e2e: support admissionapi.LevelRestricted in test/e2e/framework/pod #118134
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@chrishenzie, @humblec: tests should be passing now, please take a look. /hold For approval by some other test/e2e approver.
Ack, will review this soon. Thanks 👍
/cc @liggitt @s-urbaniak since they authored the initial implementation #106454
/retitle e2e: support admissionapi.LevelRestricted in test/e2e/framework/pod
It looks good to me. In many e2e test cases, we have been taking separate args/params for
@@ -72,7 +73,8 @@ func NewDeployment(deploymentName string, replicas int32, podLabels map[string]s | |||
|
|||
// CreateDeployment creates a deployment. | |||
func CreateDeployment(ctx context.Context, client clientset.Interface, replicas int32, podLabels map[string]string, nodeSelector map[string]string, namespace string, pvclaims []*v1.PersistentVolumeClaim, command string) (*appsv1.Deployment, error) { | |||
deploymentSpec := testDeployment(replicas, podLabels, nodeSelector, namespace, pvclaims, false, command) | |||
// TODO: let the caller decide about the security level. |
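Review bot: the `// TODO: let the caller decide about the security level.` on the last line has no owner or tracking issue, and the hard-coded `false` passed to testDeployment(...) on the line above appears to be exactly the decision it defers; either give CreateDeployment an admissionapi.Level parameter (as CreatePod gets in this PR) and drop the TODO, or tag it with a user or issue so it is not lost.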
mark the todo with a name or an issue
I started writing an issue and then noticed that the function is only called in three places. Addressing the TODO by passing admissionapi.LevelRestricted is now in this PR.
@@ -398,8 +399,9 @@ func runVolumeTesterPod(ctx context.Context, client clientset.Interface, timeout | |||
When SELinux is enabled on the host, client-pod can not read the content, with permission denied. | |||
Invoking client-pod as privileged, so that it can access the volume content, even when SELinux is enabled on the host. | |||
*/ | |||
if config.Prefix == "hostpathsymlink" || config.Prefix == "hostpath" { | |||
privileged = true | |||
securityLevel := admissionapi.LevelBaseline // TODO: also support LevelRestricted |
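Review bot: `securityLevel := admissionapi.LevelBaseline // TODO: also support LevelRestricted` leaves a TODO without an owner or issue, and the comment block above only justifies `privileged = true` for the hostpath prefixes, not why LevelBaseline is the default for every other prefix; tag the TODO with a user or issue, and consider taking the level from the caller (or the framework's NamespacePodSecurityEnforceLevel) so the restricted case is handled rather than deferred.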
associate the todo with a github user or an issue
@@ -178,7 +178,7 @@ var _ = utils.SIGDescribe("NFSPersistentVolumes[Disruptive][Flaky]", func() { | |||
framework.ExpectNoError(e2epv.WaitOnPVandPVC(ctx, c, f.Timeouts, ns, pv2, pvc2)) | |||
|
|||
ginkgo.By("Attaching both PVC's to a single pod") | |||
clientPod, err = e2epod.CreatePod(ctx, c, ns, nil, []*v1.PersistentVolumeClaim{pvc1, pvc2}, true, "") | |||
clientPod, err = e2epod.CreatePod(ctx, c, ns, nil, []*v1.PersistentVolumeClaim{pvc1, pvc2}, f.NamespacePodSecurityEnforceLevel, "") |
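Review bot: replacing `true` with `f.NamespacePodSecurityEnforceLevel` on the last line changes the pod from always privileged to whatever level the test namespace enforces, so the two are equivalent only while that namespace enforces LevelPrivileged; if these NFS pods need privileged access, pass admissionapi.LevelPrivileged explicitly or add a comment stating that this suite's framework namespace is privileged, ideally with an assertion on the enforce level so a future lowering fails loudly instead of silently changing the pod.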
`f.NamespacePodSecurityEnforceLevel` is not obviously equivalent to privileged... is it supposed to be? Comment applied everywhere this replacement was made.
The reasoning is this: if the function had been used to create a privileged pod in a namespace that only had LevelBaseline, then creating that pod would have failed. Therefore those namespaces must have been configured with LevelPrivileged and thus this change is valid.
These helper functions are unnecessarily complex: in theory, they could be used with different combinations of parameters, but in practice, that flexibility is never used. But the complexity comes at a cost when reading the code ("where do these values come from?"), when calling them (need to pass several parameters in the right order), or when extending them (adding another value in this PR). I think the helpers should be as simple as possible.
/retest
CreatePod and MakePod only accepted an `isPrivileged` boolean, which made it impossible to write tests using those helpers which work in a default framework.Framework, because the default there is LevelRestricted. The simple boolean gets replaced with admissionapi.Level. Passing LevelRestricted does the same as calling e2epod.MixinRestrictedPodSecurity. Instead of explicitly passing a constant to these modified helpers, most tests get updated to pass f.NamespacePodSecurityLevel. This has the advantage that if that level gets lowered in the future, tests only need to be updated in one place. In some cases, helpers taking client+namespace+timeouts parameters get replaced with passing the Framework instance to get access to f.NamespacePodSecurityEnforceLevel. These helpers don't need separate parameters because in practice all they ever used were the values from the Framework instance.
/lgtm
LGTM label has been added. Git tree hash: 342dbda0f62df098072f1fb5086670bb9c991d45
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: liggitt, pohly. The full list of commands accepted by this bot can be found here. The pull request process is described here.
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
CreatePod and MakePod only accepted an `isPrivileged` boolean, which made it impossible to write tests using those helpers which work in a default framework.Framework, because the default there is LevelRestricted. The simple boolean gets replaced with admissionapi.Level. Passing LevelRestricted does the same as calling e2epod.MixinRestrictedPodSecurity.
Special notes for your reviewer:
Instead of explicitly passing a constant to these modified helpers, most tests get updated to pass f.NamespacePodSecurityEnforceLevel. This has the advantage that if that level gets lowered in the future, tests only need to be updated in one place.
In some cases, helpers taking client+namespace+timeouts parameters get replaced with passing the Framework instance to get access to f.NamespacePodSecurityEnforceLevel. These helpers don't need separate parameters because in practice all they ever used were the values from the Framework instance.
See also https://kubernetes.slack.com/archives/C019LFTGNQ3/p1684501567057229
Does this PR introduce a user-facing change?
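As an added illustration (not code from this PR or from kubernetes/kubernetes) of the bool-to-level change and of the equivalence argument made in the thread, with local stand-ins for admissionapi.Level and for the pod fields that e2epod.MixinRestrictedPodSecurity sets:

```go
package main

import "fmt"

// Added example, not kubernetes code: Level stands in for admissionapi.Level
// (k8s.io/pod-security-admission/api) so this file builds without k8s imports.
type Level string

const (
	LevelPrivileged Level = "privileged"
	LevelBaseline   Level = "baseline"
	LevelRestricted Level = "restricted"
)

// rank orders the standards from least to most permissive; absent keys fail closed.
var rank = map[Level]int{LevelRestricted: 0, LevelBaseline: 1, LevelPrivileged: 2}

// Admitted reports whether a pod built for podLevel passes a namespace enforcing
// nsLevel: the review argument is that a privileged pod admitted in the framework
// namespace proves that namespace enforces privileged, so passing the enforce level
// instead of `true` builds the same pod.
func Admitted(podLevel, nsLevel Level) bool {
	p, okP := rank[podLevel]
	n, okN := rank[nsLevel]
	return okP && okN && p <= n
}

// SecurityContext holds only the fields set here; the real mixin edits a corev1.Pod.
type SecurityContext struct {
	Privileged, RunAsNonRoot, AllowPrivilegeEscalation bool
	DropCapabilities                                  []string
	SeccompProfile                                    string
}

// ContextFor replaces the old isPrivileged bool: privileged keeps the privileged
// container, baseline adds nothing, restricted applies the restricted-profile
// controls (an approximation of e2epod.MixinRestrictedPodSecurity).
func ContextFor(l Level) SecurityContext {
	sc := SecurityContext{AllowPrivilegeEscalation: true} // cluster default
	switch l {
	case LevelPrivileged:
		sc.Privileged = true
	case LevelRestricted:
		sc = SecurityContext{RunAsNonRoot: true, DropCapabilities: []string{"ALL"}, SeccompProfile: "RuntimeDefault"}
	}
	return sc
}

func main() {
	fmt.Printf("restricted pod in baseline ns: %v, privileged pod in baseline ns: %v\n", Admitted(LevelRestricted, LevelBaseline), Admitted(LevelPrivileged, LevelBaseline))
}
```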