diff --git a/README.md b/README.md index 8124f31ff..c706cb143 100644 --- a/README.md +++ b/README.md @@ -90,19 +90,8 @@ Kube-rbac-proxy flags: Global flags: - --add-dir-header If true, adds the file directory to the header of the log messages (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components) - --alsologtostderr log to standard error as well as files (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components) - -h, --help help for kube-rbac-proxy - --log-backtrace-at traceLocation when logging hits line file:N, emit a stack trace (default :0) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components) - --log-dir string If non-empty, write log files in this directory (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components) - --log-file string If non-empty, use this log file (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components) - --log-file-max-size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components) - --logtostderr log to standard error instead of files (default true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components) - --one-output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components) - --skip-headers If true, avoid header prefixes in the log messages (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components) - --skip-log-headers If true, avoid headers when opening log files (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components) - --stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components) - --version version[=true] Print version information and quit + -h, --help help for kube-rbac-proxy + --version version[=true] --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version ``` diff --git a/cmd/kube-rbac-proxy/app/kube-rbac-proxy.go b/cmd/kube-rbac-proxy/app/kube-rbac-proxy.go index 0b62b222d..0b67728ac 100644 --- a/cmd/kube-rbac-proxy/app/kube-rbac-proxy.go +++ b/cmd/kube-rbac-proxy/app/kube-rbac-proxy.go @@ -40,7 +40,6 @@ import ( "golang.org/x/net/http2" "golang.org/x/net/http2/h2c" - utilerrors "k8s.io/apimachinery/pkg/util/errors" "k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authorization/union" "k8s.io/client-go/kubernetes" @@ -84,17 +83,16 @@ that can perform RBAC authorization against the Kubernetes API using SubjectAcce k8sapiflag.PrintFlags(fs) + if err := o.Validate(); err != nil { + return err + } + // set default options completedOptions, err := Complete(o) if err != nil { return err } - // validate options - if errs := completedOptions.Validate(); len(errs) != 0 { - return utilerrors.NewAggregate(errs) - } - return Run(completedOptions) }, Args: func(cmd *cobra.Command, args []string) error { @@ -146,63 +144,6 @@ type completedProxyRunOptions struct { ignorePaths []string } -func (o *completedProxyRunOptions) Validate() []error { - var errs []error - - hasCerts := !(o.tls.CertFile == "") && !(o.tls.KeyFile == "") - hasInsecureListenAddress := o.insecureListenAddress != "" - if !hasCerts || hasInsecureListenAddress { - klog.Warning(` -==== Deprecation Warning ====================== - -Insecure listen address will be removed. -Using --insecure-listen-address won't be possible! - -The ability to run kube-rbac-proxy without TLS certificates will be removed. -Not using --tls-cert-file and --tls-private-key-file won't be possible! - -For more information, please go to https://github.com/brancz/kube-rbac-proxy/issues/187 - -=============================================== - - `) - } - - if o.tls.ReloadInterval != time.Minute { - klog.Warning(` -==== Deprecation Warning ====================== - -tls-reload-interval will be removed. -Using --tls-reload-interval won't be possible! - -For more information, please go to https://github.com/brancz/kube-rbac-proxy/issues/196 - -=============================================== - `) - - } - - if len(o.allowPaths) > 0 && len(o.ignorePaths) > 0 { - errs = append(errs, fmt.Errorf("cannot use --allow-paths and --ignore-paths together")) - } - - for _, pathAllowed := range o.allowPaths { - _, err := path.Match(pathAllowed, "") - if err != nil { - errs = append(errs, fmt.Errorf("failed to verify allow path: %s", pathAllowed)) - } - } - - for _, pathIgnored := range o.ignorePaths { - _, err := path.Match(pathIgnored, "") - if err != nil { - errs = append(errs, fmt.Errorf("failed to verify ignored path: %s", pathIgnored)) - } - } - - return errs -} - func Complete(o *options.ProxyRunOptions) (*completedProxyRunOptions, error) { var err error completed := &completedProxyRunOptions{ @@ -451,7 +392,7 @@ func Run(cfg *completedProxyRunOptions) error { return srv.Serve(tlsListener) }, func(err error) { if err := srv.Shutdown(context.Background()); err != nil { - klog.Errorf("failed to gracefully shutdown server: %w", err) + klog.Error(fmt.Errorf("failed to gracefully shutdown server: %w", err)) } }) @@ -499,7 +440,7 @@ func Run(cfg *completedProxyRunOptions) error { return proxyEndpointsSrv.Serve(tlsListener) }, func(err error) { if err := proxyEndpointsSrv.Shutdown(context.Background()); err != nil { - klog.Errorf("failed to gracefully shutdown proxy endpoints server: %w", err) + klog.Error(fmt.Errorf("failed to gracefully shutdown proxy endpoints server: %w", err)) } }) } @@ -524,10 +465,10 @@ func Run(cfg *completedProxyRunOptions) error { return srv.Serve(l) }, func(err error) { if err := srv.Shutdown(context.Background()); err != nil { - klog.Errorf("failed to gracefully shutdown server: %w", err) + klog.Error(fmt.Errorf("failed to gracefully shutdown server: %w", err)) } if err := l.Close(); err != nil { - klog.Errorf("failed to gracefully close listener: %w", err) + klog.Error(fmt.Errorf("failed to gracefully close listener: %w", err)) } }) } diff --git a/cmd/kube-rbac-proxy/app/options/options.go b/cmd/kube-rbac-proxy/app/options/options.go index 238d29240..3ef6ed739 100644 --- a/cmd/kube-rbac-proxy/app/options/options.go +++ b/cmd/kube-rbac-proxy/app/options/options.go @@ -17,13 +17,18 @@ limitations under the License. package options import ( + "fmt" + "path" "time" + utilerrors "k8s.io/apimachinery/pkg/util/errors" k8sapiflag "k8s.io/component-base/cli/flag" + "k8s.io/klog/v2" "github.com/brancz/kube-rbac-proxy/pkg/authn" "github.com/brancz/kube-rbac-proxy/pkg/authz" "github.com/brancz/kube-rbac-proxy/pkg/proxy" + "github.com/spf13/pflag" ) type ProxyRunOptions struct { @@ -45,6 +50,22 @@ type ProxyRunOptions struct { HTTP2Disable bool HTTP2MaxConcurrentStreams uint32 HTTP2MaxSize uint32 + + flagSet *pflag.FlagSet +} + +var disabledFlags = []string{ + "logtostderr", + "add-dir-header", + "alsologtostderr", + "log-backtrace-at", + "log-dir", + "log-file", + "log-file-max-size", + "one-output", + "skip-headers", + "skip-log-headers", + "stderrthreshold", } type TLSConfig struct { @@ -122,5 +143,84 @@ func (o *ProxyRunOptions) Flags() k8sapiflag.NamedFlagSets { flagset.Uint32Var(&o.HTTP2MaxConcurrentStreams, "http2-max-concurrent-streams", 100, "The maximum number of concurrent streams per HTTP/2 connection.") flagset.Uint32Var(&o.HTTP2MaxSize, "http2-max-size", 256*1024, "The maximum number of bytes that the server will accept for frame size and buffer per stream in a HTTP/2 request.") + // disabled flags + o.flagSet = flagset // reference used for validation + for _, disabledOpt := range disabledFlags { + _ = flagset.String(disabledOpt, "", "[DISABLED]") + if err := flagset.MarkHidden(disabledOpt); err != nil { + panic(err) + } + } + return namedFlagSets } + +func (o *ProxyRunOptions) Validate() error { + var errs []error + + hasCerts := !(o.TLS.CertFile == "") && !(o.TLS.KeyFile == "") + hasInsecureListenAddress := o.InsecureListenAddress != "" + if !hasCerts || hasInsecureListenAddress { + klog.Warning(` +==== Deprecation Warning ====================== + +Insecure listen address will be removed. +Using --insecure-listen-address won't be possible! + +The ability to run kube-rbac-proxy without TLS certificates will be removed. +Not using --tls-cert-file and --tls-private-key-file won't be possible! + +For more information, please go to https://github.com/brancz/kube-rbac-proxy/issues/187 + +=============================================== + + `) + } + + if o.TLS.ReloadInterval != time.Minute { + klog.Warning(` +==== Deprecation Warning ====================== + +tls-reload-interval will be removed. +Using --tls-reload-interval won't be possible! + +For more information, please go to https://github.com/brancz/kube-rbac-proxy/issues/196 + +=============================================== + `) + + } + + if len(o.AllowPaths) > 0 && len(o.IgnorePaths) > 0 { + errs = append(errs, fmt.Errorf("cannot use --allow-paths and --ignore-paths together")) + } + + for _, pathAllowed := range o.AllowPaths { + _, err := path.Match(pathAllowed, "") + if err != nil { + errs = append(errs, fmt.Errorf("failed to verify allow path: %s", pathAllowed)) + } + } + + for _, pathIgnored := range o.IgnorePaths { + _, err := path.Match(pathIgnored, "") + if err != nil { + errs = append(errs, fmt.Errorf("failed to verify ignored path: %s", pathIgnored)) + } + } + + // Removed upstream flags shouldn't be use + for _, disabledOpt := range disabledFlags { + if flag := o.flagSet.Lookup(disabledOpt); flag.Changed { + klog.Warningf(` +==== Removed Flag Warning ====================== + +%s is removed in the k8s upstream and has no effect any more. + +=============================================== + `, disabledOpt) + } + } + + return utilerrors.NewAggregate(errs) +} diff --git a/pkg/tls/reloader_test.go b/pkg/tls/reloader_test.go index 3494b1958..50c2836db 100644 --- a/pkg/tls/reloader_test.go +++ b/pkg/tls/reloader_test.go @@ -335,7 +335,8 @@ func writeTempFile(pattern string, data []byte) (string, error) { func poll(interval, timeout time.Duration, f func() error) error { var lastErr error - err := wait.Poll(interval, timeout, func() (bool, error) { + ctx := context.Background() + err := wait.PollUntilContextTimeout(ctx, interval, timeout, true, func(_ context.Context) (bool, error) { lastErr = f() if lastErr != nil { @@ -346,7 +347,7 @@ func poll(interval, timeout time.Duration, f func() error) error { return true, nil }) - if err != nil && err == wait.ErrWaitTimeout && lastErr != nil { + if err != nil && wait.Interrupted(err) && lastErr != nil { err = fmt.Errorf("%v: %v", err, lastErr) } diff --git a/test/e2e/allowpaths/deployment.yaml b/test/e2e/allowpaths/deployment.yaml index 06dc38abf..3ab4a211a 100644 --- a/test/e2e/allowpaths/deployment.yaml +++ b/test/e2e/allowpaths/deployment.yaml @@ -22,7 +22,6 @@ spec: - "--proxy-endpoints-port=8643" - "--upstream=http://127.0.0.1:8081/" - "--allow-paths=/metrics,/api/v1/label/*/values" - - "--logtostderr=true" - "--v=10" ports: - containerPort: 8443 diff --git a/test/e2e/basics.go b/test/e2e/basics.go index 30e1c7bdc..c89221194 100644 --- a/test/e2e/basics.go +++ b/test/e2e/basics.go @@ -108,6 +108,92 @@ func testBasics(client kubernetes.Interface) kubetest.TestSuite { } } +func testFlags(client kubernetes.Interface) kubetest.TestSuite { + return func(t *testing.T) { + command := `curl --connect-timeout 5 -v -s -k --fail -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kube-rbac-proxy.default.svc.cluster.local:8443/metrics` + + kubetest.Scenario{ + Name: "WithAllOtherDisabledFlags", + Description: ` + This should succeed. Even though all flags are set for kube-rbac-proxy. + This implies deprecated flags that got disabled. + `, + + Given: kubetest.Actions( + kubetest.CreatedManifests( + client, + "flags/clusterRole.yaml", + "flags/clusterRoleBinding.yaml", + "flags/deployment-other-flags.yaml", + "flags/service.yaml", + "flags/serviceAccount.yaml", + "flags/clusterRole-client.yaml", + "flags/clusterRoleBinding-client.yaml", + ), + ), + When: kubetest.Actions( + kubetest.PodsAreReady( + client, + 1, + "app=kube-rbac-proxy", + ), + kubetest.ServiceIsReady( + client, + "kube-rbac-proxy", + ), + ), + Then: kubetest.Actions( + kubetest.ClientSucceeds( + client, + command, + nil, + ), + ), + }.Run(t) + + kubetest.Scenario{ + Name: "WithDisabledLogToStdErr", + Description: ` + This should succeed. Even though logtostderr flag is set for + kube-rbac-proxy. + It is complementary to the other flags above. + `, + + Given: kubetest.Actions( + kubetest.CreatedManifests( + client, + "flags/clusterRole.yaml", + "flags/clusterRoleBinding.yaml", + "flags/deployment-logtostderr.yaml", + "flags/service.yaml", + "flags/serviceAccount.yaml", + // This adds the clients cluster role to succeed + "flags/clusterRole-client.yaml", + "flags/clusterRoleBinding-client.yaml", + ), + ), + When: kubetest.Actions( + kubetest.PodsAreReady( + client, + 1, + "app=kube-rbac-proxy", + ), + kubetest.ServiceIsReady( + client, + "kube-rbac-proxy", + ), + ), + Then: kubetest.Actions( + kubetest.ClientSucceeds( + client, + command, + nil, + ), + ), + }.Run(t) + } +} + func testTokenAudience(client kubernetes.Interface) kubetest.TestSuite { return func(t *testing.T) { command := `curl --connect-timeout 5 -v -s -k --fail -H "Authorization: Bearer $(cat /var/run/secrets/tokens/requestedtoken)" https://kube-rbac-proxy.default.svc.cluster.local:8443/metrics` diff --git a/test/e2e/basics/deployment.yaml b/test/e2e/basics/deployment.yaml index 086622c1c..be9b2469e 100644 --- a/test/e2e/basics/deployment.yaml +++ b/test/e2e/basics/deployment.yaml @@ -20,7 +20,6 @@ spec: args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" - - "--logtostderr=true" - "--v=10" ports: - containerPort: 8443 diff --git a/test/e2e/clientcertificates/deployment-wrongca.yaml b/test/e2e/clientcertificates/deployment-wrongca.yaml index 744a368d6..b47c5c822 100644 --- a/test/e2e/clientcertificates/deployment-wrongca.yaml +++ b/test/e2e/clientcertificates/deployment-wrongca.yaml @@ -20,7 +20,6 @@ spec: args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" - - "--logtostderr=true" - "--client-ca-file=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" - "--v=10" ports: diff --git a/test/e2e/clientcertificates/deployment.yaml b/test/e2e/clientcertificates/deployment.yaml index ed8c1808f..348ecbcc3 100644 --- a/test/e2e/clientcertificates/deployment.yaml +++ b/test/e2e/clientcertificates/deployment.yaml @@ -20,7 +20,6 @@ spec: args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" - - "--logtostderr=true" - "--client-ca-file=/certs/ca.crt" - "--v=10" ports: diff --git a/test/e2e/flags/clusterRole-client.yaml b/test/e2e/flags/clusterRole-client.yaml new file mode 100644 index 000000000..421a9d947 --- /dev/null +++ b/test/e2e/flags/clusterRole-client.yaml @@ -0,0 +1,7 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metrics +rules: + - nonResourceURLs: ["/metrics"] + verbs: ["get"] diff --git a/test/e2e/flags/clusterRole.yaml b/test/e2e/flags/clusterRole.yaml new file mode 100644 index 000000000..e9bc500b7 --- /dev/null +++ b/test/e2e/flags/clusterRole.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kube-rbac-proxy + namespace: default +rules: + - apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: + - subjectaccessreviews + verbs: ["create"] diff --git a/test/e2e/flags/clusterRoleBinding-client.yaml b/test/e2e/flags/clusterRoleBinding-client.yaml new file mode 100644 index 000000000..4f93e2b8c --- /dev/null +++ b/test/e2e/flags/clusterRoleBinding-client.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: metrics +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: metrics +subjects: + - kind: ServiceAccount + name: default + namespace: default diff --git a/test/e2e/flags/clusterRoleBinding.yaml b/test/e2e/flags/clusterRoleBinding.yaml new file mode 100644 index 000000000..f7be8fa4e --- /dev/null +++ b/test/e2e/flags/clusterRoleBinding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kube-rbac-proxy + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kube-rbac-proxy +subjects: + - kind: ServiceAccount + name: kube-rbac-proxy + namespace: default diff --git a/test/e2e/flags/deployment-logtostderr.yaml b/test/e2e/flags/deployment-logtostderr.yaml new file mode 100644 index 000000000..086622c1c --- /dev/null +++ b/test/e2e/flags/deployment-logtostderr.yaml @@ -0,0 +1,31 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kube-rbac-proxy + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: kube-rbac-proxy + template: + metadata: + labels: + app: kube-rbac-proxy + spec: + serviceAccountName: kube-rbac-proxy + containers: + - name: kube-rbac-proxy + image: quay.io/brancz/kube-rbac-proxy:local + args: + - "--secure-listen-address=0.0.0.0:8443" + - "--upstream=http://127.0.0.1:8081/" + - "--logtostderr=true" + - "--v=10" + ports: + - containerPort: 8443 + name: https + - name: prometheus-example-app + image: quay.io/brancz/prometheus-example-app:v0.1.0 + args: + - "--bind=127.0.0.1:8081" diff --git a/test/e2e/flags/deployment-other-flags.yaml b/test/e2e/flags/deployment-other-flags.yaml new file mode 100644 index 000000000..070eb7932 --- /dev/null +++ b/test/e2e/flags/deployment-other-flags.yaml @@ -0,0 +1,40 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kube-rbac-proxy + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: kube-rbac-proxy + template: + metadata: + labels: + app: kube-rbac-proxy + spec: + serviceAccountName: kube-rbac-proxy + containers: + - name: kube-rbac-proxy + image: quay.io/brancz/kube-rbac-proxy:local + args: + - "--secure-listen-address=0.0.0.0:8443" + - "--upstream=http://127.0.0.1:8081/" + - "--add-dir-header=true" + - "--alsologtostderr=true" + - "--log-backtrace-at=0" + - "--log-dir=mustnotexist" + - "--log-file=mustnotexist" + - "--log-file-max-size=1800" + - "--one-output=true" + - "--skip-headers=true" + - "--skip-log-headers=true" + - "--stderrthreshold=2" + - "--v=10" + ports: + - containerPort: 8443 + name: https + - name: prometheus-example-app + image: quay.io/brancz/prometheus-example-app:v0.1.0 + args: + - "--bind=127.0.0.1:8081" diff --git a/test/e2e/flags/service.yaml b/test/e2e/flags/service.yaml new file mode 100644 index 000000000..b1ae11686 --- /dev/null +++ b/test/e2e/flags/service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: kube-rbac-proxy + name: kube-rbac-proxy + namespace: default +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + app: kube-rbac-proxy diff --git a/test/e2e/flags/serviceAccount.yaml b/test/e2e/flags/serviceAccount.yaml new file mode 100644 index 000000000..45feecc9c --- /dev/null +++ b/test/e2e/flags/serviceAccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-rbac-proxy + namespace: default diff --git a/test/e2e/h2c-upstream/deployment.yaml b/test/e2e/h2c-upstream/deployment.yaml index 5dcf88620..d340c642e 100644 --- a/test/e2e/h2c-upstream/deployment.yaml +++ b/test/e2e/h2c-upstream/deployment.yaml @@ -21,7 +21,6 @@ spec: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" - "--upstream-force-h2c=true" - - "--logtostderr=true" - "--v=10" ports: - containerPort: 8443 diff --git a/test/e2e/http2/deployment-no-http2.yaml b/test/e2e/http2/deployment-no-http2.yaml index babb96a41..32398eb96 100644 --- a/test/e2e/http2/deployment-no-http2.yaml +++ b/test/e2e/http2/deployment-no-http2.yaml @@ -21,7 +21,6 @@ spec: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" - "--ignore-paths=/metrics,/api/v1/*" - - "--logtostderr=true" - "--http2-disable=true" - "--v=10" ports: diff --git a/test/e2e/http2/deployment.yaml b/test/e2e/http2/deployment.yaml index 8e1f545b3..c04093ccc 100644 --- a/test/e2e/http2/deployment.yaml +++ b/test/e2e/http2/deployment.yaml @@ -21,7 +21,6 @@ spec: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" - "--ignore-paths=/metrics,/api/v1/*" - - "--logtostderr=true" - "--v=10" ports: - containerPort: 8443 diff --git a/test/e2e/ignorepaths/deployment.yaml b/test/e2e/ignorepaths/deployment.yaml index 8e1f545b3..c04093ccc 100644 --- a/test/e2e/ignorepaths/deployment.yaml +++ b/test/e2e/ignorepaths/deployment.yaml @@ -21,7 +21,6 @@ spec: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" - "--ignore-paths=/metrics,/api/v1/*" - - "--logtostderr=true" - "--v=10" ports: - containerPort: 8443 diff --git a/test/e2e/main_test.go b/test/e2e/main_test.go index ea5e5d04f..1529e9d91 100644 --- a/test/e2e/main_test.go +++ b/test/e2e/main_test.go @@ -60,6 +60,7 @@ func Test(t *testing.T) { "TLS": testTLS(client), "StaticAuthorizer": testStaticAuthorizer(client), "HTTP2": testHTTP2(client), + "Flags": testFlags(client), } for name, tc := range tests { diff --git a/test/e2e/static-auth/deployment.yaml b/test/e2e/static-auth/deployment.yaml index 21019bd60..da3e44394 100644 --- a/test/e2e/static-auth/deployment.yaml +++ b/test/e2e/static-auth/deployment.yaml @@ -23,7 +23,6 @@ spec: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" - "--config-file=/etc/kube-rbac-proxy/config-file.yaml" - - "--logtostderr=true" - "--v=10" ports: - containerPort: 8443 diff --git a/test/e2e/tokenrequest/deployment.yaml b/test/e2e/tokenrequest/deployment.yaml index f30ecb0f6..efbe2ccfd 100644 --- a/test/e2e/tokenrequest/deployment.yaml +++ b/test/e2e/tokenrequest/deployment.yaml @@ -21,7 +21,6 @@ spec: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" - "--auth-token-audiences=kube-rbac-proxy" - - "--logtostderr=true" - "--v=10" ports: - containerPort: 8443