-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add some cmd-test for oc policy scc-subject-review/scc-review
#16122
Conversation
/unassign |
/test cmd |
btw if only unit tests are added and they pass, but some other unit tests fail, then they should be ignored [1]. I'm not sure this is the case here. Just saying no need to retest until everything pass when only some unstable units are failing. [1] or probably reported somewhere as flakes |
/unassign |
/lgtm |
/retest Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
/retest Please review the full test history for this PR and help us cut down flakes. |
/test extended_conformance_gce |
@deads2k, would you be able to give a quick review of this PR? QE would like to upstream some of their tests. |
@@ -105,6 +105,7 @@ os::cmd::expect_success_and_text 'oc policy can-i --list --user harold --groups | |||
|
|||
os::cmd::expect_failure 'oc policy scc-subject-review' | |||
os::cmd::expect_failure 'oc policy scc-review' | |||
os::cmd::expect_failure 'oc policy scc-subject-review -u invalid --namespace=noexist' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The ones above failed on arg problems, but this one is probably failing on something else. Add a text check.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh, sorry, I think this is just another arg check case, because inputfile in this command is required.
if len(args) == 0 && len(o.FilenameOptions.Filenames) == 0 { |
test/cmd/policy.sh
Outdated
os::cmd::expect_success 'oc create -f ${OS_ROOT}/test/testdata/scc_lax.yaml' | ||
os::cmd::expect_success "oc login -u bob -p bobpassword" | ||
os::cmd::expect_success_and_text 'oc policy scc-review -f ${OS_ROOT}/test/testdata/job.yaml --no-headers=true' 'Job/hello default lax' | ||
os::cmd::expect_success_and_text 'oc policy scc-review -z default -f ${OS_ROOT}/test/testdata/job.yaml --no-headers=true' 'Job/hello default lax' | ||
os::cmd::expect_success_and_text 'oc policy scc-review -z system:serviceaccount:policy-second:default -f ${OS_ROOT}/test/testdata/job.yaml --no-headers=true' 'Job/hello default lax' | ||
os::cmd::expect_success_and_text 'oc policy scc-review -f ${OS_ROOT}/test/extended/testdata/deployments/deployment-simple.yaml --no-headers=true' 'DeploymentConfig/deployment-simple default lax' | ||
os::cmd::expect_success_and_text 'oc policy scc-review -f ${OS_ROOT}/test/testdata/nginx_pod.yaml --no-headers=true' '' | ||
os::cmd::expect_failure_and_text 'oc policy scc-review -z default -f ${OS_ROOT}/test/testdata/job.yaml --namespace=no-exist' 'error: unable to compute Pod Security Policy Review for "hello": User "bob" cannot create podsecuritypolicyreviews in project "no-exist"' | ||
os::cmd::expect_failure_and_text 'oc policy scc-review -z default -f ${OS_ROOT}/test/testdata/pspreview_unsupported_statefulset.yaml' 'error: StatefulSet "rd" with spec.volumeClaimTemplates currently not supported.' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this looks like a bug. Any idea why we don't support it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this looks like a bug. Any idea why we don't support it?
hmmm... maybe we don't know how to complete it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's fine, we don't support stateful sets, see line 109 and 112 for same errors.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's fine, we don't support stateful sets, see line 109 and 112 for same errors.
Why don't we? Is not possible given the info?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe at the time of writing it we didn't. It's worth double checking now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here's your answer:
origin/pkg/oc/admin/policy/review.go
Line 174 in 50094ed
// TODO remove this as soon upstream statefulSet validation for podSpec is fixed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like it's still not fixed upstream, either: https://github.com/kubernetes/kubernetes/blob/ea017719e52138263cb6e82eff8652cdd465d322/pkg/apis/apps/validation/validation.go#L57 so I don't think we can fix it on our end as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@soltysh are you working on this? if not, I would like to take a look : )
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Feel free to pick it up.
Looks ok. Needs a squash and maybe a comment or two. Seems like you might want your own files to make sure that they don't get scrubbed away by accident. Something you're an owner/approver on. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/lgtm cancel |
708719b
to
410b7dc
Compare
410b7dc
to
0c599b1
Compare
0dff65b
to
79de996
Compare
hi @soltysh I met a really weird problem, in this line : https://github.com/openshift/origin/pull/16122/files#diff-9a8e8ef8bf78b44957b8d3a6c9163dbdR144 previously the failed error message was @akostadinov I think this is a typical reason why we should move those checks into upstream. |
Yes, that changed just recently. |
/assign |
/lgtm |
ping @stevekuznetsov for approval |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: shiywang, soltysh, stevekuznetsov The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest |
3 similar comments
/retest |
/retest |
/retest |
No need to retest, this is blocked on #16323 |
/retest Please review the full test history for this PR and help us cut down flakes. |
Automatic merge from submit-queue |
this is a testcase enhance from OCP-12839
@soltysh @stuartchuan @akostadinov ptal