Add tests for SELinuxMount feature #123554

Merged
merged 4 commits into from Mar 1, 2024

@jsafrane jsafrane commented Feb 28, 2024

What type of PR is this?

/kind feature

What this PR does / why we need it:

Add tests for SELinuxMount feature.

Since there are two semi-independent feature gates SELinuxMountReadWriteOncePod and SELinuxMount, there are three classes of tests:

  • Tests with [FeatureGate:SELinuxMountReadWriteOncePod]: requires SELinuxMountReadWriteOncePod feature gate to be enabled and SELinuxMount to be either disabled or enabled (unless [Feature:SELinuxMountReadWriteOncePodOnly] is specified, see below).
  • Tests with [FeatureGate:SELinuxMountReadWriteOncePod, Feature:SELinuxMountReadWriteOncePodOnly] require SELinuxMountReadWriteOncePod enabled and SELinuxMount disabled. These tests ensure that appropriate warning metrics are increased when the feature is limited to RWOP volumes.
  • Tests with [FeatureGate:SELinuxMountReadWriteOncePod, FeatureGate:SELinuxMount] require both SELinuxMountReadWriteOncePodOnly and SELinuxMount enabled.

Special notes for your reviewer:

  • I moved away from using generic [Feature:SELinuxMountReadWriteOncePod] tag in favor of feature-gate specific [FeatureGate:SELinuxMountReadWriteOncePod].
  • I had to rework tests that run two Pods with the same volume in parallel. With the feature limited to RWOP volumes only, the second Pod always got stuck until the first pod was deleted (because RWOP). Now that we support RWO / RWX volumes, the second Pod may start and the test needs to reflect that and start counting CSI calls before deleting the second pod.

Does this PR introduce a user-facing change?

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling
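
The three test classes in the description above, modelled as a selection rule (an added example, not code from this PR or from the Kubernetes e2e framework). It assumes each `FeatureGate:<name>` tag requires that gate to be enabled and that `Feature:SELinuxMountReadWriteOncePodOnly` additionally requires `SELinuxMount` to be disabled; the class names `rwop`, `rwop-only` and `rwop+mount` are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Tag and gate names come from the PR description; the logic is a model of it.
const (
	gatePrefix  = "FeatureGate:"
	gateRWOP    = "SELinuxMountReadWriteOncePod"
	gateMount   = "SELinuxMount"
	tagRWOPOnly = "Feature:SELinuxMountReadWriteOncePodOnly"
)
// shouldRun reports whether a test with these tags fits the enabled gates.
func shouldRun(tags []string, enabled map[string]bool) bool {
	for _, tag := range tags {
		// Each FeatureGate:<name> tag requires that gate to be enabled.
		if strings.HasPrefix(tag, gatePrefix) && !enabled[strings.TrimPrefix(tag, gatePrefix)] {
			return false
		}
		// The "Only" tag additionally requires SELinuxMount to be disabled.
		if tag == tagRWOPOnly && enabled[gateMount] {
			return false
		}
	}
	return true
}

// runnable lists the test classes (hypothetical short names) that would run.
func runnable(enabled map[string]bool) []string {
	classes := []struct {
		name string
		tags []string
	}{
		{"rwop", []string{gatePrefix + gateRWOP}},
		{"rwop-only", []string{gatePrefix + gateRWOP, tagRWOPOnly}},
		{"rwop+mount", []string{gatePrefix + gateRWOP, gatePrefix + gateMount}},
	}
	var out []string
	for _, c := range classes {
		if shouldRun(c.tags, enabled) {
			out = append(out, c.name)
		}
	}
	return out
}
func main() {
	fmt.Println(runnable(map[string]bool{gateRWOP: true, gateMount: true}))
}
```
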

Previously, SELinuxMount started two pods and in laboratory conditions
waited for the second Pod to get stuck (because of RWOP) and observed
kubelet behavior after the test unstuck them (i.e. deleted the first Pod).

When testing RWO volumes, the second Pod may not get stuck, it may actually
run. So update the tests to allow the second Pod to run and start counting
CSI calls for it earlier.
@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Feb 28, 2024
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/test sig/storage Categorizes an issue or PR as relevant to SIG Storage. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Feb 28, 2024
@jsafrane jsafrane changed the title Selinux rwx tests Add tests for SELinuxMount feature Feb 28, 2024
@jsafrane
Member Author

/test pull-kubernetes-e2e-gce-storage-slow

@jsafrane
Member Author

/retest
pull-kubernetes-e2e-gce-* seems to be perma-failing, last check before filing an issue.
IPv6 job just flaked.

@jsafrane
Member Author

e2e-gce-* should be already fixed by kubernetes/test-infra#32094

Use all necessary feature gates in SELinuxMount tests.
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jsafrane

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 1, 2024
Member

@bertinatto bertinatto left a comment

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 1, 2024
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: a6bbf1addb4edcd5d05a9b73c5e33d09534e9283

@k8s-ci-robot
Contributor

@jsafrane: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| pull-kubernetes-e2e-gce-storage-slow | 74417b5 | link | false | /test pull-kubernetes-e2e-gce-storage-slow |

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.


@k8s-ci-robot k8s-ci-robot merged commit 055b517 into kubernetes:master Mar 1, 2024
17 of 21 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.30 milestone Mar 1, 2024
@jsafrane jsafrane changed the title Add tests for SELinuxMount feature Add CI job for SELinuxMount feature Mar 1, 2024
@jsafrane jsafrane changed the title Add CI job for SELinuxMount feature Add tests for SELinuxMount feature Mar 1, 2024