CNTRLPLANE-1: Update to Kubernetes v1.32.1

images/tests/Dockerfile.rhel

@@ -22,5 +22,5 @@ RUN PACKAGES="git gzip util-linux" && \
 LABEL io.k8s.display-name="OpenShift End-to-End Tests" \
       io.openshift.release.operator=true \
       io.k8s.description="OpenShift is a platform for developing, building, and deploying containerized applications." \
-      io.openshift.build.versions="kubernetes-tests=1.31.1" \
+      io.openshift.build.versions="kubernetes-tests=1.32.1" \
       io.openshift.tags="openshift,tests,e2e"

pkg/cmd/openshift-tests/images/images_command.go

@@ -83,11 +83,6 @@ func NewImagesCommand() *cobra.Command {
 			for _, line := range lines {
 				fmt.Fprintln(os.Stdout, line)
 			}
-			// TODO: these should be removed when landing k8s 1.31:
-			newImages := injectNewImages(ref, o.Upstream)
-			for _, line := range newImages {
-				fmt.Fprintln(os.Stdout, line)
-			}
 			return nil
 		},
 	}
@@ -99,43 +94,6 @@ func NewImagesCommand() *cobra.Command {
 	return cmd
 }
 
-func injectNewImages(ref reference.DockerImageReference, upstream bool) []string {
-	lines := []string{}
-	for original, mirror := range map[string]string{
-		"registry.k8s.io/e2e-test-images/agnhost:2.53":                    "e2e-1-registry-k8s-io-e2e-test-images-agnhost-2-53-S5hiptYgC5MyFXZH",
-		"registry.k8s.io/e2e-test-images/busybox:1.29-2":                  "e2e-52-registry-k8s-io-e2e-test-images-busybox-1-29-2-ZYWRth-o9U_JR2ZE",
-		"registry.k8s.io/e2e-test-images/httpd:2.4.38-4":                  "e2e-10-registry-k8s-io-e2e-test-images-httpd-2-4-38-4-lYFH2l3oSS5xEICa",
-		"registry.k8s.io/e2e-test-images/httpd:2.4.39-4":                  "e2e-11-registry-k8s-io-e2e-test-images-httpd-2-4-39-4-Hgo23C6O-Y8DPv5N",
-		"registry.k8s.io/e2e-test-images/jessie-dnsutils:1.7":             "e2e-14-registry-k8s-io-e2e-test-images-jessie-dnsutils-1-7-bJ-yvCS2MUBlnXm1",
-		"registry.k8s.io/e2e-test-images/nautilus:1.7":                    "e2e-16-registry-k8s-io-e2e-test-images-nautilus-1-7-7f05f70QXiLXg0hX",
-		"registry.k8s.io/e2e-test-images/nginx:1.14-4":                    "e2e-18-registry-k8s-io-e2e-test-images-nginx-1-14-4-20h7A1tgJp0m0c1_",
-		"registry.k8s.io/e2e-test-images/nonewprivs:1.3":                  "e2e-23-registry-k8s-io-e2e-test-images-nonewprivs-1-3-lsPs1J8LjWvEYqre",
-		"registry.k8s.io/e2e-test-images/nonroot:1.4":                     "e2e-24-registry-k8s-io-e2e-test-images-nonroot-1-4-u_r1WOwfmHWUVyUc",
-		"registry.k8s.io/e2e-test-images/regression-issue-74839:1.2":      "e2e-28-registry-k8s-io-e2e-test-images-regression-issue-74839-1-2-pZ_RxNuqvcwEiCKE",
-		"registry.k8s.io/e2e-test-images/resource-consumer:1.13":          "e2e-29-registry-k8s-io-e2e-test-images-resource-consumer-1-13-LT0C2W4wMzShSeGS",
-		"registry.k8s.io/e2e-test-images/volume/nfs:1.4":                  "e2e-30-registry-k8s-io-e2e-test-images-volume-nfs-1-4-u7V8iW5QIcWM2i6h",
-		"registry.k8s.io/etcd:3.5.16-0":                                   "e2e-9-registry-k8s-io-etcd-3-5-16-0-ExW1ETJqOZa6gx2F",
-		"registry.k8s.io/sig-storage/csi-attacher:v4.7.0":                 "e2e-44-registry-k8s-io-sig-storage-csi-attacher-v4-7-0-aS7GIn0bMzvq3KoO",
-		"registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0":   "e2e-50-registry-k8s-io-sig-storage-csi-node-driver-registrar-v2-12-0-jkkxroBOcREoIm9b",
-		"registry.k8s.io/sig-storage/csi-provisioner:v5.1.0":              "e2e-43-registry-k8s-io-sig-storage-csi-provisioner-v5-1-0-9nVNb-KrN4Qb7WGv",
-		"registry.k8s.io/sig-storage/csi-resizer:v1.12.0":                 "e2e-45-registry-k8s-io-sig-storage-csi-resizer-v1-12-0-bjLLc3vKDh_BJRU2",
-		"registry.k8s.io/sig-storage/csi-snapshotter:v8.1.0":              "e2e-42-registry-k8s-io-sig-storage-csi-snapshotter-v8-1-0-3cVspluN_7tfQqYd",
-		"registry.k8s.io/sig-storage/hello-populator:v1.0.1":              "e2e-32-registry-k8s-io-sig-storage-hello-populator-v1-0-1-Ei7libli17J5IWn-",
-		"registry.k8s.io/sig-storage/hostpathplugin:v1.15.0":              "e2e-49-registry-k8s-io-sig-storage-hostpathplugin-v1-15-0-YS6opQN6AdImbOb6",
-		"registry.k8s.io/sig-storage/livenessprobe:v2.14.0":               "e2e-51-registry-k8s-io-sig-storage-livenessprobe-v2-14-0-969ousmSC9UQiDgO",
-		"registry.k8s.io/sig-storage/nfs-provisioner:v4.0.8":              "e2e-17-registry-k8s-io-sig-storage-nfs-provisioner-v4-0-8-W5pbwDbNliDm1x4k",
-		"registry.k8s.io/sig-storage/volume-data-source-validator:v1.0.0": "e2e-33-registry-k8s-io-sig-storage-volume-data-source-validator-v1-0-0-pJwTeQGTDmAV8753",
-	} {
-		if upstream {
-			lines = append(lines, fmt.Sprintf("%s %s:%s", original, ref.Exact(), mirror))
-		} else {
-			lines = append(lines, fmt.Sprintf("quay.io/openshift/community-e2e-images:%s %s:%s", mirror, ref.Exact(), mirror))
-		}
-	}
-	sort.Strings(lines)
-	return lines
-}
-
 type imagesOptions struct {
 	Repository string
 	Upstream   bool

