New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
make supplemental groups test working again #27664
make supplemental groups test working again #27664
Conversation
/assign @ingvagabund |
|
||
fsGroup := int64(1111) | ||
supGroup := int64(2222) | ||
|
||
projectName := oc.Namespace() | ||
sa := createServiceAccount(ctx, oc, projectName) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reusing this func from scc.go, should I moveit to a separate file like common.go
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure whether it was me who originally reviewed the PR of that SA creation, but this wait piece of the code is weird:
origin/test/extended/security/scc.go
Lines 479 to 491 in 79baa1b
err = wait.Poll(100*time.Millisecond, 3*time.Minute, func() (bool, error) { | |
_, err := oc.AdminKubeClient().CoreV1().ServiceAccounts(namespace).Get(context.Background(), sa.Name, metav1.GetOptions{}) | |
if err != nil { | |
// If we can't access the service accounts, let's wait till the controller | |
// create it. | |
if kapierrs.IsNotFound(err) || kapierrs.IsForbidden(err) { | |
e2e.Logf("Waiting for service account %q to be available: %v (will retry) ...", sa.Name, err) | |
return false, nil | |
} | |
return false, fmt.Errorf("Failed to get service account %q: %v", sa.Name, err) | |
} | |
return true, nil | |
}) |
If you're to re-use it, replace it with
origin/test/extended/util/framework.go
Lines 1023 to 1024 in 79baa1b
func WaitForServiceAccount(c corev1client.ServiceAccountInterface, name string) error { | |
waitFn := func() (bool, error) { |
No need to export it or move it anywhere yet, I think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1, using the WaitForServiceAccount
now
/assign @stlaz |
e0d2ca0
to
08769b5
Compare
|
||
fsGroup := int64(1111) | ||
supGroup := int64(2222) | ||
|
||
projectName := oc.Namespace() | ||
sa := createServiceAccount(ctx, oc, projectName) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure whether it was me who originally reviewed the PR of that SA creation, but this wait piece of the code is weird:
origin/test/extended/security/scc.go
Lines 479 to 491 in 79baa1b
err = wait.Poll(100*time.Millisecond, 3*time.Minute, func() (bool, error) { | |
_, err := oc.AdminKubeClient().CoreV1().ServiceAccounts(namespace).Get(context.Background(), sa.Name, metav1.GetOptions{}) | |
if err != nil { | |
// If we can't access the service accounts, let's wait till the controller | |
// create it. | |
if kapierrs.IsNotFound(err) || kapierrs.IsForbidden(err) { | |
e2e.Logf("Waiting for service account %q to be available: %v (will retry) ...", sa.Name, err) | |
return false, nil | |
} | |
return false, fmt.Errorf("Failed to get service account %q: %v", sa.Name, err) | |
} | |
return true, nil | |
}) |
If you're to re-use it, replace it with
origin/test/extended/util/framework.go
Lines 1023 to 1024 in 79baa1b
func WaitForServiceAccount(c corev1client.ServiceAccountInterface, name string) error { | |
waitFn := func() (bool, error) { |
No need to export it or move it anywhere yet, I think.
err := retry.RetryOnConflict(retry.DefaultRetry, func() error { | ||
_, err := oc.AsAdmin().Run("adm").Args("policy", "add-scc-to-user", "anyuid", oc.Username()).Output() | ||
// sa serves as a subject instead of the user | ||
_, err := oc.AsAdmin().Run("adm").Args("policy", "add-scc-to-user", "anyuid", supSubject).Output() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIRC -z <SA name> -n <namespace>
is what should be used here, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
both of these options should work, but yes this makes the intent more clearer
o.Expect(err).NotTo(o.HaveOccurred()) | ||
|
||
out, stderr, err := oc.Run("exec").Args("-p", supplementalGroupsPod, "--", "/usr/bin/id", "-G").Outputs() | ||
out, stderr, err := oc.Run("exec").Args(supplementalGroupsPod, "--as", supSubject, "--", "/usr/bin/id", "-G").Outputs() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should likely work even without that impersonation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it does not
"Error from server (Forbidden): pods \"supplemental-groups\" is forbidden: exec operation is not allowed because the pod's security context exceeds your permissions: pods \"supplemental-groups\" is forbidden: unable to validate against any security context constraint: [provider \"anyuid\": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1111}: 1111 is not an allowed group, provider \"restricted\": Forbidden: not usable by user or serviceaccount, provider \"nonroot-v2\": Forbidden: not usable by user or serviceaccount, provider \"nonroot\": Forbidden: not usable by user or serviceaccount, provider \"hostmount-anyuid\": Forbidden: not usable by user or serviceaccount, provider \"machine-api-termination-handler\": Forbidden: not usable by user or serviceaccount, provider \"hostnetwork-v2\": Forbidden: not usable by user or serviceaccount, provider \"hostnetwork\": Forbidden: not usable by user or serviceaccount, provider \"hostaccess\": Forbidden: not usable by user or serviceaccount, provider \"node-exporter\": Forbidden: not usable by user or serviceaccount, provider \"privileged\": Forbidden: not usable by user or serviceaccount]"
we have access to the service account which has elevated privileges.
Other option is to run this as an admin.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought admin was the default user. Yep, run it like so 👍
- remove user group requirement for the test - remove [Local] from test as it is not local anymore since 356a379
08769b5
to
2a2c7c6
Compare
/retest |
/lgtm |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: atiratree, soltysh, stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/hold Revision 2a2c7c6 was retested 3 times: holding |
/hold cancel |
@atiratree: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Remove [Local] from test as it is not local anymore since #16408 . So this test has not been run in the CI for a long time. And locally as well, since it has been broken because of the removal of
exec -p
feature in kubernetes/kubernetes#76713.