diff --git a/test/e2e/apimachinery/aggregator.go b/test/e2e/apimachinery/aggregator.go index 20f2915f36b..d13655c613f 100644 --- a/test/e2e/apimachinery/aggregator.go +++ b/test/e2e/apimachinery/aggregator.go @@ -46,6 +46,7 @@ import ( e2edeployment "k8s.io/kubernetes/test/e2e/framework/deployment" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" samplev1alpha1 "k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1" "k8s.io/utils/pointer" @@ -70,6 +71,7 @@ var _ = SIGDescribe("Aggregator", func() { }) f := framework.NewDefaultFramework("aggregator") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline // We want namespace initialization BeforeEach inserted by // NewDefaultFramework to happen before this, so we put this BeforeEach diff --git a/test/e2e/apimachinery/apply.go b/test/e2e/apimachinery/apply.go index 2a5a880e5a4..6d1cb1ebb58 100644 --- a/test/e2e/apimachinery/apply.go +++ b/test/e2e/apimachinery/apply.go @@ -36,6 +36,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2edeployment "k8s.io/kubernetes/test/e2e/framework/deployment" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" @@ -45,6 +46,7 @@ import ( var _ = SIGDescribe("ServerSideApply", func() { f := framework.NewDefaultFramework("apply") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline var client clientset.Interface var ns string diff --git a/test/e2e/apimachinery/crd_conversion_webhook.go b/test/e2e/apimachinery/crd_conversion_webhook.go index 4898c8375a6..9c8ebefafd6 100644 --- a/test/e2e/apimachinery/crd_conversion_webhook.go +++ b/test/e2e/apimachinery/crd_conversion_webhook.go @@ -38,6 +38,7 @@ import ( e2edeployment "k8s.io/kubernetes/test/e2e/framework/deployment" "k8s.io/kubernetes/test/utils/crd" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "k8s.io/utils/pointer" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" @@ -117,6 +118,7 @@ var alternativeAPIVersions = []apiextensionsv1.CustomResourceDefinitionVersion{ var _ = SIGDescribe("CustomResourceConversionWebhook [Privileged:ClusterAdmin]", func() { var certCtx *certContext f := framework.NewDefaultFramework("crd-webhook") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline servicePort := int32(9443) containerPort := int32(9444) diff --git a/test/e2e/apimachinery/garbage_collector.go b/test/e2e/apimachinery/garbage_collector.go index c6cf2440a5c..60d24f57bb2 100644 --- a/test/e2e/apimachinery/garbage_collector.go +++ b/test/e2e/apimachinery/garbage_collector.go @@ -43,6 +43,7 @@ import ( e2emetrics "k8s.io/kubernetes/test/e2e/framework/metrics" e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" imageutils "k8s.io/kubernetes/test/utils/image" @@ -301,6 +302,7 @@ func getUniqLabel(labelkey, labelvalue string) map[string]string { var _ = SIGDescribe("Garbage collector", func() { f := framework.NewDefaultFramework("gc") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline /* Release: v1.9 diff --git a/test/e2e/apimachinery/generated_clientset.go b/test/e2e/apimachinery/generated_clientset.go index 640b0061d9a..d728f9e8c69 100644 --- a/test/e2e/apimachinery/generated_clientset.go +++ b/test/e2e/apimachinery/generated_clientset.go @@ -31,6 +31,7 @@ import ( "k8s.io/apimachinery/pkg/watch" "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" imageutils "k8s.io/kubernetes/test/utils/image" @@ -100,6 +101,7 @@ func observerUpdate(w watch.Interface, expectedUpdate func(runtime.Object) bool) var _ = SIGDescribe("Generated clientset", func() { f := framework.NewDefaultFramework("clientset") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.It("should create pods, set the deletionTimestamp and deletionGracePeriodSeconds of the pod", func() { podClient := f.ClientSet.CoreV1().Pods(f.Namespace.Name) ginkgo.By("constructing the pod") diff --git a/test/e2e/apimachinery/namespace.go b/test/e2e/apimachinery/namespace.go index bf32faeb331..f14f490f421 100644 --- a/test/e2e/apimachinery/namespace.go +++ b/test/e2e/apimachinery/namespace.go @@ -33,6 +33,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "k8s.io/apimachinery/pkg/types" @@ -226,6 +227,7 @@ func ensureServicesAreRemovedWhenNamespaceIsDeleted(f *framework.Framework) { var _ = SIGDescribe("Namespaces [Serial]", func() { f := framework.NewDefaultFramework("namespaces") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline /* Release: v1.11 diff --git a/test/e2e/apimachinery/resource_quota.go b/test/e2e/apimachinery/resource_quota.go index b2c1e5d4b68..2b87cfd846c 100644 --- a/test/e2e/apimachinery/resource_quota.go +++ b/test/e2e/apimachinery/resource_quota.go @@ -36,6 +36,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/utils/crd" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -51,6 +52,7 @@ var extendedResourceName = "example.com/dongle" var _ = SIGDescribe("ResourceQuota", func() { f := framework.NewDefaultFramework("resourcequota") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline /* Release: v1.16 @@ -917,6 +919,7 @@ var _ = SIGDescribe("ResourceQuota", func() { var _ = SIGDescribe("ResourceQuota [Feature:ScopeSelectors]", func() { f := framework.NewDefaultFramework("scope-selectors") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.It("should verify ResourceQuota with best effort scope using scope-selectors.", func() { ginkgo.By("Creating a ResourceQuota with best effort scope") resourceQuotaBestEffort, err := createResourceQuota(f.ClientSet, f.Namespace.Name, newTestResourceQuotaWithScopeSelector("quota-besteffort", v1.ResourceQuotaScopeBestEffort)) @@ -1097,6 +1100,7 @@ var _ = SIGDescribe("ResourceQuota [Feature:ScopeSelectors]", func() { var _ = SIGDescribe("ResourceQuota [Feature:PodPriority]", func() { f := framework.NewDefaultFramework("resourcequota-priorityclass") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.It("should verify ResourceQuota's priority class scope (quota set to pod count: 1) against a pod with same priority class.", func() { @@ -1438,6 +1442,7 @@ var _ = SIGDescribe("ResourceQuota [Feature:PodPriority]", func() { var _ = SIGDescribe("ResourceQuota", func() { f := framework.NewDefaultFramework("cross-namespace-pod-affinity") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.It("should verify ResourceQuota with cross namespace pod affinity scope using scope-selectors.", func() { ginkgo.By("Creating a ResourceQuota with cross namespace pod affinity scope") quota, err := createResourceQuota( diff --git a/test/e2e/apimachinery/table_conversion.go b/test/e2e/apimachinery/table_conversion.go index 959ea522a6d..4f092b5f20e 100644 --- a/test/e2e/apimachinery/table_conversion.go +++ b/test/e2e/apimachinery/table_conversion.go @@ -31,6 +31,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1beta1 "k8s.io/apimachinery/pkg/apis/meta/v1beta1" "k8s.io/client-go/util/workqueue" + admissionapi "k8s.io/pod-security-admission/api" utilversion "k8s.io/apimachinery/pkg/util/version" "k8s.io/cli-runtime/pkg/printers" @@ -43,6 +44,7 @@ var serverPrintVersion = utilversion.MustParseSemantic("v1.10.0") var _ = SIGDescribe("Servers with support for Table transformation", func() { f := framework.NewDefaultFramework("tables") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessServerVersionGTE(serverPrintVersion, f.ClientSet.Discovery()) diff --git a/test/e2e/apimachinery/webhook.go b/test/e2e/apimachinery/webhook.go index 360993e3889..83ede28d717 100644 --- a/test/e2e/apimachinery/webhook.go +++ b/test/e2e/apimachinery/webhook.go @@ -47,6 +47,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" "k8s.io/kubernetes/test/utils/crd" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" @@ -78,6 +79,7 @@ const ( var _ = SIGDescribe("AdmissionWebhook [Privileged:ClusterAdmin]", func() { var certCtx *certContext f := framework.NewDefaultFramework("webhook") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline servicePort := int32(8443) containerPort := int32(8444) @@ -1155,6 +1157,8 @@ func testWebhook(f *framework.Framework) { Labels: map[string]string{ skipNamespaceLabelKey: skipNamespaceLabelValue, f.UniqueName: "true", + // TODO(https://github.com/kubernetes/kubernetes/issues/108298): route namespace creation via framework.Framework.CreateNamespace in 1.24 + admissionapi.EnforceLevelLabel: string(admissionapi.LevelRestricted), }, }}) framework.ExpectNoError(err, "creating namespace %q", skippedNamespaceName) @@ -2369,8 +2373,12 @@ func newMutateConfigMapWebhookFixture(f *framework.Framework, certCtx *certConte func createWebhookConfigurationReadyNamespace(f *framework.Framework) { ns, err := f.ClientSet.CoreV1().Namespaces().Create(context.TODO(), &v1.Namespace{ ObjectMeta: metav1.ObjectMeta{ - Name: f.Namespace.Name + "-markers", - Labels: map[string]string{f.UniqueName + "-markers": "true"}, + Name: f.Namespace.Name + "-markers", + Labels: map[string]string{ + f.UniqueName + "-markers": "true", + // TODO(https://github.com/kubernetes/kubernetes/issues/108298): route namespace creation via framework.Framework.CreateNamespace in 1.24 + admissionapi.EnforceLevelLabel: string(admissionapi.LevelRestricted), + }, }, }, metav1.CreateOptions{}) framework.ExpectNoError(err, "creating namespace for webhook configuration ready markers") diff --git a/test/e2e/apps/cronjob.go b/test/e2e/apps/cronjob.go index f17025bc9cd..8fec9005cc5 100644 --- a/test/e2e/apps/cronjob.go +++ b/test/e2e/apps/cronjob.go @@ -43,6 +43,7 @@ import ( e2ejob "k8s.io/kubernetes/test/e2e/framework/job" e2eresource "k8s.io/kubernetes/test/e2e/framework/resource" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -52,6 +53,7 @@ const ( var _ = SIGDescribe("CronJob", func() { f := framework.NewDefaultFramework("cronjob") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline sleepCommand := []string{"sleep", "300"} diff --git a/test/e2e/apps/daemon_set.go b/test/e2e/apps/daemon_set.go index 646235e8c61..56d523de323 100644 --- a/test/e2e/apps/daemon_set.go +++ b/test/e2e/apps/daemon_set.go @@ -55,6 +55,7 @@ import ( e2edaemonset "k8s.io/kubernetes/test/e2e/framework/daemonset" e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2eresource "k8s.io/kubernetes/test/e2e/framework/resource" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -133,6 +134,7 @@ var _ = SIGDescribe("Daemon set [Serial]", func() { }) f = framework.NewDefaultFramework("daemonsets") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline image := WebserverImage dsName := "daemon-set" diff --git a/test/e2e/apps/deployment.go b/test/e2e/apps/deployment.go index 21f2694b01c..08ae90daa80 100644 --- a/test/e2e/apps/deployment.go +++ b/test/e2e/apps/deployment.go @@ -61,6 +61,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" testutil "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" utilpointer "k8s.io/utils/pointer" ) @@ -85,6 +86,7 @@ var _ = SIGDescribe("Deployment", func() { }) f := framework.NewDefaultFramework("deployment") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.BeforeEach(func() { c = f.ClientSet diff --git a/test/e2e/apps/disruption.go b/test/e2e/apps/disruption.go index c10d0588da5..e456bb926f5 100644 --- a/test/e2e/apps/disruption.go +++ b/test/e2e/apps/disruption.go @@ -46,6 +46,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) // schedulingTimeout is longer specifically because sometimes we need to wait @@ -62,6 +63,7 @@ var defaultLabels = map[string]string{"foo": "bar"} var _ = SIGDescribe("DisruptionController", func() { f := framework.NewDefaultFramework("disruption") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ns string var cs kubernetes.Interface var dc dynamic.Interface diff --git a/test/e2e/apps/job.go b/test/e2e/apps/job.go index a462522ab7d..0cd7fe46d6a 100644 --- a/test/e2e/apps/job.go +++ b/test/e2e/apps/job.go @@ -47,6 +47,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eresource "k8s.io/kubernetes/test/e2e/framework/resource" "k8s.io/kubernetes/test/e2e/scheduling" + admissionapi "k8s.io/pod-security-admission/api" "k8s.io/utils/pointer" "github.com/onsi/ginkgo" @@ -67,6 +68,7 @@ type watchEventConfig struct { var _ = SIGDescribe("Job", func() { f := framework.NewDefaultFramework("job") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged parallelism := int32(2) completions := int32(4) diff --git a/test/e2e/apps/rc.go b/test/e2e/apps/rc.go index 289e6232872..dfa63be39be 100644 --- a/test/e2e/apps/rc.go +++ b/test/e2e/apps/rc.go @@ -41,12 +41,14 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("ReplicationController", func() { f := framework.NewDefaultFramework("replication-controller") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline var ns string var dc dynamic.Interface diff --git a/test/e2e/apps/replica_set.go b/test/e2e/apps/replica_set.go index f312914150b..61c87fc04cf 100644 --- a/test/e2e/apps/replica_set.go +++ b/test/e2e/apps/replica_set.go @@ -45,6 +45,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2ereplicaset "k8s.io/kubernetes/test/e2e/framework/replicaset" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" imageutils "k8s.io/kubernetes/test/utils/image" @@ -100,6 +101,7 @@ func newPodQuota(name, number string) *v1.ResourceQuota { var _ = SIGDescribe("ReplicaSet", func() { f := framework.NewDefaultFramework("replicaset") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline /* Release: v1.9 diff --git a/test/e2e/apps/statefulset.go b/test/e2e/apps/statefulset.go index 6a347e171b1..6a02483da83 100644 --- a/test/e2e/apps/statefulset.go +++ b/test/e2e/apps/statefulset.go @@ -51,6 +51,7 @@ import ( e2eservice "k8s.io/kubernetes/test/e2e/framework/service" e2estatefulset "k8s.io/kubernetes/test/e2e/framework/statefulset" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -88,6 +89,7 @@ var httpProbe = &v1.Probe{ // GCE Api requirements: nodes and master need storage r/w permissions. var _ = SIGDescribe("StatefulSet", func() { f := framework.NewDefaultFramework("statefulset") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ns string var c clientset.Interface diff --git a/test/e2e/apps/ttl_after_finished.go b/test/e2e/apps/ttl_after_finished.go index f4aabe3106c..4e5b0e2248d 100644 --- a/test/e2e/apps/ttl_after_finished.go +++ b/test/e2e/apps/ttl_after_finished.go @@ -29,6 +29,7 @@ import ( "k8s.io/kubernetes/pkg/util/slice" "k8s.io/kubernetes/test/e2e/framework" e2ejob "k8s.io/kubernetes/test/e2e/framework/job" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -42,6 +43,7 @@ const ( var _ = SIGDescribe("TTLAfterFinished", func() { f := framework.NewDefaultFramework("ttlafterfinished") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.It("job should be deleted once it finishes after TTL seconds", func() { testFinishedJob(f) diff --git a/test/e2e/auth/node_authn.go b/test/e2e/auth/node_authn.go index d6ba011775e..e9ffde1fd15 100644 --- a/test/e2e/auth/node_authn.go +++ b/test/e2e/auth/node_authn.go @@ -26,6 +26,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/kubernetes/pkg/cluster/ports" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -36,6 +37,7 @@ import ( var _ = SIGDescribe("[Feature:NodeAuthenticator]", func() { f := framework.NewDefaultFramework("node-authn") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline var ns string var nodeIPs []string ginkgo.BeforeEach(func() { diff --git a/test/e2e/auth/node_authz.go b/test/e2e/auth/node_authz.go index 12035ede272..ab238c0339a 100644 --- a/test/e2e/auth/node_authz.go +++ b/test/e2e/auth/node_authz.go @@ -29,6 +29,7 @@ import ( restclient "k8s.io/client-go/rest" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -41,6 +42,7 @@ const ( var _ = SIGDescribe("[Feature:NodeAuthorizer]", func() { f := framework.NewDefaultFramework("node-authz") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline // client that will impersonate a node var c clientset.Interface var ns string diff --git a/test/e2e/auth/service_accounts.go b/test/e2e/auth/service_accounts.go index a8b3c269906..bbbba91f154 100644 --- a/test/e2e/auth/service_accounts.go +++ b/test/e2e/auth/service_accounts.go @@ -41,6 +41,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" utilptr "k8s.io/utils/pointer" "github.com/onsi/ginkgo" @@ -50,6 +51,7 @@ const rootCAConfigMapName = "kube-root-ca.crt" var _ = SIGDescribe("ServiceAccounts", func() { f := framework.NewDefaultFramework("svcaccounts") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.It("no secret-based service account token should be auto-generated", func() { { diff --git