test/extended/authorization/rbac/groups_default_rules.go

@@ -249,15 +249,15 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] The default clust
 		}
 
 		g.By("should only allow the system:authenticated group to access certain policy rules", func() {
-			testAllGroupRules(ruleResolver, kuser.AllAuthenticated, allAuthenticatedRules, namespaces.Items)
+			testAllGroupRules(ctx, ruleResolver, kuser.AllAuthenticated, allAuthenticatedRules, namespaces.Items)
 		})
 
 		g.By("should only allow the system:unauthenticated group to access certain policy rules", func() {
-			testAllGroupRules(ruleResolver, kuser.AllUnauthenticated, allUnauthenticatedRules, namespaces.Items)
+			testAllGroupRules(ctx, ruleResolver, kuser.AllUnauthenticated, allUnauthenticatedRules, namespaces.Items)
 		})
 
 		g.By("should only allow the system:authenticated:oauth group to access certain policy rules", func() {
-			testAllGroupRules(ruleResolver, "system:authenticated:oauth", []rbacv1.PolicyRule{
+			testAllGroupRules(ctx, ruleResolver, "system:authenticated:oauth", []rbacv1.PolicyRule{
 				rbacv1helpers.NewRule("create").Groups(projectGroup, legacyProjectGroup).Resources("projectrequests").RuleOrDie(),
 				rbacv1helpers.NewRule("get", "list", "watch", "delete").Groups(oauthGroup).Resources("useroauthaccesstokens").RuleOrDie(),
 			}, namespaces.Items)
@@ -266,20 +266,20 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] The default clust
 	})
 })
 
