Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

End2End - Pod Security Admission fixes #368

Merged
merged 2 commits into from
Oct 27, 2022
Merged

End2End - Pod Security Admission fixes #368

merged 2 commits into from
Oct 27, 2022

Conversation

zeeke
Copy link
Member

@zeeke zeeke commented Oct 6, 2022

These changes aim to solve Pod Security Admission problem when running tests against k8s v1.25+ , as privileged pods are often needed during tests.

@zeeke
e2e-test: Support Pod Security labels
b32ec02 
Add `pod-security.kubernetes.io/*` labels to
namespace created during tests.

Signed-off-by: Andrea Panattoni <[email protected]>
@zeeke
e2e-test: improve resource cleaning
4b7f949 
If a test use a different namespace than
`sriov-conformance-testing`, clean.All() should
remove any sriov resource.

Signed-off-by: Andrea Panattoni <[email protected]>
@github-actions
Copy link

github-actions bot commented Oct 6, 2022

Thanks for your PR,
To run vendors CIs use one of:

  • /test-all: To run all tests for all vendors.
  • /test-e2e-all: To run all E2E tests for all vendors.
  • /test-e2e-nvidia-all: To run all E2E tests for NVIDIA vendor.

To skip the vendors CIs use one of:

  • /skip-all: To skip all tests for all vendors.
  • /skip-e2e-all: To skip all E2E tests for all vendors.
  • /skip-e2e-nvidia-all: To skip all E2E tests for NVIDIA vendor.
    Best regards.

@coveralls
Copy link

Pull Request Test Coverage Report for Build 3197352728

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 24.977%
Totals Coverage Status
Change from base Build 3145228912: 0.0%
Covered Lines: 1871
Relevant Lines: 7491
💛 - Coveralls

@e0ne
Copy link
Collaborator

e0ne commented Oct 13, 2022

/test-e2e-all

e0ne
e0ne reviewed Oct 13, 2022
View reviewed changes
test/util/clean/clean.go
if !namespaces.Exists(namespaces.Test, clients) {
return nil
}

err := namespaces.DeleteAndWait(clients, namespaces.Test, 5*time.Minute)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a bit confused by this change and the commit message: will it remove sriov resources from all namespaces or just from the specified one?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this function delete the namespace and all the objects in that namespace. it's for a test namespace we don't run this function on the operator namespace.

There is also a clean sriov function to remove all the sriov related objects like sriovNetwork and sriovNetworkNodePolicy

SchSeba
SchSeba approved these changes Oct 24, 2022
View reviewed changes
Copy link
Collaborator

@SchSeba SchSeba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

thanks!

wizhaoredhat
wizhaoredhat reviewed Oct 25, 2022
View reviewed changes
test/util/namespaces/namespaces.go
@@ -20,6 +20,13 @@ import (
// Test is the namespace to be use for testing
const Test = "sriov-conformance-testing"

var inhibitSecurityAdmissionLabels = map[string]string{
"pod-security.kubernetes.io/audit": "privileged",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We might want to align this with what we have for #371

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From what I see the labels have a delta.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@wizhaoredhat this is fine for the test-pods we have this in other places where we run tests like openshift-kni/cnf-features-deploy#1238

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah ok, got it. Thanks!

SchSeba
SchSeba approved these changes Oct 26, 2022
View reviewed changes
test/util/namespaces/namespaces.go
@@ -20,6 +20,13 @@ import (
// Test is the namespace to be use for testing
const Test = "sriov-conformance-testing"

var inhibitSecurityAdmissionLabels = map[string]string{
"pod-security.kubernetes.io/audit": "privileged",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@wizhaoredhat this is fine for the test-pods we have this in other places where we run tests like openshift-kni/cnf-features-deploy#1238

@e0ne e0ne merged commit 928b059 into k8snetworkplumbingwg:master Oct 27, 2022
@cgoncalves cgoncalves mentioned this pull request Oct 28, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wizhaoredhat wizhaoredhat wizhaoredhat left review comments

@SchSeba SchSeba SchSeba approved these changes

@e0ne e0ne e0ne approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@zeeke @coveralls @e0ne @SchSeba @wizhaoredhat