
OCPBUGS-999: Use privileged namespace for oc debug commands #96

Merged
merged 1 commit into from Sep 11, 2022

Conversation

stbenjam
Member

@stbenjam stbenjam commented Sep 7, 2022

Jobs using this e2e script are permafailing with errors like this:

```
 + oc debug --image-stream=openshift/driver-toolkit:latest -n openshift --quiet -- bash -c 'echo "$SOURCE_GIT_URL/commit/$SOURCE_GIT_COMMIT"'

Error from server (Forbidden): pods "image-debug" is forbidden: violates
PodSecurity "restricted:latest": allowPrivilegeEscalation != false
(container "debug" must set
securityContext.allowPrivilegeEscalation=false), unrestricted
capabilities (container "debug" must set
securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or
container "debug" must set securityContext.runAsNonRoot=true),
seccompProfile (pod or container "debug" must set
securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```

@openshift-ci-robot
Contributor

@stbenjam: This pull request references Jira Issue OCPBUGS-999, which is invalid:

  • expected the bug to target the "4.12.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Sep 7, 2022
@stbenjam
Member Author

stbenjam commented Sep 7, 2022

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Sep 7, 2022
@openshift-ci-robot
Contributor

@stbenjam: This pull request references Jira Issue OCPBUGS-999, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.12.0) matches configured target version for branch (4.12.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)


@stbenjam
Member Author

stbenjam commented Sep 7, 2022

/test ci/prow/e2e-aws-driver-toolkit-presubmit

@stbenjam
Member Author

stbenjam commented Sep 7, 2022

/test e2e-aws-driver-toolkit-presubmit

@openshift-ci

openshift-ci bot commented Sep 7, 2022

@stbenjam: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test e2e-aws
  • /test e2e-aws-driver-toolkit-presubmit
  • /test e2e-upgrade
  • /test image-contents
  • /test images
  • /test verify
  • /test verify-imagestream

Use /test all to run all jobs.


@kpouget
Contributor

kpouget commented Sep 8, 2022

do you know which version of oc is used?

looking at the error, I would consider that an error of oc debug, rather than something that should be/can be solved by the DTK

@ybettan
Contributor

ybettan commented Sep 8, 2022

@stbenjam Thanks for that PR.

@ybettan
Contributor

ybettan commented Sep 8, 2022

/approve
ipi-install step is failing.
/retest

@openshift-ci

openshift-ci bot commented Sep 8, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: stbenjam, ybettan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 8, 2022
@stbenjam
Member Author

stbenjam commented Sep 8, 2022

Fixed a mistake in the oc create ns command

@ybettan
Contributor

ybettan commented Sep 8, 2022

@kpouget I think the error comes from the fact that the default namespace has hardened restrictions now after openshift/cluster-kube-apiserver-operator#1369.

So by changing the test to deploy a new namespace, give it some privileges (not using the default permissions) and run everything there, we may be able to solve that issue.

I may be wrong though, this is just my understanding of the PR.

@stbenjam
Member Author

stbenjam commented Sep 8, 2022

I have a bug open asking oc to automatically create a privileged namespace for debug if one isn't provided: https://issues.redhat.com/browse/OCPBUGS-852, not sure if they'll fix it but it certainly won't be quick. We've had to do this namespace creation thing to fix a few jobs (e.g. fips -> openshift/release#31894)

If that does get fixed we can remove this (and the -n option from the oc debugs here), but this should fix the driver kit jobs for now.
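The workaround discussed above, as an added example for readers of this thread. It is not the PR's own code (the diff is not shown on this page): a POSIX shell helper that emits a Namespace manifest carrying the upstream Pod Security Admission labels that select the `privileged` profile for enforce/audit/warn, plus OpenShift's `security.openshift.io/scc.podSecurityLabelSync: "false"` opt-out so the SCC label syncer does not rewrite them, and then runs the same `oc debug` command in that namespace instead of `openshift`. The namespace name `driver-toolkit-e2e` and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the openshift/driver-toolkit PR. Creates a
# namespace that opts out of the "restricted" Pod Security Admission profile so
# that the root / no-seccomp / full-capabilities pod generated by `oc debug` is
# admitted, then runs the debug command there instead of in "openshift".
# Namespace name and helper names are assumptions for illustration.

# Reject names that `oc create ns` would reject anyway (RFC 1123 label:
# lowercase alphanumerics and '-', 63 chars max, no leading/trailing '-').
valid_namespace_name() {
  [ "${#1}" -le 63 ] && printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
}

# Emit a Namespace manifest whose PSA labels select the "privileged" profile for
# all three modes (enforce/audit/warn). On OpenShift the extra
# scc.podSecurityLabelSync=false label stops the label syncer from rewriting
# these labels based on the SCCs bound in the namespace.
privileged_namespace_manifest() {
  valid_namespace_name "$1" || { echo "invalid namespace name: $1" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: $1
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged
    security.openshift.io/scc.podSecurityLabelSync: "false"
EOF
}

# Apply the namespace (idempotent via `oc apply`) and run the debug pod in it.
# Needs a cluster and a logged-in oc; everything above runs offline.
debug_in_privileged_namespace() {
  ns="$1"; shift
  privileged_namespace_manifest "$ns" | oc apply -f - >/dev/null || return 1
  oc debug --image-stream=openshift/driver-toolkit:latest -n "$ns" --quiet -- "$@"
}

# Usage (against a real cluster):
#   debug_in_privileged_namespace driver-toolkit-e2e \
#     bash -c 'echo "$SOURCE_GIT_URL/commit/$SOURCE_GIT_COMMIT"'
```

The manifest generator is kept separate from the `oc` calls so the label set can be checked without a cluster; in a CI script the `-n "$ns"` must be passed on every `oc debug` invocation, since `oc debug` otherwise falls back to the current context's namespace and hits the same `restricted:latest` rejection.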

@kpouget
Contributor

kpouget commented Sep 8, 2022

I have a bug open asking oc to automatically create a privileged namespace for debug if one isn't provided: https://issues.redhat.com/browse/OCPBUGS-852

ack, thanks, that's exactly what I had in mind when I said it was an error of oc debug :)
that patch looks good to me, FWIW ;-)

@ybettan
Contributor

ybettan commented Sep 8, 2022

/lgtm
Looks like there is an issue with the ipi-installer.

I have posted a request for help in slack - https://coreos.slack.com/archives/CEKNRGF25/p1662640077384329.

Hope it will get answered soon.

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 8, 2022
@openshift-ci-robot
Contributor

/retest-required

Remaining retests: 0 against base HEAD 6e8d9f7 and 2 for PR HEAD 56a719a in total

@stbenjam
Member Author

stbenjam commented Sep 8, 2022

openshift/release#32135 should fix the presubmit

@ybettan
Contributor

ybettan commented Sep 10, 2022

Now that openshift/release#32115 is merged.
/retest

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Sep 10, 2022
@ybettan
Contributor

ybettan commented Sep 10, 2022

Sorry for stalling this PR further. Can you please squash the 2 commits using the original commit message for this PR?

Jobs using this e2e script are permafailing with errors like this:

```
 + oc debug --image-stream=openshift/driver-toolkit:latest -n openshift --quiet -- bash -c 'echo "$SOURCE_GIT_URL/commit/$SOURCE_GIT_COMMIT"'

Error from server (Forbidden): pods "image-debug" is forbidden: violates
PodSecurity "restricted:latest": allowPrivilegeEscalation != false
(container "debug" must set
securityContext.allowPrivilegeEscalation=false), unrestricted
capabilities (container "debug" must set
securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or
container "debug" must set securityContext.runAsNonRoot=true),
seccompProfile (pod or container "debug" must set
securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```
@stbenjam
Member Author

stbenjam commented Sep 10, 2022

I squashed, but I don't really like it since it makes it harder for reviewers to see what changed...

@ybettan
Contributor

ybettan commented Sep 11, 2022

/retest

Thanks. We try to keep each PR as an atomic unit. I agree that it makes it harder to review, but it makes it easier to understand the code change when you check the log, rather than if we let the bot squash them (in that case it is usually not clear at all what the PR is doing).

In this case this is only a small PR, but this is something we try to do in all the team repos.

@ybettan
Contributor

ybettan commented Sep 11, 2022

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 11, 2022
@openshift-ci

openshift-ci bot commented Sep 11, 2022

@stbenjam: all tests passed!

Full PR test history. Your PR dashboard.


@openshift-merge-robot openshift-merge-robot merged commit db9e4a3 into openshift:master Sep 11, 2022
@openshift-ci-robot
Contributor

@stbenjam: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-999 has been moved to the MODIFIED state.


Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged.