diff --git a/test/e2e/apimachinery/chunking.go b/test/e2e/apimachinery/chunking.go index 34545e59268..1153246a71d 100644 --- a/test/e2e/apimachinery/chunking.go +++ b/test/e2e/apimachinery/chunking.go @@ -35,6 +35,7 @@ import ( utilfeature "k8s.io/apiserver/pkg/util/feature" "k8s.io/client-go/util/workqueue" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" ) func shouldCheckRemainingItem() bool { @@ -45,6 +46,7 @@ const numberOfTotalResources = 400 var _ = SIGDescribe("Servers with support for API chunking", func() { f := framework.NewDefaultFramework("chunking") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { ns := f.Namespace.Name diff --git a/test/e2e/apimachinery/crd_publish_openapi.go b/test/e2e/apimachinery/crd_publish_openapi.go index ca77c70e22d..6109523f636 100644 --- a/test/e2e/apimachinery/crd_publish_openapi.go +++ b/test/e2e/apimachinery/crd_publish_openapi.go @@ -44,6 +44,7 @@ import ( "k8s.io/kube-openapi/pkg/validation/spec" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/utils/crd" + admissionapi "k8s.io/pod-security-admission/api" ) var ( @@ -52,6 +53,7 @@ var ( var _ = SIGDescribe("CustomResourcePublishOpenAPI [Privileged:ClusterAdmin]", func() { f := framework.NewDefaultFramework("crd-publish-openapi") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.16 diff --git a/test/e2e/apimachinery/crd_validation_rules.go b/test/e2e/apimachinery/crd_validation_rules.go index 2a351b8b1fa..551a6991367 100644 --- a/test/e2e/apimachinery/crd_validation_rules.go +++ b/test/e2e/apimachinery/crd_validation_rules.go 
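Review bot: The added `f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged` in chunking.go's `SIGDescribe` body has no comment explaining why the suite needs the least restrictive Pod Security level. The same bare line repeats in every other suite hunk of this patch (crd_publish_openapi.go, crd_watch.go, discovery.go, health_handlers.go, request_timeout.go, server_version.go and the rest). If this is a blanket opt-out to keep suites passing while Pod Security enforcement is tightened, mark each site so it can be found and reviewed later, e.g. `// TODO: lower to admissionapi.LevelBaseline or LevelRestricted once this suite is confirmed not to need privileged pods`. Suites whose visible context only reads API objects (server version, health handlers, request timeout) look like candidates for a stricter level, but that needs confirming per suite because the closure bodies continue outside the hunks.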
@@ -32,10 +32,12 @@ import ( "k8s.io/apiserver/pkg/storage/names" "k8s.io/client-go/dynamic" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = SIGDescribe("CustomResourceValidationRules [Privileged:ClusterAdmin][Alpha][Feature:CustomResourceValidationExpressions]", func() { f := framework.NewDefaultFramework("crd-validation-expressions") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var apiExtensionClient *clientset.Clientset ginkgo.BeforeEach(func() { diff --git a/test/e2e/apimachinery/crd_watch.go b/test/e2e/apimachinery/crd_watch.go index 929fde6b990..829c2489543 100644 --- a/test/e2e/apimachinery/crd_watch.go +++ b/test/e2e/apimachinery/crd_watch.go @@ -31,6 +31,7 @@ import ( "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/dynamic" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -38,6 +39,7 @@ import ( var _ = SIGDescribe("CustomResourceDefinition Watch [Privileged:ClusterAdmin]", func() { f := framework.NewDefaultFramework("crd-watch") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("CustomResourceDefinition Watch", func() { /* diff --git a/test/e2e/apimachinery/custom_resource_definition.go b/test/e2e/apimachinery/custom_resource_definition.go index 4f636940ac8..4ae999e7856 100644 --- a/test/e2e/apimachinery/custom_resource_definition.go +++ b/test/e2e/apimachinery/custom_resource_definition.go @@ -39,11 +39,13 @@ import ( "k8s.io/client-go/dynamic" "k8s.io/client-go/util/retry" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = SIGDescribe("CustomResourceDefinition resources [Privileged:ClusterAdmin]", func() { f := framework.NewDefaultFramework("custom-resource-definition") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("Simple CustomResourceDefinition", func() { /* 
diff --git a/test/e2e/apimachinery/discovery.go b/test/e2e/apimachinery/discovery.go index 04103aeeb5f..8c73032337f 100644 --- a/test/e2e/apimachinery/discovery.go +++ b/test/e2e/apimachinery/discovery.go @@ -28,6 +28,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/utils/crd" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -35,6 +36,7 @@ import ( var storageVersionServerVersion = utilversion.MustParseSemantic("v1.13.99") var _ = SIGDescribe("Discovery", func() { f := framework.NewDefaultFramework("discovery") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var namespaceName string diff --git a/test/e2e/apimachinery/etcd_failure.go b/test/e2e/apimachinery/etcd_failure.go index ed0c6c15145..e963b1c062a 100644 --- a/test/e2e/apimachinery/etcd_failure.go +++ b/test/e2e/apimachinery/etcd_failure.go @@ -31,6 +31,7 @@ import ( e2essh "k8s.io/kubernetes/test/e2e/framework/ssh" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -38,6 +39,7 @@ import ( var _ = SIGDescribe("Etcd failure [Disruptive]", func() { f := framework.NewDefaultFramework("etcd-failure") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { // This test requires: diff --git a/test/e2e/apimachinery/flowcontrol.go b/test/e2e/apimachinery/flowcontrol.go index 8c4120e2089..95c745caebc 100644 --- a/test/e2e/apimachinery/flowcontrol.go +++ b/test/e2e/apimachinery/flowcontrol.go @@ -39,6 +39,7 @@ import ( "k8s.io/client-go/rest" clientsideflowcontrol "k8s.io/client-go/util/flowcontrol" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" ) const ( 
@@ -52,6 +53,7 @@ var ( var _ = SIGDescribe("API priority and fairness", func() { f := framework.NewDefaultFramework("apf") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should ensure that requests can be classified by adding FlowSchema and PriorityLevelConfiguration", func() { testingFlowSchemaName := "e2e-testing-flowschema" diff --git a/test/e2e/apimachinery/generated_clientset.go b/test/e2e/apimachinery/generated_clientset.go index d728f9e8c69..05fd24eedf9 100644 --- a/test/e2e/apimachinery/generated_clientset.go +++ b/test/e2e/apimachinery/generated_clientset.go @@ -214,6 +214,7 @@ func newTestingCronJob(name string, value string) *batchv1.CronJob { var _ = SIGDescribe("Generated clientset", func() { f := framework.NewDefaultFramework("clientset") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should create v1 cronJobs, delete cronJobs, watch cronJobs", func() { cronJobClient := f.ClientSet.BatchV1().CronJobs(f.Namespace.Name) diff --git a/test/e2e/apimachinery/health_handlers.go b/test/e2e/apimachinery/health_handlers.go index b67aa01945c..29fe083eaf6 100644 --- a/test/e2e/apimachinery/health_handlers.go +++ b/test/e2e/apimachinery/health_handlers.go @@ -27,6 +27,7 @@ import ( clientset "k8s.io/client-go/kubernetes" restclient "k8s.io/client-go/rest" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -116,6 +117,7 @@ func testPath(client clientset.Interface, path string, requiredChecks sets.Strin var _ = SIGDescribe("health handlers", func() { f := framework.NewDefaultFramework("health") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should contain necessary checks", func() { ginkgo.By("/health") diff --git a/test/e2e/apimachinery/protocol.go b/test/e2e/apimachinery/protocol.go index 322b935615c..270bf58ea4c 100644 --- a/test/e2e/apimachinery/protocol.go +++ b/test/e2e/apimachinery/protocol.go 
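Review bot: `admissionapi` is used in generated_clientset.go's `SIGDescribe` hunk, but this file's diff has no import hunk adding the package, unlike nearly every other file in the patch. The same is true of test/e2e/apps/disruption.go, where `anotherFramework.NamespacePodSecurityEnforceLevel` is set without any import change. If either file does not already import the package the build fails, so confirm the existing import or add `admissionapi "k8s.io/pod-security-admission/api"` to its import block. The import blocks of both files are outside the visible hunks.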
@@ -29,12 +29,14 @@ import ( "k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/kubernetes" + admissionapi "k8s.io/pod-security-admission/api" "k8s.io/kubernetes/test/e2e/framework" ) var _ = SIGDescribe("client-go should negotiate", func() { f := framework.NewDefaultFramework("protocol") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged for _, s := range []string{ "application/json", diff --git a/test/e2e/apimachinery/request_timeout.go b/test/e2e/apimachinery/request_timeout.go index f7249b44ad3..5e596a524ba 100644 --- a/test/e2e/apimachinery/request_timeout.go +++ b/test/e2e/apimachinery/request_timeout.go @@ -24,6 +24,7 @@ import ( "github.com/onsi/ginkgo" "k8s.io/client-go/rest" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -32,6 +33,7 @@ const ( var _ = SIGDescribe("Server request timeout", func() { f := framework.NewDefaultFramework("request-timeout") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should return HTTP status code 400 if the user specifies an invalid timeout in the request URL", func() { rt := getRoundTripper(f) diff --git a/test/e2e/apimachinery/server_version.go b/test/e2e/apimachinery/server_version.go index 19331773dca..c4b8069a80c 100644 --- a/test/e2e/apimachinery/server_version.go +++ b/test/e2e/apimachinery/server_version.go @@ -21,12 +21,14 @@ import ( "k8s.io/apimachinery/pkg/version" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("server version", func() { f := framework.NewDefaultFramework("server-version") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.19 diff --git a/test/e2e/apimachinery/storage_version.go b/test/e2e/apimachinery/storage_version.go index 9249b94edc7..0137ccbafab 100644 --- a/test/e2e/apimachinery/storage_version.go 
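Review bot: In protocol.go's hunk the new import `admissionapi "k8s.io/pod-security-admission/api"` is placed before `"k8s.io/kubernetes/test/e2e/framework"`, whereas the other files in this patch put it after the `k8s.io/kubernetes/...` imports. If both lines are in the same import group, gofmt's path sort would move it, so place it after the framework import to keep the block sorted and consistent with the rest of the change. Blank lines are not recoverable from this rendering, so check the grouping against the file itself.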
+++ b/test/e2e/apimachinery/storage_version.go @@ -25,6 +25,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -37,6 +38,7 @@ const ( // This test requires that --feature-gates=APIServerIdentity=true,StorageVersionAPI=true be set on the apiserver and the controller manager var _ = SIGDescribe("StorageVersion resources [Feature:StorageVersionAPI]", func() { f := framework.NewDefaultFramework("storage-version") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("storage version with non-existing id should be GC'ed", func() { client := f.ClientSet diff --git a/test/e2e/apimachinery/watch.go b/test/e2e/apimachinery/watch.go index ade79817a0c..f711eee3ad1 100644 --- a/test/e2e/apimachinery/watch.go +++ b/test/e2e/apimachinery/watch.go @@ -31,6 +31,7 @@ import ( cachetools "k8s.io/client-go/tools/cache" watchtools "k8s.io/client-go/tools/watch" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -47,6 +48,7 @@ const ( var _ = SIGDescribe("Watchers", func() { f := framework.NewDefaultFramework("watch") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.11 diff --git a/test/e2e/apps/daemon_restart.go b/test/e2e/apps/daemon_restart.go index 413606f4028..1d4976af375 100644 --- a/test/e2e/apps/daemon_restart.go +++ b/test/e2e/apps/daemon_restart.go @@ -41,6 +41,7 @@ import ( e2essh "k8s.io/kubernetes/test/e2e/framework/ssh" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) 
@@ -204,6 +205,7 @@ func getContainerRestarts(c clientset.Interface, ns string, labelSelector labels var _ = SIGDescribe("DaemonRestart [Disruptive]", func() { f := framework.NewDefaultFramework("daemonrestart") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged rcName := "daemonrestart" + strconv.Itoa(numPods) + "-" + string(uuid.NewUUID()) labelSelector := labels.Set(map[string]string{"name": rcName}).AsSelector() existingPods := cache.NewStore(cache.MetaNamespaceKeyFunc) diff --git a/test/e2e/apps/disruption.go b/test/e2e/apps/disruption.go index e456bb926f5..646db265313 100644 --- a/test/e2e/apps/disruption.go +++ b/test/e2e/apps/disruption.go @@ -76,6 +76,7 @@ var _ = SIGDescribe("DisruptionController", func() { ginkgo.Context("Listing PodDisruptionBudgets for all namespaces", func() { anotherFramework := framework.NewDefaultFramework("disruption-2") + anotherFramework.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release : v1.21 diff --git a/test/e2e/architecture/conformance.go b/test/e2e/architecture/conformance.go index 3b0c6a591de..1c083081efc 100644 --- a/test/e2e/architecture/conformance.go +++ b/test/e2e/architecture/conformance.go @@ -23,10 +23,12 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2enode "k8s.io/kubernetes/test/e2e/framework/node" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = SIGDescribe("Conformance Tests", func() { f := framework.NewDefaultFramework("conformance-tests") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.23 diff --git a/test/e2e/auth/certificates.go b/test/e2e/auth/certificates.go index 26c0d9b6706..da6f1c68601 100644 --- a/test/e2e/auth/certificates.go +++ b/test/e2e/auth/certificates.go 
@@ -42,10 +42,12 @@ import ( "k8s.io/client-go/util/certificate/csr" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/utils" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() { f := framework.NewDefaultFramework("certificates") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.19 diff --git a/test/e2e/auth/pod_security_policy.go b/test/e2e/auth/pod_security_policy.go index e6a295dbf43..651aeb4995d 100644 --- a/test/e2e/auth/pod_security_policy.go +++ b/test/e2e/auth/pod_security_policy.go @@ -36,6 +36,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" utilpointer "k8s.io/utils/pointer" "github.com/onsi/ginkgo" @@ -45,6 +46,7 @@ const nobodyUser = int64(65534) var _ = SIGDescribe("PodSecurityPolicy [Feature:PodSecurityPolicy]", func() { f := framework.NewDefaultFramework("podsecuritypolicy") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged f.SkipPrivilegedPSPBinding = true // Client that will impersonate the default service account, in order to run diff --git a/test/e2e/autoscaling/autoscaling_timer.go b/test/e2e/autoscaling/autoscaling_timer.go index a6af3a4832a..4e900cd1c37 100644 --- a/test/e2e/autoscaling/autoscaling_timer.go +++ b/test/e2e/autoscaling/autoscaling_timer.go 
@@ -27,12 +27,14 @@ import ( e2eautoscaling "k8s.io/kubernetes/test/e2e/framework/autoscaling" e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("[Feature:ClusterSizeAutoscalingScaleUp] [Slow] Autoscaling", func() { f := framework.NewDefaultFramework("autoscaling") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Describe("Autoscaling a service", func() { ginkgo.BeforeEach(func() { diff --git a/test/e2e/autoscaling/cluster_autoscaler_scalability.go b/test/e2e/autoscaling/cluster_autoscaler_scalability.go index c9bfc195d0b..a763f492b5f 100644 --- a/test/e2e/autoscaling/cluster_autoscaler_scalability.go +++ b/test/e2e/autoscaling/cluster_autoscaler_scalability.go @@ -37,6 +37,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -61,6 +62,7 @@ type scaleUpTestConfig struct { var _ = SIGDescribe("Cluster size autoscaler scalability [Slow]", func() { f := framework.NewDefaultFramework("autoscaling") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var c clientset.Interface var nodeCount int var coresPerNode int diff --git a/test/e2e/autoscaling/cluster_size_autoscaling.go b/test/e2e/autoscaling/cluster_size_autoscaling.go index 846c3197ea8..8aa0c2baf9f 100644 --- a/test/e2e/autoscaling/cluster_size_autoscaling.go +++ b/test/e2e/autoscaling/cluster_size_autoscaling.go @@ -53,6 +53,7 @@ import ( "k8s.io/kubernetes/test/e2e/scheduling" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) 
@@ -92,6 +93,7 @@ const ( var _ = SIGDescribe("Cluster size autoscaling [Slow]", func() { f := framework.NewDefaultFramework("autoscaling") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var c clientset.Interface var nodeCount int var memAllocatableMb int diff --git a/test/e2e/autoscaling/custom_metrics_stackdriver_autoscaling.go b/test/e2e/autoscaling/custom_metrics_stackdriver_autoscaling.go index 2f3b280ea53..5f3135a0e49 100644 --- a/test/e2e/autoscaling/custom_metrics_stackdriver_autoscaling.go +++ b/test/e2e/autoscaling/custom_metrics_stackdriver_autoscaling.go @@ -33,6 +33,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/instrumentation/monitoring" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "golang.org/x/oauth2/google" @@ -51,6 +52,7 @@ var _ = SIGDescribe("[HPA] Horizontal pod autoscaling (scale resource: Custom Me }) f := framework.NewDefaultFramework("horizontal-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should scale down with Custom Metric of type Pod from Stackdriver [Feature:CustomMetricsAutoscaling]", func() { initialReplicas := 2 diff --git a/test/e2e/autoscaling/dns_autoscaling.go b/test/e2e/autoscaling/dns_autoscaling.go index 87b57ae594d..28bf68cf6b2 100644 --- a/test/e2e/autoscaling/dns_autoscaling.go +++ b/test/e2e/autoscaling/dns_autoscaling.go @@ -33,6 +33,7 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) 
@@ -47,6 +48,7 @@ const ( var _ = SIGDescribe("DNS horizontal autoscaling", func() { f := framework.NewDefaultFramework("dns-autoscaling") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var c clientset.Interface var previousParams map[string]string var originDNSReplicasCount int diff --git a/test/e2e/autoscaling/horizontal_pod_autoscaling_behavior.go b/test/e2e/autoscaling/horizontal_pod_autoscaling_behavior.go index a86f4649d4e..396bfa07221 100644 --- a/test/e2e/autoscaling/horizontal_pod_autoscaling_behavior.go +++ b/test/e2e/autoscaling/horizontal_pod_autoscaling_behavior.go @@ -21,12 +21,14 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eautoscaling "k8s.io/kubernetes/test/e2e/framework/autoscaling" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("[Feature:HPA] [Serial] [Slow] Horizontal pod autoscaling (non-default behavior)", func() { f := framework.NewDefaultFramework("horizontal-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Describe("with short downscale stabilization window", func() { ginkgo.It("should scale down soon after the stabilization period", func() { diff --git a/test/e2e/cloud/gcp/addon_update.go b/test/e2e/cloud/gcp/addon_update.go index 22b31b227bc..ab5353f9fd0 100644 --- a/test/e2e/cloud/gcp/addon_update.go +++ b/test/e2e/cloud/gcp/addon_update.go @@ -35,6 +35,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" e2essh "k8s.io/kubernetes/test/e2e/framework/ssh" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -217,6 +218,7 @@ var _ = SIGDescribe("Addon update", func() { var dir string var sshClient *ssh.Client f := framework.NewDefaultFramework("addon-update-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { // This test requires: 
diff --git a/test/e2e/cloud/gcp/apps/stateful_apps.go b/test/e2e/cloud/gcp/apps/stateful_apps.go index fac55383e31..7072bf7f482 100644 --- a/test/e2e/cloud/gcp/apps/stateful_apps.go +++ b/test/e2e/cloud/gcp/apps/stateful_apps.go @@ -23,6 +23,7 @@ import ( "k8s.io/kubernetes/test/e2e/upgrades" "k8s.io/kubernetes/test/e2e/upgrades/apps" "k8s.io/kubernetes/test/utils/junit" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -35,6 +36,7 @@ var upgradeTests = []upgrades.Test{ var _ = SIGDescribe("stateful Upgrade [Feature:StatefulUpgrade]", func() { f := framework.NewDefaultFramework("stateful-upgrade") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged testFrameworks := upgrades.CreateUpgradeFrameworks(upgradeTests) ginkgo.Describe("stateful upgrade", func() { diff --git a/test/e2e/cloud/gcp/auth/service_account_admission_controller_migration.go b/test/e2e/cloud/gcp/auth/service_account_admission_controller_migration.go index e2a385c974b..6a523b3eba8 100644 --- a/test/e2e/cloud/gcp/auth/service_account_admission_controller_migration.go +++ b/test/e2e/cloud/gcp/auth/service_account_admission_controller_migration.go @@ -22,6 +22,7 @@ import ( "k8s.io/kubernetes/test/e2e/upgrades" "k8s.io/kubernetes/test/e2e/upgrades/auth" "k8s.io/kubernetes/test/utils/junit" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -32,6 +33,7 @@ var upgradeTests = []upgrades.Test{ var _ = SIGDescribe("ServiceAccount admission controller migration [Feature:BoundServiceAccountTokenVolume]", func() { f := framework.NewDefaultFramework("serviceaccount-admission-controller-migration") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged testFrameworks := upgrades.CreateUpgradeFrameworks(upgradeTests) ginkgo.Describe("master upgrade", func() { diff --git a/test/e2e/cloud/gcp/cluster_upgrade.go b/test/e2e/cloud/gcp/cluster_upgrade.go index 6fa2836ef41..ef7cecea9c5 100644 
--- a/test/e2e/cloud/gcp/cluster_upgrade.go +++ b/test/e2e/cloud/gcp/cluster_upgrade.go @@ -26,6 +26,7 @@ import ( "k8s.io/kubernetes/test/e2e/upgrades/node" "k8s.io/kubernetes/test/e2e/upgrades/storage" "k8s.io/kubernetes/test/utils/junit" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -50,6 +51,7 @@ var upgradeTests = []upgrades.Test{ var _ = SIGDescribe("Upgrade [Feature:Upgrade]", func() { f := framework.NewDefaultFramework("cluster-upgrade") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged testFrameworks := upgrades.CreateUpgradeFrameworks(upgradeTests) // Create the frameworks here because we can only create them @@ -88,6 +90,7 @@ var _ = SIGDescribe("Upgrade [Feature:Upgrade]", func() { var _ = SIGDescribe("Downgrade [Feature:Downgrade]", func() { f := framework.NewDefaultFramework("cluster-downgrade") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged testFrameworks := upgrades.CreateUpgradeFrameworks(upgradeTests) ginkgo.Describe("cluster downgrade", func() { diff --git a/test/e2e/cloud/gcp/gke_node_pools.go b/test/e2e/cloud/gcp/gke_node_pools.go index 19be0f6f22f..b00a1e8e7ce 100644 --- a/test/e2e/cloud/gcp/gke_node_pools.go +++ b/test/e2e/cloud/gcp/gke_node_pools.go @@ -23,6 +23,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -30,6 +31,7 @@ import ( var _ = SIGDescribe("GKE node pools [Feature:GKENodePool]", func() { f := framework.NewDefaultFramework("node-pools") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessProviderIs("gke") diff --git a/test/e2e/cloud/gcp/ha_master.go b/test/e2e/cloud/gcp/ha_master.go index 416063c019f..b172eb64a0f 100644 --- a/test/e2e/cloud/gcp/ha_master.go +++ b/test/e2e/cloud/gcp/ha_master.go 
@@ -35,6 +35,7 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" ) func addMasterReplica(zone string) error { @@ -161,6 +162,7 @@ func waitForMasters(masterPrefix string, c clientset.Interface, size int, timeou var _ = SIGDescribe("HA-master [Feature:HAMaster]", func() { f := framework.NewDefaultFramework("ha-master") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var c clientset.Interface var ns string var additionalReplicaZones []string diff --git a/test/e2e/cloud/gcp/kubelet_security.go b/test/e2e/cloud/gcp/kubelet_security.go index 99e9d2caf5f..1e12b2ccb58 100644 --- a/test/e2e/cloud/gcp/kubelet_security.go +++ b/test/e2e/cloud/gcp/kubelet_security.go @@ -27,12 +27,14 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2ekubelet "k8s.io/kubernetes/test/e2e/framework/kubelet" e2enode "k8s.io/kubernetes/test/e2e/framework/node" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("Ports Security Check [Feature:KubeletSecurity]", func() { f := framework.NewDefaultFramework("kubelet-security") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var node *v1.Node var nodeName string diff --git a/test/e2e/cloud/gcp/network/kube_proxy_migration.go b/test/e2e/cloud/gcp/network/kube_proxy_migration.go index e74a590e7d9..f576da6b762 100644 --- a/test/e2e/cloud/gcp/network/kube_proxy_migration.go +++ b/test/e2e/cloud/gcp/network/kube_proxy_migration.go @@ -25,6 +25,7 @@ import ( "k8s.io/kubernetes/test/e2e/upgrades" "k8s.io/kubernetes/test/e2e/upgrades/network" "k8s.io/kubernetes/test/utils/junit" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) 
@@ -45,6 +46,7 @@ func kubeProxyDaemonSetExtraEnvs(enableKubeProxyDaemonSet bool) []string { var _ = SIGDescribe("kube-proxy migration [Feature:KubeProxyDaemonSetMigration]", func() { f := framework.NewDefaultFramework("kube-proxy-ds-migration") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged upgradeTestFrameworks := upgrades.CreateUpgradeFrameworks(upgradeTests) downgradeTestsFrameworks := upgrades.CreateUpgradeFrameworks(downgradeTests) diff --git a/test/e2e/cloud/gcp/node/gpu.go b/test/e2e/cloud/gcp/node/gpu.go index 91d57de433c..c2e50fb205e 100644 --- a/test/e2e/cloud/gcp/node/gpu.go +++ b/test/e2e/cloud/gcp/node/gpu.go @@ -22,6 +22,7 @@ import ( "k8s.io/kubernetes/test/e2e/upgrades" "k8s.io/kubernetes/test/e2e/upgrades/node" "k8s.io/kubernetes/test/utils/junit" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -32,6 +33,7 @@ var upgradeTests = []upgrades.Test{ var _ = SIGDescribe("gpu Upgrade [Feature:GPUUpgrade]", func() { f := framework.NewDefaultFramework("gpu-upgrade") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged testFrameworks := upgrades.CreateUpgradeFrameworks(upgradeTests) ginkgo.Describe("master upgrade", func() { diff --git a/test/e2e/cloud/gcp/node_lease.go b/test/e2e/cloud/gcp/node_lease.go index 6d7479e85c0..5a5a7f6c264 100644 --- a/test/e2e/cloud/gcp/node_lease.go +++ b/test/e2e/cloud/gcp/node_lease.go @@ -29,6 +29,7 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -36,6 +37,7 @@ import ( var _ = SIGDescribe("[Disruptive]NodeLease", func() { f := framework.NewDefaultFramework("node-lease-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var systemPodsNo int32 var c clientset.Interface var ns string 
diff --git a/test/e2e/cloud/gcp/reboot.go b/test/e2e/cloud/gcp/reboot.go index 4a67b9b799d..d60d850e0d5 100644 --- a/test/e2e/cloud/gcp/reboot.go +++ b/test/e2e/cloud/gcp/reboot.go @@ -35,6 +35,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" e2essh "k8s.io/kubernetes/test/e2e/framework/ssh" testutils "k8s.io/kubernetes/test/utils" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -91,6 +92,7 @@ var _ = SIGDescribe("Reboot [Disruptive] [Feature:Reboot]", func() { }) f = framework.NewDefaultFramework("reboot") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("each node by ordering clean reboot and ensure they function upon restart", func() { // clean shutdown and restart diff --git a/test/e2e/cloud/gcp/recreate_node.go b/test/e2e/cloud/gcp/recreate_node.go index 73a98644c99..4459faf1d77 100644 --- a/test/e2e/cloud/gcp/recreate_node.go +++ b/test/e2e/cloud/gcp/recreate_node.go @@ -33,6 +33,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework/providers/gce" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" testutils "k8s.io/kubernetes/test/utils" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -43,6 +44,7 @@ const ( var _ = SIGDescribe("Recreate [Feature:Recreate]", func() { f := framework.NewDefaultFramework("recreate") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var originalNodes []v1.Node var originalPodNames []string var ps *testutils.PodStore diff --git a/test/e2e/cloud/gcp/resize_nodes.go b/test/e2e/cloud/gcp/resize_nodes.go index d86b7161dfb..fe40d50c7e7 100644 --- a/test/e2e/cloud/gcp/resize_nodes.go +++ b/test/e2e/cloud/gcp/resize_nodes.go @@ -29,6 +29,7 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) 
@@ -45,6 +46,7 @@ func resizeRC(c clientset.Interface, ns, name string, replicas int32) error { var _ = SIGDescribe("Nodes [Disruptive]", func() { f := framework.NewDefaultFramework("resize-nodes") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var systemPodsNo int32 var c clientset.Interface var ns string diff --git a/test/e2e/cloud/gcp/restart.go b/test/e2e/cloud/gcp/restart.go index de62d8345b3..17c6289b36d 100644 --- a/test/e2e/cloud/gcp/restart.go +++ b/test/e2e/cloud/gcp/restart.go @@ -29,6 +29,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" testutils "k8s.io/kubernetes/test/utils" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -43,6 +44,7 @@ func nodeNames(nodes []v1.Node) []string { var _ = SIGDescribe("Restart [Disruptive]", func() { f := framework.NewDefaultFramework("restart") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ps *testutils.PodStore var originalNodes []v1.Node var originalPodNames []string diff --git a/test/e2e/cloud/nodes.go b/test/e2e/cloud/nodes.go index 11293d56a44..f2aa78bfbe6 100644 --- a/test/e2e/cloud/nodes.go +++ b/test/e2e/cloud/nodes.go @@ -27,12 +27,14 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("[Feature:CloudProvider][Disruptive] Nodes", func() { f := framework.NewDefaultFramework("cloudprovider") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var c clientset.Interface ginkgo.BeforeEach(func() { diff --git a/test/e2e/common/node/lease.go b/test/e2e/common/node/lease.go index b33f8790512..3858752c00a 100644 --- a/test/e2e/common/node/lease.go +++ b/test/e2e/common/node/lease.go 
@@ -30,6 +30,7 @@ import ( "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/strategicpatch" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "k8s.io/utils/pointer" ) @@ -51,6 +52,7 @@ func getPatchBytes(oldLease, newLease *coordinationv1.Lease) ([]byte, error) { var _ = SIGDescribe("Lease", func() { f := framework.NewDefaultFramework("lease-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.17 diff --git a/test/e2e/common/node/node_lease.go b/test/e2e/common/node/node_lease.go index ed8d799f428..c2c06ee2876 100644 --- a/test/e2e/common/node/node_lease.go +++ b/test/e2e/common/node/node_lease.go @@ -31,6 +31,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2enode "k8s.io/kubernetes/test/e2e/framework/node" testutils "k8s.io/kubernetes/test/utils" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -39,6 +40,7 @@ import ( var _ = SIGDescribe("NodeLease", func() { var nodeName string f := framework.NewDefaultFramework("node-lease-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { node, err := e2enode.GetRandomReadySchedulableNode(f.ClientSet) diff --git a/test/e2e/common/node/podtemplates.go b/test/e2e/common/node/podtemplates.go index e85602bc5f8..28db75e60b3 100644 --- a/test/e2e/common/node/podtemplates.go +++ b/test/e2e/common/node/podtemplates.go @@ -31,6 +31,7 @@ import ( "k8s.io/client-go/util/retry" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -42,6 +43,7 @@ const ( var _ = SIGDescribe("PodTemplates", func() { f := framework.NewDefaultFramework("podtemplate") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.19 Testname: PodTemplate lifecycle 
diff --git a/test/e2e/common/storage/downwardapi.go b/test/e2e/common/storage/downwardapi.go index 1fc05160b58..47e3a36b92f 100644 --- a/test/e2e/common/storage/downwardapi.go +++ b/test/e2e/common/storage/downwardapi.go @@ -27,12 +27,14 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("Downward API [Serial] [Disruptive] [NodeFeature:EphemeralStorage]", func() { f := framework.NewDefaultFramework("downward-api") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("Downward API tests for local ephemeral storage", func() { ginkgo.BeforeEach(func() { diff --git a/test/e2e/instrumentation/core_events.go b/test/e2e/instrumentation/core_events.go index 9be6f06ea6e..72af05e9de7 100644 --- a/test/e2e/instrumentation/core_events.go +++ b/test/e2e/instrumentation/core_events.go @@ -26,6 +26,7 @@ import ( "k8s.io/apimachinery/pkg/util/wait" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/instrumentation/common" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "k8s.io/apimachinery/pkg/types" @@ -38,6 +39,7 @@ const ( var _ = common.SIGDescribe("Events", func() { f := framework.NewDefaultFramework("events") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.20 diff --git a/test/e2e/instrumentation/events.go b/test/e2e/instrumentation/events.go index f0486a35df8..b3e590434ab 100644 --- a/test/e2e/instrumentation/events.go +++ b/test/e2e/instrumentation/events.go @@ -32,6 +32,7 @@ import ( typedeventsv1 "k8s.io/client-go/kubernetes/typed/events/v1" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/instrumentation/common" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "k8s.io/apimachinery/pkg/types" 
@@ -75,6 +76,7 @@ func eventExistsInList(client typedeventsv1.EventInterface, namespace, name stri var _ = common.SIGDescribe("Events API", func() { f := framework.NewDefaultFramework("events") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var coreClient corev1.EventInterface var client typedeventsv1.EventInterface var clientAllNamespaces typedeventsv1.EventInterface diff --git a/test/e2e/instrumentation/logging/generic_soak.go b/test/e2e/instrumentation/logging/generic_soak.go index 742aff717ba..696460f4bde 100644 --- a/test/e2e/instrumentation/logging/generic_soak.go +++ b/test/e2e/instrumentation/logging/generic_soak.go @@ -29,6 +29,7 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" instrumentation "k8s.io/kubernetes/test/e2e/instrumentation/common" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -42,6 +43,7 @@ var _ = e2econfig.AddOptions(&loggingSoak, "instrumentation.logging.soak") var _ = instrumentation.SIGDescribe("Logging soak [Performance] [Slow] [Disruptive]", func() { f := framework.NewDefaultFramework("logging-soak") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Not a global constant (irrelevant outside this test), also not a parameter (if you want more logs, use --scale=). kbRateInSeconds := 1 * time.Second diff --git a/test/e2e/instrumentation/monitoring/accelerator.go b/test/e2e/instrumentation/monitoring/accelerator.go index 90047e46ea1..cd371b9a464 100644 --- a/test/e2e/instrumentation/monitoring/accelerator.go +++ b/test/e2e/instrumentation/monitoring/accelerator.go @@ -31,6 +31,7 @@ import ( instrumentation "k8s.io/kubernetes/test/e2e/instrumentation/common" "k8s.io/kubernetes/test/e2e/scheduling" "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "golang.org/x/oauth2/google" 
@@ -52,6 +53,7 @@ var _ = instrumentation.SIGDescribe("Stackdriver Monitoring", func() { }) f := framework.NewDefaultFramework("stackdriver-monitoring") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should have accelerator metrics [Feature:StackdriverAcceleratorMonitoring]", func() { testStackdriverAcceleratorMonitoring(f) diff --git a/test/e2e/instrumentation/monitoring/custom_metrics_stackdriver.go b/test/e2e/instrumentation/monitoring/custom_metrics_stackdriver.go index d340b4cf0af..9a88d7fb84f 100644 --- a/test/e2e/instrumentation/monitoring/custom_metrics_stackdriver.go +++ b/test/e2e/instrumentation/monitoring/custom_metrics_stackdriver.go @@ -35,6 +35,7 @@ import ( instrumentation "k8s.io/kubernetes/test/e2e/instrumentation/common" customclient "k8s.io/metrics/pkg/client/custom_metrics" externalclient "k8s.io/metrics/pkg/client/external_metrics" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "golang.org/x/oauth2/google" @@ -53,6 +54,7 @@ var _ = instrumentation.SIGDescribe("Stackdriver Monitoring", func() { }) f := framework.NewDefaultFramework("stackdriver-monitoring") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should run Custom Metrics - Stackdriver Adapter for old resource model [Feature:StackdriverCustomMetrics]", func() { kubeClient := f.ClientSet diff --git a/test/e2e/instrumentation/monitoring/metrics_grabber.go b/test/e2e/instrumentation/monitoring/metrics_grabber.go index efe230ab4ee..a08039a94a3 100644 --- a/test/e2e/instrumentation/monitoring/metrics_grabber.go +++ b/test/e2e/instrumentation/monitoring/metrics_grabber.go 
@@ -30,10 +30,12 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" instrumentation "k8s.io/kubernetes/test/e2e/instrumentation/common" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = instrumentation.SIGDescribe("MetricsGrabber", func() { f := framework.NewDefaultFramework("metrics-grabber") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var c, ec clientset.Interface var grabber *e2emetrics.Grabber ginkgo.BeforeEach(func() { diff --git a/test/e2e/instrumentation/monitoring/stackdriver.go b/test/e2e/instrumentation/monitoring/stackdriver.go index 6683df510e1..658ec887212 100644 --- a/test/e2e/instrumentation/monitoring/stackdriver.go +++ b/test/e2e/instrumentation/monitoring/stackdriver.go @@ -28,6 +28,7 @@ import ( e2eautoscaling "k8s.io/kubernetes/test/e2e/framework/autoscaling" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" instrumentation "k8s.io/kubernetes/test/e2e/instrumentation/common" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "golang.org/x/oauth2/google" @@ -65,6 +66,7 @@ var _ = instrumentation.SIGDescribe("Stackdriver Monitoring", func() { }) f := framework.NewDefaultFramework("stackdriver-monitoring") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should have cluster metrics [Feature:StackdriverMonitoring]", func() { testStackdriverMonitoring(f, 1, 100, 200) diff --git a/test/e2e/instrumentation/monitoring/stackdriver_metadata_agent.go b/test/e2e/instrumentation/monitoring/stackdriver_metadata_agent.go index 34d1b95f6ed..7df81d90de1 100644 --- a/test/e2e/instrumentation/monitoring/stackdriver_metadata_agent.go +++ b/test/e2e/instrumentation/monitoring/stackdriver_metadata_agent.go 
@@ -31,6 +31,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" instrumentation "k8s.io/kubernetes/test/e2e/instrumentation/common" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "golang.org/x/oauth2/google" @@ -50,6 +51,7 @@ var _ = instrumentation.SIGDescribe("Stackdriver Monitoring", func() { }) f := framework.NewDefaultFramework("stackdriver-monitoring") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var kubeClient clientset.Interface ginkgo.It("should run Stackdriver Metadata Agent [Feature:StackdriverMetadataAgent]", func() { diff --git a/test/e2e/lifecycle/bootstrap/bootstrap_signer.go b/test/e2e/lifecycle/bootstrap/bootstrap_signer.go index beb046335a4..90e2ee15d5f 100644 --- a/test/e2e/lifecycle/bootstrap/bootstrap_signer.go +++ b/test/e2e/lifecycle/bootstrap/bootstrap_signer.go @@ -26,6 +26,7 @@ import ( bootstrapapi "k8s.io/cluster-bootstrap/token/api" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/lifecycle" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -41,6 +42,7 @@ var _ = lifecycle.SIGDescribe("[Feature:BootstrapTokens]", func() { var c clientset.Interface f := framework.NewDefaultFramework("bootstrap-signer") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.AfterEach(func() { if len(secretNeedClean) > 0 { ginkgo.By("delete the bootstrap token secret") diff --git a/test/e2e/lifecycle/bootstrap/bootstrap_token_cleaner.go b/test/e2e/lifecycle/bootstrap/bootstrap_token_cleaner.go index c0c136d7e77..96cb8a5e049 100644 --- a/test/e2e/lifecycle/bootstrap/bootstrap_token_cleaner.go +++ b/test/e2e/lifecycle/bootstrap/bootstrap_token_cleaner.go @@ -27,6 +27,7 @@ import ( bootstrapapi "k8s.io/cluster-bootstrap/token/api" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/lifecycle" + admissionapi "k8s.io/pod-security-admission/api" ) var secretNeedClean string 
@@ -35,6 +36,7 @@ var _ = lifecycle.SIGDescribe("[Feature:BootstrapTokens]", func() { var c clientset.Interface f := framework.NewDefaultFramework("bootstrap-token-cleaner") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { c = f.ClientSet diff --git a/test/e2e/network/dns_common.go b/test/e2e/network/dns_common.go index 5c95a97957c..75ac489fb05 100644 --- a/test/e2e/network/dns_common.go +++ b/test/e2e/network/dns_common.go @@ -36,6 +36,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" imageutils "k8s.io/kubernetes/test/utils/image" dnsclient "k8s.io/kubernetes/third_party/forked/golang/net" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -59,8 +60,10 @@ type dnsTestCommon struct { } func newDNSTestCommon() dnsTestCommon { + framework := framework.NewDefaultFramework("dns-config-map") + framework.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged return dnsTestCommon{ - f: framework.NewDefaultFramework("dns-config-map"), + f: framework, ns: "kube-system", } } diff --git a/test/e2e/network/dns_scale_records.go b/test/e2e/network/dns_scale_records.go index d79c3dc98bb..7d111fa15c5 100644 --- a/test/e2e/network/dns_scale_records.go +++ b/test/e2e/network/dns_scale_records.go @@ -30,6 +30,7 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" "k8s.io/kubernetes/test/e2e/network/common" testutils "k8s.io/kubernetes/test/utils" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -43,6 +44,7 @@ const ( var _ = common.SIGDescribe("[Feature:PerformanceDNS][Serial]", func() { f := framework.NewDefaultFramework("performancedns") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { framework.ExpectNoError(framework.WaitForAllNodesSchedulable(f.ClientSet, framework.TestContext.NodeSchedulableTimeout)) 
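Review bot: In `newDNSTestCommon` the new local `framework := framework.NewDefaultFramework("dns-config-map")` shadows the imported `framework` package for the rest of the function. It compiles as written, but any `framework.` package call added below it would resolve to the variable instead. The other suites in this patch name the value `f`, and doing the same here keeps it consistent: `f := framework.NewDefaultFramework("dns-config-map")`, `f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged`, and `f: f,` in the struct literal. The struct also sets `ns: "kube-system"`, so if the DNS tests create their pods there rather than in the framework's own namespace (not visible in this hunk), the enforce level set here would not govern them; that is worth confirming.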
diff --git a/test/e2e/network/dual_stack.go b/test/e2e/network/dual_stack.go index 448852e1428..3299a748cf2 100644 --- a/test/e2e/network/dual_stack.go +++ b/test/e2e/network/dual_stack.go @@ -38,12 +38,14 @@ import ( e2eservice "k8s.io/kubernetes/test/e2e/framework/service" "k8s.io/kubernetes/test/e2e/network/common" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" netutils "k8s.io/utils/net" ) // Tests for ipv4-ipv6 dual-stack feature var _ = common.SIGDescribe("[Feature:IPv6DualStack]", func() { f := framework.NewDefaultFramework("dualstack") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface var podClient *framework.PodClient diff --git a/test/e2e/network/endpointslicemirroring.go b/test/e2e/network/endpointslicemirroring.go index 0c56f538ad2..a745abee72d 100644 --- a/test/e2e/network/endpointslicemirroring.go +++ b/test/e2e/network/endpointslicemirroring.go @@ -29,10 +29,12 @@ import ( clientset "k8s.io/client-go/kubernetes" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/network/common" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = common.SIGDescribe("EndpointSliceMirroring", func() { f := framework.NewDefaultFramework("endpointslicemirroring") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface diff --git a/test/e2e/network/example_cluster_dns.go b/test/e2e/network/example_cluster_dns.go index 97c6f34768e..b5e73ee130a 100644 --- a/test/e2e/network/example_cluster_dns.go +++ b/test/e2e/network/example_cluster_dns.go @@ -38,6 +38,7 @@ import ( e2eservice "k8s.io/kubernetes/test/e2e/framework/service" e2etestfiles "k8s.io/kubernetes/test/e2e/framework/testfiles" "k8s.io/kubernetes/test/e2e/network/common" + admissionapi "k8s.io/pod-security-admission/api" ) const ( 
@@ -57,6 +58,7 @@ except: var _ = common.SIGDescribe("ClusterDns [Feature:Example]", func() { f := framework.NewDefaultFramework("cluster-dns") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var c clientset.Interface ginkgo.BeforeEach(func() { diff --git a/test/e2e/network/firewall.go b/test/e2e/network/firewall.go index 97b67fc492a..9e05edea59b 100644 --- a/test/e2e/network/firewall.go +++ b/test/e2e/network/firewall.go @@ -39,6 +39,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/network/common" gcecloud "k8s.io/legacy-cloud-providers/gce" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -53,6 +54,7 @@ const ( var _ = common.SIGDescribe("Firewall rule", func() { var firewallTestName = "firewall-test" f := framework.NewDefaultFramework(firewallTestName) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface var cloudConfig framework.CloudConfig diff --git a/test/e2e/network/ingress.go b/test/e2e/network/ingress.go index 57999b847b0..a5a070f9cb5 100644 --- a/test/e2e/network/ingress.go +++ b/test/e2e/network/ingress.go @@ -537,6 +537,7 @@ func detectNegAnnotation(f *framework.Framework, jig *e2eingress.TestJig, gceCon var _ = common.SIGDescribe("Ingress API", func() { f := framework.NewDefaultFramework("ingress") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.19 Testname: Ingress API diff --git a/test/e2e/network/ingress_scale.go b/test/e2e/network/ingress_scale.go index a21e5508b33..81488a28066 100644 --- a/test/e2e/network/ingress_scale.go +++ b/test/e2e/network/ingress_scale.go @@ -21,6 +21,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/network/common" "k8s.io/kubernetes/test/e2e/network/scale" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) 
@@ -31,6 +32,7 @@ var _ = common.SIGDescribe("Loadbalancing: L7 Scalability", func() { ns string ) f := framework.NewDefaultFramework("ingress-scale") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { ns = f.Namespace.Name diff --git a/test/e2e/network/ingressclass.go b/test/e2e/network/ingressclass.go index 249a87ec1ad..38170067ad1 100644 --- a/test/e2e/network/ingressclass.go +++ b/test/e2e/network/ingressclass.go @@ -31,6 +31,7 @@ import ( clientset "k8s.io/client-go/kubernetes" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/network/common" + admissionapi "k8s.io/pod-security-admission/api" utilpointer "k8s.io/utils/pointer" "github.com/onsi/ginkgo" @@ -38,6 +39,7 @@ import ( var _ = common.SIGDescribe("IngressClass [Feature:Ingress]", func() { f := framework.NewDefaultFramework("ingressclass") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface ginkgo.BeforeEach(func() { cs = f.ClientSet @@ -181,6 +183,7 @@ func deleteIngressClass(cs clientset.Interface, name string) { var _ = common.SIGDescribe("IngressClass API", func() { f := framework.NewDefaultFramework("ingressclass") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface ginkgo.BeforeEach(func() { cs = f.ClientSet diff --git a/test/e2e/network/netpol/network_legacy.go b/test/e2e/network/netpol/network_legacy.go index 6db4d97cdbd..8ec0381ecc5 100644 --- a/test/e2e/network/netpol/network_legacy.go +++ b/test/e2e/network/netpol/network_legacy.go @@ -1733,6 +1733,7 @@ var _ = common.SIGDescribe("NetworkPolicy [Feature:SCTPConnectivity][LinuxOnly][ var podServer *v1.Pod var podServerLabelSelector string f := framework.NewDefaultFramework("sctp-network-policy") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { // Windows does not support network policies. 
@@ -2186,6 +2187,7 @@ func cleanupNetworkPolicy(f *framework.Framework, policy *networkingv1.NetworkPo var _ = common.SIGDescribe("NetworkPolicy API", func() { f := framework.NewDefaultFramework("networkpolicies") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.20 Testname: NetworkPolicies API diff --git a/test/e2e/network/netpol/network_policy.go b/test/e2e/network/netpol/network_policy.go index 9fca76aebf5..45cde9918aa 100644 --- a/test/e2e/network/netpol/network_policy.go +++ b/test/e2e/network/netpol/network_policy.go @@ -33,6 +33,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/network/common" + admissionapi "k8s.io/pod-security-admission/api" utilnet "k8s.io/utils/net" ) @@ -116,6 +117,7 @@ and what is happening in practice: var _ = common.SIGDescribe("Netpol", func() { f := framework.NewDefaultFramework("netpol") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var model *Model ginkgo.Context("NetworkPolicy between server and client", func() { @@ -1254,6 +1256,7 @@ var _ = common.SIGDescribe("Netpol", func() { var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { f := framework.NewDefaultFramework("udp-network-policy") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var model *Model ginkgo.BeforeEach(func() { // Windows does not support UDP testing via agnhost. @@ -1339,6 +1342,7 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { var _ = common.SIGDescribe("Netpol [Feature:SCTPConnectivity][LinuxOnly][Disruptive]", func() { f := framework.NewDefaultFramework("sctp-network-policy") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var model *Model ginkgo.BeforeEach(func() { // Windows does not support network policies. diff --git a/test/e2e/network/netpol/network_policy_api.go b/test/e2e/network/netpol/network_policy_api.go index e3825770194..35eaa664b9a 100644 
--- a/test/e2e/network/netpol/network_policy_api.go +++ b/test/e2e/network/netpol/network_policy_api.go @@ -25,6 +25,7 @@ import ( "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/watch" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" networkingv1 "k8s.io/api/networking/v1" @@ -35,6 +36,7 @@ import ( var _ = common.SIGDescribe("Netpol API", func() { f := framework.NewDefaultFramework("netpol") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.20 Testname: NetworkPolicies API diff --git a/test/e2e/network/network_tiers.go b/test/e2e/network/network_tiers.go index ae948f79458..abc3f3d36cb 100644 --- a/test/e2e/network/network_tiers.go +++ b/test/e2e/network/network_tiers.go @@ -34,12 +34,14 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/network/common" gcecloud "k8s.io/legacy-cloud-providers/gce" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = common.SIGDescribe("Services GCE [Slow]", func() { f := framework.NewDefaultFramework("services") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface serviceLBNames := []string{} diff --git a/test/e2e/network/no_snat.go b/test/e2e/network/no_snat.go index 1799914cfff..c98dd6d6148 100644 --- a/test/e2e/network/no_snat.go +++ b/test/e2e/network/no_snat.go @@ -26,6 +26,7 @@ import ( v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/wait" + admissionapi "k8s.io/pod-security-admission/api" "k8s.io/kubernetes/test/e2e/framework" e2enode "k8s.io/kubernetes/test/e2e/framework/node" 
@@ -63,6 +64,7 @@ var ( // We use the [Feature:NoSNAT] tag so that most jobs will skip this test by default. var _ = common.SIGDescribe("NoSNAT [Feature:NoSNAT] [Slow]", func() { f := framework.NewDefaultFramework("no-snat-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("Should be able to send traffic between Pods without SNAT", func() { cs := f.ClientSet pc := cs.CoreV1().Pods(f.Namespace.Name) diff --git a/test/e2e/network/topology_hints.go b/test/e2e/network/topology_hints.go index c929a7e48e4..39d0f9fe4ba 100644 --- a/test/e2e/network/topology_hints.go +++ b/test/e2e/network/topology_hints.go @@ -37,10 +37,12 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/network/common" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = common.SIGDescribe("[Feature:Topology Hints]", func() { f := framework.NewDefaultFramework("topology-hints") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // filled in BeforeEach var c clientset.Interface diff --git a/test/e2e/node/kubelet_perf.go b/test/e2e/node/kubelet_perf.go index df8e2d79d04..3d09a537fe3 100644 --- a/test/e2e/node/kubelet_perf.go +++ b/test/e2e/node/kubelet_perf.go @@ -33,6 +33,7 @@ import ( "k8s.io/kubernetes/test/e2e/perftype" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -196,6 +197,7 @@ func verifyCPULimits(expected e2ekubelet.ContainersCPUSummary, actual e2ekubelet var _ = SIGDescribe("Kubelet [Serial] [Slow]", func() { var nodeNames sets.String f := framework.NewDefaultFramework("kubelet-perf") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var om *e2ekubelet.RuntimeOperationMonitor var rm *e2ekubelet.ResourceMonitor 
diff --git a/test/e2e/node/node_problem_detector.go b/test/e2e/node/node_problem_detector.go index 1529229e6b6..a61a894d5b6 100644 --- a/test/e2e/node/node_problem_detector.go +++ b/test/e2e/node/node_problem_detector.go @@ -34,6 +34,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" e2essh "k8s.io/kubernetes/test/e2e/framework/ssh" testutils "k8s.io/kubernetes/test/utils" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -48,6 +49,7 @@ var _ = SIGDescribe("NodeProblemDetector", func() { maxNodesToProcess = 10 ) f := framework.NewDefaultFramework("node-problem-detector") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessSSHKeyPresent() diff --git a/test/e2e/node/pod_gc.go b/test/e2e/node/pod_gc.go index 4b63235d980..517360cdabd 100644 --- a/test/e2e/node/pod_gc.go +++ b/test/e2e/node/pod_gc.go @@ -29,6 +29,7 @@ import ( "k8s.io/apimachinery/pkg/util/wait" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) // This test requires that --terminated-pod-gc-threshold=100 be set on the controller manager @@ -36,6 +37,7 @@ import ( // Slow by design (7 min) var _ = SIGDescribe("Pod garbage collector [Feature:PodGarbageCollector] [Slow]", func() { f := framework.NewDefaultFramework("pod-garbage-collector") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should handle the creation of 1000 pods", func() { var count int for count < 1000 { diff --git a/test/e2e/node/ssh.go b/test/e2e/node/ssh.go index 901bc45d110..ac4f1b822c7 100644 --- a/test/e2e/node/ssh.go +++ b/test/e2e/node/ssh.go 
@@ -23,6 +23,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" e2essh "k8s.io/kubernetes/test/e2e/framework/ssh" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -32,6 +33,7 @@ const maxNodes = 100 var _ = SIGDescribe("SSH", func() { f := framework.NewDefaultFramework("ssh") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { // When adding more providers here, also implement their functionality in e2essh.GetSigner(...). diff --git a/test/e2e/scheduling/nvidia-gpus.go b/test/e2e/scheduling/nvidia-gpus.go index 313e773b8e2..0e2c1d70011 100644 --- a/test/e2e/scheduling/nvidia-gpus.go +++ b/test/e2e/scheduling/nvidia-gpus.go @@ -39,6 +39,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" e2etestfiles "k8s.io/kubernetes/test/e2e/framework/testfiles" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -221,6 +222,7 @@ func logContainers(f *framework.Framework, pod *v1.Pod) { var _ = SIGDescribe("[Feature:GPUDevicePlugin]", func() { f := framework.NewDefaultFramework("device-plugin-gpus") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("run Nvidia GPU Device Plugin tests", func() { testNvidiaGPUs(f) }) @@ -322,6 +324,7 @@ var _ = SIGDescribe("GPUDevicePluginAcrossRecreate [Feature:Recreate]", func() { e2eskipper.SkipUnlessProviderIs("gce", "gke") }) f := framework.NewDefaultFramework("device-plugin-gpus-recreate") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("run Nvidia GPU Device Plugin tests with a recreation", func() { testNvidiaGPUsJob(f) }) diff --git a/test/e2e/scheduling/preemption.go b/test/e2e/scheduling/preemption.go index 06a14036277..a59ddc41a2b 100644 --- a/test/e2e/scheduling/preemption.go +++ b/test/e2e/scheduling/preemption.go 
@@ -683,6 +683,7 @@ var _ = SIGDescribe("SchedulerPreemption [Serial]", func() { ginkgo.Context("PriorityClass endpoints", func() { var cs clientset.Interface f := framework.NewDefaultFramework("sched-preemption-path") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged testUUID := uuid.New().String() var pcs []*schedulingv1.PriorityClass diff --git a/test/e2e/storage/csistoragecapacity.go b/test/e2e/storage/csistoragecapacity.go index 9c5401f85a4..3d91de3c06e 100644 --- a/test/e2e/storage/csistoragecapacity.go +++ b/test/e2e/storage/csistoragecapacity.go @@ -28,12 +28,14 @@ import ( "k8s.io/apimachinery/pkg/watch" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = utils.SIGDescribe("CSIStorageCapacity", func() { f := framework.NewDefaultFramework("csistoragecapacity") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.24 diff --git a/test/e2e/storage/detach_mounted.go b/test/e2e/storage/detach_mounted.go index 54ec3f59e13..2ca1377903f 100644 --- a/test/e2e/storage/detach_mounted.go +++ b/test/e2e/storage/detach_mounted.go @@ -33,6 +33,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -45,6 +46,7 @@ var ( var _ = utils.SIGDescribe("[Feature:Flexvolumes] Detaching volumes", func() { f := framework.NewDefaultFramework("flexvolume") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // note that namespace deletion is handled by delete-namespace flag diff --git a/test/e2e/storage/flexvolume_mounted_volume_resize.go b/test/e2e/storage/flexvolume_mounted_volume_resize.go index 33ab803486b..8d54db382a8 100644 --- a/test/e2e/storage/flexvolume_mounted_volume_resize.go 
+++ b/test/e2e/storage/flexvolume_mounted_volume_resize.go @@ -38,6 +38,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/testsuites" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -61,6 +62,7 @@ var _ = utils.SIGDescribe("[Feature:Flexvolumes] Mounted flexvolume expand[Slow] ) f := framework.NewDefaultFramework("mounted-flexvolume-expand") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessProviderIs("aws", "gce", "local") e2eskipper.SkipUnlessMasterOSDistroIs("debian", "ubuntu", "gci", "custom") diff --git a/test/e2e/storage/flexvolume_online_resize.go b/test/e2e/storage/flexvolume_online_resize.go index 4b2721e0b8e..7e121cfee11 100644 --- a/test/e2e/storage/flexvolume_online_resize.go +++ b/test/e2e/storage/flexvolume_online_resize.go @@ -37,6 +37,7 @@ import ( "k8s.io/kubernetes/test/e2e/storage/testsuites" "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = utils.SIGDescribe("[Feature:Flexvolumes] Mounted flexvolume volume expand [Slow]", func() { @@ -55,6 +56,7 @@ var _ = utils.SIGDescribe("[Feature:Flexvolumes] Mounted flexvolume volume expan ) f := framework.NewDefaultFramework("mounted-flexvolume-expand") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessProviderIs("aws", "gce", "local") e2eskipper.SkipUnlessMasterOSDistroIs("debian", "ubuntu", "gci", "custom") diff --git a/test/e2e/storage/generic_persistent_volume-disruptive.go b/test/e2e/storage/generic_persistent_volume-disruptive.go index 6a19ba51217..fed257e9136 100644 --- a/test/e2e/storage/generic_persistent_volume-disruptive.go +++ b/test/e2e/storage/generic_persistent_volume-disruptive.go 
@@ -30,10 +30,12 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/testsuites" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = utils.SIGDescribe("GenericPersistentVolume[Disruptive]", func() { f := framework.NewDefaultFramework("generic-disruptive-pv") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( c clientset.Interface ns string diff --git a/test/e2e/storage/gke_local_ssd.go b/test/e2e/storage/gke_local_ssd.go index e57bde08e3a..cc47ba3a809 100644 --- a/test/e2e/storage/gke_local_ssd.go +++ b/test/e2e/storage/gke_local_ssd.go @@ -26,6 +26,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -33,6 +34,7 @@ import ( var _ = utils.SIGDescribe("GKE local SSD [Feature:GKELocalSSD]", func() { f := framework.NewDefaultFramework("localssd") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessProviderIs("gke") diff --git a/test/e2e/storage/mounted_volume_resize.go b/test/e2e/storage/mounted_volume_resize.go index 45a8b03e4fb..9cfca647223 100644 --- a/test/e2e/storage/mounted_volume_resize.go +++ b/test/e2e/storage/mounted_volume_resize.go @@ -28,6 +28,7 @@ import ( storagev1 "k8s.io/api/storage/v1" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + admissionapi "k8s.io/pod-security-admission/api" utilerrors "k8s.io/apimachinery/pkg/util/errors" "k8s.io/apimachinery/pkg/util/wait" 
@@ -58,6 +59,7 @@ var _ = utils.SIGDescribe("Mounted volume expand [Feature:StorageProvider]", fun ) f := framework.NewDefaultFramework("mounted-volume-expand") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessProviderIs("aws", "gce") c = f.ClientSet diff --git a/test/e2e/storage/nfs_persistent_volume-disruptive.go b/test/e2e/storage/nfs_persistent_volume-disruptive.go index 35876be3c4c..efe1ed90109 100644 --- a/test/e2e/storage/nfs_persistent_volume-disruptive.go +++ b/test/e2e/storage/nfs_persistent_volume-disruptive.go @@ -39,6 +39,7 @@ import ( e2essh "k8s.io/kubernetes/test/e2e/framework/ssh" e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) type testBody func(c clientset.Interface, f *framework.Framework, clientPod *v1.Pod) @@ -77,6 +78,7 @@ func checkForControllerManagerHealthy(duration time.Duration) error { var _ = utils.SIGDescribe("NFSPersistentVolumes[Disruptive][Flaky]", func() { f := framework.NewDefaultFramework("disruptive-pv") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( c clientset.Interface ns string diff --git a/test/e2e/storage/pd.go b/test/e2e/storage/pd.go index c7ffa4fe164..706885feaa3 100644 --- a/test/e2e/storage/pd.go +++ b/test/e2e/storage/pd.go @@ -48,6 +48,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -70,6 +71,7 @@ var _ = utils.SIGDescribe("Pod Disks [Feature:StorageProvider]", func() { nodes *v1.NodeList ) f := framework.NewDefaultFramework("pod-disks") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessNodeCountIsAtLeast(minNodes) 
diff --git a/test/e2e/storage/persistent_volumes-gce.go b/test/e2e/storage/persistent_volumes-gce.go index cd479b7c913..238c4eb568c 100644 --- a/test/e2e/storage/persistent_volumes-gce.go +++ b/test/e2e/storage/persistent_volumes-gce.go @@ -32,6 +32,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) // verifyGCEDiskAttached performs a sanity check to verify the PD attached to the node @@ -74,6 +75,7 @@ var _ = utils.SIGDescribe("PersistentVolumes GCEPD [Feature:StorageProvider]", f ) f := framework.NewDefaultFramework("pv") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { c = f.ClientSet ns = f.Namespace.Name diff --git a/test/e2e/storage/persistent_volumes.go b/test/e2e/storage/persistent_volumes.go index df6a787c8e8..c8c11a8ead9 100644 --- a/test/e2e/storage/persistent_volumes.go +++ b/test/e2e/storage/persistent_volumes.go @@ -97,6 +97,7 @@ var _ = utils.SIGDescribe("PersistentVolumes", func() { // global vars for the ginkgo.Context()s and ginkgo.It()'s below f := framework.NewDefaultFramework("pv") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( c clientset.Interface ns string diff --git a/test/e2e/storage/pv_protection.go b/test/e2e/storage/pv_protection.go index fc63531070c..570b85ea0d3 100644 --- a/test/e2e/storage/pv_protection.go +++ b/test/e2e/storage/pv_protection.go @@ -32,6 +32,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2epv "k8s.io/kubernetes/test/e2e/framework/pv" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = utils.SIGDescribe("PV Protection", func() { 
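Review bot: The persistent_volumes.go section uses `admissionapi.LevelPrivileged` right after `f := framework.NewDefaultFramework("pv")` but, unlike the other file sections here, it has no import hunk adding `admissionapi "k8s.io/pod-security-admission/api"`. Presumably the file already imports that alias above line 97, where its only hunk starts; if it does not, the package will not compile. That is worth confirming with a build of `test/e2e/storage`, since the import block is not visible in this diff. The `SIGDescribe` body continues outside the hunk.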
@@ -48,6 +49,7 @@ var _ = utils.SIGDescribe("PV Protection", func() { ) f := framework.NewDefaultFramework("pv-protection") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { client = f.ClientSet nameSpace = f.Namespace.Name diff --git a/test/e2e/storage/regional_pd.go b/test/e2e/storage/regional_pd.go index e2cace65ddb..1ad6768ba94 100644 --- a/test/e2e/storage/regional_pd.go +++ b/test/e2e/storage/regional_pd.go @@ -48,6 +48,7 @@ import ( "k8s.io/kubernetes/test/e2e/storage/testsuites" "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -60,6 +61,7 @@ const ( var _ = utils.SIGDescribe("Regional PD", func() { f := framework.NewDefaultFramework("regional-pd") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // filled in BeforeEach var c clientset.Interface diff --git a/test/e2e/storage/testsuites/capacity.go b/test/e2e/storage/testsuites/capacity.go index 8dcfe0747e7..098768da307 100644 --- a/test/e2e/storage/testsuites/capacity.go +++ b/test/e2e/storage/testsuites/capacity.go @@ -34,6 +34,7 @@ import ( e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" storageframework "k8s.io/kubernetes/test/e2e/storage/framework" storageutils "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) type capacityTestSuite struct { @@ -89,6 +90,7 @@ func (p *capacityTestSuite) DefineTests(driver storageframework.TestDriver, patt // Beware that it also registers an AfterEach which renders f unusable. Any code using // f must run inside an It or Context callback. f := framework.NewFrameworkWithCustomTimeouts("capacity", storageframework.GetDriverTimeouts(driver)) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged init := func() { dDriver, _ = driver.(storageframework.DynamicPVTestDriver) 
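Review bot: In `capacityTestSuite.DefineTests` the new assignment to `f.NamespacePodSecurityEnforceLevel` sits directly under the existing warning "Any code using f must run inside an It or Context callback", yet it touches `f` outside any callback; the same placement recurs in `volumeStressTestSuite.DefineTests`. Presumably a plain field assignment at definition time is intended and safe, but the exception should be written down, e.g. `// Configuration only: set before any spec runs; f is still unusable outside It/Context.` Because `DefineTests` receives the driver as a parameter, the privileged level also applies to the namespace of every driver the suite is instantiated with, which deserves a line in that comment so driver authors know their pods are not checked against a stricter level. The function body starts and ends outside the hunk.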
diff --git a/test/e2e/storage/testsuites/volume_stress.go b/test/e2e/storage/testsuites/volume_stress.go index 289c9d154de..c25d0c0cd0c 100644 --- a/test/e2e/storage/testsuites/volume_stress.go +++ b/test/e2e/storage/testsuites/volume_stress.go @@ -34,6 +34,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" storageframework "k8s.io/kubernetes/test/e2e/storage/framework" storageutils "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) type volumeStressTestSuite struct { @@ -113,6 +114,7 @@ func (t *volumeStressTestSuite) DefineTests(driver storageframework.TestDriver, // Beware that it also registers an AfterEach which renders f unusable. Any code using // f must run inside an It or Context callback. f := framework.NewFrameworkWithCustomTimeouts("stress", storageframework.GetDriverTimeouts(driver)) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged init := func() { cs = f.ClientSet diff --git a/test/e2e/storage/testsuites/volumeperf.go b/test/e2e/storage/testsuites/volumeperf.go index baabe0ab8bc..b2634bbeef9 100644 --- a/test/e2e/storage/testsuites/volumeperf.go +++ b/test/e2e/storage/testsuites/volumeperf.go @@ -37,6 +37,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" storageframework "k8s.io/kubernetes/test/e2e/storage/framework" + admissionapi "k8s.io/pod-security-admission/api" ) type volumePerformanceTestSuite struct { @@ -126,6 +127,7 @@ func (t *volumePerformanceTestSuite) DefineTests(driver storageframework.TestDri ClientBurst: 400, } f := framework.NewFramework("volume-lifecycle-performance", frameworkOptions, nil) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged f.AddAfterEach("cleanup", func(f *framework.Framework, failed bool) { ginkgo.By("Closing informer channel") close(l.stopCh) 
diff --git a/test/e2e/storage/ubernetes_lite_volumes.go b/test/e2e/storage/ubernetes_lite_volumes.go index c3028614164..90f28cb406c 100644 --- a/test/e2e/storage/ubernetes_lite_volumes.go +++ b/test/e2e/storage/ubernetes_lite_volumes.go @@ -30,10 +30,12 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = utils.SIGDescribe("Multi-AZ Cluster Volumes", func() { f := framework.NewDefaultFramework("multi-az") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var zoneCount int var err error image := framework.ServeHostnameImage diff --git a/test/e2e/storage/volume_limits.go b/test/e2e/storage/volume_limits.go index 5d443bc978c..8d87c2c182b 100644 --- a/test/e2e/storage/volume_limits.go +++ b/test/e2e/storage/volume_limits.go @@ -26,6 +26,7 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = utils.SIGDescribe("Volume limits", func() { @@ -33,6 +34,7 @@ var _ = utils.SIGDescribe("Volume limits", func() { c clientset.Interface ) f := framework.NewDefaultFramework("volume-limits-on-node") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessProviderIs("aws", "gce", "gke") // If CSIMigration is enabled, then the limits should be on CSINodes, not Nodes, and another test checks this diff --git a/test/e2e/storage/vsphere/persistent_volumes-vsphere.go b/test/e2e/storage/vsphere/persistent_volumes-vsphere.go index 8cd8eaf2dbf..6ca8d8c78c0 100644 --- a/test/e2e/storage/vsphere/persistent_volumes-vsphere.go +++ b/test/e2e/storage/vsphere/persistent_volumes-vsphere.go 
@@ -30,6 +30,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) // Testing configurations of single a PV/PVC pair attached to a vSphere Disk @@ -51,6 +52,7 @@ var _ = utils.SIGDescribe("PersistentVolumes:vsphere [Feature:vsphere]", func() ) f := framework.NewDefaultFramework("pv") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Test Setup diff --git a/test/e2e/storage/vsphere/pv_reclaimpolicy.go b/test/e2e/storage/vsphere/pv_reclaimpolicy.go index b8f1d0f4b93..ed9298783e7 100644 --- a/test/e2e/storage/vsphere/pv_reclaimpolicy.go +++ b/test/e2e/storage/vsphere/pv_reclaimpolicy.go @@ -31,10 +31,12 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = utils.SIGDescribe("PersistentVolumes [Feature:vsphere][Feature:ReclaimPolicy]", func() { f := framework.NewDefaultFramework("persistentvolumereclaim") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( c clientset.Interface ns string diff --git a/test/e2e/storage/vsphere/pvc_label_selector.go b/test/e2e/storage/vsphere/pvc_label_selector.go index 3245f18569b..50763f9e67e 100644 --- a/test/e2e/storage/vsphere/pvc_label_selector.go +++ b/test/e2e/storage/vsphere/pvc_label_selector.go @@ -28,6 +28,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* 
@@ -49,6 +50,7 @@ import ( */ var _ = utils.SIGDescribe("PersistentVolumes [Feature:vsphere][Feature:LabelSelector]", func() { f := framework.NewDefaultFramework("pvclabelselector") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( c clientset.Interface ns string diff --git a/test/e2e/storage/vsphere/vsphere_scale.go b/test/e2e/storage/vsphere/vsphere_scale.go index 36db34cf143..70d144b9d04 100644 --- a/test/e2e/storage/vsphere/vsphere_scale.go +++ b/test/e2e/storage/vsphere/vsphere_scale.go @@ -33,6 +33,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* @@ -57,6 +58,7 @@ type NodeSelector struct { var _ = utils.SIGDescribe("vcp at scale [Feature:vsphere] ", func() { f := framework.NewDefaultFramework("vcp-at-scale") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface diff --git a/test/e2e/storage/vsphere/vsphere_statefulsets.go b/test/e2e/storage/vsphere/vsphere_statefulsets.go index 1e186447553..3966c1144d2 100644 --- a/test/e2e/storage/vsphere/vsphere_statefulsets.go +++ b/test/e2e/storage/vsphere/vsphere_statefulsets.go @@ -30,6 +30,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" e2estatefulset "k8s.io/kubernetes/test/e2e/framework/statefulset" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* @@ -56,6 +57,7 @@ const ( var _ = utils.SIGDescribe("vsphere statefulset [Feature:vsphere]", func() { f := framework.NewDefaultFramework("vsphere-statefulset") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( namespace string client clientset.Interface diff --git a/test/e2e/storage/vsphere/vsphere_stress.go b/test/e2e/storage/vsphere/vsphere_stress.go index 1a742f256c3..27ca884891d 100644 --- a/test/e2e/storage/vsphere/vsphere_stress.go 
+++ b/test/e2e/storage/vsphere/vsphere_stress.go @@ -33,6 +33,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* @@ -47,6 +48,7 @@ import ( */ var _ = utils.SIGDescribe("vsphere cloud provider stress [Feature:vsphere]", func() { f := framework.NewDefaultFramework("vcp-stress") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface namespace string diff --git a/test/e2e/storage/vsphere/vsphere_volume_cluster_ds.go b/test/e2e/storage/vsphere/vsphere_volume_cluster_ds.go index b9651ac5c63..b3d670cc9b8 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_cluster_ds.go +++ b/test/e2e/storage/vsphere/vsphere_volume_cluster_ds.go @@ -26,6 +26,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* @@ -40,6 +41,7 @@ import ( */ var _ = utils.SIGDescribe("Volume Provisioning On Clustered Datastore [Feature:vsphere]", func() { f := framework.NewDefaultFramework("volume-provision") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface diff --git a/test/e2e/storage/vsphere/vsphere_volume_datastore.go b/test/e2e/storage/vsphere/vsphere_volume_datastore.go index d0bb4ac5276..6fdfb885161 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_datastore.go +++ b/test/e2e/storage/vsphere/vsphere_volume_datastore.go @@ -26,6 +26,7 @@ import ( v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" clientset "k8s.io/client-go/kubernetes" + admissionapi "k8s.io/pod-security-admission/api" "k8s.io/kubernetes/test/e2e/framework" e2enode "k8s.io/kubernetes/test/e2e/framework/node" 
@@ -51,6 +52,7 @@ const ( var _ = utils.SIGDescribe("Volume Provisioning on Datastore [Feature:vsphere]", func() { f := framework.NewDefaultFramework("volume-datastore") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface namespace string diff --git a/test/e2e/storage/vsphere/vsphere_volume_diskformat.go b/test/e2e/storage/vsphere/vsphere_volume_diskformat.go index efbed401e9c..7f392bddde1 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_diskformat.go +++ b/test/e2e/storage/vsphere/vsphere_volume_diskformat.go @@ -34,6 +34,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* @@ -56,6 +57,7 @@ import ( var _ = utils.SIGDescribe("Volume Disk Format [Feature:vsphere]", func() { f := framework.NewDefaultFramework("volume-disk-format") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged const ( NodeLabelKey = "vsphere_e2e_label_volume_diskformat" ) diff --git a/test/e2e/storage/vsphere/vsphere_volume_disksize.go b/test/e2e/storage/vsphere/vsphere_volume_disksize.go index c74159e8805..6d146c7d257 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_disksize.go +++ b/test/e2e/storage/vsphere/vsphere_volume_disksize.go @@ -29,6 +29,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -46,6 +47,7 @@ const ( var _ = utils.SIGDescribe("Volume Disk Size [Feature:vsphere]", func() { f := framework.NewDefaultFramework("volume-disksize") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface namespace string 
diff --git a/test/e2e/storage/vsphere/vsphere_volume_fstype.go b/test/e2e/storage/vsphere/vsphere_volume_fstype.go index 226b20cf50d..5c4e811b191 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_fstype.go +++ b/test/e2e/storage/vsphere/vsphere_volume_fstype.go @@ -31,6 +31,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -68,6 +69,7 @@ const ( var _ = utils.SIGDescribe("Volume FStype [Feature:vsphere]", func() { f := framework.NewDefaultFramework("volume-fstype") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface namespace string diff --git a/test/e2e/storage/vsphere/vsphere_volume_master_restart.go b/test/e2e/storage/vsphere/vsphere_volume_master_restart.go index 7c8b4b4f261..deadfe4b098 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_master_restart.go +++ b/test/e2e/storage/vsphere/vsphere_volume_master_restart.go @@ -37,6 +37,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" e2essh "k8s.io/kubernetes/test/e2e/framework/ssh" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) // waitForKubeletUp waits for the kubelet on the given host to be up. @@ -101,6 +102,7 @@ func restartKubelet(host string) error { */ var _ = utils.SIGDescribe("Volume Attach Verify [Feature:vsphere][Serial][Disruptive]", func() { f := framework.NewDefaultFramework("restart-master") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged const labelKey = "vsphere_e2e_label" var ( diff --git a/test/e2e/storage/vsphere/vsphere_volume_node_delete.go b/test/e2e/storage/vsphere/vsphere_volume_node_delete.go index 3ba80ced120..423c9924000 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_node_delete.go +++ b/test/e2e/storage/vsphere/vsphere_volume_node_delete.go 
@@ -28,10 +28,12 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = utils.SIGDescribe("Node Unregister [Feature:vsphere] [Slow] [Disruptive]", func() { f := framework.NewDefaultFramework("node-unregister") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface namespace string diff --git a/test/e2e/storage/vsphere/vsphere_volume_node_poweroff.go b/test/e2e/storage/vsphere/vsphere_volume_node_poweroff.go index 7e47ed4c899..1e29b46d78c 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_node_poweroff.go +++ b/test/e2e/storage/vsphere/vsphere_volume_node_poweroff.go @@ -37,6 +37,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* @@ -46,6 +47,7 @@ import ( */ var _ = utils.SIGDescribe("Node Poweroff [Feature:vsphere] [Slow] [Disruptive]", func() { f := framework.NewDefaultFramework("node-poweroff") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface namespace string diff --git a/test/e2e/storage/vsphere/vsphere_volume_ops_storm.go b/test/e2e/storage/vsphere/vsphere_volume_ops_storm.go index 1d93c30dfb6..07261a3a5da 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_ops_storm.go +++ b/test/e2e/storage/vsphere/vsphere_volume_ops_storm.go @@ -33,6 +33,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* 
@@ -53,6 +54,7 @@ import ( var _ = utils.SIGDescribe("Volume Operations Storm [Feature:vsphere]", func() { f := framework.NewDefaultFramework("volume-ops-storm") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged const defaultVolumeOpsScale = 30 var ( client clientset.Interface diff --git a/test/e2e/storage/vsphere/vsphere_volume_perf.go b/test/e2e/storage/vsphere/vsphere_volume_perf.go index dcc9625675a..3b6ce31ad7e 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_perf.go +++ b/test/e2e/storage/vsphere/vsphere_volume_perf.go @@ -33,6 +33,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* This test calculates latency numbers for volume lifecycle operations @@ -54,6 +55,7 @@ const ( var _ = utils.SIGDescribe("vcp-performance [Feature:vsphere]", func() { f := framework.NewDefaultFramework("vcp-performance") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface diff --git a/test/e2e/storage/vsphere/vsphere_volume_placement.go b/test/e2e/storage/vsphere/vsphere_volume_placement.go index 36b8ba3259e..cf9ac489e21 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_placement.go +++ b/test/e2e/storage/vsphere/vsphere_volume_placement.go @@ -33,10 +33,12 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = utils.SIGDescribe("Volume Placement [Feature:vsphere]", func() { f := framework.NewDefaultFramework("volume-placement") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged const ( NodeLabelKey = "vsphere_e2e_label_volume_placement" ) 
diff --git a/test/e2e/storage/vsphere/vsphere_volume_vpxd_restart.go b/test/e2e/storage/vsphere/vsphere_volume_vpxd_restart.go index f6d39166c01..bcd87f8d6d9 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_vpxd_restart.go +++ b/test/e2e/storage/vsphere/vsphere_volume_vpxd_restart.go @@ -34,6 +34,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* @@ -53,6 +54,7 @@ import ( */ var _ = utils.SIGDescribe("Verify Volume Attach Through vpxd Restart [Feature:vsphere][Serial][Disruptive]", func() { f := framework.NewDefaultFramework("restart-vpxd") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged type node struct { name string diff --git a/test/e2e/storage/vsphere/vsphere_volume_vsan_policy.go b/test/e2e/storage/vsphere/vsphere_volume_vsan_policy.go index bbb245c8a9a..e8e06e568d0 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_vsan_policy.go +++ b/test/e2e/storage/vsphere/vsphere_volume_vsan_policy.go @@ -36,6 +36,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -76,6 +77,7 @@ const ( var _ = utils.SIGDescribe("Storage Policy Based Volume Provisioning [Feature:vsphere]", func() { f := framework.NewDefaultFramework("volume-vsan-policy") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface namespace string diff --git a/test/e2e/storage/vsphere/vsphere_zone_support.go b/test/e2e/storage/vsphere/vsphere_zone_support.go index 12b6640d5ee..2f13a1ded65 100644 --- a/test/e2e/storage/vsphere/vsphere_zone_support.go +++ b/test/e2e/storage/vsphere/vsphere_zone_support.go 
@@ -36,6 +36,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* @@ -87,6 +88,7 @@ import ( var _ = utils.SIGDescribe("Zone Support [Feature:vsphere]", func() { f := framework.NewDefaultFramework("zone-support") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface namespace string diff --git a/test/e2e/upgrades/upgrade_suite.go b/test/e2e/upgrades/upgrade_suite.go index eac3b0f5a66..9ac435c2d71 100644 --- a/test/e2e/upgrades/upgrade_suite.go +++ b/test/e2e/upgrades/upgrade_suite.go @@ -31,6 +31,7 @@ import ( e2eginkgowrapper "k8s.io/kubernetes/test/e2e/framework/ginkgowrapper" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/utils/junit" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -101,7 +102,9 @@ func CreateUpgradeFrameworks(tests []Test) map[string]*framework.Framework { for _, t := range tests { ns := nsFilter.ReplaceAllString(t.Name(), "-") // and replace with a single hyphen ns = strings.Trim(ns, "-") - testFrameworks[t.Name()] = framework.NewDefaultFramework(ns) + f := framework.NewDefaultFramework(ns) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged + testFrameworks[t.Name()] = f } return testFrameworks } diff --git a/test/e2e/windows/cpu_limits.go b/test/e2e/windows/cpu_limits.go index 18fcfc7e5bd..d35fdf438cd 100644 --- a/test/e2e/windows/cpu_limits.go +++ b/test/e2e/windows/cpu_limits.go @@ -26,6 +26,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2ekubelet "k8s.io/kubernetes/test/e2e/framework/kubelet" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "time" "github.com/onsi/ginkgo" 
@@ -33,6 +34,7 @@ import ( var _ = SIGDescribe("[Feature:Windows] Cpu Resources [Serial]", func() { f := framework.NewDefaultFramework("cpu-resources-test-windows") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // The Windows 'BusyBox' image is PowerShell plus a collection of scripts and utilities to mimic common busybox commands powershellImage := imageutils.GetConfig(imageutils.BusyBox) diff --git a/test/e2e/windows/density.go b/test/e2e/windows/density.go index 11eb75d26b0..9ebc0559117 100644 --- a/test/e2e/windows/density.go +++ b/test/e2e/windows/density.go @@ -34,6 +34,7 @@ import ( e2emetrics "k8s.io/kubernetes/test/e2e/framework/metrics" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -41,6 +42,7 @@ import ( var _ = SIGDescribe("[Feature:Windows] Density [Serial] [Slow]", func() { f := framework.NewDefaultFramework("density-test-windows") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("create a batch of pods", func() { // TODO(coufon): the values are generous, set more precise limits with benchmark data diff --git a/test/e2e/windows/device_plugin.go b/test/e2e/windows/device_plugin.go index 76390530608..5e362bc7dae 100644 --- a/test/e2e/windows/device_plugin.go +++ b/test/e2e/windows/device_plugin.go @@ -29,6 +29,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -39,6 +40,7 @@ const ( var _ = SIGDescribe("[Feature:GPUDevicePlugin] Device Plugin", func() { f := framework.NewDefaultFramework("device-plugin") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface 
diff --git a/test/e2e/windows/dns.go b/test/e2e/windows/dns.go index 79ec33822d0..ef2cbbf6537 100644 --- a/test/e2e/windows/dns.go +++ b/test/e2e/windows/dns.go @@ -25,6 +25,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -36,6 +37,7 @@ var _ = SIGDescribe("[Feature:Windows] DNS", func() { }) f := framework.NewDefaultFramework("dns") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should support configurable pod DNS servers", func() { ginkgo.By("Getting the IP address of the internal Kubernetes service") diff --git a/test/e2e/windows/gmsa_full.go b/test/e2e/windows/gmsa_full.go index 6667f1e38d6..326dd39e3ca 100644 --- a/test/e2e/windows/gmsa_full.go +++ b/test/e2e/windows/gmsa_full.go @@ -60,6 +60,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -90,6 +91,7 @@ const ( var _ = SIGDescribe("[Feature:Windows] GMSA Full [Serial] [Slow]", func() { f := framework.NewDefaultFramework("gmsa-full-test-windows") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Describe("GMSA support", func() { ginkgo.It("works end to end", func() { diff --git a/test/e2e/windows/gmsa_kubelet.go b/test/e2e/windows/gmsa_kubelet.go index f92775de50d..17c5e32c554 100644 --- a/test/e2e/windows/gmsa_kubelet.go +++ b/test/e2e/windows/gmsa_kubelet.go @@ -30,6 +30,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" 
@@ -37,6 +38,7 @@ import ( var _ = SIGDescribe("[Feature:Windows] GMSA Kubelet [Slow]", func() { f := framework.NewDefaultFramework("gmsa-kubelet-test-windows") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Describe("kubelet GMSA support", func() { ginkgo.Context("when creating a pod with correct GMSA credential specs", func() { diff --git a/test/e2e/windows/host_process.go b/test/e2e/windows/host_process.go index faac52041d5..44fb4a2bd49 100644 --- a/test/e2e/windows/host_process.go +++ b/test/e2e/windows/host_process.go @@ -32,6 +32,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -82,6 +83,7 @@ var _ = SIGDescribe("[Feature:WindowsHostProcessContainers] [MinimumKubeletVersi }) f := framework.NewDefaultFramework("host-process-test-windows") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should run as a process on the host/node", func() { diff --git a/test/e2e/windows/hybrid_network.go b/test/e2e/windows/hybrid_network.go index f54ffbf5760..ad1c04e856b 100644 --- a/test/e2e/windows/hybrid_network.go +++ b/test/e2e/windows/hybrid_network.go @@ -24,6 +24,7 @@ import ( "k8s.io/apimachinery/pkg/util/uuid" "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" imageutils "k8s.io/kubernetes/test/utils/image" @@ -43,6 +44,7 @@ var ( var _ = SIGDescribe("Hybrid cluster network", func() { f := framework.NewDefaultFramework("hybrid-network") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessNodeOSDistroIs("windows") diff --git a/test/e2e/windows/kubelet_stats.go b/test/e2e/windows/kubelet_stats.go index 23d003ec17e..04bf382a593 100644 --- a/test/e2e/windows/kubelet_stats.go 
+++ b/test/e2e/windows/kubelet_stats.go @@ -31,12 +31,14 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("[Feature:Windows] Kubelet-Stats [Serial]", func() { f := framework.NewDefaultFramework("kubelet-stats-test-windows-serial") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Describe("Kubelet stats collection for Windows nodes", func() { @@ -112,6 +114,7 @@ var _ = SIGDescribe("[Feature:Windows] Kubelet-Stats [Serial]", func() { }) var _ = SIGDescribe("[Feature:Windows] Kubelet-Stats", func() { f := framework.NewDefaultFramework("kubelet-stats-test-windows") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Describe("Kubelet stats collection for Windows nodes", func() { diff --git a/test/e2e/windows/memory_limits.go b/test/e2e/windows/memory_limits.go index 43ee92a1973..02d74c026ae 100644 --- a/test/e2e/windows/memory_limits.go +++ b/test/e2e/windows/memory_limits.go @@ -34,6 +34,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -42,6 +43,7 @@ import ( var _ = SIGDescribe("[Feature:Windows] Memory Limits [Serial] [Slow]", func() { f := framework.NewDefaultFramework("memory-limit-test-windows") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { // NOTE(vyta): these tests are Windows specific diff --git a/test/e2e/windows/reboot_node.go b/test/e2e/windows/reboot_node.go index 55ac6e9176a..fbd62f27b7b 100644 --- a/test/e2e/windows/reboot_node.go +++ b/test/e2e/windows/reboot_node.go 
@@ -29,6 +29,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = SIGDescribe("[Feature:Windows] [Excluded:WindowsDocker] [MinimumKubeletVersion:1.22] RebootHost containers [Serial] [Disruptive] [Slow]", func() { @@ -37,6 +38,7 @@ var _ = SIGDescribe("[Feature:Windows] [Excluded:WindowsDocker] [MinimumKubeletV }) f := framework.NewDefaultFramework("reboot-host-test-windows") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should run as a reboot process on the host/node", func() { diff --git a/test/e2e/windows/security_context.go b/test/e2e/windows/security_context.go index 1f8fbd9e0f6..04188758b6b 100644 --- a/test/e2e/windows/security_context.go +++ b/test/e2e/windows/security_context.go @@ -34,12 +34,14 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) const runAsUserNameContainerName = "run-as-username-container" var _ = SIGDescribe("[Feature:Windows] SecurityContext", func() { f := framework.NewDefaultFramework("windows-run-as-username") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should be able create pods and run containers with a given username", func() { ginkgo.By("Creating 2 pods: 1 with the default user, and one with a custom one.") diff --git a/test/e2e/windows/service.go b/test/e2e/windows/service.go index b3e650bba20..61cb0b95f40 100644 --- a/test/e2e/windows/service.go +++ b/test/e2e/windows/service.go 
@@ -25,12 +25,14 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2eservice "k8s.io/kubernetes/test/e2e/framework/service" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("Services", func() { f := framework.NewDefaultFramework("services") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface diff --git a/test/e2e/windows/volumes.go b/test/e2e/windows/volumes.go index cf4b229ffc7..069c690c34e 100644 --- a/test/e2e/windows/volumes.go +++ b/test/e2e/windows/volumes.go @@ -25,6 +25,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -42,6 +43,7 @@ var ( var _ = SIGDescribe("[Feature:Windows] Windows volume mounts ", func() { f := framework.NewDefaultFramework("windows-volumes") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( emptyDirSource = v1.VolumeSource{ EmptyDir: &v1.EmptyDirVolumeSource{ diff --git a/test/e2e_kubeadm/bootstrap_signer.go b/test/e2e_kubeadm/bootstrap_signer.go index 412c54459aa..cf192116103 100644 --- a/test/e2e_kubeadm/bootstrap_signer.go +++ b/test/e2e_kubeadm/bootstrap_signer.go @@ -18,6 +18,7 @@ package kubeadm import ( "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -32,6 +33,7 @@ var _ = Describe("bootstrap signer", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("bootstrap token") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution 
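Review bot: In the test/e2e_kubeadm/bootstrap_signer.go hunk, the new `f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged` is immediately followed by the comment saying these tests disable namespace creation, so the level presumably never reaches a namespace and the line is dead configuration. The same applies to the other test/e2e_kubeadm hunks in this diff (bootstrap_token_test.go, cluster_info_test.go, controlplane_nodes_test.go, dns_addon_test.go, kubeadm_certs_test.go, kubeadm_config_test.go, kubelet_config_test.go, networking_test.go, nodes_test.go, proxy_addon_test.go). Leaving it in makes these suites look dependent on privileged pods when Pod Security exemptions are audited later. I would drop the assignment, or keep it with `// no-op while namespace creation is skipped; revisit if this suite starts creating pods`. The statement that actually skips namespace creation is outside the hunk, so confirm it before removing anything.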
diff --git a/test/e2e_kubeadm/bootstrap_token_test.go b/test/e2e_kubeadm/bootstrap_token_test.go index 8e4d4aaf12a..4dc7f98e28f 100644 --- a/test/e2e_kubeadm/bootstrap_token_test.go +++ b/test/e2e_kubeadm/bootstrap_token_test.go @@ -23,6 +23,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" bootstrapapi "k8s.io/cluster-bootstrap/token/api" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -43,6 +44,7 @@ var _ = Describe("bootstrap token", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("bootstrap token") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_kubeadm/cluster_info_test.go b/test/e2e_kubeadm/cluster_info_test.go index ec182722740..2bdbfffe6ee 100644 --- a/test/e2e_kubeadm/cluster_info_test.go +++ b/test/e2e_kubeadm/cluster_info_test.go @@ -21,6 +21,7 @@ import ( rbacv1 "k8s.io/api/rbac/v1" bootstrapapi "k8s.io/cluster-bootstrap/token/api" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -48,6 +49,7 @@ var _ = Describe("cluster-info ConfigMap", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("cluster-info") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_kubeadm/controlplane_nodes_test.go b/test/e2e_kubeadm/controlplane_nodes_test.go index b886bb049ba..71625d12eef 100644 --- a/test/e2e_kubeadm/controlplane_nodes_test.go +++ b/test/e2e_kubeadm/controlplane_nodes_test.go 
@@ -24,6 +24,7 @@ import ( "k8s.io/apimachinery/pkg/labels" clientset "k8s.io/client-go/kubernetes" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -42,6 +43,7 @@ var _ = Describe("control-plane node", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("control-plane node") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_kubeadm/dns_addon_test.go b/test/e2e_kubeadm/dns_addon_test.go index 3a5272fa557..564c6e6513f 100644 --- a/test/e2e_kubeadm/dns_addon_test.go +++ b/test/e2e_kubeadm/dns_addon_test.go @@ -19,6 +19,7 @@ package kubeadm import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -48,6 +49,7 @@ var _ = Describe("DNS addon", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("DNS") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_kubeadm/kubeadm_certs_test.go b/test/e2e_kubeadm/kubeadm_certs_test.go index d6a66d15848..9b388cec643 100644 --- a/test/e2e_kubeadm/kubeadm_certs_test.go +++ b/test/e2e_kubeadm/kubeadm_certs_test.go @@ -23,6 +23,7 @@ import ( corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" 
@@ -54,6 +55,7 @@ var _ = Describe("kubeadm-certs [copy-certs]", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("kubeadm-certs") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_kubeadm/kubeadm_config_test.go b/test/e2e_kubeadm/kubeadm_config_test.go index 3e4b3677072..f0eb5ccaff0 100644 --- a/test/e2e_kubeadm/kubeadm_config_test.go +++ b/test/e2e_kubeadm/kubeadm_config_test.go @@ -22,6 +22,7 @@ import ( rbacv1 "k8s.io/api/rbac/v1" clientset "k8s.io/client-go/kubernetes" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -50,6 +51,7 @@ var _ = Describe("kubeadm-config ConfigMap", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("kubeadm-config") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_kubeadm/kubelet_config_test.go b/test/e2e_kubeadm/kubelet_config_test.go index 09f6de02cb6..7ccc778d360 100644 --- a/test/e2e_kubeadm/kubelet_config_test.go +++ b/test/e2e_kubeadm/kubelet_config_test.go @@ -24,6 +24,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/version" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" 
@@ -53,6 +54,7 @@ var _ = Describe("kubelet-config ConfigMap", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("kubelet-config") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_kubeadm/networking_test.go b/test/e2e_kubeadm/networking_test.go index 9810a9aa7bf..3f4b77273e9 100644 --- a/test/e2e_kubeadm/networking_test.go +++ b/test/e2e_kubeadm/networking_test.go @@ -23,6 +23,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" netutils "k8s.io/utils/net" "github.com/onsi/ginkgo" @@ -41,6 +42,7 @@ var _ = Describe("networking [setup-networking]", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("networking") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_kubeadm/nodes_test.go b/test/e2e_kubeadm/nodes_test.go index f3937f5a52a..dbf1d4eb3fa 100644 --- a/test/e2e_kubeadm/nodes_test.go +++ b/test/e2e_kubeadm/nodes_test.go @@ -21,6 +21,7 @@ import ( rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" 
@@ -39,6 +40,7 @@ var _ = Describe("nodes", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("nodes") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_kubeadm/proxy_addon_test.go b/test/e2e_kubeadm/proxy_addon_test.go index 47c2595c25e..04042caa997 100644 --- a/test/e2e_kubeadm/proxy_addon_test.go +++ b/test/e2e_kubeadm/proxy_addon_test.go @@ -20,6 +20,7 @@ import ( authv1 "k8s.io/api/authorization/v1" rbacv1 "k8s.io/api/rbac/v1" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -52,6 +53,7 @@ var _ = Describe("proxy addon", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("proxy") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_node/apparmor_test.go b/test/e2e_node/apparmor_test.go index cbc06e41e87..686a49c0653 100644 --- a/test/e2e_node/apparmor_test.go +++ b/test/e2e_node/apparmor_test.go @@ -20,6 +20,7 @@ import ( "bytes" "context" "fmt" + admissionapi "k8s.io/pod-security-admission/api" "os" "os/exec" "regexp" @@ -54,6 +55,7 @@ var _ = SIGDescribe("AppArmor [Feature:AppArmor][NodeFeature:AppArmor]", func() }) ginkgo.Context("when running with AppArmor", func() { f := framework.NewDefaultFramework("apparmor-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should reject an unloaded profile", func() { status := runAppArmorTest(f, false, v1.AppArmorBetaProfileNamePrefix+"non-existent-profile") 
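Review bot: In the import hunk of test/e2e_node/apparmor_test.go, the added `admissionapi "k8s.io/pod-security-admission/api"` sits between `"fmt"` and `"os"`, inside the standard-library group. It should move down to the file's `k8s.io/...` imports so the grouping stays standard library first, then everything else, as in the other files touched by this diff. The rest of the import block is outside the hunk, so the exact target line has to be picked from the full file.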
@@ -84,6 +86,7 @@ var _ = SIGDescribe("AppArmor [Feature:AppArmor][NodeFeature:AppArmor]", func() } else { ginkgo.Context("when running without AppArmor", func() { f := framework.NewDefaultFramework("apparmor-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should reject a pod with an AppArmor profile", func() { status := runAppArmorTest(f, false, v1.AppArmorBetaProfileRuntimeDefault) diff --git a/test/e2e_node/container_log_rotation_test.go b/test/e2e_node/container_log_rotation_test.go index 96713e05278..6b1fe3d87d9 100644 --- a/test/e2e_node/container_log_rotation_test.go +++ b/test/e2e_node/container_log_rotation_test.go @@ -25,6 +25,7 @@ import ( kubecontainer "k8s.io/kubernetes/pkg/kubelet/container" kubelogs "k8s.io/kubernetes/pkg/kubelet/logs" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -40,6 +41,7 @@ const ( var _ = SIGDescribe("ContainerLogRotation [Slow] [Serial] [Disruptive]", func() { f := framework.NewDefaultFramework("container-log-rotation-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("when a container generates a lot of log", func() { tempSetCurrentKubeletConfig(f, func(initialConfig *kubeletconfig.KubeletConfiguration) { initialConfig.ContainerLogMaxFiles = testContainerLogMaxFiles diff --git a/test/e2e_node/container_manager_test.go b/test/e2e_node/container_manager_test.go index 75f0589749f..fe04413f4d4 100644 --- a/test/e2e_node/container_manager_test.go +++ b/test/e2e_node/container_manager_test.go @@ -35,6 +35,7 @@ import ( runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" 
@@ -76,6 +77,7 @@ func validateOOMScoreAdjSettingIsInRange(pid int, expectedMinOOMScoreAdj, expect var _ = SIGDescribe("Container Manager Misc [Serial]", func() { f := framework.NewDefaultFramework("kubelet-container-manager") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Describe("Validate OOM score adjustments [NodeFeature:OOMScoreAdj]", func() { ginkgo.Context("once the node is setup", func() { ginkgo.It("container runtime's oom-score-adj should be -999", func() { diff --git a/test/e2e_node/cpu_manager_test.go b/test/e2e_node/cpu_manager_test.go index 30706ebf72c..f4099e98988 100644 --- a/test/e2e_node/cpu_manager_test.go +++ b/test/e2e_node/cpu_manager_test.go @@ -34,6 +34,7 @@ import ( cpumanagerstate "k8s.io/kubernetes/pkg/kubelet/cm/cpumanager/state" "k8s.io/kubernetes/pkg/kubelet/cm/cpuset" "k8s.io/kubernetes/pkg/kubelet/types" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -784,6 +785,7 @@ func isSMTAlignmentError(pod *v1.Pod) bool { // Serial because the test updates kubelet configuration. var _ = SIGDescribe("CPU Manager [Serial] [Feature:CPUManager]", func() { f := framework.NewDefaultFramework("cpu-manager-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("With kubeconfig updated with static CPU Manager policy run the CPU Manager tests", func() { runCPUManagerTests(f) diff --git a/test/e2e_node/critical_pod_test.go b/test/e2e_node/critical_pod_test.go index 474f4b7c66a..38d69118e16 100644 --- a/test/e2e_node/critical_pod_test.go +++ b/test/e2e_node/critical_pod_test.go @@ -28,6 +28,7 @@ import ( kubelettypes "k8s.io/kubernetes/pkg/kubelet/types" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) 
@@ -41,6 +42,7 @@ const ( var _ = SIGDescribe("CriticalPod [Serial] [Disruptive] [NodeFeature:CriticalPod]", func() { f := framework.NewDefaultFramework("critical-pod-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("when we need to admit a critical pod", func() { ginkgo.It("[Flaky] should be able to create and delete a critical pod", func() { // because adminssion Priority enable, If the priority class is not found, the Pod is rejected. diff --git a/test/e2e_node/density_test.go b/test/e2e_node/density_test.go index 61d0f60893f..c430bb6757d 100644 --- a/test/e2e_node/density_test.go +++ b/test/e2e_node/density_test.go @@ -41,6 +41,7 @@ import ( e2ekubelet "k8s.io/kubernetes/test/e2e/framework/kubelet" e2emetrics "k8s.io/kubernetes/test/e2e/framework/metrics" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -63,6 +64,7 @@ var _ = SIGDescribe("Density [Serial] [Slow]", func() { ) f := framework.NewDefaultFramework("density-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { // Start a standalone cadvisor pod using 'createSync', the pod is running when it returns diff --git a/test/e2e_node/device_manager_test.go b/test/e2e_node/device_manager_test.go index 148fd852855..1ec4df2ac03 100644 --- a/test/e2e_node/device_manager_test.go +++ b/test/e2e_node/device_manager_test.go @@ -33,6 +33,7 @@ import ( "k8s.io/kubernetes/pkg/kubelet/checkpointmanager" "k8s.io/kubernetes/pkg/kubelet/cm/devicemanager/checkpoint" "k8s.io/kubernetes/pkg/kubelet/util" + admissionapi "k8s.io/pod-security-admission/api" "k8s.io/kubernetes/test/e2e/framework" e2enode "k8s.io/kubernetes/test/e2e/framework/node" 
@@ -52,6 +53,7 @@ const ( var _ = SIGDescribe("Device Manager [Serial] [Feature:DeviceManager][NodeFeature:DeviceManager]", func() { checkpointFullPath := filepath.Join(devicePluginDir, checkpointName) f := framework.NewDefaultFramework("devicemanager-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("With SRIOV devices in the system", func() { // this test wants to reproduce what happened in https://github.com/kubernetes/kubernetes/issues/102880 diff --git a/test/e2e_node/device_plugin_test.go b/test/e2e_node/device_plugin_test.go index 56ba767162b..9d3ece3a92f 100644 --- a/test/e2e_node/device_plugin_test.go +++ b/test/e2e_node/device_plugin_test.go @@ -26,6 +26,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/serializer" e2etestfiles "k8s.io/kubernetes/test/e2e/framework/testfiles" + admissionapi "k8s.io/pod-security-admission/api" "regexp" @@ -61,6 +62,7 @@ var ( // Serial because the test restarts Kubelet var _ = SIGDescribe("Device Plugin [Feature:DevicePluginProbe][NodeFeature:DevicePluginProbe][Serial]", func() { f := framework.NewDefaultFramework("device-plugin-errors") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged testDevicePlugin(f, "/var/lib/kubelet/plugins_registry") }) diff --git a/test/e2e_node/eviction_test.go b/test/e2e_node/eviction_test.go index 499d9d8819f..03fe45a393b 100644 --- a/test/e2e_node/eviction_test.go +++ b/test/e2e_node/eviction_test.go @@ -40,6 +40,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" 
@@ -68,6 +69,7 @@ const ( // Node disk pressure is induced by consuming all inodes on the node. var _ = SIGDescribe("InodeEviction [Slow] [Serial] [Disruptive][NodeFeature:Eviction]", func() { f := framework.NewDefaultFramework("inode-eviction-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged expectedNodeCondition := v1.NodeDiskPressure expectedStarvedResource := resourceInodes pressureTimeout := 15 * time.Minute @@ -104,6 +106,7 @@ var _ = SIGDescribe("InodeEviction [Slow] [Serial] [Disruptive][NodeFeature:Evic // Disk pressure is induced by pulling large images var _ = SIGDescribe("ImageGCNoEviction [Slow] [Serial] [Disruptive][NodeFeature:Eviction]", func() { f := framework.NewDefaultFramework("image-gc-eviction-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged pressureTimeout := 10 * time.Minute expectedNodeCondition := v1.NodeDiskPressure expectedStarvedResource := resourceInodes @@ -134,6 +137,7 @@ var _ = SIGDescribe("ImageGCNoEviction [Slow] [Serial] [Disruptive][NodeFeature: // Node memory pressure is only encountered because we reserve the majority of the node's capacity via kube-reserved. var _ = SIGDescribe("MemoryAllocatableEviction [Slow] [Serial] [Disruptive][NodeFeature:Eviction]", func() { f := framework.NewDefaultFramework("memory-allocatable-eviction-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged expectedNodeCondition := v1.NodeMemoryPressure expectedStarvedResource := v1.ResourceMemory pressureTimeout := 10 * time.Minute 
@@ -167,6 +171,7 @@ var _ = SIGDescribe("MemoryAllocatableEviction [Slow] [Serial] [Disruptive][Node // Disk pressure is induced by running pods which consume disk space. var _ = SIGDescribe("LocalStorageEviction [Slow] [Serial] [Disruptive][NodeFeature:Eviction]", func() { f := framework.NewDefaultFramework("localstorage-eviction-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged pressureTimeout := 15 * time.Minute expectedNodeCondition := v1.NodeDiskPressure expectedStarvedResource := v1.ResourceEphemeralStorage @@ -205,6 +210,7 @@ var _ = SIGDescribe("LocalStorageEviction [Slow] [Serial] [Disruptive][NodeFeatu // Note: This test's purpose is to test Soft Evictions. Local storage was chosen since it is the least costly to run. var _ = SIGDescribe("LocalStorageSoftEviction [Slow] [Serial] [Disruptive][NodeFeature:Eviction]", func() { f := framework.NewDefaultFramework("localstorage-eviction-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged pressureTimeout := 10 * time.Minute expectedNodeCondition := v1.NodeDiskPressure expectedStarvedResource := v1.ResourceEphemeralStorage @@ -243,6 +249,7 @@ var _ = SIGDescribe("LocalStorageSoftEviction [Slow] [Serial] [Disruptive][NodeF // not possible to exhaust the quota. var _ = SIGDescribe("LocalStorageCapacityIsolationMemoryBackedVolumeEviction [Slow] [Serial] [Disruptive] [Feature:LocalStorageCapacityIsolation][NodeFeature:Eviction]", func() { f := framework.NewDefaultFramework("localstorage-eviction-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged evictionTestTimeout := 7 * time.Minute ginkgo.Context(fmt.Sprintf(testContextFmt, "evictions due to pod local storage violations"), func() { tempSetCurrentKubeletConfig(f, func(initialConfig *kubeletconfig.KubeletConfiguration) { 
@@ -282,6 +289,7 @@ var _ = SIGDescribe("LocalStorageCapacityIsolationMemoryBackedVolumeEviction [Sl // LocalStorageCapacityIsolationEviction tests that container and volume local storage limits are enforced through evictions var _ = SIGDescribe("LocalStorageCapacityIsolationEviction [Slow] [Serial] [Disruptive] [Feature:LocalStorageCapacityIsolation][NodeFeature:Eviction]", func() { f := framework.NewDefaultFramework("localstorage-eviction-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged evictionTestTimeout := 10 * time.Minute ginkgo.Context(fmt.Sprintf(testContextFmt, "evictions due to pod local storage violations"), func() { tempSetCurrentKubeletConfig(f, func(initialConfig *kubeletconfig.KubeletConfiguration) { @@ -334,6 +342,7 @@ var _ = SIGDescribe("LocalStorageCapacityIsolationEviction [Slow] [Serial] [Disr // the higher priority pod. var _ = SIGDescribe("PriorityMemoryEvictionOrdering [Slow] [Serial] [Disruptive][NodeFeature:Eviction]", func() { f := framework.NewDefaultFramework("priority-memory-eviction-ordering-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged expectedNodeCondition := v1.NodeMemoryPressure expectedStarvedResource := v1.ResourceMemory pressureTimeout := 10 * time.Minute @@ -391,6 +400,7 @@ var _ = SIGDescribe("PriorityMemoryEvictionOrdering [Slow] [Serial] [Disruptive] // the higher priority pod. var _ = SIGDescribe("PriorityLocalStorageEvictionOrdering [Slow] [Serial] [Disruptive][NodeFeature:Eviction]", func() { f := framework.NewDefaultFramework("priority-disk-eviction-ordering-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged expectedNodeCondition := v1.NodeDiskPressure expectedStarvedResource := v1.ResourceEphemeralStorage pressureTimeout := 15 * time.Minute 
@@ -447,6 +457,7 @@ var _ = SIGDescribe("PriorityLocalStorageEvictionOrdering [Slow] [Serial] [Disru // PriorityPidEvictionOrdering tests that the node emits pid pressure in response to a fork bomb, and evicts pods by priority var _ = SIGDescribe("PriorityPidEvictionOrdering [Slow] [Serial] [Disruptive][NodeFeature:Eviction]", func() { f := framework.NewDefaultFramework("pidpressure-eviction-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged pressureTimeout := 2 * time.Minute expectedNodeCondition := v1.NodePIDPressure expectedStarvedResource := noStarvedResource diff --git a/test/e2e_node/garbage_collector_test.go b/test/e2e_node/garbage_collector_test.go index 5ad982dd31e..6e1711e4e13 100644 --- a/test/e2e_node/garbage_collector_test.go +++ b/test/e2e_node/garbage_collector_test.go @@ -28,6 +28,7 @@ import ( runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1" "k8s.io/kubernetes/pkg/kubelet/types" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -72,6 +73,7 @@ type testRun struct { // http://kubernetes.io/docs/admin/garbage-collection/ var _ = SIGDescribe("GarbageCollect [Serial][NodeFeature:GarbageCollect]", func() { f := framework.NewDefaultFramework("garbage-collect-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged containerNamePrefix := "gc-test-container-" podNamePrefix := "gc-test-pod-" diff --git a/test/e2e_node/hugepages_test.go b/test/e2e_node/hugepages_test.go index 773bbc3d308..9f9968fc218 100644 --- a/test/e2e_node/hugepages_test.go +++ b/test/e2e_node/hugepages_test.go @@ -37,6 +37,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" ) const ( 
@@ -201,6 +202,7 @@ func getHugepagesTestPod(f *framework.Framework, limits v1.ResourceList, mounts // Serial because the test updates kubelet configuration. var _ = SIGDescribe("HugePages [Serial] [Feature:HugePages][NodeSpecialFeature:HugePages]", func() { f := framework.NewDefaultFramework("hugepages-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should remove resources for huge page sizes no longer supported", func() { ginkgo.By("mimicking support for 9Mi of 3Mi huge page memory by patching the node status") diff --git a/test/e2e_node/image_credential_provider.go b/test/e2e_node/image_credential_provider.go index b94917f3c7c..11a2104a32b 100644 --- a/test/e2e_node/image_credential_provider.go +++ b/test/e2e_node/image_credential_provider.go @@ -24,10 +24,12 @@ import ( "k8s.io/apimachinery/pkg/util/uuid" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = SIGDescribe("ImageCredentialProvider [Feature:KubeletCredentialProviders]", func() { f := framework.NewDefaultFramework("image-credential-provider") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var podClient *framework.PodClient ginkgo.BeforeEach(func() { diff --git a/test/e2e_node/image_id_test.go b/test/e2e_node/image_id_test.go index 1d9102f51c0..42d47b547b2 100644 --- a/test/e2e_node/image_id_test.go +++ b/test/e2e_node/image_id_test.go @@ -22,6 +22,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" + admissionapi "k8s.io/pod-security-admission/api" "github.com/davecgh/go-spew/spew" "github.com/onsi/ginkgo" 
@@ -33,6 +34,7 @@ var _ = SIGDescribe("ImageID [NodeFeature: ImageID]", func() {
 busyBoxImage := "k8s.gcr.io/busybox@sha256:4bdd623e848417d96127e16037743f0cd8b528c026e9175e22a84f639eca58ff"
 f := framework.NewDefaultFramework("image-id-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.It("should be set to the manifest digest (from RepoDigests) when available", func() {
 podDesc := &v1.Pod{
diff --git a/test/e2e_node/memory_manager_test.go b/test/e2e_node/memory_manager_test.go
index bba3b5dc602..219a0a854f9 100644
--- a/test/e2e_node/memory_manager_test.go
+++ b/test/e2e_node/memory_manager_test.go
@@ -42,6 +42,7 @@ import (
 "k8s.io/kubernetes/pkg/kubelet/util"
 "k8s.io/kubernetes/test/e2e/framework"
 e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+ admissionapi "k8s.io/pod-security-admission/api"
 "k8s.io/utils/pointer"
 "github.com/onsi/ginkgo"
@@ -253,6 +254,7 @@ var _ = SIGDescribe("Memory Manager [Disruptive] [Serial] [Feature:MemoryManager
 )
 f := framework.NewDefaultFramework("memory-manager-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 memoryQuantity := resource.MustParse("1100Mi")
 defaultKubeParams := &kubeletParams{
diff --git a/test/e2e_node/node_container_manager_test.go b/test/e2e_node/node_container_manager_test.go
index ca2c59a1ef5..65a2e3eda7d 100644
--- a/test/e2e_node/node_container_manager_test.go
+++ b/test/e2e_node/node_container_manager_test.go
@@ -34,6 +34,7 @@ import (
 kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
 "k8s.io/kubernetes/pkg/kubelet/cm"
 "k8s.io/kubernetes/pkg/kubelet/stats/pidlimit"
+ admissionapi "k8s.io/pod-security-admission/api"
 "k8s.io/kubernetes/test/e2e/framework"
 e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
@@ -64,6 +65,7 @@ func setDesiredConfiguration(initialConfig *kubeletconfig.KubeletConfiguration)
 var _ = SIGDescribe("Node Container Manager [Serial]", func() {
 f := framework.NewDefaultFramework("node-container-manager")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.Describe("Validate Node Allocatable [NodeFeature:NodeAllocatable]", func() {
 ginkgo.It("sets up the node and runs the test", func() {
 framework.ExpectNoError(runTest(f))
diff --git a/test/e2e_node/node_perf_test.go b/test/e2e_node/node_perf_test.go
index e5c064da122..3a76cd9e5ac 100644
--- a/test/e2e_node/node_perf_test.go
+++ b/test/e2e_node/node_perf_test.go
@@ -24,6 +24,7 @@ import (
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
+ admissionapi "k8s.io/pod-security-admission/api"
 "k8s.io/kubernetes/test/e2e/framework"
 e2enode "k8s.io/kubernetes/test/e2e/framework/node"
@@ -80,6 +81,7 @@ func setKubeletConfig(f *framework.Framework, cfg *kubeletconfig.KubeletConfigur
 // Slow by design.
 var _ = SIGDescribe("Node Performance Testing [Serial] [Slow]", func() {
 f := framework.NewDefaultFramework("node-performance-testing")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 var (
 wl workloads.NodePerfWorkload
 oldCfg *kubeletconfig.KubeletConfiguration
diff --git a/test/e2e_node/node_problem_detector_linux.go b/test/e2e_node/node_problem_detector_linux.go
index 6b6bf676f5d..6f079ea5048 100644
--- a/test/e2e_node/node_problem_detector_linux.go
+++ b/test/e2e_node/node_problem_detector_linux.go
@@ -36,6 +36,7 @@ import (
 "k8s.io/apimachinery/pkg/util/uuid"
 clientset "k8s.io/client-go/kubernetes"
 coreclientset "k8s.io/client-go/kubernetes/typed/core/v1"
+ admissionapi "k8s.io/pod-security-admission/api"
 "k8s.io/kubernetes/pkg/kubelet/util"
 "k8s.io/kubernetes/test/e2e/framework"
@@ -50,6 +51,7 @@ var _ = SIGDescribe("NodeProblemDetector [NodeFeature:NodeProblemDetector] [Seri
 pollTimeout = 1 * time.Minute
 )
 f := framework.NewDefaultFramework("node-problem-detector")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 var c clientset.Interface
 var uid string
 var ns, name, configName, eventNamespace string
diff --git a/test/e2e_node/node_shutdown_linux_test.go b/test/e2e_node/node_shutdown_linux_test.go
index f8b672a463a..e93fbb8db39 100644
--- a/test/e2e_node/node_shutdown_linux_test.go
+++ b/test/e2e_node/node_shutdown_linux_test.go
@@ -31,6 +31,7 @@ import (
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/fields"
 "k8s.io/kubectl/pkg/util/podutils"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/onsi/ginkgo"
 "github.com/onsi/gomega"
@@ -49,6 +50,7 @@ import (
 var _ = SIGDescribe("GracefulNodeShutdown [Serial] [NodeFeature:GracefulNodeShutdown] [NodeFeature:GracefulNodeShutdownBasedOnPodPriority]", func() {
 f := framework.NewDefaultFramework("graceful-node-shutdown")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.Context("when gracefully shutting down", func() {
 const (
diff --git a/test/e2e_node/os_label_rename_test.go b/test/e2e_node/os_label_rename_test.go
index 080f73f3780..8c4fc24fdb1 100644
--- a/test/e2e_node/os_label_rename_test.go
+++ b/test/e2e_node/os_label_rename_test.go
@@ -34,10 +34,12 @@ import (
 v1core "k8s.io/client-go/kubernetes/typed/core/v1"
 nodeutil "k8s.io/component-helpers/node/util"
 "k8s.io/kubernetes/test/e2e/framework"
+ admissionapi "k8s.io/pod-security-admission/api"
 )
 var _ = SIGDescribe("OSArchLabelReconciliation [Serial] [Slow] [Disruptive]", func() {
 f := framework.NewDefaultFramework("node-label-reconciliation")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.Context("Kubelet", func() {
 ginkgo.It("should reconcile the OS and Arch labels when restarted", func() {
 node := getLocalNode(f)
diff --git a/test/e2e_node/pids_test.go b/test/e2e_node/pids_test.go
index b455e0945ac..60eb7907570 100644
--- a/test/e2e_node/pids_test.go
+++ b/test/e2e_node/pids_test.go
@@ -23,6 +23,7 @@ import (
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/uuid"
+ admissionapi "k8s.io/pod-security-admission/api"
 kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
 "k8s.io/kubernetes/pkg/kubelet/cm"
@@ -120,6 +121,7 @@ func runPodPidsLimitTests(f *framework.Framework) {
 // Serial because the test updates kubelet configuration.
 var _ = SIGDescribe("PodPidsLimit [Serial]", func() {
 f := framework.NewDefaultFramework("pids-limit-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.Context("With config updated with pids limits", func() {
 tempSetCurrentKubeletConfig(f, func(initialConfig *kubeletconfig.KubeletConfiguration) {
 initialConfig.PodPidsLimit = int64(1024)
diff --git a/test/e2e_node/podresources_test.go b/test/e2e_node/podresources_test.go
index bf12c7bcb0f..aff1d0800b2 100644
--- a/test/e2e_node/podresources_test.go
+++ b/test/e2e_node/podresources_test.go
@@ -35,6 +35,7 @@ import (
 "k8s.io/kubernetes/pkg/kubelet/cm/cpuset"
 "k8s.io/kubernetes/pkg/kubelet/util"
 testutils "k8s.io/kubernetes/test/utils"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/onsi/ginkgo"
 "github.com/onsi/gomega"
@@ -551,6 +552,7 @@ func podresourcesGetAllocatableResourcesTests(cli kubeletpodresourcesv1.PodResou
 // Serial because the test updates kubelet configuration.
 var _ = SIGDescribe("POD Resources [Serial] [Feature:PodResources][NodeFeature:PodResources]", func() {
 f := framework.NewDefaultFramework("podresources-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 reservedSystemCPUs := cpuset.MustParse("1")
diff --git a/test/e2e_node/quota_lsci_test.go b/test/e2e_node/quota_lsci_test.go
index 5e470c27cdf..e5441147a53 100644
--- a/test/e2e_node/quota_lsci_test.go
+++ b/test/e2e_node/quota_lsci_test.go
@@ -31,6 +31,7 @@ import (
 e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
 imageutils "k8s.io/kubernetes/test/utils/image"
 "k8s.io/mount-utils"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/onsi/ginkgo"
 )
@@ -96,6 +97,7 @@ func runOneQuotaTest(f *framework.Framework, quotasRequested bool) {
 // file; if du is used to monitor, it will not detect this.
 var _ = SIGDescribe("LocalStorageCapacityIsolationQuotaMonitoring [Slow] [Serial] [Disruptive] [Feature:LocalStorageCapacityIsolationQuota][NodeFeature:LSCIQuotaMonitoring]", func() {
 f := framework.NewDefaultFramework("localstorage-quota-monitoring-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 runOneQuotaTest(f, true)
 runOneQuotaTest(f, false)
 })
diff --git a/test/e2e_node/resource_metrics_test.go b/test/e2e_node/resource_metrics_test.go
index 014f5093f78..42727284fb9 100644
--- a/test/e2e_node/resource_metrics_test.go
+++ b/test/e2e_node/resource_metrics_test.go
@@ -25,6 +25,7 @@ import (
 e2ekubectl "k8s.io/kubernetes/test/e2e/framework/kubectl"
 e2emetrics "k8s.io/kubernetes/test/e2e/framework/metrics"
 e2evolume "k8s.io/kubernetes/test/e2e/framework/volume"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/prometheus/common/model"
@@ -42,6 +43,7 @@ const (
 var _ = SIGDescribe("ResourceMetricsAPI [NodeFeature:ResourceMetrics]", func() {
 f := framework.NewDefaultFramework("resource-metrics")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.Context("when querying /resource/metrics", func() {
 ginkgo.BeforeEach(func() {
 ginkgo.By("Creating test pods to measure their resource usage")
diff --git a/test/e2e_node/resource_usage_test.go b/test/e2e_node/resource_usage_test.go
index fa7c1660334..b83fc3f2e88 100644
--- a/test/e2e_node/resource_usage_test.go
+++ b/test/e2e_node/resource_usage_test.go
@@ -30,6 +30,7 @@ import (
 e2ekubelet "k8s.io/kubernetes/test/e2e/framework/kubelet"
 e2eperf "k8s.io/kubernetes/test/e2e/framework/perf"
 imageutils "k8s.io/kubernetes/test/utils/image"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/onsi/ginkgo"
 )
@@ -46,6 +47,7 @@ var _ = SIGDescribe("Resource-usage [Serial] [Slow]", func() {
 )
 f := framework.NewDefaultFramework("resource-usage")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.BeforeEach(func() {
 om = e2ekubelet.NewRuntimeOperationMonitor(f.ClientSet)
diff --git a/test/e2e_node/restart_test.go b/test/e2e_node/restart_test.go
index 52f0e244e2f..421c2e85de5 100644
--- a/test/e2e_node/restart_test.go
+++ b/test/e2e_node/restart_test.go
@@ -32,6 +32,7 @@ import (
 e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
 testutils "k8s.io/kubernetes/test/utils"
 imageutils "k8s.io/kubernetes/test/utils/image"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/onsi/ginkgo"
 "github.com/onsi/gomega"
@@ -81,6 +82,7 @@ var _ = SIGDescribe("Restart [Serial] [Slow] [Disruptive]", func() {
 )
 f := framework.NewDefaultFramework("restart-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.Context("Container Runtime", func() {
 ginkgo.Context("Network", func() {
 ginkgo.It("should recover from ip leak", func() {
diff --git a/test/e2e_node/runtimeclass_test.go b/test/e2e_node/runtimeclass_test.go
index 4e563dc5b45..416eb20540b 100644
--- a/test/e2e_node/runtimeclass_test.go
+++ b/test/e2e_node/runtimeclass_test.go
@@ -29,6 +29,7 @@ import (
 e2enode "k8s.io/kubernetes/test/e2e/framework/node"
 e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 imageutils "k8s.io/kubernetes/test/utils/image"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/onsi/ginkgo"
 )
@@ -91,6 +92,7 @@ func makePodToVerifyCgroupSize(cgroupNames []string, expectedCPU string, expecte
 var _ = SIGDescribe("Kubelet PodOverhead handling [LinuxOnly]", func() {
 f := framework.NewDefaultFramework("podoverhead-handling")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.Describe("PodOverhead cgroup accounting", func() {
 ginkgo.Context("On running pod with PodOverhead defined", func() {
 ginkgo.It("Pod cgroup should be sum of overhead and resource limits", func() {
diff --git a/test/e2e_node/system_node_critical_test.go b/test/e2e_node/system_node_critical_test.go
index fcecccaf28f..ad68b58a20d 100644
--- a/test/e2e_node/system_node_critical_test.go
+++ b/test/e2e_node/system_node_critical_test.go
@@ -28,6 +28,7 @@ import (
 kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
 evictionapi "k8s.io/kubernetes/pkg/kubelet/eviction/api"
 "k8s.io/kubernetes/test/e2e/framework"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/onsi/ginkgo"
 "github.com/onsi/gomega"
@@ -35,6 +36,7 @@ import (
 var _ = SIGDescribe("SystemNodeCriticalPod [Slow] [Serial] [Disruptive] [NodeFeature:SystemNodeCriticalPod]", func() {
 f := framework.NewDefaultFramework("system-node-critical-pod-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 // this test only manipulates pods in kube-system
 f.SkipNamespaceCreation = true
diff --git a/test/e2e_node/topology_manager_test.go b/test/e2e_node/topology_manager_test.go
index 83ea629cdb5..dc51c347a25 100644
--- a/test/e2e_node/topology_manager_test.go
+++ b/test/e2e_node/topology_manager_test.go
@@ -36,6 +36,7 @@ import (
 "k8s.io/kubernetes/pkg/kubelet/cm/cpumanager"
 "k8s.io/kubernetes/pkg/kubelet/cm/topologymanager"
 "k8s.io/kubernetes/pkg/kubelet/types"
+ admissionapi "k8s.io/pod-security-admission/api"
 "k8s.io/kubernetes/test/e2e/framework"
 e2enode "k8s.io/kubernetes/test/e2e/framework/node"
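Review bot: In the SystemNodeCriticalPod hunk of system_node_critical_test.go the added `f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged` sits directly above `f.SkipNamespaceCreation = true`, and the existing comment says the test only manipulates pods in kube-system. If the framework applies the enforce level only to the namespace it creates (the framework code is not part of this diff, so this is an inference), the new line has no effect here and suggests a policy change that never happens. I would either drop it from this suite or say so in place, e.g. `// no effect while SkipNamespaceCreation is true; kept for consistency with the other suites`. The SIGDescribe body continues outside the hunk.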
@@ -972,6 +973,7 @@ func hostPrecheck() (int, int) {
 // Serial because the test updates kubelet configuration.
 var _ = SIGDescribe("Topology Manager [Serial] [Feature:TopologyManager][NodeFeature:TopologyManager]", func() {
 f := framework.NewDefaultFramework("topology-manager-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.Context("With kubeconfig updated to static CPU Manager policy run the Topology Manager tests", func() {
 runTopologyManagerTests(f)