kubernetes: [e2e test failure] [sig-api-machinery] Aggregator Should be able to support the 1.7 Sample API Server using the current Aggregator

Failure cluster 42229f8b33f735ea0213

Error text:
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/apimachinery/aggregator.go:65
creating cluster role wardler
Expected error:
    <*errors.StatusError | 0xc421134380>: {
        ErrStatus: {
            TypeMeta: {Kind: "", APIVersion: ""},
            ListMeta: {SelfLink: "", ResourceVersion: ""},
            Status: "Failure",
            Message: "clusterroles.rbac.authorization.k8s.io \"wardler\" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:[\"flunders\"], APIGroups:[\"wardle.k8s.io\"], Verbs:[\"create\"]} PolicyRule{Resources:[\"flunders\"], APIGroups:[\"wardle.k8s.io\"], Verbs:[\"delete\"]} PolicyRule{Resources:[\"flunders\"], APIGroups:[\"wardle.k8s.io\"], Verbs:[\"deletecollection\"]} PolicyRule{Resources:[\"flunders\"], APIGroups:[\"wardle.k8s.io\"], Verbs:[\"get\"]} PolicyRule{Resources:[\"flunders\"], APIGroups:[\"wardle.k8s.io\"], Verbs:[\"list\"]} PolicyRule{Resources:[\"flunders\"], APIGroups:[\"wardle.k8s.io\"], Verbs:[\"patch\"]} PolicyRule{Resources:[\"flunders\"], APIGroups:[\"wardle.k8s.io\"], Verbs:[\"update\"]} PolicyRule{Resources:[\"flunders\"], APIGroups:[\"wardle.k8s.io\"], Verbs:[\"watch\"]} PolicyRule{NonResourceURLs:[\"*\"], Verbs:[\"get\"]}] user=&{pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com  [system:authenticated] map[]} ownerrules=[PolicyRule{Resources:[\"selfsubjectaccessreviews\"], APIGroups:[\"authorization.k8s.io\"], Verbs:[\"create\"]} PolicyRule{NonResourceURLs:[\"/api\" \"/api/*\" \"/apis\" \"/apis/*\" \"/healthz\" \"/swaggerapi\" \"/swaggerapi/*\" \"/version\"], Verbs:[\"get\"]}] ruleResolutionErrors=[]",
            Reason: "Forbidden",
            Details: {
                Name: "wardler",
                Group: "rbac.authorization.k8s.io",
                Kind: "clusterroles",
                UID: "",
                Causes: nil,
                RetryAfterSeconds: 0,
            },
            Code: 403,
        },
    }
    clusterroles.rbac.authorization.k8s.io "wardler" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["flunders"], APIGroups:["wardle.k8s.io"], Verbs:["create"]} PolicyRule{Resources:["flunders"], APIGroups:["wardle.k8s.io"], Verbs:["delete"]} PolicyRule{Resources:["flunders"], APIGroups:["wardle.k8s.io"], Verbs:["deletecollection"]} PolicyRule{Resources:["flunders"], APIGroups:["wardle.k8s.io"], Verbs:["get"]} PolicyRule{Resources:["flunders"], APIGroups:["wardle.k8s.io"], Verbs:["list"]} PolicyRule{Resources:["flunders"], APIGroups:["wardle.k8s.io"], Verbs:["patch"]} PolicyRule{Resources:["flunders"], APIGroups:["wardle.k8s.io"], Verbs:["update"]} PolicyRule{Resources:["flunders"], APIGroups:["wardle.k8s.io"], Verbs:["watch"]} PolicyRule{NonResourceURLs:["*"], Verbs:["get"]}] user=&{pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com  [system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]
not to have occurred
/go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/apimachinery/aggregator.go:331

Failure cluster statistics:

1 tests failed, 11 jobs failed, 241 builds failed. Failure stats cover 1 day time range ‘17 Aug 2017 22:57 UTC’ to ‘18 Aug 2017 22:57 UTC’.

Top failed tests by jobs failed:

| Test Name | Jobs Failed |
| --- | --- |
| [sig-api-machinery] Aggregator Should be able to support the 1.7 Sample API Server using the current Aggregator | 11 |

Top failed jobs by builds failed:

| Job Name | Builds Failed | Latest Failure |
| --- | --- | --- |
| ci-kubernetes-e2e-gci-gke-multizone | 42 | 18 Aug 2017 22:02 UTC |
| ci-kubernetes-e2e-gci-gke | 40 | 18 Aug 2017 22:00 UTC |
| ci-kubernetes-e2e-gke-multizone | 40 | 18 Aug 2017 22:11 UTC |

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 21 (21 by maintainers)

Most upvoted comments

I don’t see how one would be able to create an RBAC binding but another would fail later.

The gke authorizer allows the “bind” verb, so the client can create a binding to the cluster-admin. It cannot create a role directly unless it has permissions via RBAC. Since we don’t have a way to determine the username associated with iclient, binding to all authenticated users is what was done as a workaround.
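
The 403 in the error text and the comment above both come down to RBAC's escalation check: a role can only be created by a caller who already holds every permission in it. The following Go sketch is an added example, not code from Kubernetes or from this issue; it is a simplified model of that check run against the rules quoted in the error. `Rule`, `has`, `Missing` and the variable names are this example's own, the `wardler` rules are regrouped from the per-verb list in the message, and `Admin` assumes cluster-admin's all-wildcard rules.

```go
package main

import (
	"fmt"
	"strings"
)

type Rule struct{ Groups, Resources, URLs, Verbs []string } // pared-down RBAC rule, invented for this example
var f = strings.Fields // Owner, Wardler: rules from the error on this page; Admin: cluster-admin's wildcards (assumed)
var Owner = []Rule{{f("authorization.k8s.io"), f("selfsubjectaccessreviews"), nil, f("create")},
	{nil, nil, f("/api /api/* /apis /apis/* /healthz /swaggerapi /swaggerapi/* /version"), f("get")}}
var Wardler = []Rule{{f("wardle.k8s.io"), f("flunders"), nil, f("create delete deletecollection get list patch update watch")}, {nil, nil, f("*"), f("get")}}
var Admin = []Rule{{f("*"), f("*"), nil, f("*")}, {nil, nil, f("*"), f("*")}}

// has: held grants want by exact match, "*", or (URLs only) a "/api/*" prefix.
func has(held []string, want string, url bool) bool {
	for _, h := range held {
		if h == "*" || h == want || url && strings.HasSuffix(h, "*") && strings.HasPrefix(want, h[:len(h)-1]) {
			return true
		}
	}
	return false
}

// Missing lists each single-verb permission in requested that no rule in owner covers.
func Missing(owner, requested []Rule) (out []string) {
	check := func(name, v, g, res, u string) {
		for _, o := range owner {
			if has(o.Verbs, v, false) && (u != "" && has(o.URLs, u, true) || u == "" && has(o.Groups, g, false) && has(o.Resources, res, false)) {
				return
			}
		}
		out = append(out, name)
	}
	for _, r := range requested {
		for _, v := range r.Verbs {
			for _, u := range r.URLs {
				check(v+" "+u, v, "", "", u)
			}
			for _, g := range r.Groups {
				for _, res := range r.Resources {
					check(v+" "+g+"/"+res, v, g, res, "")
				}
			}
		}
	}
	return out
}
func main() { fmt.Println(Missing(Owner, Wardler), Missing(append(Owner, Admin...), Wardler)) }
```

The first list printed holds the nine permissions the error reports as extra privileges; the second is empty because adding cluster-admin's rules to what the caller holds covers all of them.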