Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

make supplemental groups test working again #27664

Merged
merged 2 commits into from Feb 7, 2023
Merged

make supplemental groups test working again #27664

merged 2 commits into from Feb 7, 2023

Conversation

atiratree
Copy link
Member

  • remove user group requirement for the test

Remove [Local] from test as it is not local anymore since #16408 . So this test has not been run in the CI for a long time. And locally as well, since it has been broken because of the removal of exec -p feature in kubernetes/kubernetes#76713.

@atiratree
Copy link
Member Author

/assign @ingvagabund

atiratree
atiratree commented Jan 17, 2023
View reviewed changes
test/extended/security/supplemental_groups.go

fsGroup := int64(1111)
supGroup := int64(2222)

projectName := oc.Namespace()
sa := createServiceAccount(ctx, oc, projectName)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reusing this func from scc.go, should I moveit to a separate file like common.go?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure whether it was me who originally reviewed the PR of that SA creation, but this wait piece of the code is weird:

origin/test/extended/security/scc.go

Lines 479 to 491 in 79baa1b

err = wait.Poll(100*time.Millisecond, 3*time.Minute, func() (bool, error) {
_, err := oc.AdminKubeClient().CoreV1().ServiceAccounts(namespace).Get(context.Background(), sa.Name, metav1.GetOptions{})
if err != nil {
// If we can't access the service accounts, let's wait till the controller
// create it.
if kapierrs.IsNotFound(err) || kapierrs.IsForbidden(err) {
e2e.Logf("Waiting for service account %q to be available: %v (will retry) ...", sa.Name, err)
return false, nil
}
return false, fmt.Errorf("Failed to get service account %q: %v", sa.Name, err)
}
return true, nil
})

If you're to re-use it, replace it with

origin/test/extended/util/framework.go

Lines 1023 to 1024 in 79baa1b

func WaitForServiceAccount(c corev1client.ServiceAccountInterface, name string) error {
waitFn := func() (bool, error) {

No need to export it or move it anywhere yet, I think.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1, using the WaitForServiceAccount now

@ingvagabund
Copy link
Member

/assign @stlaz
/unassign

@openshift-ci openshift-ci bot assigned stlaz and unassigned ingvagabund Jan 17, 2023
stlaz
stlaz suggested changes Jan 19, 2023
View reviewed changes
test/extended/security/supplemental_groups.go

fsGroup := int64(1111)
supGroup := int64(2222)

projectName := oc.Namespace()
sa := createServiceAccount(ctx, oc, projectName)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure whether it was me who originally reviewed the PR of that SA creation, but this wait piece of the code is weird:

origin/test/extended/security/scc.go

Lines 479 to 491 in 79baa1b

err = wait.Poll(100*time.Millisecond, 3*time.Minute, func() (bool, error) {
_, err := oc.AdminKubeClient().CoreV1().ServiceAccounts(namespace).Get(context.Background(), sa.Name, metav1.GetOptions{})
if err != nil {
// If we can't access the service accounts, let's wait till the controller
// create it.
if kapierrs.IsNotFound(err) || kapierrs.IsForbidden(err) {
e2e.Logf("Waiting for service account %q to be available: %v (will retry) ...", sa.Name, err)
return false, nil
}
return false, fmt.Errorf("Failed to get service account %q: %v", sa.Name, err)
}
return true, nil
})

If you're to re-use it, replace it with

origin/test/extended/util/framework.go

Lines 1023 to 1024 in 79baa1b

func WaitForServiceAccount(c corev1client.ServiceAccountInterface, name string) error {
waitFn := func() (bool, error) {

No need to export it or move it anywhere yet, I think.

