UPSTREAM: <carry>: e2e-framework: don't autosync PodSecurity labels
In the tests, we oftentimes create pods directly by the administrative
user and so their SCC-related privileges are being used to create the
pods. The PSa label syncer however works by introspecting SAs in each
namespace, and since the SAs in the direct pod creation use-cases don't
have the SCC-related privileges, the label syncer evaluates these
namespaces as "restricted" because only the "restricted-v2" SCC is ever
assigned in the namespaces. This breaks tests where pods are created
directly.

OpenShift-Rebase-Source: 4b7ae56
stlaz authored and soltysh committed Dec 20, 2023
1 parent 6cb6a49 commit da2d390
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions test/e2e/framework/framework.go
@@ -460,6 +460,9 @@ func (f *Framework) CreateNamespace(ctx context.Context, baseName string, labels
labels[admissionapi.EnforceLevelLabel] = firstNonEmptyPSaLevelOrRestricted(f.NamespacePodSecurityEnforceLevel, f.NamespacePodSecurityLevel)
labels[admissionapi.WarnLevelLabel] = firstNonEmptyPSaLevelOrRestricted(f.NamespacePodSecurityWarnLevel, f.NamespacePodSecurityLevel)
labels[admissionapi.AuditLevelLabel] = firstNonEmptyPSaLevelOrRestricted(f.NamespacePodSecurityAuditLevel, f.NamespacePodSecurityLevel)
// turn off the OpenShift label syncer so that it does not attempt to sync
// the PodSecurity admission labels
labels["security.openshift.io/scc.podSecurityLabelSync"] = "false"

ns, err := createTestingNS(ctx, baseName, f.ClientSet, labels)
// check ns instead of err to see if it's nil as we may
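Review bot: the new assignment at `labels["security.openshift.io/scc.podSecurityLabelSync"] = "false"` unconditionally overwrites whatever a caller may already have placed under that key in the `labels` map, so a test that deliberately wants label syncing enabled for its namespace has no way to opt back in through `CreateNamespace`. Consider only setting the value when the key is absent, e.g. `if _, ok := labels["security.openshift.io/scc.podSecurityLabelSync"]; !ok { ... }`, or documenting in the comment that the framework forces it off for every namespace it creates. Separately, the label key is a bare string literal while the three PSa keys just above it use `admissionapi.*Label` constants; pulling it into a named constant (a package-level `const` in this file would do if no shared one exists) keeps the key in one place and makes the intent greppable for anyone auditing which tests bypass the syncer.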