Skip to content

[Fix] Remove remote client of insecurely setup cluster #7486

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
k8s-ci-robot merged 1 commit into from
Nov 3, 2025
Merged

[Fix] Remove remote client of insecurely setup cluster #7486

k8s-ci-robot merged 1 commit into from
Nov 3, 2025

Conversation

@mszadkow
Copy link
Contributor

@mszadkow mszadkow commented Oct 31, 2025

What type of PR is this?

/kind bug

What this PR does / why we need it:

Even though we validate and prevent the use of invalid/insecure kubeconfigs, the remoteClient of the Cluster that kuebconfig was updated with invalid kubeconfig still remains on the list of valid clusters.
Because of that it is still possible to admit a workload to this cluster.
To give a stronger message to the user that Kubeconfig was improperly updated remoteClient will be removed from the clusterReconciler remoteClients list.

Which issue(s) this PR fixes:

Relates to this PR: #7483

Special notes for your reviewer:

Does this PR introduce a user-facing change?

MultiKueue: Remove remoteClient from clusterReconciler when kubeconfig is detected as invalid or insecure, preventing workloads from being admitted to misconfigured clusters.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. labels Oct 31, 2025
@k8s-ci-robot k8s-ci-robot requested a review from kannon92 October 31, 2025 14:41
@netlify
Copy link

netlify bot commented Oct 31, 2025
edited
Loading

Deploy Preview for kubernetes-sigs-kueue canceled.

Name Link
🔨 Latest commit a65a2f7
🔍 Latest deploy log https://app.netlify.com/projects/kubernetes-sigs-kueue/deploys/6908af1c0926940008edccf5

@k8s-ci-robot k8s-ci-robot requested a review from tenzen-y October 31, 2025 14:41
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 31, 2025
@mszadkow mszadkow mentioned this pull request Oct 31, 2025
Merged
@mimowo
Copy link
Contributor

mimowo commented Oct 31, 2025

LGTM, I will merge after rebased

@mszadkow mszadkow force-pushed the fix/remove-remote-client-with-invalid-kubeconfig branch from 2f4a1fe to 295e18d Compare November 3, 2025 09:38
mimowo
mimowo reviewed Nov 3, 2025
View reviewed changes
@mszadkow mszadkow force-pushed the fix/remove-remote-client-with-invalid-kubeconfig branch 2 times, most recently from b8fd915 to 3192ea5 Compare November 3, 2025 12:52
mimowo
mimowo reviewed Nov 3, 2025
View reviewed changes
mimowo
mimowo reviewed Nov 3, 2025
View reviewed changes
mimowo
mimowo reviewed Nov 3, 2025
View reviewed changes
mimowo
mimowo reviewed Nov 3, 2025
View reviewed changes
mimowo
mimowo reviewed Nov 3, 2025
View reviewed changes
@mszadkow mszadkow force-pushed the fix/remove-remote-client-with-invalid-kubeconfig branch from 3192ea5 to a65a2f7 Compare November 3, 2025 13:33
@mimowo
Copy link
Contributor

mimowo commented Nov 3, 2025

/lgtm
/approve
/cherrypick release-0.14
/cherrypick release-0.13

@k8s-infra-cherrypick-robot
Copy link
Contributor

k8s-infra-cherrypick-robot commented Nov 3, 2025

@mimowo: once the present PR merges, I will cherry-pick it on top of release-0.13, release-0.14 in new PRs and assign them to you.

In response to this:

/lgtm
/approve
/cherrypick release-0.14
/cherrypick release-0.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 3, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 3, 2025

LGTM label has been added.

Git tree hash: e375806e3444d60a3cb21983ba96d08686918dc0

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 3, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mimowo, mszadkow

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 3, 2025
@mimowo
Copy link
Contributor

mimowo commented Nov 3, 2025

https://prow.k8s.io/view/gs/kubernetes-ci-logs/pr-logs/pull/kubernetes-sigs_kueue/7486/pull-kueue-test-integration-baseline-main/1985355810229719040

is a known flake

@mimowo
Copy link
Contributor

mimowo commented Nov 3, 2025

/test pull-kueue-test-integration-baseline-main

@k8s-ci-robot k8s-ci-robot merged commit cb1e46d into kubernetes-sigs:main Nov 3, 2025
23 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v0.15 milestone Nov 3, 2025
@k8s-infra-cherrypick-robot
Copy link
Contributor

k8s-infra-cherrypick-robot commented Nov 3, 2025

@mimowo: #7486 failed to apply on top of branch "release-0.14":

Applying: Remove remote client of insecurely setup cluster
Using index info to reconstruct a base tree...
M	pkg/controller/admissionchecks/multikueue/multikueuecluster.go
M	pkg/controller/admissionchecks/multikueue/multikueuecluster_test.go
M	test/integration/multikueue/setup_test.go
Falling back to patching base and 3-way merge...
Auto-merging test/integration/multikueue/setup_test.go
CONFLICT (content): Merge conflict in test/integration/multikueue/setup_test.go
Auto-merging pkg/controller/admissionchecks/multikueue/multikueuecluster_test.go
Auto-merging pkg/controller/admissionchecks/multikueue/multikueuecluster.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 Remove remote client of insecurely setup cluster

In response to this:

/lgtm
/approve
/cherrypick release-0.14
/cherrypick release-0.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-infra-cherrypick-robot
Copy link
Contributor

k8s-infra-cherrypick-robot commented Nov 3, 2025

@mimowo: #7486 failed to apply on top of branch "release-0.13":

Applying: Remove remote client of insecurely setup cluster
Using index info to reconstruct a base tree...
M	pkg/controller/admissionchecks/multikueue/multikueuecluster.go
M	pkg/controller/admissionchecks/multikueue/multikueuecluster_test.go
M	test/integration/multikueue/setup_test.go
Falling back to patching base and 3-way merge...
Auto-merging test/integration/multikueue/setup_test.go
CONFLICT (content): Merge conflict in test/integration/multikueue/setup_test.go
Auto-merging pkg/controller/admissionchecks/multikueue/multikueuecluster_test.go
Auto-merging pkg/controller/admissionchecks/multikueue/multikueuecluster.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 Remove remote client of insecurely setup cluster

In response to this:

/lgtm
/approve
/cherrypick release-0.14
/cherrypick release-0.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@mszadkow mszadkow deleted the fix/remove-remote-client-with-invalid-kubeconfig branch November 4, 2025 07:30
This was referenced Nov 4, 2025
Merged
Merged
Singularity23x0 pushed a commit to Singularity23x0/kueue that referenced this pull request Nov 5, 2025
@mszadkow @Singularity23x0
Remove remote client of insecurely setup cluster (kubernetes-sigs#7486)
c20b6ac
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mimowo mimowo mimowo left review comments

@kannon92 kannon92 Awaiting requested review from kannon92

@tenzen-y tenzen-y Awaiting requested review from tenzen-y

Assignees

@mimowo mimowo

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

v0.15

Development

Successfully merging this pull request may close these issues.

4 participants

@mszadkow @mimowo @k8s-infra-cherrypick-robot @k8s-ci-robot