1. 09 Jul, 2018 2 commits
  2. 08 Jul, 2018 19 commits
  3. 07 Jul, 2018 11 commits
    • Kubernetes Submit Queue's avatar
      Merge pull request #65920 from dims/pause-image-should-be-arch-agnostic · d51bfcd4
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue (batch tested with PRs 65946, 65904, 65913, 65906, 65920). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
      
      kubeadm: pause image should be arch agnostic, as it is a manifest list
      Signed-off-by: 's avatarDavanum Srinivas <davanum@gmail.com>
      
      
      
      **What this PR does / why we need it**:
      
      `pause` image is backed by a manifest list. so we should not use the arch image when reporting using say `kubeadm config image list`
      
      **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
      Fixes https://github.com/kubernetes/kubeadm/issues/962
      
      **Special notes for your reviewer**:
      
      **Release note**:
      
      ```release-note
      kubeadm: Fix pause image to not use architecture, as it is a manifest list
      ```
      d51bfcd4
    • Kubernetes Submit Queue's avatar
      Merge pull request #65906 from liggitt/union-authz-message · 5b052de4
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue (batch tested with PRs 65946, 65904, 65913, 65906, 65920). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
      
      Improve multi-authorizer errors
      
      Fixes #52279 
      
      Includes an indication from the RBAC authorizer that it attempted to authorize the request. this reduces confusion when combined with a webhook authorizer that returns specific reasons for rejection
      
      /sig auth
      
      ```release-note
      NONE
      ```
      5b052de4
    • Kubernetes Submit Queue's avatar
      Merge pull request #65913 from dougm/vcp-logout-race · c899ccf4
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue (batch tested with PRs 65946, 65904, 65913, 65906, 65920). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
      
      vSphere Cloud Provider: avoid read race during logout
      
      **What this PR does / why we need it**:
      
      The `go test -race` will sometimes detect a read race in the vSphere Cloud Provider logout function, causing tests to fail.
      
      **Which issue(s) this PR fixes**:
      Fixes #65696
      
      **Special notes for your reviewer**:
      
      The Client nil check was added in 6d1c4a3c , but there was not any
      go test coverage of that code path until e22f9ca4
      
      **Release note**:
      
      ```release-note
      none
      ```
      c899ccf4
    • Kubernetes Submit Queue's avatar
      Merge pull request #65904 from deads2k/api-02-trackscheme · 8e2fdb32
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue (batch tested with PRs 65946, 65904, 65913, 65906, 65920). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
      
      track schemes by name for error reporting
      
      Getting an error message about a type not being in the scheme is hard to fix if you don't know which scheme is failing.  This adds a name to the scheme which can be set during creation or can be set based on the calling stack.  If you use the old constructor a name is generated for you based on the stack.  Something like "k8s.io/client-go/dynamic/scheme.go:28" for instance.
      
      Also moves a typer to its point of use.  This was debt from previous refactors which I noticed going through.
      
      @kubernetes/sig-api-machinery-misc 
      @sttts 
      
      ```release-note
      NONE
      ```
      8e2fdb32
    • Kubernetes Submit Queue's avatar
      Merge pull request #65946 from cblecker/fix-godeps-65707 · 60c44af9
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
      
      Remove unneeded deps
      
      **What this PR does / why we need it**:
      #65707 removed reliance on `github.com/google/cadvisor/http` (and it's dependencies), but we forgot to clean up the dep. This is causing failures in batches and postsubmits.
      
