test: RunAsUser causes pods to not start on Windows

[jsturtevant]

What type of PR is this?

/kind failing-test

What this PR does / why we need it:

#109946 Introduced Restricted policy for some of the pod tests. This broke due to #102849. See https://prow.k8s.io/view/gs/kubernetes-jenkins/logs/ci-kubernetes-e2e-capz-master-containerd-windows/1529769915945324544

If the e2e suite is running with nodeOSDistro = windows then we set it to nil.

Which issue(s) this PR fixes:

Fixes #
Related to https://github.com/kubernetes/kubernetes/pull/109946/files#r881112011

Special notes for your reviewer:

Does this PR introduce a user-facing change?

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

/sig windows
/cc @marosset @liggitt @tallclair

[liggitt]

huh... I didn't expect this bit... do we not have any e2es that test non-homogenous clusters?

[liggitt]

I more expected to just drop RunAsUser

[jsturtevant]

We have a test in Windows that explicitly tests that network connectivity work across Windows and Linux. But otherwise, the assumption is the cluster we run tests against would either be Linux nodes or Windows nodes not both (other than the control plane node for Linux)

[jsturtevant]

Oh, ok so we should just drop the RunAsUser? (#109946 (comment))

[tallclair]

If we drop it, the callers still need to set RunAsUser for a bunch of the tests to pass on linux, which is still going to run into the same issues of either breaking windows or needing to determine the node OS...

[liggitt]

the callers still need to set RunAsUser for a bunch of the tests to pass on linux

is that true? I didn't think most tests were explicitly setting RunAsUser, and instead were running images that weren't built to use root by default

[tallclair]

Most of them use the pause image, which should be ok, but there's also a handful using busybox which doesn't set a user.

[jsturtevant]

/test pull-kubernetes-e2e-capz-windows-containerd

[endocrimes]

/test pull-kubernetes-node-kubelet-serial-containerd

[jsturtevant]

looking into the failure which seems to be that the apiserver pod didn't start. Don't believe it was related to this

/test pull-kubernetes-e2e-capz-windows-containerd

[jsturtevant]

/test pull-kubernetes-e2e-capz-windows-containerd

[marosset]

Since --node-os-distro is set as a e2e.test argument and we do schedule some linux containers during some Windows specific e2e tests this would add windows options with RunAsUserName set for those linux containers.
I don't think this will be an issue but did want to call that out.

[tallclair]

option: make 2 versions of GetRestrictedPodSecurityContext, one that guesses the OS and one that lets it be explicitly specified.

Then, the Mixin function should use the PodOS if present.

func GetRestrictedPodSecurityContext() *v1.PodSecurityContext {
  if NodeOSDistroIs("windows") {
    return GetRestrictedPodSecurityContextForOS(v1.WindowsPodOS) // could just be a string until PodOS merges?
  }
  return GetRestrictedPodSecurityContextForOS(v1.LinuxPodOS) // default
}

func GetRestrictedPodSecurityContextForOS(os PodOS) *v1.PodSecurityContext {
  // Bulk of the work
}

[jsturtevant]

I looked at doing this but seems like it should really be done when // TODO(#105919): Handle PodOS for windows pods. is completed. It made things a bit messier than it is now because there are a couple different cases too cover (framework.NodeOSDistroIs and handling PodOSsince this needs to be addressed in MixinRestrictedPodSecurity as well.

[jsturtevant]

That failure was similiar to earlier, I haven't been able to figure out what it is yet. The control plane didn't start:

kube-apiserver-capz-conf-6bprnv-control-plane-frsww          capz-conf-6bprnv-control-plane-frsww Pending       []
kube-controller-manager-capz-conf-6bprnv-control-plane-frsww capz-conf-6bprnv-control-plane-frsww Pending       []
kube-scheduler-capz-conf-6bprnv-control-plane-frsww          capz-conf-6bprnv-control-plane-frsww Pending 

/test pull-kubernetes-e2e-capz-windows-containerd

[jsturtevant]

Windows job passed, created kubernetes-sigs/cluster-api-provider-azure#2338 to track issue with capz cluster.

/assign @marosset @liggitt @tallclair

[marosset]

LGTM for me from Windows.
I noted one slight concern above and am satisfied with the approach

[marosset]

/triage accepted
/priority critical-urgent
(since this is breaking tests)

[k8s-ci-robot]

@marosset: The label(s) priority/critical-urgernt cannot be applied, because the repository doesn't have them.

In response to this:

/triage accepted
/priority critical-urgernt
(since this is breaking tests)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ravisantoshgudimetla]

Do you want to add similar securityContext checks for containers? It may not be a problem unless pod's explicitly have containers that have Windows options set.

[jsturtevant]

This doesn't look to set the users for the containers currently, so left it out for now.

[marosset]

/lgtm

[jsturtevant]

@liggitt @tallclair any further thoughts on these changes?

[jsturtevant]

/priority critical-urgent

[dims]

/approve

/hold for previous reviewers to chime in again.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, jsturtevant

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• test/e2e/framework/OWNERS [dims]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tallclair]

We might be able to clean this up further, but if this fixes currently failing tests we should probably merge it and iterate.

[tallclair]

nit: Is there a constant defined for this?

[jsturtevant]

There doesn't seem to be, If you search for it you will find it mostly used like this https://github.com/kubernetes/kubernetes/search?q=NodeOSDistroIs&type=code.

[tallclair]

nit: consider just clearing the RunAsUser here, to cut down on the number of places we need to check the OS

[jsturtevant]

I tried this but it is also needed in MixRestrictedPodSecurty and without using podOS (which has a TODO) I think it gets a bit unwieldy

[tallclair]

option: make 2 versions of GetRestrictedPodSecurityContext, one that guesses the OS and one that lets it be explicitly specified.

Then, the Mixin function should use the PodOS if present.

func GetRestrictedPodSecurityContext() *v1.PodSecurityContext {
  if NodeOSDistroIs("windows") {
    return GetRestrictedPodSecurityContextForOS(v1.WindowsPodOS) // could just be a string until PodOS merges?
  }
  return GetRestrictedPodSecurityContextForOS(v1.LinuxPodOS) // default
}

func GetRestrictedPodSecurityContextForOS(os PodOS) *v1.PodSecurityContext {
  // Bulk of the work
}

[jsturtevant]

@tallclair the feedback is valid but after trying it out it really feels like those changes should come in with the // TODO(#105919): Handle PodOS for windows pods. Are you ok with merging as is and revisting when PodOS is handled?

[marosset]

@tallclair the feedback is valid but after trying it out it really feels like those changes should come in with the // TODO(#105919): Handle PodOS for windows pods. Are you ok with merging as is and revisting when PodOS is handled?

Our sig-windows jobs targeting master are currently failing some tests because of this issue.
Can we use these changes as a mitigation and follow up with a more permanent solution to help us get our CI signal back to green?

[tallclair]

/hold cancel

Yes, let's follow up.