From 72af349315058ea4d2942cce883cc9809d55cb88 Mon Sep 17 00:00:00 2001
From: Patrick Ohly
Date: Mon, 22 Aug 2022 13:49:35 +0200
Subject: [PATCH] e2e: disable pod security checks

The pods that we deploy inside the test namespaces need privileges.
---
 go.mod | 2 +-
 test/e2e/storage/conversion.go | 4 ++++
 test/e2e/storage/dax/dax.go | 8 ++++++++
 test/e2e/storage/pmem_csi.go | 4 ++++
 test/e2e/tls/tls.go | 4 ++++
 test/e2e/versionskew/versionskew.go | 14 +++++++++-----
 6 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index e9c26c3f8..c8c0cc5c2 100644
--- a/go.mod
+++ b/go.mod
@@ -32,6 +32,7 @@ require (
 k8s.io/kube-scheduler v0.25.0
 k8s.io/kubectl v1.25.0
 k8s.io/kubernetes v1.25.0
+ k8s.io/pod-security-admission v0.0.0
 k8s.io/utils v0.0.0-20220812165043-ad590609e2e5
 sigs.k8s.io/controller-runtime v0.12.3
 sigs.k8s.io/sig-storage-lib-external-provisioner/v6 v6.2.0
@@ -111,7 +112,6 @@ require (
 k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
 k8s.io/kubelet v0.0.0 // indirect
 k8s.io/mount-utils v0.0.0 // indirect
- k8s.io/pod-security-admission v0.0.0 // indirect
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.32 // indirect
 sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
diff --git a/test/e2e/storage/conversion.go b/test/e2e/storage/conversion.go
index 178916bd0..ae692b7cf 100644
--- a/test/e2e/storage/conversion.go
+++ b/test/e2e/storage/conversion.go
@@ -31,6 +31,7 @@ import (
 "k8s.io/client-go/kubernetes"
 "k8s.io/kubernetes/test/e2e/framework"
 e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+ admissionapi "k8s.io/pod-security-admission/api"
 api "github.com/intel/pmem-csi/pkg/apis/pmemcsi/v1beta1"
 "github.com/intel/pmem-csi/test/e2e/deploy"
@@ -48,6 +49,9 @@ var _ = deploy.DescribeForSome("raw-conversion", func(d *deploy.Deployment) bool {
 }, func(d *deploy.Deployment) {
 f := framework.NewDefaultFramework("conversion")
+ // Several pods needs privileges.
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
+
 It("works", func() {
 testRawNamespaceConversion(f, d.DriverName, d.Namespace)
 })
diff --git a/test/e2e/storage/dax/dax.go b/test/e2e/storage/dax/dax.go
index ca00dd649..4b20bb93c 100644
--- a/test/e2e/storage/dax/dax.go
+++ b/test/e2e/storage/dax/dax.go
@@ -31,6 +31,7 @@ import (
 e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 "k8s.io/kubernetes/test/e2e/framework/volume"
 storageframework "k8s.io/kubernetes/test/e2e/storage/framework"
+ admissionapi "k8s.io/pod-security-admission/api"
 api "github.com/intel/pmem-csi/pkg/apis/pmemcsi/v1beta1"
 "github.com/intel/pmem-csi/test/e2e/deploy"
@@ -92,6 +93,9 @@ func (p *daxTestSuite) DefineTests(driver storageframework.TestDriver, pattern s
 f := framework.NewDefaultFramework("dax")
+ // Several pods needs privileges.
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
+
 init := func() {
 l = local{}
@@ -525,6 +529,10 @@ var _ = deploy.DescribeForSome("dax", func(d *deploy.Deployment) bool {
 }, func(d *deploy.Deployment) {
 var l local
 f := framework.NewDefaultFramework("dax")
+
+ // Several pods needs privileges.
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
+
 init := func() {
 l = local{}
diff --git a/test/e2e/storage/pmem_csi.go b/test/e2e/storage/pmem_csi.go
index 87da34754..0ecedd079 100644
--- a/test/e2e/storage/pmem_csi.go
+++ b/test/e2e/storage/pmem_csi.go
@@ -19,6 +19,7 @@ import (
 k8stypes "k8s.io/apimachinery/pkg/types"
 "k8s.io/kubernetes/test/e2e/framework"
 storageframework "k8s.io/kubernetes/test/e2e/storage/framework"
+ admissionapi "k8s.io/pod-security-admission/api"
 runtime "sigs.k8s.io/controller-runtime/pkg/client"
 "github.com/intel/pmem-csi/pkg/k8sutil"
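Review bot: In test/e2e/storage/conversion.go the new comment `// Several pods needs privileges.` does not say which pods need privileges or why, although the line below it switches off Pod Security enforcement for the whole test namespace. Someone auditing that exemption needs the reason next to it, for example `// Pods deployed into this namespace need privileges, so Pod Security admission must not enforce a stricter level.`, which also fixes the "pods needs" agreement error. The same comment is repeated in both dax.go hunks and in pmem_csi.go, tls.go and versionskew.go. The enclosing DescribeForSome callback ends outside the hunk.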
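Review bot: The privileged override is now copied into six places, two of them in test/e2e/storage/dax/dax.go (DefineTests and the DescribeForSome("dax") callback), which scatters one security exemption across the test tree. A shared constructor in a package that all suites already import would keep it in a single place that can be audited or tightened later; each call site would then read `f := NewPrivilegedFramework("dax")`. The name is only a suggestion, and whether test/e2e/deploy can host it depends on imports that are not visible here. Both enclosing functions start and end outside the hunks.

```go
// NewPrivilegedFramework returns a test framework whose namespaces admit
// privileged pods, which the pods deployed by these suites need.
func NewPrivilegedFramework(baseName string) *framework.Framework {
	f := framework.NewDefaultFramework(baseName)
	f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
	return f
}
```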
@@ -52,6 +53,9 @@ var _ = deploy.DescribeForAll("Deployment", func(d *deploy.Deployment) {
 var _ = deploy.DescribeForAll("Deployment", func(d *deploy.Deployment) {
 f := framework.NewDefaultFramework("pmem-csi")
+ // Several pods needs privileges.
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
+
 DefineLateBindingTests(d, f)
 DefineImmediateBindingTests(d, f)
 DefineKataTests(d)
diff --git a/test/e2e/tls/tls.go b/test/e2e/tls/tls.go
index d95911518..9b9fad836 100644
--- a/test/e2e/tls/tls.go
+++ b/test/e2e/tls/tls.go
@@ -19,6 +19,7 @@ import (
 "k8s.io/kubernetes/test/e2e/framework"
 e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 "k8s.io/kubernetes/test/e2e/framework/skipper"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/intel/pmem-csi/test/e2e/deploy"
 pmempod "github.com/intel/pmem-csi/test/e2e/pod"
@@ -31,6 +32,9 @@ import (
 var _ = deploy.DescribeForAll("TLS", func(d *deploy.Deployment) {
 f := framework.NewDefaultFramework("tls")
+ // Several pods needs privileges.
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
+
 // All of the following pod names, namespaces and ports match
 // those in the current deployment files.
diff --git a/test/e2e/versionskew/versionskew.go b/test/e2e/versionskew/versionskew.go
index fc8002588..f41e8087c 100644
--- a/test/e2e/versionskew/versionskew.go
+++ b/test/e2e/versionskew/versionskew.go
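Review bot: In test/e2e/storage/pmem_csi.go the privileged level is set on the single framework `f` that is then handed to DefineLateBindingTests and DefineImmediateBindingTests, so every namespace created for those tests admits any pod, not only the ones that need privileges. The hunk does not show which pods those are; if only some of them need it, the suites can no longer notice a pod that starts requiring more than it should. Recording the intended scope here would help, e.g. `// TODO: restrict to the tests whose pods actually need privileged access.`, unless every test under this Describe is known to deploy such pods. The DescribeForAll callback continues outside the hunk.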
@@ -15,20 +15,21 @@ import (
 "fmt"
 "strconv"
+ v1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ utilerrors "k8s.io/apimachinery/pkg/util/errors"
 "k8s.io/kubernetes/test/e2e/framework"
+ e2edeployment "k8s.io/kubernetes/test/e2e/framework/deployment"
 "k8s.io/kubernetes/test/e2e/framework/skipper"
+ e2evolume "k8s.io/kubernetes/test/e2e/framework/volume"
 storageframework "k8s.io/kubernetes/test/e2e/storage/framework"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/intel/pmem-csi/pkg/k8sutil"
 "github.com/intel/pmem-csi/pkg/version"
 "github.com/intel/pmem-csi/test/e2e/deploy"
 "github.com/intel/pmem-csi/test/e2e/driver"
 "github.com/intel/pmem-csi/test/e2e/storage/dax"
- v1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- utilerrors "k8s.io/apimachinery/pkg/util/errors"
- e2edeployment "k8s.io/kubernetes/test/e2e/framework/deployment"
- e2evolume "k8s.io/kubernetes/test/e2e/framework/volume"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
@@ -155,6 +156,9 @@ func (p *skewTestSuite) DefineTests(driver storageframework.TestDriver, pattern
 f := framework.NewDefaultFramework("skew")
+ // Several pods needs privileges.
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
+
 // We rely here on the driver being named after a deployment
 // (see csi_volumes.go).
 d := deploy.MustParse(driver.GetDriverInfo().Name)