integration: Disable installing Security Profile Operator #2486
Conversation
The security profile operator is only used by TestAuditSeccomp to install a simple seccomp profile in the cluster. This is an overkill. This commit uses a simpler approach by copying the profile by using a DaemonSet to the node and disables installing this by default. The code to deploy/undeploy the SPO isn't removed as it could be useful to test the "advise seccomp" gadget in the future. Some reasons to avoid deploying the SPO are: - It needs quite a lot of resources - It takes a lot of time to be deployed - Some times it fails to be deployed, and also to be cleanup, leaving it running on the cluster Signed-off-by: Mauricio Vasquez <mauriciov@microsoft.com>
There was a problem hiding this comment.
I tested it on minikube and AKS is working fine. I agree that removing SPO as a dependency frees resources and simplify things.
Perhaps we should confirm with @blanquicet as well before removing SPO.
| @@ -25,8 +25,6 @@ import ( | |||
|
|
|||
| func TestAuditSeccomp(t *testing.T) { | |||
There was a problem hiding this comment.
Just wondering if we should also have a TestAuditSeccompSPO which allows testing with SPO and is guarded by:
if *doNotDeploySPO {
t.Skip("Skipping test since SPO is not deployed")
}
Not sure if it makes sense or not.
There was a problem hiding this comment.
I don't think it's necessary as using this manual sp installation approach fully tests the audit-seccomp gadget.
| @@ -25,8 +25,6 @@ import ( | |||
|
|
|||
| func TestAuditSeccomp(t *testing.T) { | |||
There was a problem hiding this comment.
I don't think it's necessary as using this manual sp installation approach fully tests the audit-seccomp gadget.
| doNotDeploySPO = flag.Bool("no-deploy-spo", false, "don't deploy the Security Profiles Operator (SPO)") | ||
| doNotDeploySPO = flag.Bool("no-deploy-spo", true, "don't deploy the Security Profiles Operator (SPO)") |
There was a problem hiding this comment.
I agree to keep the code because it will be helpful to test the advise seccomp-profile gadget, see #975.
|
Merging now, I'll monitor this test to see if there are any issues later on. |
The security profile operator is only used by TestAuditSeccomp to install a simple seccomp profile in the cluster. This is an overkill.
This commit uses a simpler approach by copying the profile by using a DaemonSet to the node and disables installing this by default. The code to deploy/undeploy the SPO isn't removed as it could be useful to test the "advise seccomp" gadget in the future.
Some reasons to avoid deploying the SPO are: