e2e: disable pod security checks
The pods that we deploy inside the test namespaces need privileges.
pohly committed Sep 14, 2022
1 parent 2e46b90 commit 72af349
Showing 6 changed files with 30 additions and 6 deletions.
2 changes: 1 addition & 1 deletion go.mod
@@ -32,6 +32,7 @@ require (
k8s.io/kube-scheduler v0.25.0
k8s.io/kubectl v1.25.0
k8s.io/kubernetes v1.25.0
k8s.io/pod-security-admission v0.0.0
k8s.io/utils v0.0.0-20220812165043-ad590609e2e5
sigs.k8s.io/controller-runtime v0.12.3
sigs.k8s.io/sig-storage-lib-external-provisioner/v6 v6.2.0
@@ -111,7 +112,6 @@ require (
k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
k8s.io/kubelet v0.0.0 // indirect
k8s.io/mount-utils v0.0.0 // indirect
k8s.io/pod-security-admission v0.0.0 // indirect
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.32 // indirect
sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
4 changes: 4 additions & 0 deletions test/e2e/storage/conversion.go
@@ -31,6 +31,7 @@ import (
"k8s.io/client-go/kubernetes"
"k8s.io/kubernetes/test/e2e/framework"
e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
admissionapi "k8s.io/pod-security-admission/api"

api "github.com/intel/pmem-csi/pkg/apis/pmemcsi/v1beta1"
"github.com/intel/pmem-csi/test/e2e/deploy"
@@ -48,6 +49,9 @@ var _ = deploy.DescribeForSome("raw-conversion", func(d *deploy.Deployment) bool
}, func(d *deploy.Deployment) {
f := framework.NewDefaultFramework("conversion")

// Several pods needs privileges.
f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged

It("works", func() {
testRawNamespaceConversion(f, d.DriverName, d.Namespace)
})
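Review bot: The added comment `// Several pods needs privileges.` does not say which pods need which privileges, yet the line below it sets the namespace's Pod Security enforce level to `admissionapi.LevelPrivileged`, which stops admission from rejecting any pod created in that test namespace. Naming the requirement would let a later change narrow the exemption, for example `// <pod name(s) — confirm> need <privilege — confirm>, so Pod Security enforcement is relaxed for this test namespace only.` The same two lines are repeated in test/e2e/storage/dax/dax.go (twice), test/e2e/storage/pmem_csi.go, test/e2e/tls/tls.go and test/e2e/versionskew/versionskew.go; a small shared helper would keep the justification in one place. In pmem_csi.go the framework is then passed to `DefineLateBindingTests` and `DefineImmediateBindingTests`, so the relaxed level presumably covers every test they define, whether or not each one needs it. The enclosing function literal continues past the end of this hunk.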
8 changes: 8 additions & 0 deletions test/e2e/storage/dax/dax.go
@@ -31,6 +31,7 @@ import (
e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
"k8s.io/kubernetes/test/e2e/framework/volume"
storageframework "k8s.io/kubernetes/test/e2e/storage/framework"
admissionapi "k8s.io/pod-security-admission/api"

api "github.com/intel/pmem-csi/pkg/apis/pmemcsi/v1beta1"
"github.com/intel/pmem-csi/test/e2e/deploy"
@@ -92,6 +93,9 @@ func (p *daxTestSuite) DefineTests(driver storageframework.TestDriver, pattern s

f := framework.NewDefaultFramework("dax")

// Several pods needs privileges.
f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged

init := func() {
l = local{}

@@ -525,6 +529,10 @@ var _ = deploy.DescribeForSome("dax", func(d *deploy.Deployment) bool {
}, func(d *deploy.Deployment) {
var l local
f := framework.NewDefaultFramework("dax")

// Several pods needs privileges.
f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged

init := func() {
l = local{}

4 changes: 4 additions & 0 deletions test/e2e/storage/pmem_csi.go
@@ -19,6 +19,7 @@ import (
k8stypes "k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/test/e2e/framework"
storageframework "k8s.io/kubernetes/test/e2e/storage/framework"
admissionapi "k8s.io/pod-security-admission/api"
runtime "sigs.k8s.io/controller-runtime/pkg/client"

"github.com/intel/pmem-csi/pkg/k8sutil"
@@ -52,6 +53,9 @@ var _ = deploy.DescribeForAll("Deployment", func(d *deploy.Deployment) {
var _ = deploy.DescribeForAll("Deployment", func(d *deploy.Deployment) {
f := framework.NewDefaultFramework("pmem-csi")

// Several pods needs privileges.
f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged

DefineLateBindingTests(d, f)
DefineImmediateBindingTests(d, f)
DefineKataTests(d)
4 changes: 4 additions & 0 deletions test/e2e/tls/tls.go
@@ -19,6 +19,7 @@ import (
"k8s.io/kubernetes/test/e2e/framework"
e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
"k8s.io/kubernetes/test/e2e/framework/skipper"
admissionapi "k8s.io/pod-security-admission/api"

"github.com/intel/pmem-csi/test/e2e/deploy"
pmempod "github.com/intel/pmem-csi/test/e2e/pod"
@@ -31,6 +32,9 @@ import (
var _ = deploy.DescribeForAll("TLS", func(d *deploy.Deployment) {
f := framework.NewDefaultFramework("tls")

// Several pods needs privileges.
f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged

// All of the following pod names, namespaces and ports match
// those in the current deployment files.

14 changes: 9 additions & 5 deletions test/e2e/versionskew/versionskew.go
@@ -15,20 +15,21 @@ import (
"fmt"
"strconv"

v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/kubernetes/test/e2e/framework"
e2edeployment "k8s.io/kubernetes/test/e2e/framework/deployment"
"k8s.io/kubernetes/test/e2e/framework/skipper"
e2evolume "k8s.io/kubernetes/test/e2e/framework/volume"
storageframework "k8s.io/kubernetes/test/e2e/storage/framework"
admissionapi "k8s.io/pod-security-admission/api"

"github.com/intel/pmem-csi/pkg/k8sutil"
"github.com/intel/pmem-csi/pkg/version"
"github.com/intel/pmem-csi/test/e2e/deploy"
"github.com/intel/pmem-csi/test/e2e/driver"
"github.com/intel/pmem-csi/test/e2e/storage/dax"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
e2edeployment "k8s.io/kubernetes/test/e2e/framework/deployment"
e2evolume "k8s.io/kubernetes/test/e2e/framework/volume"

. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
@@ -155,6 +156,9 @@ func (p *skewTestSuite) DefineTests(driver storageframework.TestDriver, pattern

f := framework.NewDefaultFramework("skew")

// Several pods needs privileges.
f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged

// We rely here on the driver being named after a deployment
// (see csi_volumes.go).
d := deploy.MustParse(driver.GetDriverInfo().Name)