      **Release note**:
      ```release-note
      NONE
      ```
      
      /cc @BenTheElder @dims @dashpole @luxas @philips @yujuhong
      60c44af9
    • Christoph Blecker's avatar
      Remove unneeded deps · f97fdf76
      Christoph Blecker authored
      f97fdf76
    • Kubernetes Submit Queue's avatar
      Merge pull request #65802 from xlgao-zju/improve-output · 2d288a7d
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
      
      [kubeadm] Print required flags when running kubeadm upgrade plan
      
      **What this PR does / why we need it**:
      print required flags when running kubeadm upgrade plan
      
      **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
      Close [kubernetes/kubeadm#935](https://github.com/kubernetes/kubeadm/issues/935)
      
      **Special notes for your reviewer**:
      /assign @chuckha 
      /assign @neolit123 
      
      **Release note**:
      
      ```release-note
      kubeadm: print required flags when running kubeadm upgrade plan
      ```
      2d288a7d
    • Kubernetes Submit Queue's avatar
      Merge pull request #65707 from dims/remove-deprecated-cadvisor-port · 097f300a
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
      
      Remove --cadvisor-port - has been deprecated since v1.10
      
      **What this PR does / why we need it**:
      
      **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
      Fixes #56523
      
      **Special notes for your reviewer**:
      - Deprecated in https://github.com/kubernetes/kubernetes/pull/59827 (v1.10)
      - Disabled in https://github.com/kubernetes/kubernetes/pull/63881 (v1.11)
      
      **Release note**:
      
      ```release-note
      [action required] The formerly publicly-available cAdvisor web UI that the kubelet started using `--cadvisor-port` is now entirely removed in 1.12. The recommended way to run cAdvisor if you still need it, is via a DaemonSet.
      ```
      097f300a
    • Kubernetes Submit Queue's avatar
      Merge pull request #65495 from sjenning/add-reviewer · cb9ddd34
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
      
      add sjenning to sig-node-reviewers
      
      Request to be added to sig-node-reviewers
      
      Sponsor @derekwaynecarr 
      
      PR activity (~75 merged PRs):
      https://github.com/kubernetes/kubernetes/pulls?q=is%3Apr+author%3Asjenning
      
      QoS-level memory limits:
      https://github.com/kubernetes/kubernetes/pull/41149
      
      QoS pod status field:
      https://github.com/kubernetes/kubernetes/pull/37968
      https://github.com/kubernetes/kubernetes/pull/38989
      
      Memcg threshold notification for eviction:
      https://github.com/kubernetes/kubernetes/pull/38989
      
      Areas of focus:
      Kubelet sync loop and pod lifecycle
      QoS/Pod level cgroup manager
      systemd cgroup driver
      CRI
      dockershim
      Volume manager
      SELinux
      cAdvisor
      
      Member since: Feb 2016
      cb9ddd34
    • Kubernetes Submit Queue's avatar
      Merge pull request #65926 from Random-Liu/fix-run-as-group · f634f7da
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
      
      Fix RunAsGroup.
      
      For https://github.com/kubernetes/features/issues/213
      See https://github.com/containerd/cri/issues/836
      
      In https://github.com/containerd/cri/issues/836, people thought that this is a containerd issue. However, it turns out that this feature doesn't work at all. @krmayankk
      
      Without the fix:
      ```
      • Failure [10.125 seconds]
      [k8s.io] [sig-node] Security Context [Feature:SecurityContext]
      /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:679
        should support container.SecurityContext.RunAsUser And container.SecurityContext.RunAsGroup [Feature:RunAsGroup] [It]
        /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:112
      
        Expected error:
            <*errors.errorString | 0xc42185bcd0>: {
                s: "expected \"gid=2002\" in container output: Expected\n    <string>: uid=1002 gid=1002\n    \nto contain substring\n    <string>: gid=2002",
            }
            expected "gid=2002" in container output: Expected
                <string>: uid=1002 gid=1002
                
            to contain substring
                <string>: gid=2002
        not to have occurred
      