a/test/e2e/autoscaling/horizontal_pod_autoscaling.go b/test/e2e/autoscaling/horizontal_pod_autoscaling.go index fd1bdde2745..d518cabb1b2 100644 --- a/test/e2e/autoscaling/horizontal_pod_autoscaling.go +++ b/test/e2e/autoscaling/horizontal_pod_autoscaling.go @@ -17,6 +17,7 @@ limitations under the License. package autoscaling import ( + "k8s.io/pod-security-admission/api" "time" "k8s.io/apimachinery/pkg/runtime/schema" @@ -30,6 +31,7 @@ import ( // var _ = SIGDescribe("[Feature:HPA] Horizontal pod autoscaling (scale resource: CPU)", func() { f := framework.NewDefaultFramework("horizontal-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = api.LevelBaseline titleUp := "Should scale from 1 pod to 3 pods and from 3 to 5" titleDown := "Should scale from 5 pods to 3 pods and from 3 to 1" diff --git a/test/e2e/common/network/networking.go b/test/e2e/common/network/networking.go index 79f9c0f2355..7534cc2872e 100644 --- a/test/e2e/common/network/networking.go +++ b/test/e2e/common/network/networking.go @@ -22,10 +22,12 @@ import ( "k8s.io/apimachinery/pkg/util/sets" "k8s.io/kubernetes/test/e2e/framework" e2enetwork "k8s.io/kubernetes/test/e2e/framework/network" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = SIGDescribe("Networking", func() { f := framework.NewDefaultFramework("pod-network-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Describe("Granular Checks: Pods", func() { diff --git a/test/e2e/common/node/configmap.go b/test/e2e/common/node/configmap.go index b0ee3cbdcf7..8e2514f4ff7 100644 --- a/test/e2e/common/node/configmap.go +++ b/test/e2e/common/node/configmap.go @@ -27,12 +27,14 @@ import ( "k8s.io/apimachinery/pkg/util/uuid" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("ConfigMap", func() { f := framework.NewDefaultFramework("configmap") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline /* Release: v1.9 diff --git a/test/e2e/common/node/container_probe.go b/test/e2e/common/node/container_probe.go index a59988f36fb..dfb49ce32af 100644 --- a/test/e2e/common/node/container_probe.go +++ b/test/e2e/common/node/container_probe.go @@ -37,6 +37,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -50,6 +51,7 @@ const ( var _ = SIGDescribe("Probing container", func() { f := framework.NewDefaultFramework("container-probe") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline var podClient *framework.PodClient probe := webserverProbeBuilder{} diff --git a/test/e2e/common/node/containers.go b/test/e2e/common/node/containers.go index fc34c6f8223..5c1ac026e1b 100644 --- a/test/e2e/common/node/containers.go +++ b/test/e2e/common/node/containers.go @@ -23,10 +23,12 @@ import ( "k8s.io/apimachinery/pkg/util/uuid" "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = SIGDescribe("Containers", func() { f := framework.NewDefaultFramework("containers") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline /* Release: v1.9 diff --git a/test/e2e/common/node/downwardapi.go b/test/e2e/common/node/downwardapi.go index eea5004222d..7d0801e4ad3 100644 --- a/test/e2e/common/node/downwardapi.go +++ b/test/e2e/common/node/downwardapi.go @@ -28,12 +28,14 @@ import ( e2enetwork "k8s.io/kubernetes/test/e2e/framework/network" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("Downward API", func() { f := framework.NewDefaultFramework("downward-api") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.9 @@ -287,6 +289,7 @@ var _ = SIGDescribe("Downward API", func() { var _ = SIGDescribe("Downward API [Serial] [Disruptive] [NodeFeature:DownwardAPIHugePages]", func() { f := framework.NewDefaultFramework("downward-api") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("Downward API tests for hugepages", func() { ginkgo.BeforeEach(func() { diff --git a/test/e2e/common/node/ephemeral_containers.go b/test/e2e/common/node/ephemeral_containers.go index 601577757c9..295d816a379 100644 --- a/test/e2e/common/node/ephemeral_containers.go +++ b/test/e2e/common/node/ephemeral_containers.go @@ -27,6 +27,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -34,6 +35,7 @@ import ( var _ = SIGDescribe("Ephemeral Containers [NodeFeature:EphemeralContainers]", func() { f := framework.NewDefaultFramework("ephemeral-containers-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline var podClient *framework.PodClient ginkgo.BeforeEach(func() { podClient = f.PodClient() diff --git a/test/e2e/common/node/expansion.go b/test/e2e/common/node/expansion.go index 05ed90e6c18..afdf240a126 100644 --- a/test/e2e/common/node/expansion.go +++ b/test/e2e/common/node/expansion.go @@ -23,6 +23,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -32,6 +33,7 @@ import ( // https://github.com/kubernetes/community/blob/master/contributors/design-proposals/node/expansion.md var _ = SIGDescribe("Variable Expansion", func() { f := framework.NewDefaultFramework("var-expansion") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline /* Release: v1.9 diff --git a/test/e2e/common/node/init_container.go b/test/e2e/common/node/init_container.go index 7164cbffd7c..498f21b7f35 100644 --- a/test/e2e/common/node/init_container.go +++ b/test/e2e/common/node/init_container.go @@ -40,6 +40,7 @@ import ( "k8s.io/kubernetes/pkg/client/conditions" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) func recordEvents(events []watch.Event, f func(watch.Event) (bool, error)) func(watch.Event) (bool, error) { @@ -158,6 +159,7 @@ func initContainersInvariants(pod *v1.Pod) error { var _ = SIGDescribe("InitContainer [NodeConformance]", func() { f := framework.NewDefaultFramework("init-container") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline var podClient *framework.PodClient ginkgo.BeforeEach(func() { podClient = f.PodClient() diff --git a/test/e2e/common/node/kubelet.go b/test/e2e/common/node/kubelet.go index 8e5d722ec6e..c3a16ea67c0 100644 --- a/test/e2e/common/node/kubelet.go +++ b/test/e2e/common/node/kubelet.go @@ -27,6 +27,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/uuid" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -34,6 +35,7 @@ import ( var _ = SIGDescribe("Kubelet", func() { f := framework.NewDefaultFramework("kubelet-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline var podClient *framework.PodClient ginkgo.BeforeEach(func() { podClient = f.PodClient() diff --git a/test/e2e/common/node/kubelet_etc_hosts.go b/test/e2e/common/node/kubelet_etc_hosts.go index 1e0c860d173..4b6002852b8 100644 --- a/test/e2e/common/node/kubelet_etc_hosts.go +++ b/test/e2e/common/node/kubelet_etc_hosts.go @@ -26,6 +26,7 @@ import ( "k8s.io/klog/v2" "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -45,6 +46,7 @@ type KubeletManagedHostConfig struct { var _ = SIGDescribe("KubeletManagedEtcHosts", func() { f := framework.NewDefaultFramework("e2e-kubelet-etc-hosts") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged config := &KubeletManagedHostConfig{ f: f, } diff --git a/test/e2e/common/node/lifecycle_hook.go b/test/e2e/common/node/lifecycle_hook.go index 587fb85d412..5704b22fe25 100644 --- a/test/e2e/common/node/lifecycle_hook.go +++ b/test/e2e/common/node/lifecycle_hook.go @@ -28,6 +28,7 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -35,6 +36,7 @@ import ( var _ = SIGDescribe("Container Lifecycle Hook", func() { f := framework.NewDefaultFramework("container-lifecycle-hook") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline var podClient *framework.PodClient const ( podCheckInterval = 1 * time.Second diff --git a/test/e2e/common/node/pod_admission.go b/test/e2e/common/node/pod_admission.go index 6903be174ff..5e389a51082 100644 --- a/test/e2e/common/node/pod_admission.go +++ b/test/e2e/common/node/pod_admission.go @@ -28,10 +28,12 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = SIGDescribe("PodOSRejection [NodeConformance]", func() { f := framework.NewDefaultFramework("pod-os-rejection") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.Context("Kubelet", func() { ginkgo.It("should reject pod when the node OS doesn't match pod's OS", func() { linuxNode, err := findLinuxNode(f) diff --git a/test/e2e/common/node/pods.go b/test/e2e/common/node/pods.go index 07d78364987..785eb4cc0e8 100644 --- a/test/e2e/common/node/pods.go +++ b/test/e2e/common/node/pods.go @@ -52,6 +52,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2ewebsocket "k8s.io/kubernetes/test/e2e/framework/websocket" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -183,6 +184,7 @@ func expectNoErrorWithRetries(fn func() error, maxRetries int, explain ...interf var _ = SIGDescribe("Pods", func() { f := framework.NewDefaultFramework("pods") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline var podClient *framework.PodClient var dc dynamic.Interface diff --git a/test/e2e/common/node/privileged.go b/test/e2e/common/node/privileged.go index 6f63b202261..d9b8c8ee8f1 100644 --- a/test/e2e/common/node/privileged.go +++ b/test/e2e/common/node/privileged.go @@ -24,6 +24,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) // PrivilegedPodTestConfig is configuration struct for privileged pod test @@ -39,8 +40,10 @@ type PrivilegedPodTestConfig struct { } var _ = SIGDescribe("PrivilegedPod [NodeConformance]", func() { + f := framework.NewDefaultFramework("e2e-privileged-pod") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged config := &PrivilegedPodTestConfig{ - f: framework.NewDefaultFramework("e2e-privileged-pod"), + f: f, privilegedPod: "privileged-pod", privilegedContainer: "privileged-container", notPrivilegedContainer: "not-privileged-container", diff --git a/test/e2e/common/node/runtime.go b/test/e2e/common/node/runtime.go index ebc72498a4c..45b43206deb 100644 --- a/test/e2e/common/node/runtime.go +++ b/test/e2e/common/node/runtime.go @@ -29,6 +29,7 @@ import ( "k8s.io/kubernetes/pkg/kubelet/images" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -37,6 +38,7 @@ import ( var _ = SIGDescribe("Container Runtime", func() { f := framework.NewDefaultFramework("container-runtime") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.Describe("blackbox test", func() { ginkgo.Context("when starting a container that exits", func() { diff --git a/test/e2e/common/node/runtimeclass.go b/test/e2e/common/node/runtimeclass.go index 2c08475b68e..58f01f89133 100644 --- a/test/e2e/common/node/runtimeclass.go +++ b/test/e2e/common/node/runtimeclass.go @@ -38,12 +38,14 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("RuntimeClass", func() { f := framework.NewDefaultFramework("runtimeclass") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline /* Release: v1.20 diff --git a/test/e2e/common/node/secrets.go b/test/e2e/common/node/secrets.go index bcf60799b51..87f403b0188 100644 --- a/test/e2e/common/node/secrets.go +++ b/test/e2e/common/node/secrets.go @@ -30,10 +30,12 @@ import ( "k8s.io/apimachinery/pkg/util/uuid" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = SIGDescribe("Secrets", func() { f := framework.NewDefaultFramework("secrets") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline /* Release: v1.9 diff --git a/test/e2e/common/node/security_context.go b/test/e2e/common/node/security_context.go index a87378fcfa9..1f525517951 100644 --- a/test/e2e/common/node/security_context.go +++ b/test/e2e/common/node/security_context.go @@ -29,6 +29,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "k8s.io/utils/pointer" "github.com/onsi/ginkgo" @@ -42,6 +43,7 @@ var ( var _ = SIGDescribe("Security Context", func() { f := framework.NewDefaultFramework("security-context-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var podClient *framework.PodClient ginkgo.BeforeEach(func() { podClient = f.PodClient() diff --git a/test/e2e/common/node/sysctl.go b/test/e2e/common/node/sysctl.go index dc86a38a1cd..97cd2e27a19 100644 --- a/test/e2e/common/node/sysctl.go +++ b/test/e2e/common/node/sysctl.go @@ -26,6 +26,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -39,6 +40,7 @@ var _ = SIGDescribe("Sysctls [LinuxOnly] [NodeConformance]", func() { }) f := framework.NewDefaultFramework("sysctl") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var podClient *framework.PodClient testPod := func() *v1.Pod { diff --git a/test/e2e/common/storage/configmap_volume.go b/test/e2e/common/storage/configmap_volume.go index 2b9ea8de204..e856096983b 100644 --- a/test/e2e/common/storage/configmap_volume.go +++ b/test/e2e/common/storage/configmap_volume.go @@ -31,10 +31,12 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = SIGDescribe("ConfigMap", func() { f := framework.NewDefaultFramework("configmap") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline /* Release: v1.9 diff --git a/test/e2e/common/storage/downwardapi_volume.go b/test/e2e/common/storage/downwardapi_volume.go index bb442fcf613..82cbb5e6716 100644 --- a/test/e2e/common/storage/downwardapi_volume.go +++ b/test/e2e/common/storage/downwardapi_volume.go @@ -28,6 +28,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -37,6 +38,7 @@ var _ = SIGDescribe("Downward API volume", func() { // How long to wait for a log pod to be displayed const podLogTimeout = 3 * time.Minute f := framework.NewDefaultFramework("downward-api") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline var podClient *framework.PodClient ginkgo.BeforeEach(func() { podClient = f.PodClient() diff --git a/test/e2e/common/storage/empty_dir.go b/test/e2e/common/storage/empty_dir.go index 06f7b1b3a17..e0cdcea2406 100644 --- a/test/e2e/common/storage/empty_dir.go +++ b/test/e2e/common/storage/empty_dir.go @@ -31,6 +31,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -43,6 +44,7 @@ var ( var _ = SIGDescribe("EmptyDir volumes", func() { f := framework.NewDefaultFramework("emptydir") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.Context("when FSGroup is specified [LinuxOnly] [NodeFeature:FSGroup]", func() { diff --git a/test/e2e/common/storage/host_path.go b/test/e2e/common/storage/host_path.go index 11e2f194e3e..f56ff5f0485 100644 --- a/test/e2e/common/storage/host_path.go +++ b/test/e2e/common/storage/host_path.go @@ -25,6 +25,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -33,6 +34,7 @@ import ( //This will require some smart. var _ = SIGDescribe("HostPath", func() { f := framework.NewDefaultFramework("hostpath") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { // TODO permission denied cleanup failures diff --git a/test/e2e/common/storage/projected_combined.go b/test/e2e/common/storage/projected_combined.go index 6d4969382fe..4f88b683009 100644 --- a/test/e2e/common/storage/projected_combined.go +++ b/test/e2e/common/storage/projected_combined.go @@ -25,12 +25,14 @@ import ( "k8s.io/apimachinery/pkg/util/uuid" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("Projected combined", func() { f := framework.NewDefaultFramework("projected") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline // Test multiple projections /* diff --git a/test/e2e/common/storage/projected_configmap.go b/test/e2e/common/storage/projected_configmap.go index 37f51279da7..4c006f84425 100644 --- a/test/e2e/common/storage/projected_configmap.go +++ b/test/e2e/common/storage/projected_configmap.go @@ -28,6 +28,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -35,6 +36,7 @@ import ( var _ = SIGDescribe("Projected configMap", func() { f := framework.NewDefaultFramework("projected") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline /* Release: v1.9 diff --git a/test/e2e/common/storage/projected_downwardapi.go b/test/e2e/common/storage/projected_downwardapi.go index 3e89d990277..3f3c2afd1c1 100644 --- a/test/e2e/common/storage/projected_downwardapi.go +++ b/test/e2e/common/storage/projected_downwardapi.go @@ -27,6 +27,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -34,6 +35,7 @@ import ( var _ = SIGDescribe("Projected downwardAPI", func() { f := framework.NewDefaultFramework("projected") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline // How long to wait for a log pod to be displayed const podLogTimeout = 2 * time.Minute diff --git a/test/e2e/common/storage/projected_secret.go b/test/e2e/common/storage/projected_secret.go index af23f516b7e..43557b6fd1d 100644 --- a/test/e2e/common/storage/projected_secret.go +++ b/test/e2e/common/storage/projected_secret.go @@ -27,6 +27,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -34,6 +35,7 @@ import ( var _ = SIGDescribe("Projected secret", func() { f := framework.NewDefaultFramework("projected") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline /* Release: v1.9 diff --git a/test/e2e/common/storage/secrets_volume.go b/test/e2e/common/storage/secrets_volume.go index 0eb64350110..cb1444c95d5 100644 --- a/test/e2e/common/storage/secrets_volume.go +++ b/test/e2e/common/storage/secrets_volume.go @@ -28,6 +28,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -35,6 +36,7 @@ import ( var _ = SIGDescribe("Secrets", func() { f := framework.NewDefaultFramework("secrets") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline /* Release: v1.9 diff --git a/test/e2e/common/storage/volumes.go b/test/e2e/common/storage/volumes.go index 8b06118d73f..9b151fcfb9b 100644 --- a/test/e2e/common/storage/volumes.go +++ b/test/e2e/common/storage/volumes.go @@ -52,6 +52,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -59,6 +60,7 @@ import ( // TODO(#99468): Check if these tests are still needed. var _ = SIGDescribe("Volumes", func() { f := framework.NewDefaultFramework("volume") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // note that namespace deletion is handled by delete-namespace flag // filled in BeforeEach diff --git a/test/e2e/framework/pod/utils.go b/test/e2e/framework/pod/utils.go index fb034e4b316..af1a5903487 100644 --- a/test/e2e/framework/pod/utils.go +++ b/test/e2e/framework/pod/utils.go @@ -21,6 +21,7 @@ import ( v1 "k8s.io/api/core/v1" imageutils "k8s.io/kubernetes/test/utils/image" + "k8s.io/utils/pointer" ) // NodeOSDistroIs returns true if the distro is the same as `--node-os-distro` @@ -113,3 +114,19 @@ func GetLinuxLabel() *v1.SELinuxOptions { return &v1.SELinuxOptions{ Level: "s0:c0,c1"} } + +// GetRestrictedPodSecurityContext returns a minimal restricted pod security context. +func GetRestrictedPodSecurityContext() *v1.PodSecurityContext { + return &v1.PodSecurityContext{ + RunAsNonRoot: pointer.BoolPtr(true), + SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}, + } +} + +// GetRestrictedContainerSecurityContext returns a minimal restricted container security context. +func GetRestrictedContainerSecurityContext() *v1.SecurityContext { + return &v1.SecurityContext{ + AllowPrivilegeEscalation: pointer.BoolPtr(false), + Capabilities: &v1.Capabilities{Drop: []v1.Capability{"ALL"}}, + } +} diff --git a/test/e2e/kubectl/kubectl.go b/test/e2e/kubectl/kubectl.go index 6fcc8fde06f..c0f238c4272 100644 --- a/test/e2e/kubectl/kubectl.go +++ b/test/e2e/kubectl/kubectl.go @@ -74,6 +74,7 @@ import ( testutils "k8s.io/kubernetes/test/utils" "k8s.io/kubernetes/test/utils/crd" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" uexec "k8s.io/utils/exec" "k8s.io/utils/pointer" @@ -225,6 +226,7 @@ func runKubectlRetryOrDie(ns string, args ...string) string { var _ = SIGDescribe("Kubectl client", func() { defer ginkgo.GinkgoRecover() f := framework.NewDefaultFramework("kubectl") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline // Reusable cluster state function. This won't be adversely affected by lazy initialization of framework. clusterState := func() *framework.ClusterVerification { diff --git a/test/e2e/kubectl/portforward.go b/test/e2e/kubectl/portforward.go index c2b1c56e835..f085f617ec7 100644 --- a/test/e2e/kubectl/portforward.go +++ b/test/e2e/kubectl/portforward.go @@ -42,6 +42,7 @@ import ( e2ewebsocket "k8s.io/kubernetes/test/e2e/framework/websocket" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -448,6 +449,7 @@ func doTestOverWebSockets(bindAddress string, f *framework.Framework) { var _ = SIGDescribe("Kubectl Port forwarding", func() { f := framework.NewDefaultFramework("port-forwarding") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.Describe("With a server listening on 0.0.0.0", func() { ginkgo.Describe("that expects a client request", func() { diff --git a/test/e2e/network/conntrack.go b/test/e2e/network/conntrack.go index ee45c50a5e6..2abaffcc23a 100644 --- a/test/e2e/network/conntrack.go +++ b/test/e2e/network/conntrack.go @@ -35,6 +35,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/network/common" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -67,6 +68,7 @@ const ( var _ = common.SIGDescribe("Conntrack", func() { fr := framework.NewDefaultFramework("conntrack") + fr.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged type nodeInfo struct { name string diff --git a/test/e2e/network/dns.go b/test/e2e/network/dns.go index 1dc3bb75950..c66c5e9cb34 100644 --- a/test/e2e/network/dns.go +++ b/test/e2e/network/dns.go @@ -30,6 +30,7 @@ import ( e2eservice "k8s.io/kubernetes/test/e2e/framework/service" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/network/common" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -39,6 +40,7 @@ const dnsTestServiceName = "dns-test-service" var _ = common.SIGDescribe("DNS", func() { f := framework.NewDefaultFramework("dns") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline /* Release: v1.9 diff --git a/test/e2e/network/endpointslice.go b/test/e2e/network/endpointslice.go index 7ccae3a5467..07a71e457f0 100644 --- a/test/e2e/network/endpointslice.go +++ b/test/e2e/network/endpointslice.go @@ -36,12 +36,14 @@ import ( "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/network/common" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = common.SIGDescribe("EndpointSlice", func() { f := framework.NewDefaultFramework("endpointslice") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline var cs clientset.Interface var podClient *framework.PodClient diff --git a/test/e2e/network/funny_ips.go b/test/e2e/network/funny_ips.go index 4b4d35a694b..05c440447cd 100644 --- a/test/e2e/network/funny_ips.go +++ b/test/e2e/network/funny_ips.go @@ -36,6 +36,7 @@ import ( "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/wait" clientset "k8s.io/client-go/kubernetes" + admissionapi "k8s.io/pod-security-admission/api" netutils "k8s.io/utils/net" ) @@ -72,6 +73,7 @@ var _ = common.SIGDescribe("CVE-2021-29923", func() { ) f := framework.NewDefaultFramework("funny-ips") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.BeforeEach(func() { if framework.TestContext.ClusterIsIPv6() { diff --git a/test/e2e/network/hostport.go b/test/e2e/network/hostport.go index 11fd3f7a672..dec0d359949 100644 --- a/test/e2e/network/hostport.go +++ b/test/e2e/network/hostport.go @@ -33,11 +33,13 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" "k8s.io/kubernetes/test/e2e/network/common" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = common.SIGDescribe("HostPort", func() { f := framework.NewDefaultFramework("hostport") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( cs clientset.Interface diff --git a/test/e2e/network/ingress.go b/test/e2e/network/ingress.go index 2773988850d..57999b847b0 100644 --- a/test/e2e/network/ingress.go +++ b/test/e2e/network/ingress.go @@ -42,6 +42,7 @@ import ( e2eservice "k8s.io/kubernetes/test/e2e/framework/service" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/network/common" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -58,6 +59,7 @@ var _ = common.SIGDescribe("Loadbalancing: L7", func() { conformanceTests []e2eingress.ConformanceTests ) f := framework.NewDefaultFramework("ingress") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.BeforeEach(func() { jig = e2eingress.NewIngressTestJig(f.ClientSet) diff --git a/test/e2e/network/kube_proxy.go b/test/e2e/network/kube_proxy.go index 82357de0732..3364cff0033 100644 --- a/test/e2e/network/kube_proxy.go +++ b/test/e2e/network/kube_proxy.go @@ -34,6 +34,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/network/common" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" netutils "k8s.io/utils/net" "github.com/onsi/ginkgo" @@ -48,6 +49,7 @@ var _ = common.SIGDescribe("KubeProxy", func() { ) fr := framework.NewDefaultFramework("kube-proxy") + fr.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should set TCP CLOSE_WAIT timeout [Privileged]", func() { nodes, err := e2enode.GetBoundedReadySchedulableNodes(fr.ClientSet, 2) diff --git a/test/e2e/network/loadbalancer.go b/test/e2e/network/loadbalancer.go index 58d3241ce1a..10bfa1140b0 100644 --- a/test/e2e/network/loadbalancer.go +++ b/test/e2e/network/loadbalancer.go @@ -44,6 +44,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/network/common" gcecloud "k8s.io/legacy-cloud-providers/gce" + admissionapi "k8s.io/pod-security-admission/api" utilpointer "k8s.io/utils/pointer" "github.com/onsi/ginkgo" @@ -52,6 +53,7 @@ import ( var _ = common.SIGDescribe("LoadBalancers", func() { f := framework.NewDefaultFramework("loadbalancers") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface serviceLBNames := []string{} @@ -980,6 +982,7 @@ var _ = common.SIGDescribe("LoadBalancers", func() { var _ = common.SIGDescribe("LoadBalancers ESIPP [Slow]", func() { f := framework.NewDefaultFramework("esipp") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline var loadBalancerCreateTimeout time.Duration var cs clientset.Interface diff --git a/test/e2e/network/netpol/kubemanager.go b/test/e2e/network/netpol/kubemanager.go index 1ee0c9dba4a..bd4b523f241 100644 --- a/test/e2e/network/netpol/kubemanager.go +++ b/test/e2e/network/netpol/kubemanager.go @@ -31,6 +31,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" clientset "k8s.io/client-go/kubernetes" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" ) // probeConnectivityArgs is set of arguments for a probeConnectivity @@ -175,6 +176,7 @@ func (k *kubeManager) executeRemoteCommand(namespace string, pod string, contain // createNamespace is a convenience function for namespace setup. func (k *kubeManager) createNamespace(ns *v1.Namespace) (*v1.Namespace, error) { + enforcePodSecurityBaseline(ns) createdNamespace, err := k.clientSet.CoreV1().Namespaces().Create(context.TODO(), ns, metav1.CreateOptions{}) if err != nil { return nil, fmt.Errorf("unable to update namespace %s: %w", ns.Name, err) @@ -263,6 +265,7 @@ func (k *kubeManager) setNamespaceLabels(ns string, labels map[string]string) er return err } selectedNameSpace.ObjectMeta.Labels = labels + enforcePodSecurityBaseline(selectedNameSpace) _, err = k.clientSet.CoreV1().Namespaces().Update(context.TODO(), selectedNameSpace, metav1.UpdateOptions{}) if err != nil { return fmt.Errorf("unable to update namespace %s: %w", ns, err) @@ -280,3 +283,11 @@ func (k *kubeManager) deleteNamespaces(namespaces []string) error { } return nil } + +func enforcePodSecurityBaseline(ns *v1.Namespace) { + if len(ns.ObjectMeta.Labels) == 0 { + ns.ObjectMeta.Labels = make(map[string]string) + } + // TODO(https://github.com/kubernetes/kubernetes/issues/108298): route namespace creation via framework.Framework.CreateNamespace + ns.ObjectMeta.Labels[admissionapi.EnforceLevelLabel] = string(admissionapi.LevelBaseline) +} diff --git a/test/e2e/network/netpol/model.go b/test/e2e/network/netpol/model.go index dbcc008dfcf..4474cb109cd 100644 --- a/test/e2e/network/netpol/model.go +++ b/test/e2e/network/netpol/model.go @@ -167,7 +167,9 @@ func (ns *Namespace) Spec() *v1.Namespace { // LabelSelector returns the default labels that should be placed on a namespace // in order for it to be uniquely selectable by label selectors func (ns *Namespace) LabelSelector() map[string]string { - return map[string]string{"ns": ns.Name} + return map[string]string{ + "ns": ns.Name, + } } // Pod is the abstract representation of what matters to network policy tests for diff --git a/test/e2e/network/netpol/network_legacy.go b/test/e2e/network/netpol/network_legacy.go index 2719bd5dcb3..6db4d97cdbd 100644 --- a/test/e2e/network/netpol/network_legacy.go +++ b/test/e2e/network/netpol/network_legacy.go @@ -43,6 +43,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/network/common" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" netutils "k8s.io/utils/net" ) @@ -65,6 +66,7 @@ var _ = common.SIGDescribe("NetworkPolicyLegacy [LinuxOnly]", func() { var podServer *v1.Pod var podServerLabelSelector string f := framework.NewDefaultFramework("network-policy") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { // Windows does not support network policies. diff --git a/test/e2e/network/networking.go b/test/e2e/network/networking.go index 2d1f960c1bb..61fba907198 100644 --- a/test/e2e/network/networking.go +++ b/test/e2e/network/networking.go @@ -33,6 +33,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" e2essh "k8s.io/kubernetes/test/e2e/framework/ssh" "k8s.io/kubernetes/test/e2e/network/common" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -79,6 +80,7 @@ func checkConnectivityToHost(f *framework.Framework, nodeName, podName, host str var _ = common.SIGDescribe("Networking", func() { var svcname = "nettest" f := framework.NewDefaultFramework(svcname) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should provide Internet connection for containers [Feature:Networking-IPv4]", func() { ginkgo.By("Running container which tries to connect to 8.8.8.8") diff --git a/test/e2e/network/networking_perf.go b/test/e2e/network/networking_perf.go index 136888bd83b..7db62b152e7 100644 --- a/test/e2e/network/networking_perf.go +++ b/test/e2e/network/networking_perf.go @@ -35,6 +35,7 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" "k8s.io/kubernetes/test/e2e/network/common" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -137,6 +138,7 @@ func iperf2ClientDaemonSet(client clientset.Interface, namespace string) (*appsv var _ = common.SIGDescribe("Networking IPerf2 [Feature:Networking-Performance]", func() { // this test runs iperf2: one pod as a server, and a daemonset of clients f := framework.NewDefaultFramework("network-perf") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.It(fmt.Sprintf("should run iperf2"), func() { readySchedulableNodes, err := e2enode.GetReadySchedulableNodes(f.ClientSet) diff --git a/test/e2e/network/proxy.go b/test/e2e/network/proxy.go index 54080060851..bf77a941eb8 100644 --- a/test/e2e/network/proxy.go +++ b/test/e2e/network/proxy.go @@ -44,6 +44,7 @@ import ( "k8s.io/kubernetes/test/e2e/network/common" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -75,6 +76,7 @@ var _ = common.SIGDescribe("Proxy", func() { ClientQPS: -1.0, } f := framework.NewFramework("proxy", options, nil) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline prefix := "/api/" + version /* diff --git a/test/e2e/network/scale/localrun/ingress_scale.go b/test/e2e/network/scale/localrun/ingress_scale.go index 2e2c39884da..bea981c8888 100644 --- a/test/e2e/network/scale/localrun/ingress_scale.go +++ b/test/e2e/network/scale/localrun/ingress_scale.go @@ -37,6 +37,7 @@ import ( e2eingress "k8s.io/kubernetes/test/e2e/framework/ingress" "k8s.io/kubernetes/test/e2e/framework/providers/gce" "k8s.io/kubernetes/test/e2e/network/scale" + admissionapi "k8s.io/pod-security-admission/api" ) var ( @@ -133,6 +134,10 @@ func main() { ns := &v1.Namespace{ ObjectMeta: metav1.ObjectMeta{ Name: testNamespace, + Labels: map[string]string{ + // TODO(https://github.com/kubernetes/kubernetes/issues/108298): route namespace creation via framework.Framework.CreateNamespace in 1.24 + admissionapi.EnforceLevelLabel: string(admissionapi.LevelPrivileged), + }, }, } klog.Infof("Creating namespace %s...", ns.Name) diff --git a/test/e2e/network/service.go b/test/e2e/network/service.go index 01874097685..ab6e712bbd5 100644 --- a/test/e2e/network/service.go +++ b/test/e2e/network/service.go @@ -43,6 +43,7 @@ import ( "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/wait" watch "k8s.io/apimachinery/pkg/watch" + admissionapi "k8s.io/pod-security-admission/api" clientset "k8s.io/client-go/kubernetes" "k8s.io/client-go/tools/cache" @@ -746,6 +747,7 @@ func getEndpointNodesWithInternalIP(jig *e2eservice.TestJig) (map[string]string, var _ = common.SIGDescribe("Services", func() { f := framework.NewDefaultFramework("services") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface serviceLBNames := []string{} @@ -3255,6 +3257,7 @@ func restartComponent(cs clientset.Interface, cName, ns string, matchLabels map[ var _ = common.SIGDescribe("SCTP [LinuxOnly]", func() { f := framework.NewDefaultFramework("sctp") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface diff --git a/test/e2e/network/service_latency.go b/test/e2e/network/service_latency.go index f08394e10e4..9fd68f5edc7 100644 --- a/test/e2e/network/service_latency.go +++ b/test/e2e/network/service_latency.go @@ -36,6 +36,7 @@ import ( "k8s.io/kubernetes/test/e2e/network/common" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -48,6 +49,7 @@ func (d durations) Swap(i, j int) { d[i], d[j] = d[j], d[i] } var _ = common.SIGDescribe("Service endpoints latency", func() { f := framework.NewDefaultFramework("svc-latency") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline /* Release: v1.9 diff --git a/test/e2e/node/apparmor.go b/test/e2e/node/apparmor.go index 6239050fa6d..0d01879e71f 100644 --- a/test/e2e/node/apparmor.go +++ b/test/e2e/node/apparmor.go @@ -21,12 +21,14 @@ import ( e2ekubectl "k8s.io/kubernetes/test/e2e/framework/kubectl" e2esecurity "k8s.io/kubernetes/test/e2e/framework/security" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("AppArmor", func() { f := framework.NewDefaultFramework("apparmor") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("load AppArmor profiles", func() { ginkgo.BeforeEach(func() { diff --git a/test/e2e/node/crictl.go b/test/e2e/node/crictl.go index a841032e824..059420c6b7d 100644 --- a/test/e2e/node/crictl.go +++ b/test/e2e/node/crictl.go @@ -23,12 +23,14 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("crictl", func() { f := framework.NewDefaultFramework("crictl") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { // `crictl` is not available on all cloud providers. diff --git a/test/e2e/node/events.go b/test/e2e/node/events.go index 86aa54d064b..aa1b2f39e2a 100644 --- a/test/e2e/node/events.go +++ b/test/e2e/node/events.go @@ -29,12 +29,14 @@ import ( "k8s.io/apimachinery/pkg/util/wait" "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("Events", func() { f := framework.NewDefaultFramework("events") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.It("should be sent by kubelets and the scheduler about pods scheduling and running ", func() { diff --git a/test/e2e/node/examples.go b/test/e2e/node/examples.go index ae948a399a2..1c2fcd6ecc2 100644 --- a/test/e2e/node/examples.go +++ b/test/e2e/node/examples.go @@ -34,6 +34,7 @@ import ( e2eauth "k8s.io/kubernetes/test/e2e/framework/auth" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2etestfiles "k8s.io/kubernetes/test/e2e/framework/testfiles" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -44,6 +45,7 @@ const ( var _ = SIGDescribe("[Feature:Example]", func() { f := framework.NewDefaultFramework("examples") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline var c clientset.Interface var ns string diff --git a/test/e2e/node/kubelet.go b/test/e2e/node/kubelet.go index 999bbfe6412..0dd1959adc2 100644 --- a/test/e2e/node/kubelet.go +++ b/test/e2e/node/kubelet.go @@ -39,6 +39,7 @@ import ( e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -270,6 +271,7 @@ var _ = SIGDescribe("kubelet", func() { ns string ) f := framework.NewDefaultFramework("kubelet") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.BeforeEach(func() { c = f.ClientSet diff --git a/test/e2e/node/mount_propagation.go b/test/e2e/node/mount_propagation.go index b1fa8fc4e37..a4b2e127164 100644 --- a/test/e2e/node/mount_propagation.go +++ b/test/e2e/node/mount_propagation.go @@ -27,6 +27,7 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -79,6 +80,7 @@ func preparePod(name string, node *v1.Node, propagation *v1.MountPropagationMode var _ = SIGDescribe("Mount propagation", func() { f := framework.NewDefaultFramework("mount-propagation") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should propagate mounts within defined scopes", func() { // This test runs two pods: master and slave with respective mount diff --git a/test/e2e/node/pods.go b/test/e2e/node/pods.go index 79a4c488647..9fdfa935eb3 100644 --- a/test/e2e/node/pods.go +++ b/test/e2e/node/pods.go @@ -43,6 +43,7 @@ import ( e2ekubelet "k8s.io/kubernetes/test/e2e/framework/kubelet" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/prometheus/client_golang/prometheus" @@ -51,6 +52,7 @@ import ( var _ = SIGDescribe("Pods Extended", func() { f := framework.NewDefaultFramework("pods") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.Describe("Delete Grace Period", func() { var podClient *framework.PodClient diff --git a/test/e2e/node/pre_stop.go b/test/e2e/node/pre_stop.go index 14960d92869..518e2a99e6f 100644 --- a/test/e2e/node/pre_stop.go +++ b/test/e2e/node/pre_stop.go @@ -33,6 +33,7 @@ import ( e2ekubelet "k8s.io/kubernetes/test/e2e/framework/kubelet" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -153,6 +154,7 @@ func testPreStop(c clientset.Interface, ns string) { var _ = SIGDescribe("PreStop", func() { f := framework.NewDefaultFramework("prestop") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline var podClient *framework.PodClient ginkgo.BeforeEach(func() { podClient = f.PodClient() diff --git a/test/e2e/node/runtimeclass.go b/test/e2e/node/runtimeclass.go index de77766814f..da7023eb01b 100644 --- a/test/e2e/node/runtimeclass.go +++ b/test/e2e/node/runtimeclass.go @@ -19,6 +19,7 @@ package node import ( "context" "fmt" + "k8s.io/pod-security-admission/api" v1 "k8s.io/api/core/v1" nodev1 "k8s.io/api/node/v1" @@ -38,6 +39,7 @@ import ( var _ = SIGDescribe("RuntimeClass", func() { f := framework.NewDefaultFramework("runtimeclass") + f.NamespacePodSecurityEnforceLevel = api.LevelBaseline ginkgo.It("should reject a Pod requesting a RuntimeClass with conflicting node selector", func() { labelFooName := "foo-" + string(uuid.NewUUID()) diff --git a/test/e2e/node/security_context.go b/test/e2e/node/security_context.go index e5bd636049e..49dd3e5b616 100644 --- a/test/e2e/node/security_context.go +++ b/test/e2e/node/security_context.go @@ -33,6 +33,7 @@ import ( e2ekubectl "k8s.io/kubernetes/test/e2e/framework/kubectl" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -65,6 +66,7 @@ func scTestPod(hostIPC bool, hostPID bool) *v1.Pod { var _ = SIGDescribe("Security Context", func() { f := framework.NewDefaultFramework("security-context") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should support pod.Spec.SecurityContext.SupplementalGroups [LinuxOnly]", func() { pod := scTestPod(false, false) diff --git a/test/e2e/node/taints.go b/test/e2e/node/taints.go index dd06d36b07e..db605349183 100644 --- a/test/e2e/node/taints.go +++ b/test/e2e/node/taints.go @@ -32,6 +32,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" // ensure libs have a chance to initialize @@ -160,6 +161,7 @@ var _ = SIGDescribe("NoExecuteTaintManager Single Pod [Serial]", func() { var cs clientset.Interface var ns string f := framework.NewDefaultFramework("taint-single-pod") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.BeforeEach(func() { cs = f.ClientSet @@ -341,6 +343,7 @@ var _ = SIGDescribe("NoExecuteTaintManager Multiple Pods [Serial]", func() { var cs clientset.Interface var ns string f := framework.NewDefaultFramework("taint-multiple-pods") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.BeforeEach(func() { cs = f.ClientSet diff --git a/test/e2e/scheduling/limit_range.go b/test/e2e/scheduling/limit_range.go index 667f0c4417b..7bcb20db76b 100644 --- a/test/e2e/scheduling/limit_range.go +++ b/test/e2e/scheduling/limit_range.go @@ -36,6 +36,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eservice "k8s.io/kubernetes/test/e2e/framework/service" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -46,6 +47,7 @@ const ( var _ = SIGDescribe("LimitRange", func() { f := framework.NewDefaultFramework("limitrange") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline /* Release: v1.18 diff --git a/test/e2e/scheduling/predicates.go b/test/e2e/scheduling/predicates.go index dc68b03ef11..bb1ec02290e 100644 --- a/test/e2e/scheduling/predicates.go +++ b/test/e2e/scheduling/predicates.go @@ -38,6 +38,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" @@ -77,6 +78,7 @@ var _ = SIGDescribe("SchedulerPredicates [Serial]", func() { var RCName string var ns string f := framework.NewDefaultFramework("sched-pred") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.AfterEach(func() { rc, err := cs.CoreV1().ReplicationControllers(ns).Get(context.TODO(), RCName, metav1.GetOptions{}) diff --git a/test/e2e/scheduling/preemption.go b/test/e2e/scheduling/preemption.go index d119570a823..06a14036277 100644 --- a/test/e2e/scheduling/preemption.go +++ b/test/e2e/scheduling/preemption.go @@ -44,6 +44,7 