New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
UPSTREAM: 69215: Fix flake in CSI plugin e2e test #20967
UPSTREAM: 69215: Fix flake in CSI plugin e2e test #20967
Conversation
/sig storage |
/assign @wongma7 |
CC @tsmetana |
/lgtm |
I think the problem lies in the fact that Openshift maps
I believe in this case the files stored in the mount point are subject to different security policies than they would be if they were stored in the host (i.e., as it happens in Kubernetes). |
/assign @gnufied |
Just to confirm - we are sure that external-provisioner pod isn't already privileged right? I think what may be happening is - on upstream in absence of selinux the other pods are able to access that socket but in case of selinux since we don't peform relabeling of hostpaths, other pods can't access socket unless privileged. It seems like an oversight in my opinion to have driver pod privileged and other pods not. Lets submit this to upstream and see what people think? |
Yes, I inspected the container during the test and it wasn't privileged. Also, here is a test run with commit 5e39b only; it fails with the message described in the Bugzilla ticket above:
Sure, I can try submitting the patch upstream. |
Submitted upstream: kubernetes/kubernetes#69215 |
a5f4762
to
e9302aa
Compare
The upstream PR [1] was merged, so I updated this one to carry that patch instead. |
/test cmd |
/lgtm |
/assign @knobunc @smarterclayton for final merge. @bertinatto thanks for fixing this! |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bertinatto, gnufied, knobunc, wongma7 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/assign @smarterclayton |
/retest Please review the full test history for this PR and help us cut down flakes. |
3 similar comments
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
@bertinatto: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
This PR fixes a flake in the CSI plugin test.
During the test, the container hostpath-driver exposes the socket /csi/csi.sock so that other containers can connect to and perform CSI operations.
Since hostpath-driver container is privileged, other containers can't access the socket because they don't have the proper permission for it. As a result, the other containers need to be privileged as well.
The flake only happens in OKD, so I haven't submitted a PR to upstream.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1622670