      /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/util.go:2325
      ```
      
      With the fix:
      ```
      SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
      ------------------------------
      [k8s.io] [sig-node] Security Context [Feature:SecurityContext] 
        should support container.SecurityContext.RunAsUser And container.SecurityContext.RunAsGroup [Feature:RunAsGroup]
        /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:112
      [BeforeEach] [k8s.io] [sig-node] Security Context [Feature:SecurityContext]
        /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:141
      STEP: Creating a kubernetes client
      Jul  6 15:38:43.994: INFO: >>> kubeConfig: /var/run/kubernetes/admin.kubeconfig
      STEP: Building a namespace api object, basename security-context
      Jul  6 15:38:44.024: INFO: No PodSecurityPolicies found; assuming PodSecurityPolicy is disabled.
      STEP: Waiting for a default service account to be provisioned in namespace
      [It] should support container.SecurityContext.RunAsUser And container.SecurityContext.RunAsGroup [Feature:RunAsGroup]
        /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:112
      STEP: Creating a pod to test pod.Spec.SecurityContext.RunAsUser
      Jul  6 15:38:44.027: INFO: Waiting up to 5m0s for pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064" in namespace "e2e-tests-security-context-hwm7l" to be "success or failure"
      Jul  6 15:38:44.029: INFO: Pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064": Phase="Pending", Reason="", readiness=false. Elapsed: 1.17106ms
      Jul  6 15:38:46.031: INFO: Pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064": Phase="Pending", Reason="", readiness=false. Elapsed: 2.003308423s
      Jul  6 15:38:48.033: INFO: Pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064": Phase="Succeeded", Reason="", readiness=false. Elapsed: 4.005287901s
      STEP: Saw pod success
      Jul  6 15:38:48.033: INFO: Pod "security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064" satisfied condition "success or failure"
      Jul  6 15:38:48.034: INFO: Trying to get logs from node 127.0.0.1 pod security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064 container test-container: <nil>
      STEP: delete the pod
      Jul  6 15:38:48.047: INFO: Waiting for pod security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064 to disappear
      Jul  6 15:38:48.049: INFO: Pod security-context-56aac70e-816d-11e8-91cd-8cdcd43ac064 no longer exists
      [AfterEach] [k8s.io] [sig-node] Security Context [Feature:SecurityContext]
        /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:142
      Jul  6 15:38:48.049: INFO: Waiting up to 3m0s for all (but 0) nodes to be ready
      STEP: Destroying namespace "e2e-tests-security-context-hwm7l" for this suite.
      Jul  6 15:38:54.057: INFO: Waiting up to 30s for server preferred namespaced resources to be successfully discovered
      Jul  6 15:38:54.084: INFO: namespace: e2e-tests-security-context-hwm7l, resource: bindings, ignored listing per whitelist
      Jul  6 15:38:54.107: INFO: namespace e2e-tests-security-context-hwm7l deletion completed in 6.056285097s
      
      • [SLOW TEST:10.113 seconds]
      [k8s.io] [sig-node] Security Context [Feature:SecurityContext]
      /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:679
        should support container.SecurityContext.RunAsUser And container.SecurityContext.RunAsGroup [Feature:RunAsGroup]
        /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:112
      ------------------------------
      SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
      ------------------------------
      [k8s.io] [sig-node] Security Context [Feature:SecurityContext] 
        should support pod.Spec.SecurityContext.RunAsUser And pod.Spec.SecurityContext.RunAsGroup [Feature:RunAsGroup]
        /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:84
      [BeforeEach] [k8s.io] [sig-node] Security Context [Feature:SecurityContext]
        /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:141
      STEP: Creating a kubernetes client
      Jul  6 15:38:54.108: INFO: >>> kubeConfig: /var/run/kubernetes/admin.kubeconfig
      STEP: Building a namespace api object, basename security-context
      STEP: Waiting for a default service account to be provisioned in namespace
      [It] should support pod.Spec.SecurityContext.RunAsUser And pod.Spec.SecurityContext.RunAsGroup [Feature:RunAsGroup]
        /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:84
      STEP: Creating a pod to test pod.Spec.SecurityContext.RunAsUser
      Jul  6 15:38:54.137: INFO: Waiting up to 5m0s for pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064" in namespace "e2e-tests-security-context-hs2vr" to be "success or failure"
      Jul  6 15:38:54.138: INFO: Pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064": Phase="Pending", Reason="", readiness=false. Elapsed: 1.374422ms
      Jul  6 15:38:56.140: INFO: Pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064": Phase="Pending", Reason="", readiness=false. Elapsed: 2.003249942s
      Jul  6 15:38:58.142: INFO: Pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064": Phase="Succeeded", Reason="", readiness=false. Elapsed: 4.005110799s
      STEP: Saw pod success
      Jul  6 15:38:58.142: INFO: Pod "security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064" satisfied condition "success or failure"
      Jul  6 15:38:58.143: INFO: Trying to get logs from node 127.0.0.1 pod security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064 container test-container: <nil>
      STEP: delete the pod
      Jul  6 15:38:58.149: INFO: Waiting for pod security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064 to disappear
      Jul  6 15:38:58.152: INFO: Pod security-context-5cb16d23-816d-11e8-91cd-8cdcd43ac064 no longer exists
      [AfterEach] [k8s.io] [sig-node] Security Context [Feature:SecurityContext]
        /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:142
      Jul  6 15:38:58.152: INFO: Waiting up to 3m0s for all (but 0) nodes to be ready
      STEP: Destroying namespace "e2e-tests-security-context-hs2vr" for this suite.
      Jul  6 15:39:04.157: INFO: Waiting up to 30s for server preferred namespaced resources to be successfully discovered
      Jul  6 15:39:04.175: INFO: namespace: e2e-tests-security-context-hs2vr, resource: bindings, ignored listing per whitelist
      Jul  6 15:39:04.193: INFO: namespace e2e-tests-security-context-hs2vr deletion completed in 6.039953722s
      
      • [SLOW TEST:10.085 seconds]
      [k8s.io] [sig-node] Security Context [Feature:SecurityContext]
      /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:679
        should support pod.Spec.SecurityContext.RunAsUser And pod.Spec.SecurityContext.RunAsGroup [Feature:RunAsGroup]
        /go/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/node/security_context.go:84
      ------------------------------
      SSSSJul  6 15:39:04.193: INFO: Running AfterSuite actions on all node
      Jul  6 15:39:04.193: INFO: Running AfterSuite actions on node 1
      
      Ran 2 of 1007 Specs in 50.246 seconds
      SUCCESS! -- 2 Passed | 0 Failed | 0 Pending | 1005 Skipped PASS
      
      Ginkgo ran 1 suite in 50.482926642s
      Test Suite Passed
      2018/07/06 15:39:04 process.go:155: Step './hack/ginkgo-e2e.sh -host=https://localhost:6443 --ginkgo.focus=RunAsGroup' finished in 50.523613088s
      2018/07/06 15:39:04 e2e.go:83: Done
      ```
      
      We should cherry-pick this to 1.10 and 1.11. /cc @kubernetes/sig-node-bugs 
      
      ```release-note
      Fix `RunAsGroup` which doesn't work since 1.10.
      ```
      f634f7da
    • Kubernetes Submit Queue's avatar
      Merge pull request #65252 from jingax10/script_cleanup_branch · 3e5b902c
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
      
      Remove echo cmd when overwriting a file from an Env var.
      
      **What this PR does / why we need it**:
      
      Cleanup the shell script.
      
      **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
      Fixes #
      
      **Special notes for your reviewer**:
      
      **Release note**:
      
      ```release-note
      "NONE"
      ```
      3e5b902c
  4. 06 Jul, 2018 8 commits
    • Yu-Ju Hong's avatar
      Add a README in test/e2e/node with a warning · e5bd6b1e
      Yu-Ju Hong authored
      e5bd6b1e
    • Benjamin Elder's avatar
      delete copied comment · 2583c122
      Benjamin Elder authored
      2583c122
    • Benjamin Elder's avatar
      switch to glob · 0b437106
      Benjamin Elder authored
      0b437106
    • Benjamin Elder's avatar
      ca79547e
    • Lantao Liu's avatar
      Fix RunAsGroup. · 3193a4a4
      Lantao Liu authored
      3193a4a4
    • Kubernetes Submit Queue's avatar
      Merge pull request #65815 from wojtek-t/kube_proxy_less_allocations · 5114d4e0
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue (batch tested with PRs 65897, 65909, 65856, 65815). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
      
      Reduce number of memory allocations when parsing iptables
      5114d4e0
    • Kubernetes Submit Queue's avatar
      Merge pull request #65856 from deads2k/controller-01-ignored · d1608c2e
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue (batch tested with PRs 65897, 65909, 65856, 65815). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
      
      only need to ignore resources that match discovery conditions
      
      GC and quota controllers ignore resources that are too expensive to manage.  In kube this is only events.  The incompatible resources should now be excluded on the basis of discovery.  We should actually reflect that in the RESTStorage (done for GC for events) and discovery too.
      
      @liggitt 
      @kubernetes/sig-api-machinery-bugs 
      
      ```release-note
      NONE
      ```
      d1608c2e
    • Kubernetes Submit Queue's avatar
      Merge pull request #65909 from liggitt/rbac-escalation-msg · 5b9cc7fb
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue (batch tested with PRs 65897, 65909, 65856, 65815). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
      
      make RBAC escalation error message more useful
      
      Fixes #65804
      
      Tested by granting a namespaced admin role to a user, then attempt to grant a broader role as that user:
      
      ```
      kubectl create rolebinding user1-admin --clusterrole=admin --user=user1
      kubectl create rolebinding user2-volume --as=user1 --clusterrole=system:volume-scheduler --user=user2
      ```
      
      before:
      > Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io "user2-volume" is forbidden: attempt to grant extra privileges: [{[get] [] [persistentvolumes] [] []} {[list] [] [persistentvolumes] [] []} {[patch] [] [persistentvolumes] [] []} {[update] [] [persistentvolumes] [] []} {[watch] [] [persistentvolumes] [] []} {[get] [storage.k8s.io] [storageclasses] [] []} {[list] [storage.k8s.io] [storageclasses] [] []} {[watch] [storage.k8s.io] [storageclasses] [] []}] user=&{user1  [system:authenticated] map[]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]} {[create delete deletecollection get list patch update watch] [] [pods pods/attach pods/exec pods/portforward pods/proxy] [] []} {[create delete deletecollection get list patch update watch] [] [configmaps endpoints persistentvolumeclaims replicationcontrollers replicationcontrollers/scale secrets serviceaccounts services services/proxy] [] []} {[get list watch] [] [bindings events limitranges namespaces/status pods/log pods/status replicationcontrollers/status resourcequotas resourcequotas/status] [] []} {[get list watch] [] [namespaces] [] []} {[impersonate] [] [serviceaccounts] [] []} {[create delete deletecollection get list patch update watch] [apps] [daemonsets deployments deployments/rollback deployments/scale replicasets replicasets/scale statefulsets statefulsets/scale] [] []} {[create delete deletecollection get list patch update watch] [autoscaling] [horizontalpodautoscalers] [] []} {[create delete deletecollection get list patch update watch] [batch] [cronjobs jobs] [] []} {[create delete deletecollection get list patch update watch] [extensions] [daemonsets deployments deployments/rollback deployments/scale ingresses networkpolicies replicasets replicasets/scale replicationcontrollers/scale] [] []} {[create delete deletecollection get list patch update watch] [policy] [poddisruptionbudgets] [] []} {[create delete deletecollection get list patch update watch] [networking.k8s.io] [networkpolicies] [] []} {[create] [authorization.k8s.io] [localsubjectaccessreviews] [] []} {[create delete deletecollection get list patch update watch] [rbac.authorization.k8s.io] [rolebindings roles] [] []}] ruleResolutionErrors=[]
      
      after
      > Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io "user2-volume" is forbidden: user "user1" (groups=["system:authenticated"]) is attempting to grant RBAC permissions not currently held:
      > {APIGroups:[""], Resources:["persistentvolumes"], Verbs:["get" "list" "patch" "update" "watch"]}
      > {APIGroups:["storage.k8s.io"], Resources:["storageclasses"], Verbs:["get" "list" "watch"]}
      5b9cc7fb