-func testAllGroupRules(ruleResolver validation.AuthorizationRuleResolver, group string, expectedClusterRules []rbacv1.PolicyRule, namespaces []corev1.Namespace) {
-	testGroupRules(ruleResolver, group, metav1.NamespaceNone, expectedClusterRules)
+func testAllGroupRules(ctx context.Context, ruleResolver validation.AuthorizationRuleResolver, group string, expectedClusterRules []rbacv1.PolicyRule, namespaces []corev1.Namespace) {
+	testGroupRules(ctx, ruleResolver, group, metav1.NamespaceNone, expectedClusterRules)
 
 	for _, namespace := range namespaces {
 		// merge the namespace scoped and cluster wide rules
 		rules := append([]rbacv1.PolicyRule{}, groupNamespaceRules[group][namespace.Name]...)
 		rules = append(rules, expectedClusterRules...)
 
-		testGroupRules(ruleResolver, group, namespace.Name, rules)
+		testGroupRules(ctx, ruleResolver, group, namespace.Name, rules)
 	}
 }
 
-func testGroupRules(ruleResolver validation.AuthorizationRuleResolver, group, namespace string, expectedRules []rbacv1.PolicyRule) {
-	actualRules, err := ruleResolver.RulesFor(&kuser.DefaultInfo{Groups: []string{group}}, namespace)
+func testGroupRules(ctx context.Context, ruleResolver validation.AuthorizationRuleResolver, group, namespace string, expectedRules []rbacv1.PolicyRule) {
+	actualRules, err := ruleResolver.RulesFor(ctx, &kuser.DefaultInfo{Groups: []string{group}}, namespace)
 	o.Expect(err).NotTo(o.HaveOccurred()) // our default RBAC policy should never have rule resolution errors
 
 	if cover, missing := rbacvalidation.Covers(expectedRules, actualRules); !cover {

test/extended/bootstrap_user/bootstrap_user_login.go

@@ -16,6 +16,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 	e2e "k8s.io/kubernetes/test/e2e/framework"
+	clocktesting "k8s.io/utils/clock/testing"
 
 	"github.com/openshift/library-go/pkg/operator/events"
 	"github.com/openshift/library-go/pkg/operator/resource/resourceapply"
@@ -32,7 +33,7 @@ var _ = g.Describe("[sig-auth][Feature:BootstrapUser] The bootstrap user", func(
 	g.It("should successfully login with password decoded from kubeadmin secret [Disruptive]", func() {
 		var originalPasswordHash []byte
 		secretExists := true
-		recorder := events.NewInMemoryRecorder("")
+		recorder := events.NewInMemoryRecorder("", clocktesting.NewFakePassiveClock(time.Now()))
 
 		// always restore cluster to original state at the end
 		defer func() {

test/extended/etcd/etcd_storage_path.go

@@ -282,27 +282,11 @@ func testEtcd3StoragePath(t g.GinkgoTInterface, oc *exutil.CLI, etcdClient3Fn fu
 	// Apply output of git diff origin/release-1.XY origin/release-1.X(Y+1) test/integration/etcd/data.go. This is needed
 	// to apply the right data depending on the kube version of the running server. Replace this with the next current
 	// and rebase version next time. Don't pile them up.
-	if strings.HasPrefix(version.Minor, "32") {
+	if strings.HasPrefix(version.Minor, "33") {
 		for k, a := range map[schema.GroupVersionResource]etcddata.StorageData{
 			// Added etcd data.
 			// TODO: When rebase has started, add etcd storage data has been added to
-			//       k8s.io/kubernetes/test/integration/etcd/data.go in the 1.32 release.
-			gvr("resource.k8s.io", "v1beta1", "deviceclasses"): {
-				Stub:             `{"metadata": {"name": "class2name"}}`,
-				ExpectedEtcdPath: "/registry/deviceclasses/class2name",
-			},
-			gvr("resource.k8s.io", "v1beta1", "resourceclaims"): {
-				Stub:             `{"metadata": {"name": "claim2name"}, "spec": {"devices": {"requests": [{"name": "req-0", "deviceClassName": "example-class", "allocationMode": "ExactCount", "count": 1}]}}}`,
-				ExpectedEtcdPath: "/registry/resourceclaims/" + oc.Namespace() + "/claim2name",
-			},
-			gvr("resource.k8s.io", "v1beta1", "resourceclaimtemplates"): {
-				Stub:             `{"metadata": {"name": "claimtemplate2name"}, "spec": {"spec": {"devices": {"requests": [{"name": "req-0", "deviceClassName": "example-class", "allocationMode": "ExactCount", "count": 1}]}}}}`,
-				ExpectedEtcdPath: "/registry/resourceclaimtemplates/" + oc.Namespace() + "/claimtemplate2name",
-			},
-			gvr("resource.k8s.io", "v1beta1", "resourceslices"): {
-				Stub:             `{"metadata": {"name": "node2slice"}, "spec": {"nodeName": "worker1", "driver": "dra.example.com", "pool": {"name": "worker1", "resourceSliceCount": 1}}}`,
-				ExpectedEtcdPath: "/registry/resourceslices/node2slice",
-			},
+			//       k8s.io/kubernetes/test/integration/etcd/data.go in the 1.33 release.
 		} {
 			if _, preexisting := etcdStorageData[k]; preexisting {
 				t.Errorf("upstream etcd storage data already has data for %v. Update current and rebase version diff to next rebase version", k)
@@ -312,38 +296,11 @@ func testEtcd3StoragePath(t g.GinkgoTInterface, oc *exutil.CLI, etcdClient3Fn fu
 
