🌱 fix(test): make e2e test bundle compatible with restricted SCC #2711
The e2e test operator ran busybox httpd on port 80 writing to /var/www/,
both of which require root. Restricted SCC enforces non-root UIDs from a
namespace-assigned range, causing the pod to crash with Permission denied.
Similarly, several feature files hardcoded runAsUser:1000 which falls
outside the allowed UID range on some k8s implementations.
Changes:
- bundle.go: switch httpd from port 80+/var/www to port 8080+/tmp/www so
the pod starts under any SCC without root privileges
- steps.go: match the /tmp/www path in the readiness exec probe; add
OLM_NAMESPACE as a substitution variable; make per-step timeout
configurable via E2E_STEP_TIMEOUT env var (default 5m unchanged)
- install.feature: replace hardcoded "olmv1-system" with ${OLM_NAMESPACE}
so referred-secret lookups work when OLM is deployed in a different
namespace
- revision.feature, recover.feature: remove runAsUser:1000 from pod/
container specs; keep runAsNonRoot:true
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Todd Short <tshort@redhat.com>
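An added example, not code from this PR or its project: a Go pre-flight check for the two failure modes described above, a hardcoded runAsUser outside the namespace's UID range and a container port below 1024. The `Container` type and the `Findings` and `parseUIDRange` functions are hypothetical, the range value is constructed, and the format assumes OpenShift's `openshift.io/sa.scc.uid-range` namespace annotation in its `<start>/<size>` form.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Container is a hypothetical, trimmed-down view of a container spec.
type Container struct {
	Name      string
	RunAsUser *int64 // nil: let the platform assign a UID from the namespace range
	Ports     []int
}

// parseUIDRange parses "<start>/<size>", e.g. "1000680000/10000" (constructed value).
func parseUIDRange(s string) (int64, int64, error) {
	a, b, ok := strings.Cut(s, "/")
	start, e1 := strconv.ParseInt(a, 10, 64)
	size, e2 := strconv.ParseInt(b, 10, 64)
	if !ok || e1 != nil || e2 != nil || start < 0 || size <= 0 {
		return 0, 0, fmt.Errorf("uid range %q: want <start>/<size>", s)
	}
	return start, size, nil
}

// Findings reports settings that fail under a restricted SCC with this UID range.
func Findings(c Container, uidRange string) ([]string, error) {
	start, size, err := parseUIDRange(uidRange)
	if err != nil {
		return nil, err
	}
	var out []string
	if u := c.RunAsUser; u != nil && (*u < start || *u >= start+size) {
		out = append(out, fmt.Sprintf("%s: runAsUser %d outside %d-%d", c.Name, *u, start, start+size-1))
	}
	for _, p := range c.Ports {
		if p < 1024 { // binding needs root or CAP_NET_BIND_SERVICE by default
			out = append(out, fmt.Sprintf("%s: port %d is privileged", c.Name, p))
		}
	}
	return out, nil
}

func main() {
	uid := int64(1000) // the hardcoded UID this PR removes
	fmt.Println(Findings(Container{"httpd", &uid, []int{80}}, "1000680000/10000"))
	fmt.Println(Findings(Container{"httpd", nil, []int{8080}}, "1000680000/10000"))
}
```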
Pull request overview
Makes the e2e test bundle and feature scenarios compatible with Kubernetes clusters that enforce restricted SCC (e.g. OpenShift), where root UIDs and privileged ports are disallowed and namespace-assigned UID ranges may exclude 1000. Also adds a configurable per-step timeout to accommodate slower runtimes.
Changes:
- Switch the test bundle's httpd from port 80 / `/var/www` to port 8080 / `/tmp/www` and update the matching readiness exec probe path.
- Remove hardcoded `runAsUser: 1000` (and, in `revision.feature`, also `runAsNonRoot: true`) from pod/container security contexts; parameterize `olmv1-system` via a new `OLM_NAMESPACE` substitution variable.
- Make the per-step e2e timeout overridable via the `E2E_STEP_TIMEOUT` environment variable.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| test/internal/catalog/bundle.go | httpd script and container/probe ports moved to unprivileged 8080 and /tmp/www. |
| test/e2e/steps/steps.go | New OLM_NAMESPACE substitution var, configurable timeout via env var, and updated exec probe path to /tmp/www/ready. |
| test/e2e/features/install.feature | Replace hardcoded olmv1-system with ${OLM_NAMESPACE} for referred-secret lookup. |
| test/e2e/features/revision.feature | Remove runAsUser: 1000 and runAsNonRoot: true from three security contexts. |
| test/e2e/features/recover.feature | Remove runAsUser: 1000, retain runAsNonRoot: true. |
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## main #2711 +/- ##
==========================================
+ Coverage 68.12% 68.16% +0.03%
==========================================
Files 145 145
Lines 10698 10698
==========================================
+ Hits 7288 7292 +4
+ Misses 2880 2878 -2
+ Partials 530 528 -2
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: joelanford
Nice find!
ef1a6b1 into operator-framework:main
Fixes OPRUN-4607