Skip to content

Enable RBAC in E2E templates#17860

Merged
k8s-ci-robot merged 1 commit intokubernetes:masterfrom
rifelpet:template-rbac
Jan 13, 2026
Merged

Enable RBAC in E2E templates#17860
k8s-ci-robot merged 1 commit intokubernetes:masterfrom
rifelpet:template-rbac

Conversation

@rifelpet
Copy link
Copy Markdown
Member

@rifelpet rifelpet commented Jan 13, 2026

Kops only defaults to RBAC in kops create cluster:

kops/upup/pkg/fi/cloudup/new_cluster.go

Lines 183 to 185 in 05e2a37

func (o *NewClusterOptions) InitDefaults() {
o.Channel = api.DefaultChannel
o.Authorization = AuthorizationFlagRBAC

A cluster applied via manifest will default to AlwaysAllow:

kops/pkg/apis/kops/v1alpha2/defaults.go

Lines 57 to 60 in 05e2a37

if obj.Authorization.IsEmpty() {
// Before the Authorization field was introduced, the behaviour was alwaysAllow
obj.Authorization.AlwaysAllow = &AlwaysAllowAuthorizationSpec{}
}

Certain E2E tests expect RBAC to be enabled, and theres little value in testing these configurations with AlwaysAllow, so set RBAC in these templates.

https://prow.k8s.io/view/gs/kubernetes-ci-logs/logs/e2e-kops-aws-apiserver-nodes/2010839104693997568

Kubernetes e2e suite: [It] [sig-node] [FeatureGate:KubeletFineGrainedAuthz] [Beta] when calling kubelet API check /healthz enpoint is not accessible via nodes/configz
    <string>: 200
to equal
    <string>: 403
In [It] at: k8s.io/kubernetes/test/e2e/node/kubelet_authz.go:54 @ 01/12/26 22:39:03.443
}

https://storage.googleapis.com/kubernetes-ci-logs/logs/e2e-kops-aws-apiserver-nodes/2010839104693997568/artifacts/cluster.yaml

  authorization:
    alwaysAllow: {}

@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jan 13, 2026
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 13, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Jan 13, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hakman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 13, 2026
@hakman hakman closed this Jan 13, 2026
@hakman hakman reopened this Jan 13, 2026
@hakman
Copy link
Copy Markdown
Member

hakman commented Jan 13, 2026

/override netlify

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Jan 13, 2026

@hakman: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

  • netlify

Only the following failed contexts/checkruns were expected:

  • EasyCLA
  • build-linux-amd64
  • build-linux-arm64
  • build-macos-amd64
  • build-windows-amd64
  • deploy/netlify
  • pull-kops-build
  • pull-kops-e2e-k8s-aws-amazonvpc
  • pull-kops-e2e-k8s-aws-calico
  • pull-kops-e2e-k8s-gce-cilium
  • pull-kops-e2e-k8s-gce-ipalias
  • pull-kops-kubernetes-e2e-ubuntu-gce-build
  • pull-kops-test
  • pull-kops-verify-boilerplate
  • pull-kops-verify-generated
  • pull-kops-verify-gofmt
  • pull-kops-verify-golangci-lint
  • pull-kops-verify-gomod
  • pull-kops-verify-govet
  • tests-e2e-scenarios-bare-metal
  • tests-e2e-scenarios-bare-metal-ipv6
  • tide
  • verify-amd64
  • verify-arm64

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

Details

In response to this:

/override netlify

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@hakman
Copy link
Copy Markdown
Member

hakman commented Jan 13, 2026

/override deploy/netlify

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Jan 13, 2026

@hakman: Overrode contexts on behalf of hakman: deploy/netlify

Details

In response to this:

/override deploy/netlify

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@hakman
Copy link
Copy Markdown
Member

hakman commented Jan 13, 2026

/override pull-kops-kubernetes-e2e-ubuntu-gce-build

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Jan 13, 2026

@hakman: Overrode contexts on behalf of hakman: pull-kops-kubernetes-e2e-ubuntu-gce-build

Details

In response to this:

/override pull-kops-kubernetes-e2e-ubuntu-gce-build

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-triage-robot
Copy link
Copy Markdown

k8s-triage-robot commented Jan 13, 2026

Retesting failed PR that otherwise appears ready for merge.

Please help us fix flaky tests by following our Flaky Tests Guide.

Prevent this bot from retesting with /lgtm cancel or /hold.
For this robot's configuration, see here.

/retest-required

@rifelpet
Enable RBAC in e2e templates
c47d4dd 
Kops only defaults to RBAC in `kops create cluster`. A cluster provided via manifest will default to AlwaysAllow.

Certain E2E tests expect RBAC to be enabled, and theres little value in testing these configurations with AlwaysAllow, so set RBAC in these templates.
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 13, 2026
@hakman
Copy link
Copy Markdown
Member

hakman commented Jan 13, 2026

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 13, 2026
@hakman
Copy link
Copy Markdown
Member

hakman commented Jan 13, 2026

/override pull-kops-e2e-k8s-aws-calico

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Jan 13, 2026

@hakman: Overrode contexts on behalf of hakman: pull-kops-e2e-k8s-aws-calico

Details

In response to this:

/override pull-kops-e2e-k8s-aws-calico

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot merged commit 660a895 into kubernetes:master Jan 13, 2026
27 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.36 milestone Jan 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hakman hakman hakman approved these changes

@johngmyers johngmyers Awaiting requested review from johngmyers

@olemarkus olemarkus Awaiting requested review from olemarkus

Assignees

@hakman hakman

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

v1.36

Development

Successfully merging this pull request may close these issues.

4 participants

@rifelpet @k8s-ci-robot @hakman @k8s-triage-robot