if v == "wait-forever" { + reviewResponse.Allowed = false + msg = msg + "the pod response should not be sent; " + <-make(chan int) // Sleep forever - no one sends to this channel + } } for _, container := range pod.Spec.Containers { if strings.Contains(container.Name, "webhook-disallow") {