UPSTREAM: <carry>: e2e-framework: don't autosync PodSecurity labels
In the tests, we oftentimes create pods directly by the administrative
user and so their SCC-related privileges are being used to create the
pods. The PSa label syncher however works by introspecting SAs in each
namespace, and since the SAs in the direct pod creation use-cases don't
have the SCC-related privileges, the labelsyncer evaluates these
namespaces as "restricted" because only the "restricted-v2" SCC is ever
assigned in the namespaces. This breaks tests where pods are created
directly.

OpenShift-Rebase-Source: 4b7ae56
stlaz authored and bertinatto committed Jun 9, 2023
1 parent d01af44 commit 0612d76
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions test/e2e/framework/framework.go
Expand Up @@ -453,6 +453,9 @@ func (f *Framework) CreateNamespace(ctx context.Context, baseName string, labels
enforceLevel = f.NamespacePodSecurityEnforceLevel
}
labels[admissionapi.EnforceLevelLabel] = string(enforceLevel)
// turn off the OpenShift label syncer so that it does not attempt to sync
// the PodSecurity admission labels
labels["security.openshift.io/scc.podSecurityLabelSync"] = "false"

ns, err := createTestingNS(ctx, baseName, f.ClientSet, labels)
// check ns instead of err to see if it's nil as we may
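
Review bot: the added `labels["security.openshift.io/scc.podSecurityLabelSync"] = "false"` assignment is unconditional, so a test that passes its own value for this key in the `labels` argument of CreateNamespace has it silently overwritten. If any test needs to exercise the label syncer, set the key only when it is absent from `labels`. The code comment states what the line does but not why; the reason given in the commit message (pods created directly by the administrative user lead the syncer to evaluate the namespace as "restricted") belongs in the comment, since that is what a later reader of framework.go will see. The key is also a bare string literal, while the line above uses the named `admissionapi.EnforceLevelLabel`; a named constant would make the carry easier to find on the next rebase. With sync turned off, the enforce level set just above is the only PodSecurity level applied to these namespaces, so it is worth confirming that `f.NamespacePodSecurityEnforceLevel` is set deliberately in tests that rely on it.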