 		// Modified etcd data.
 		// TODO: When rebase has started, fixup etcd storage data that has been modified
-		//       in k8s.io/kubernetes/test/integration/etcd/data.go in the 1.32 release.
-
-		// compare https://github.com/kubernetes/kubernetes/pull/127511
-		etcdStorageData[gvr("resource.k8s.io", "v1alpha3", "deviceclasses")] = etcddata.StorageData{
-			Stub:             `{"metadata": {"name": "class1name"}}`,
-			ExpectedEtcdPath: "/registry/deviceclasses/class1name",
-			ExpectedGVK:      gvkP("resource.k8s.io", "v1beta1", "DeviceClass"),
-		}
-		etcdStorageData[gvr("resource.k8s.io", "v1alpha3", "resourceclaims")] = etcddata.StorageData{
-			Stub:             `{"metadata": {"name": "claim1name"}, "spec": {"devices": {"requests": [{"name": "req-0", "deviceClassName": "example-class", "allocationMode": "ExactCount", "count": 1}]}}}`,
-			ExpectedEtcdPath: "/registry/resourceclaims/" + oc.Namespace() + "/claim1name",
-			ExpectedGVK:      gvkP("resource.k8s.io", "v1beta1", "ResourceClaim"),
-		}
-		etcdStorageData[gvr("resource.k8s.io", "v1alpha3", "resourceclaimtemplates")] = etcddata.StorageData{
-			Stub:             `{"metadata": {"name": "claimtemplate1name"}, "spec": {"spec": {"devices": {"requests": [{"name": "req-0", "deviceClassName": "example-class", "allocationMode": "ExactCount", "count": 1}]}}}}`,
-			ExpectedEtcdPath: "/registry/resourceclaimtemplates/" + oc.Namespace() + "/claimtemplate1name",
-			ExpectedGVK:      gvkP("resource.k8s.io", "v1beta1", "ResourceClaimTemplate"),
-		}
-		etcdStorageData[gvr("resource.k8s.io", "v1alpha3", "podschedulingcontexts")] = etcddata.StorageData{
-			Stub:             `{"metadata": {"name": "pod1name"}, "spec": {"selectedNode": "node1name", "potentialNodes": ["node1name", "node2name"]}}`,
-			ExpectedEtcdPath: "/registry/podschedulingcontexts/" + oc.Namespace() + "/pod1name",
-			ExpectedGVK:      gvkP("resource.k8s.io", "v1beta1", "PodSchedulingContext"),
-		}
-		etcdStorageData[gvr("resource.k8s.io", "v1alpha3", "resourceslices")] = etcddata.StorageData{
-			Stub:             `{"metadata": {"name": "node1slice"}, "spec": {"nodeName": "worker1", "driver": "dra.example.com", "pool": {"name": "worker1", "resourceSliceCount": 1}}}`,
-			ExpectedEtcdPath: "/registry/resourceslices/node1slice",
-			ExpectedGVK:      gvkP("resource.k8s.io", "v1beta1", "ResourceSlice"),
-		}
+		//       in k8s.io/kubernetes/test/integration/etcd/data.go in the 1.33 release.
 