test/extended/security/supplemental_groups.go Outdated
err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
_, err := oc.AsAdmin().Run("adm").Args("policy", "add-scc-to-user", "anyuid", oc.Username()).Output()
// sa serves as a subject instead of the user
_, err := oc.AsAdmin().Run("adm").Args("policy", "add-scc-to-user", "anyuid", supSubject).Output()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIRC -z <SA name> -n <namespace> is what should be used here, right?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

both of these options should work, but yes this makes the intent more clearer

stlaz
stlaz reviewed Jan 19, 2023
View reviewed changes
test/extended/security/supplemental_groups.go
o.Expect(err).NotTo(o.HaveOccurred())

out, stderr, err := oc.Run("exec").Args("-p", supplementalGroupsPod, "--", "/usr/bin/id", "-G").Outputs()
out, stderr, err := oc.Run("exec").Args(supplementalGroupsPod, "--as", supSubject, "--", "/usr/bin/id", "-G").Outputs()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should likely work even without that impersonation

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it does not

"Error from server (Forbidden): pods \"supplemental-groups\" is forbidden: exec operation is not allowed because the pod's security context exceeds your permissions: pods \"supplemental-groups\" is forbidden: unable to validate against any security context constraint: [provider \"anyuid\": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1111}: 1111 is not an allowed group, provider \"restricted\": Forbidden: not usable by user or serviceaccount, provider \"nonroot-v2\": Forbidden: not usable by user or serviceaccount, provider \"nonroot\": Forbidden: not usable by user or serviceaccount, provider \"hostmount-anyuid\": Forbidden: not usable by user or serviceaccount, provider \"machine-api-termination-handler\": Forbidden: not usable by user or serviceaccount, provider \"hostnetwork-v2\": Forbidden: not usable by user or serviceaccount, provider \"hostnetwork\": Forbidden: not usable by user or serviceaccount, provider \"hostaccess\": Forbidden: not usable by user or serviceaccount, provider \"node-exporter\": Forbidden: not usable by user or serviceaccount, provider \"privileged\": Forbidden: not usable by user or serviceaccount]"

we have access to the service account which has elevated privileges.

Other option is to run this as an admin.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought admin was the default user. Yep, run it like so 👍

@atiratree
make supplemental groups test working again
785c6a7 
- remove user group requirement for the test
- remove [Local] from test as it is not local anymore since 356a379
@atiratree
use WaitForServiceAccount
2a2c7c6
@atiratree
Copy link
Member Author

/retest

@stlaz
Copy link
Member

stlaz commented Feb 2, 2023

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 2, 2023
soltysh
soltysh approved these changes Feb 2, 2023
View reviewed changes
Copy link
Member

@soltysh soltysh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 2, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: atiratree, soltysh, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 2, 2023
@openshift-ci-robot
Copy link

/retest-required

Remaining retests: 0 against base HEAD 79d9b29 and 2 for PR HEAD 2a2c7c6 in total

@openshift-ci-robot
Copy link

/retest-required

Remaining retests: 0 against base HEAD 362a0e2 and 1 for PR HEAD 2a2c7c6 in total

@openshift-ci-robot
Copy link

/retest-required

Remaining retests: 0 against base HEAD 73d3250 and 0 for PR HEAD 2a2c7c6 in total

@openshift-ci-robot
Copy link

/hold

Revision 2a2c7c6 was retested 3 times: holding

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 3, 2023
@atiratree
Copy link
Member Author

/hold cancel
/retest

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 7, 2023
@openshift-ci-robot
Copy link

/retest-required

Remaining retests: 0 against base HEAD a8e9bfe and 2 for PR HEAD 2a2c7c6 in total

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 7, 2023

@atiratree: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-azure-ovn-etcd-scaling 2a2c7c6 link false /test e2e-azure-ovn-etcd-scaling
ci/prow/e2e-aws-ovn-etcd-scaling 2a2c7c6 link false /test e2e-aws-ovn-etcd-scaling
ci/prow/e2e-aws-ovn-upgrade 2a2c7c6 link false /test e2e-aws-ovn-upgrade
ci/prow/e2e-aws-ovn-single-node-upgrade 2a2c7c6 link false /test e2e-aws-ovn-single-node-upgrade

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-merge-robot openshift-merge-robot merged commit 60274b3 into openshift:master Feb 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stlaz stlaz stlaz requested changes

@soltysh soltysh soltysh approved these changes

@mfojtik mfojtik Awaiting requested review from mfojtik

Assignees

@stlaz stlaz

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@atiratree @ingvagabund @stlaz @openshift-ci-robot @soltysh @openshift-merge-robot