add some cmd-test for oc policy scc-subject-review/scc-review
#16122
Conversation
openshift-ci-robot
added
the
size/XS
|
/unassign |
|
/test cmd |
|
btw if only unit tests are added and they pass, but some other unit tests fail, then they should be ignored [1]. I'm not sure this is the case here. Just saying no need to retest until everything pass when only some unstable units are failing. [1] or probably reported somewhere as flakes |
|
/unassign |
|
/lgtm |
openshift-merge-robot
added
the
approved
|
/retest Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/test extended_conformance_gce |
|
@deads2k, would you be able to give a quick review of this PR? QE would like to upstream some of their tests. |
| @@ -105,6 +105,7 @@ os::cmd::expect_success_and_text 'oc policy can-i --list --user harold --groups | |||
|
|
|||
| os::cmd::expect_failure 'oc policy scc-subject-review' | |||
| os::cmd::expect_failure 'oc policy scc-review' | |||
| os::cmd::expect_failure 'oc policy scc-subject-review -u invalid --namespace=noexist' | |||
There was a problem hiding this comment.
The ones above failed on arg problems, but this one is probably failing on something else. Add a text check.
There was a problem hiding this comment.
oh, sorry, I think this is just another arg check case, because inputfile in this command is required.
test/cmd/policy.sh
Outdated
| os::cmd::expect_success 'oc create -f ${OS_ROOT}/test/testdata/scc_lax.yaml' | ||
| os::cmd::expect_success "oc login -u bob -p bobpassword" | ||
| os::cmd::expect_success_and_text 'oc policy scc-review -f ${OS_ROOT}/test/testdata/job.yaml --no-headers=true' 'Job/hello default lax' | ||
| os::cmd::expect_success_and_text 'oc policy scc-review -z default -f ${OS_ROOT}/test/testdata/job.yaml --no-headers=true' 'Job/hello default lax' | ||
| os::cmd::expect_success_and_text 'oc policy scc-review -z system:serviceaccount:policy-second:default -f ${OS_ROOT}/test/testdata/job.yaml --no-headers=true' 'Job/hello default lax' | ||
| os::cmd::expect_success_and_text 'oc policy scc-review -f ${OS_ROOT}/test/extended/testdata/deployments/deployment-simple.yaml --no-headers=true' 'DeploymentConfig/deployment-simple default lax' | ||
| os::cmd::expect_success_and_text 'oc policy scc-review -f ${OS_ROOT}/test/testdata/nginx_pod.yaml --no-headers=true' '' | ||
| os::cmd::expect_failure_and_text 'oc policy scc-review -z default -f ${OS_ROOT}/test/testdata/job.yaml --namespace=no-exist' 'error: unable to compute Pod Security Policy Review for "hello": User "bob" cannot create podsecuritypolicyreviews in project "no-exist"' | ||
| os::cmd::expect_failure_and_text 'oc policy scc-review -z default -f ${OS_ROOT}/test/testdata/pspreview_unsupported_statefulset.yaml' 'error: StatefulSet "rd" with spec.volumeClaimTemplates currently not supported.' |
There was a problem hiding this comment.
this looks like a bug. Any idea why we don't support it?
There was a problem hiding this comment.
this looks like a bug. Any idea why we don't support it?
hmmm... maybe we don't know how to complete it.
There was a problem hiding this comment.
It's fine, we don't support stateful sets, see line 109 and 112 for same errors.
There was a problem hiding this comment.
It's fine, we don't support stateful sets, see line 109 and 112 for same errors.
Why don't we? Is not possible given the info?
There was a problem hiding this comment.
Maybe at the time of writing it we didn't. It's worth double checking now.
There was a problem hiding this comment.
Here's your answer:
origin/pkg/oc/admin/policy/review.go
Line 174 in 50094ed
There was a problem hiding this comment.
It looks like it's still not fixed upstream, either: https://github.com/kubernetes/kubernetes/blob/ea017719e52138263cb6e82eff8652cdd465d322/pkg/apis/apps/validation/validation.go#L57 so I don't think we can fix it on our end as well.
There was a problem hiding this comment.
@soltysh are you working on this? if not, I would like to take a look : )
Looks ok. Needs a squash and maybe a comment or two. Seems like you might want your own files to make sure that they don't get scrubbed away by accident. Something you're an owner/approver on. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/lgtm cancel |
openshift-merge-robot
removed
the
approved
shiywang
force-pushed
the
test-extend
branch
from
708719b
to
410b7dc
Compare
shiywang
force-pushed
the
test-extend
branch
from
410b7dc
to
0c599b1
Compare
shiywang
force-pushed
the
test-extend
branch
from
0dff65b
to
79de996
Compare
|
hi @soltysh I met a really weird problem, in this line : https://github.com/openshift/origin/pull/16122/files#diff-9a8e8ef8bf78b44957b8d3a6c9163dbdR144 previously the failed error message was @akostadinov I think this is a typical reason why we should move those checks into upstream. |
Yes, that changed just recently. |
|
/assign |
|
/lgtm |
|
ping @stevekuznetsov for approval |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: shiywang, soltysh, stevekuznetsov The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
openshift-merge-robot
added
the
approved
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest |
3 similar comments
|
/retest |
|
/retest |
|
/retest |
|
No need to retest, this is blocked on #16323 |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
Automatic merge from submit-queue |
this is a testcase enhance from OCP-12839
@soltysh @stuartchuan @akostadinov ptal