e2e: support admissionapi.LevelRestricted in test/e2e/framework/pod #118134
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-priority
pohly
force-pushed
the
e2e-pod-security-levels
branch
from
0e728f7
to
842388b
Compare
pohly
force-pushed
the
e2e-pod-security-levels
branch
2 times, most recently
from
865b289
to
c1ecff5
Compare
pohly
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
@chrishenzie, @humblec: tests should be passing now, please take a look. /hold For approval by some other test/e2e approver. |
k8s-ci-robot
added
the
do-not-merge/hold
|
Ack.. will review this soon. thanks 👍 |
|
/cc @liggitt @s-urbaniak since they authored the initial implementation #106454 |
|
/retitle e2e: support admissionapi.LevelRestricted in test/e2e/framework/pod |
k8s-ci-robot
changed the title
|
it looks good to me. In many e2e test cases, we have been taking seperate args/params for |
| @@ -72,7 +73,8 @@ func NewDeployment(deploymentName string, replicas int32, podLabels map[string]s | |||
|
|
|||
| // CreateDeployment creates a deployment. | |||
| func CreateDeployment(ctx context.Context, client clientset.Interface, replicas int32, podLabels map[string]string, nodeSelector map[string]string, namespace string, pvclaims []*v1.PersistentVolumeClaim, command string) (*appsv1.Deployment, error) { | |||
| deploymentSpec := testDeployment(replicas, podLabels, nodeSelector, namespace, pvclaims, false, command) | |||
| // TODO: let the caller decide about the security level. | |||
There was a problem hiding this comment.
mark the todo with a name or an issue
There was a problem hiding this comment.
I started writing an issue and then noticed that the function is only called in three places. Addressing the TODO by passing admissionapi.LevelRestricted is now in this PR.
| @@ -398,8 +399,9 @@ func runVolumeTesterPod(ctx context.Context, client clientset.Interface, timeout | |||
| When SELinux is enabled on the host, client-pod can not read the content, with permission denied. | |||
| Invoking client-pod as privileged, so that it can access the volume content, even when SELinux is enabled on the host. | |||
| */ | |||
| if config.Prefix == "hostpathsymlink" || config.Prefix == "hostpath" { | |||
| privileged = true | |||
| securityLevel := admissionapi.LevelBaseline // TODO: also support LevelRestricted | |||
There was a problem hiding this comment.
associate the todo with a github user or an issue
| @@ -178,7 +178,7 @@ var _ = utils.SIGDescribe("NFSPersistentVolumes[Disruptive][Flaky]", func() { | |||
| framework.ExpectNoError(e2epv.WaitOnPVandPVC(ctx, c, f.Timeouts, ns, pv2, pvc2)) | |||
|
|
|||
| ginkgo.By("Attaching both PVC's to a single pod") | |||
| clientPod, err = e2epod.CreatePod(ctx, c, ns, nil, []*v1.PersistentVolumeClaim{pvc1, pvc2}, true, "") | |||
| clientPod, err = e2epod.CreatePod(ctx, c, ns, nil, []*v1.PersistentVolumeClaim{pvc1, pvc2}, f.NamespacePodSecurityEnforceLevel, "") | |||
There was a problem hiding this comment.
f.NamespacePodSecurityEnforceLevel is not obviously equivalent to privileged... is it supposed to be? comment applied everywhere this replacement was made
There was a problem hiding this comment.
The reasoning is this: if the function had been used to create a privileged pod in a namespace that only had LevelBaseline, then creating that pod would have failed. Therefore those namespaces must have been configured with LevelPrivileged and thus this change is valid.
These helper functions are unnecessarily complex: in theory, they could be used with different combination of parameters, but in practice, that flexibility is never used. But the complexity comes at a cost when reading the code ("where do these values come from?"), when calling them (need to pass several parameters in the right order), or when extending them (adding another value in this PR). I think the helpers should be as simple as possible. |
pohly
force-pushed
the
e2e-pod-security-levels
branch
from
c1ecff5
to
0ebe1ca
Compare
|
/retest |
k8s-ci-robot
added
the
needs-rebase
pohly
force-pushed
the
e2e-pod-security-levels
branch
from
0ebe1ca
to
5635e31
Compare
k8s-ci-robot
removed
the
needs-rebase
CreatePod and MakePod only accepted an `isPrivileged` boolean, which made it impossible to write tests using those helpers which work in a default framework.Framework, because the default there is LevelRestricted. The simple boolean gets replaced with admissionapi.Level. Passing LevelRestricted does the same as calling e2epod.MixinRestrictedPodSecurity. Instead of explicitly passing a constant to these modified helpers, most tests get updated to pass f.NamespacePodSecurityLevel. This has the advantage that if that level gets lowered in the future, tests only need to be updated in one place. In some cases, helpers taking client+namespace+timeouts parameters get replaced with passing the Framework instance to get access to f.NamespacePodSecurityEnforceLevel. These helpers don't need separate parameters because in practice all they ever used where the values from the Framework instance.
pohly
force-pushed
the
e2e-pod-security-levels
branch
from
5635e31
to
c903c29
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 342dbda0f62df098072f1fb5086670bb9c991d45
|
|
/approve |
k8s-ci-robot
removed
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, pohly The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
CreatePod and MakePod only accepted an
isPrivilegedboolean, which made it impossible to write tests using those helpers which work in a default framework.Framework, because the default there is LevelRestricted.The simple boolean gets replaced with admissionapi.Level. Passing LevelRestricted does the same as calling e2epod.MixinRestrictedPodSecurity.
Special notes for your reviewer:
Instead of explicitly passing a constant to these modified helpers, most tests get updated to pass f.NamespacePodSecurityEnforceLevel. This has the advantage that if that level gets lowered in the future, tests only need to be updated in one place.
In some cases, helpers taking client+namespace+timeouts parameters get replaced with passing the Framework instance to get access to f.NamespacePodSecurityEnforceLevel. These helpers don't need separate parameters because in practice all they ever used where the values from the Framework instance.
See also https://kubernetes.slack.com/archives/C019LFTGNQ3/p1684501567057229
Does this PR introduce a user-facing change?