OCPBUGS-999: Use privileged namespace for oc debug commands #96
@stbenjam: This pull request references Jira Issue OCPBUGS-999, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/jira refresh
@stbenjam: This pull request references Jira Issue OCPBUGS-999, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
/test ci/prow/e2e-aws-driver-toolkit-presubmit
/test e2e-aws-driver-toolkit-presubmit
@stbenjam: The specified target(s) for
Use In response to this:
do you know which version of looking at the error, I would consider that an error of
@stbenjam Thanks for that PR.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: stbenjam, ybettan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
3c818f2 to 56a719a
Fixed a mistake in the
@kpouget I think the error comes from the fact that the default namespace has hardened restrictions now after openshift/cluster-kube-apiserver-operator#1369. So by changing the test to deploy a new namespace, give it some privileges (not using the default permissions) and running everything there, we may be able to solve that issue. I may be wrong though, this is just my understanding of the PR.
I have a bug open asking If that does get fixed we can remove this (and the -n option from the oc debugs here), but this should fix the driver kit jobs for now.
ack, thanks, that's exactly what I had in mind when I said it was an error of
/lgtm I have posted a request for help in slack - https://coreos.slack.com/archives/CEKNRGF25/p1662640077384329. Hope it will get answered soon.
openshift/release#32135 should fix the presubmit |
Now that openshift/release#32115 is merged. |
Sorry for stalling this PR further. Can you please squash the 2 commits using the original commit message for this PR?
Jobs using this e2e script are permafailing with errors like this:
```
+ oc debug --image-stream=openshift/driver-toolkit:latest -n openshift --quiet -- bash -c 'echo "$SOURCE_GIT_URL/commit/$SOURCE_GIT_COMMIT"'
Error from server (Forbidden): pods "image-debug" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "debug" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "debug" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "debug" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "debug" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```
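Added example, not part of the PR thread or the project's code: a simplified Python model of the four "restricted" Pod Security controls listed in the error above, showing why a debug pod with no `securityContext` is rejected and why a namespace labelled `pod-security.kubernetes.io/enforce: privileged` admits it. The function names, the sample pod specs and the `cluster_default` parameter are assumptions made for illustration; other restricted-profile controls are not modelled.

```python
ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

# Constructed sample: a pod like "image-debug" from the error, with no securityContext.
DEBUG_POD = {"containers": [{"name": "debug"}]}

# Constructed sample: the same pod with the settings the error message asks for.
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "debug", "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]}}}],
}


def restricted_violations(pod_spec):
    """List (container, control) pairs for the four controls named in the error."""
    pod_sc = pod_spec.get("securityContext") or {}
    found = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append((c["name"], "allowPrivilegeEscalation != false"))
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            found.append((c["name"], "unrestricted capabilities"))
        # A container-level value takes precedence; otherwise the pod-level one applies.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append((c["name"], "runAsNonRoot != true"))
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            found.append((c["name"], "seccompProfile"))
    return found


def admit(namespace_labels, pod_spec, cluster_default="restricted"):
    """Return (allowed, violations) for the namespace's enforce level.

    cluster_default is an assumption: the level used when the label is absent.
    """
    level = namespace_labels.get(ENFORCE_LABEL, cluster_default)
    if level == "privileged":
        return True, []  # the privileged level applies no restrictions
    if level != "restricted":
        raise ValueError(f"level {level!r} is not modelled in this example")
    violations = restricted_violations(pod_spec)
    return not violations, violations
```
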
6a892c9 to 6cc10a8
I squashed, but I don't really like it since it makes it harder for reviewers to see what changed...
/retest Thanks. We try to keep each PR as an atomic unit. I agree that it makes it harder to review but it makes it easier to understand the code change when you check the log rather than if we let the bot squash them (in that case it is usually not clear at all what the PR is doing). In this case this is only a small PR, but this is something we try to do in all the team repos.
/lgtm
@stbenjam: all tests passed!
@stbenjam: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-999 has been moved to the MODIFIED state. In response to this: