Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revert "[release-1.8] Enable PSA FG on Kubevirt (#2093)" #2135

Merged
merged 2 commits into from
Nov 15, 2022
Merged

Revert "[release-1.8] Enable PSA FG on Kubevirt (#2093)" #2135

merged 2 commits into from
Nov 15, 2022

Conversation

tiraboschi
Copy link
Member

This reverts commit 4731026.

Signed-off-by: Simone Tiraboschi stirabos@redhat.com

Reviewer Checklist

Reviewers are supposed to review the PR for every aspect below one by one. To check an item means the PR is either "OK" or "Not Applicable" in terms of that item. All items are supposed to be checked before merging a PR.

  • PR Message
  • Commit Messages
  • How to test
  • Unit Tests
  • Functional Tests
  • User Documentation
  • Developer Documentation
  • Upgrade Scenario
  • Uninstallation Scenario
  • Backward Compatibility
  • Troubleshooting Friendly

Release note:

Revert PSA FG on Kubevirt

@tiraboschi
Revert "Enable PSA FG on Kubevirt (kubevirt#2093)"
7c34993 
This reverts commit 4731026.

Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>
@kubevirt-bot kubevirt-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Nov 8, 2022
@tiraboschi
Copy link
Member Author

/hold

@kubevirt-bot kubevirt-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 8, 2022
@tiraboschi
Copy link
Member Author

/override-bot

@tiraboschi
Copy link
Member Author

hco-e2e-image-index-aws succeeded
/override ci/prow/hco-e2e-image-index-azure

hco-e2e-image-index-sno-aws succeeded
ci/prow/hco-e2e-image-index-sno-azure

hco-e2e-upgrade-index-aws succeeded
ci/prow/hco-e2e-upgrade-index-azure

hco-e2e-upgrade-index-sno-aws
ci/prow/hco-e2e-upgrade-index-sno-azure

@kubevirt-bot
Copy link
Contributor

@tiraboschi: Overrode contexts on behalf of tiraboschi: ci/prow/hco-e2e-image-index-azure

In response to this:

hco-e2e-image-index-aws succeeded
/override ci/prow/hco-e2e-image-index-azure

hco-e2e-image-index-sno-aws succeeded
ci/prow/hco-e2e-image-index-sno-azure

hco-e2e-upgrade-index-aws succeeded
ci/prow/hco-e2e-upgrade-index-azure

hco-e2e-upgrade-index-sno-aws
ci/prow/hco-e2e-upgrade-index-sno-azure

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tiraboschi
Copy link
Member Author

hco-e2e-image-index-sno-aws succeeded
/override ci/prow/hco-e2e-image-index-sno-azure

hco-e2e-upgrade-index-aws succeeded
/override ci/prow/hco-e2e-upgrade-index-azure

hco-e2e-upgrade-index-sno-aws
/override ci/prow/hco-e2e-upgrade-index-sno-azure

@kubevirt-bot
Copy link
Contributor

@tiraboschi: Overrode contexts on behalf of tiraboschi: ci/prow/hco-e2e-image-index-sno-azure, ci/prow/hco-e2e-upgrade-index-azure, ci/prow/hco-e2e-upgrade-index-sno-azure

In response to this:

hco-e2e-image-index-sno-aws succeeded
/override ci/prow/hco-e2e-image-index-sno-azure

hco-e2e-upgrade-index-aws succeeded
/override ci/prow/hco-e2e-upgrade-index-azure

hco-e2e-upgrade-index-sno-aws
/override ci/prow/hco-e2e-upgrade-index-sno-azure

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tiraboschi
Copy link
Member Author

/test hco-e2e-kv-smoke-gcp

@kubevirt-bot
Copy link
Contributor

@tiraboschi: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test build-hco-test-utils-image
  • /test pull-hyperconverged-cluster-operator-e2e-k8s-1.23
  • /test pull-hyperconverged-cluster-operator-e2e-k8s-1.24

Use /test all to run the following jobs that were automatically triggered:

  • pull-hyperconverged-cluster-operator-e2e-k8s-1.23
  • pull-hyperconverged-cluster-operator-e2e-k8s-1.24

In response to this:

/test hco-e2e-kv-smoke-gcp

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tiraboschi
Copy link
Member Author

/retest

@tiraboschi
hack: brutal workaround to bypass SCC->PSA on OCP
3ccdf83 
brutal workaround to bypass SCC -> PSA on OCP >= 4.12

remove ASAP!!!

Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>
@tiraboschi tiraboschi changed the title Revert "Enable PSA FG on Kubevirt (#2093)" Revert "[release-1.8] Enable PSA FG on Kubevirt (#2093)" Nov 8, 2022
@sonarcloud
Copy link

sonarcloud bot commented Nov 8, 2022

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

@tiraboschi tiraboschi self-assigned this Nov 8, 2022
@openshift-ci
Copy link

openshift-ci bot commented Nov 9, 2022

@tiraboschi: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/hco-e2e-image-index-azure 3ccdf83 link true /test hco-e2e-image-index-azure
ci/prow/hco-e2e-image-index-gcp 3ccdf83 link true /test hco-e2e-image-index-gcp
ci/prow/hco-e2e-image-index-sno-azure 3ccdf83 link false /test hco-e2e-image-index-sno-azure
ci/prow/hco-e2e-upgrade-index-sno-azure 3ccdf83 link false /test hco-e2e-upgrade-index-sno-azure
ci/prow/hco-e2e-upgrade-index-azure 3ccdf83 link true /test hco-e2e-upgrade-index-azure
ci/prow/hco-e2e-kv-smoke-azure 3ccdf83 link true /test hco-e2e-kv-smoke-azure

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@tiraboschi
Copy link
Member Author

hco-e2e-image-index-aws succeeded:
/override ci/prow/hco-e2e-image-index-azure
/override ci/prow/hco-e2e-image-index-gcp

hco-e2e-image-index-sno-aws succeeded:
/override ci/prow/hco-e2e-image-index-sno-azure

hco-e2e-kv-smoke-gcp succeeded:
/override ci/prow/hco-e2e-kv-smoke-azure

hco-e2e-upgrade-index-aws succeeded:
/override ci/prow/hco-e2e-upgrade-index-azure

hco-e2e-upgrade-index-sno-aws succeeded:
/override ci/prow/hco-e2e-upgrade-index-sno-azure

@kubevirt-bot
Copy link
Contributor

@tiraboschi: Overrode contexts on behalf of tiraboschi: ci/prow/hco-e2e-image-index-azure, ci/prow/hco-e2e-image-index-gcp, ci/prow/hco-e2e-image-index-sno-azure, ci/prow/hco-e2e-kv-smoke-azure, ci/prow/hco-e2e-upgrade-index-azure, ci/prow/hco-e2e-upgrade-index-sno-azure

In response to this:

hco-e2e-image-index-aws succeeded:
/override ci/prow/hco-e2e-image-index-azure
/override ci/prow/hco-e2e-image-index-gcp

hco-e2e-image-index-sno-aws succeeded:
/override ci/prow/hco-e2e-image-index-sno-azure

hco-e2e-kv-smoke-gcp succeeded:
/override ci/prow/hco-e2e-kv-smoke-azure

hco-e2e-upgrade-index-aws succeeded:
/override ci/prow/hco-e2e-upgrade-index-azure

hco-e2e-upgrade-index-sno-aws succeeded:
/override ci/prow/hco-e2e-upgrade-index-sno-azure

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tiraboschi tiraboschi mentioned this pull request Nov 9, 2022
Merged
tiraboschi added a commit to tiraboschi/kubevirt that referenced this pull request Nov 11, 2022
@tiraboschi
tests: avoid opting out from OCP/OKD podSecurityLabelSync
43b65f2 
Avoid opting out from OCP/OKD podSecurityLabelSync

This was done there because the virt-controller auto labelling
mechanism is overlapping and fighting with the
Openshift Pod Security Admission Autolabeling.
So we were setting that at test suite level
assuming that the Kubevirt PSA FG was always
on when deploying on Openshift.

Now we revisited that decision and so HCO
is not going to enable the PSA FG on Kubevirt, see:
kubevirt/hyperconverged-cluster-operator#2136
kubevirt/hyperconverged-cluster-operator#2135
kubevirt/hyperconverged-cluster-operator#2134
kubevirt/hyperconverged-cluster-operator#2133

but at this point, if PSA is enabled on the cluster,
on Openshift we should rely on its default
Pod Security Admission Autolabeling,
and so always blindly setting
"security.openshift.io/scc.podSecurityLabelSync": "false"
at testsuite level appears as a bad idea.

Set also
pod-security.kubernetes.io/warn=privileged
on the namespaces where we set
pod-security.kubernetes.io/enforce=privileged
to get rid of warnings from those namespaces.

Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>
@tiraboschi
Copy link
Member Author

/unhold

@kubevirt-bot kubevirt-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 15, 2022
orenc1
orenc1 approved these changes Nov 15, 2022
View reviewed changes
Copy link
Collaborator

@orenc1 orenc1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@kubevirt-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: orenc1

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Nov 15, 2022
@kubevirt-bot kubevirt-bot merged commit 66c6c46 into kubevirt:release-1.8 Nov 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@orenc1 orenc1 orenc1 approved these changes

@machadovilaca machadovilaca Awaiting requested review from machadovilaca

Assignees

@tiraboschi tiraboschi

@orenc1 orenc1

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@tiraboschi @kubevirt-bot @orenc1