 		// Removed etcd data.
 		// TODO: When rebase has started, remove etcd storage data that has been removed
-		//       from k8s.io/kubernetes/test/integration/etcd/data.go in the 1.29 release.
+		//       from k8s.io/kubernetes/test/integration/etcd/data.go in the 1.33 release.
 		removeStorageData(t, etcdStorageData)
 	}
 

test/extended/networking/egress_firewall.go

@@ -25,7 +25,7 @@ const (
 	egressFWE2E          = "egress-firewall-e2e"
 	wcEgressFWE2E        = "wildcard-egress-firewall-e2e"
 	noEgressFWE2E        = "no-egress-firewall-e2e"
-	egressFWTestImage    = "registry.k8s.io/e2e-test-images/agnhost:2.52"
+	egressFWTestImage    = "registry.k8s.io/e2e-test-images/agnhost:2.53"
 	oVNKManifest         = "ovnk-egressfirewall-test.yaml"
 	oVNKWCManifest       = "ovnk-egressfirewall-wildcard-test.yaml"
 	openShiftSDNManifest = "sdn-egressnetworkpolicy-test.yaml"

test/extended/operators/certs.go

@@ -302,7 +302,7 @@ func fetchOnDiskCertificates(ctx context.Context, kubeClient kubernetes.Interfac
 	}
 	defer kubeClient.RbacV1().ClusterRoleBindings().Delete(ctx, nodeReaderCRB, metav1.DeleteOptions{})
 
-	pauseImage := image.LocationFor("registry.k8s.io/e2e-test-images/agnhost:2.52")
+	pauseImage := image.LocationFor("registry.k8s.io/e2e-test-images/agnhost:2.53")
 	podNameOnNode, err := createPods(ctx, kubeClient, namespace, nodeList, testPullSpec, pauseImage)
 	if err != nil {
 		return nil, err

test/extended/router/config_manager.go

@@ -391,7 +391,7 @@ http {
 					Containers: []corev1.Container{
 						{
 							Name:  "test",
-							Image: image.LocationFor("registry.k8s.io/e2e-test-images/agnhost:2.52"),
+							Image: image.LocationFor("registry.k8s.io/e2e-test-images/agnhost:2.53"),
 							Args:  []string{"netexec"},
 							Ports: []corev1.ContainerPort{
 								{

test/extended/router/weighted.go

@@ -245,7 +245,7 @@ var _ = g.Describe("[sig-network][Feature:Router][apigroup:image.openshift.io]",
 					Containers: []corev1.Container{
 						{
 							Name:  "test",
-							Image: image.LocationFor("registry.k8s.io/e2e-test-images/agnhost:2.52"),
+							Image: image.LocationFor("registry.k8s.io/e2e-test-images/agnhost:2.53"),
 							Args: []string{
 								"netexec",
 							},
@@ -276,7 +276,7 @@ var _ = g.Describe("[sig-network][Feature:Router][apigroup:image.openshift.io]",
 					Containers: []corev1.Container{
 						{
 							Name:  "test",
-							Image: image.LocationFor("registry.k8s.io/e2e-test-images/agnhost:2.52"),
+							Image: image.LocationFor("registry.k8s.io/e2e-test-images/agnhost:2.53"),
 							Args: []string{
 								"netexec",
 							},
@@ -307,7 +307,7 @@ var _ = g.Describe("[sig-network][Feature:Router][apigroup:image.openshift.io]",
 					Containers: []corev1.Container{
 						{
 							Name:  "test",
-							Image: image.LocationFor("registry.k8s.io/e2e-test-images/agnhost:2.52"),
+							Image: image.LocationFor("registry.k8s.io/e2e-test-images/agnhost:2.53"),
 							Args: []string{
 								"netexec",
 							},

test/extended/testdata/cmd/test/cmd/testdata/hello-openshift/hello-pod.json

@@ -12,7 +12,7 @@
     "containers": [
       {
         "name": "hello-openshift",
-        "image": "registry.k8s.io/e2e-test-images/agnhost:2.52",
+        "image": "registry.k8s.io/e2e-test-images/agnhost:2.53",
         "args": ["netexec"],
         "ports": [
           {