From c5b01a30d3fac1dab14b13ae026478312151ce87 Mon Sep 17 00:00:00 2001
From: Sohan Kunkerkar
Date: Wed, 17 Jul 2024 19:10:54 -0400
Subject: [PATCH] test/e2e/windows: drop securityContext test for ProcMount

Fixes https://github.com/kubernetes/kubernetes/issues/126180

As the ProcMountType feature is disabled by default in beta and relies on the UserNamespacesSupport feature, which is also set to false in beta, running this test is unnecessary.

Signed-off-by: Sohan Kunkerkar
---
 test/e2e/windows/security_context.go | 26 +-------------------------
 1 file changed, 1 insertion(+), 25 deletions(-)

diff --git a/test/e2e/windows/security_context.go b/test/e2e/windows/security_context.go
index a793859fa72..ebb62dbbaa0 100644
--- a/test/e2e/windows/security_context.go
+++ b/test/e2e/windows/security_context.go
@@ -136,7 +136,7 @@ var _ = sigDescribe(feature.Windows, "SecurityContext", skipUnlessWindows(func()
 e2eoutput.TestContainerOutput(ctx, f, "check pod SecurityContext username", pod, 1, []string{"ContainerAdministrator"})
 })
 
- ginkgo.It("should ignore SELinux Specific SecurityContext if set", func(ctx context.Context) {
+ ginkgo.It("should ignore Linux Specific SecurityContext if set", func(ctx context.Context) {
 ginkgo.By("Creating a pod with SELinux options")
 // It is sufficient to show that the pod comes up here. Since we're stripping the SELinux and other linux
 // security contexts in apiserver and not updating the pod object in the apiserver, we cannot validate the
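Review bot: The new title on the `+` line promises "Linux Specific SecurityContext", but the step directly below it still reads `ginkgo.By("Creating a pod with SELinux options")`, and the ProcMount case is deleted by the second hunk of this patch. The test body continues outside this hunk, so if it sets only SELinux options, the broader title overstates what is verified about the apiserver stripping Linux-only security fields from Windows pods. Either keep the SELinux wording or bring the `By` text in line with the new title. A comment above the test, such as `// ProcMount stripping is not covered: ProcMountType is disabled by default; restore coverage when the gate is on by default.`, would record the gap so it is revisited when the gate changes. Renaming a spec presumably also changes what any focus/skip pattern keyed on the old title matches, which is worth confirming.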
@@ -160,30 +160,6 @@ var _ = sigDescribe(feature.Windows, "SecurityContext", skipUnlessWindows(func()
 f.Namespace.Name), "failed to wait for pod %s to be running", windowsPodWithSELinux.Name)
 })
 
- ginkgo.It("should ignore ProcMount Specific SecurityContext if set", func(ctx context.Context) {
- ginkgo.By("Creating a pod with ProcMount options")
- // It is sufficient to show that the pod comes up here. Since we're stripping the SELinux and other linux
- // security contexts in apiserver and not updating the pod object in the apiserver, we cannot validate the
- // pod object to not have those security contexts. However the pod coming to running state is a sufficient
- // enough condition for us to validate since prior to https://github.com/kubernetes/kubernetes/pull/93475
- // the pod would have failed to come up.
- windowsPodWithSELinux := createTestPod(f, imageutils.GetE2EImage(imageutils.Agnhost), windowsOS)
- windowsPodWithSELinux.Spec.Containers[0].Args = []string{"test-webserver-with-selinux"}
- windowsPodWithSELinux.Spec.SecurityContext = &v1.PodSecurityContext{}
- pmt := v1.UnmaskedProcMount
- containerUserName := "ContainerAdministrator"
- windowsPodWithSELinux.Spec.Containers[0].SecurityContext = &v1.SecurityContext{
- ProcMount: &pmt,
- WindowsOptions: &v1.WindowsSecurityContextOptions{RunAsUserName: &containerUserName}}
- windowsPodWithSELinux.Spec.Tolerations = []v1.Toleration{{Key: "os", Value: "Windows"}}
- windowsPodWithSELinux, err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).Create(ctx,
- windowsPodWithSELinux, metav1.CreateOptions{})
- framework.ExpectNoError(err)
- framework.Logf("Created pod %v", windowsPodWithSELinux)
- framework.ExpectNoError(e2epod.WaitForPodNameRunningInNamespace(ctx, f.ClientSet, windowsPodWithSELinux.Name,
- f.Namespace.Name), "failed to wait for pod %s to be running", windowsPodWithSELinux.Name)
- })
-
 ginkgo.It("should not be able to create pods with containers running as ContainerAdministrator when runAsNonRoot is true", func(ctx context.Context) {
 ginkgo.By("Creating a pod")