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2ereplicaset "k8s.io/kubernetes/test/e2e/framework/replicaset" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -64,6 +65,7 @@ var _ = SIGDescribe("SchedulerPreemption [Serial]", func() { var nodeList *v1.NodeList var ns string f := framework.NewDefaultFramework("sched-preemption") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline lowPriority, mediumPriority, highPriority := int32(1), int32(100), int32(1000) lowPriorityClassName := f.BaseName + "-low-priority" @@ -461,6 +463,7 @@ var _ = SIGDescribe("SchedulerPreemption [Serial]", func() { var node *v1.Node var ns, nodeHostNameLabel string f := framework.NewDefaultFramework("sched-preemption-path") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline priorityPairs := make([]priorityPair, 0) diff --git a/test/e2e/scheduling/priorities.go b/test/e2e/scheduling/priorities.go index 6e9c12474a5..db4570ad4f2 100644 --- a/test/e2e/scheduling/priorities.go +++ b/test/e2e/scheduling/priorities.go @@ -43,6 +43,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" testutils "k8s.io/kubernetes/test/utils" + admissionapi "k8s.io/pod-security-admission/api" ) // Resource is a collection of compute resource. @@ -90,6 +91,7 @@ var _ = SIGDescribe("SchedulerPriorities [Serial]", func() { var systemPodsNo int var ns string f := framework.NewDefaultFramework("sched-priority") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.AfterEach(func() { }) diff --git a/test/e2e/scheduling/ubernetes_lite.go b/test/e2e/scheduling/ubernetes_lite.go index ed77b803fa6..29e0138cb6e 100644 --- a/test/e2e/scheduling/ubernetes_lite.go +++ b/test/e2e/scheduling/ubernetes_lite.go @@ -37,10 +37,12 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = SIGDescribe("Multi-AZ Clusters", func() { f := framework.NewDefaultFramework("multi-az") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline var zoneCount int var err error var cleanUp func() diff --git a/test/e2e/storage/csi_mock_volume.go b/test/e2e/storage/csi_mock_volume.go index 8233bddf6bc..6e42847e0d2 100644 --- a/test/e2e/storage/csi_mock_volume.go +++ b/test/e2e/storage/csi_mock_volume.go @@ -56,6 +56,7 @@ import ( "k8s.io/kubernetes/test/e2e/storage/testsuites" "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" utilptr "k8s.io/utils/pointer" "github.com/onsi/ginkgo" @@ -129,6 +130,7 @@ var _ = utils.SIGDescribe("CSI mock volume", func() { var m mockDriverSetup f := framework.NewDefaultFramework("csi-mock-volumes") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged init := func(tp testParameters) { m = mockDriverSetup{ diff --git a/test/e2e/storage/empty_dir_wrapper.go b/test/e2e/storage/empty_dir_wrapper.go index ed79810cc3d..a5db26756b3 100644 --- a/test/e2e/storage/empty_dir_wrapper.go +++ b/test/e2e/storage/empty_dir_wrapper.go @@ -31,6 +31,7 @@ import ( e2erc "k8s.io/kubernetes/test/e2e/framework/rc" "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -56,6 +57,7 @@ const ( var _ = utils.SIGDescribe("EmptyDir wrapper volumes", func() { f := framework.NewDefaultFramework("emptydir-wrapper") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline /* Release: v1.13 diff --git a/test/e2e/storage/ephemeral_volume.go b/test/e2e/storage/ephemeral_volume.go index c72b826c452..0b7251f3eba 100644 --- a/test/e2e/storage/ephemeral_volume.go +++ b/test/e2e/storage/ephemeral_volume.go @@ -30,6 +30,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -45,6 +46,7 @@ var _ = utils.SIGDescribe("Ephemeralstorage", func() { ) f := framework.NewDefaultFramework("pv") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.BeforeEach(func() { c = f.ClientSet diff --git a/test/e2e/storage/flexvolume.go b/test/e2e/storage/flexvolume.go index 45e0181327b..10972707f38 100644 --- a/test/e2e/storage/flexvolume.go +++ b/test/e2e/storage/flexvolume.go @@ -35,6 +35,7 @@ import ( e2etestfiles "k8s.io/kubernetes/test/e2e/framework/testfiles" e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -157,6 +158,7 @@ func getHostFromHostPort(hostPort string) string { var _ = utils.SIGDescribe("Flexvolumes", func() { f := framework.NewDefaultFramework("flexvolume") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline // note that namespace deletion is handled by delete-namespace flag diff --git a/test/e2e/storage/host_path_type.go b/test/e2e/storage/host_path_type.go index 140ee432480..390bb951a88 100644 --- a/test/e2e/storage/host_path_type.go +++ b/test/e2e/storage/host_path_type.go @@ -31,12 +31,14 @@ import ( e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = utils.SIGDescribe("HostPathType Directory [Slow]", func() { f := framework.NewDefaultFramework("host-path-type-directory") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( ns string @@ -103,6 +105,7 @@ var _ = utils.SIGDescribe("HostPathType Directory [Slow]", func() { var _ = utils.SIGDescribe("HostPathType File [Slow]", func() { f := framework.NewDefaultFramework("host-path-type-file") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( ns string @@ -171,6 +174,7 @@ var _ = utils.SIGDescribe("HostPathType File [Slow]", func() { var _ = utils.SIGDescribe("HostPathType Socket [Slow]", func() { f := framework.NewDefaultFramework("host-path-type-socket") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( ns string @@ -236,6 +240,7 @@ var _ = utils.SIGDescribe("HostPathType Socket [Slow]", func() { var _ = utils.SIGDescribe("HostPathType Character Device [Slow]", func() { f := framework.NewDefaultFramework("host-path-type-char-dev") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( ns string @@ -305,6 +310,7 @@ var _ = utils.SIGDescribe("HostPathType Character Device [Slow]", func() { var _ = utils.SIGDescribe("HostPathType Block Device [Slow]", func() { f := framework.NewDefaultFramework("host-path-type-block-dev") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( ns string diff --git a/test/e2e/storage/local_volume_resize.go b/test/e2e/storage/local_volume_resize.go index 8ac3e81cae6..c159ac2ec53 100644 --- a/test/e2e/storage/local_volume_resize.go +++ b/test/e2e/storage/local_volume_resize.go @@ -36,10 +36,12 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" "k8s.io/kubernetes/test/e2e/storage/testsuites" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = utils.SIGDescribe("PersistentVolumes-expansion ", func() { f := framework.NewDefaultFramework("persistent-local-volumes-expansion") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("loopback local block volume", func() { var ( config *localTestConfig diff --git a/test/e2e/storage/persistent_volumes-local.go b/test/e2e/storage/persistent_volumes-local.go index 6c2d94f0661..65e28b254ac 100644 --- a/test/e2e/storage/persistent_volumes-local.go +++ b/test/e2e/storage/persistent_volumes-local.go @@ -49,6 +49,7 @@ import ( e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) type localTestConfig struct { @@ -149,6 +150,7 @@ var ( var _ = utils.SIGDescribe("PersistentVolumes-local ", func() { f := framework.NewDefaultFramework("persistent-local-volumes-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( config *localTestConfig diff --git a/test/e2e/storage/persistent_volumes.go b/test/e2e/storage/persistent_volumes.go index 329e967ab0d..df6a787c8e8 100644 --- a/test/e2e/storage/persistent_volumes.go +++ b/test/e2e/storage/persistent_volumes.go @@ -36,6 +36,7 @@ import ( e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) // Validate PV/PVC, create and verify writer pod, delete the PVC, and validate the PV's @@ -107,6 +108,7 @@ var _ = utils.SIGDescribe("PersistentVolumes", func() { pvc *v1.PersistentVolumeClaim err error ) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { c = f.ClientSet diff --git a/test/e2e/storage/pvc_protection.go b/test/e2e/storage/pvc_protection.go index d9294be6ee2..a7e6f1758c7 100644 --- a/test/e2e/storage/pvc_protection.go +++ b/test/e2e/storage/pvc_protection.go @@ -35,6 +35,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" "k8s.io/kubernetes/test/e2e/storage/testsuites" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -69,6 +70,7 @@ var _ = utils.SIGDescribe("PVC Protection", func() { ) f := framework.NewDefaultFramework("pvc-protection") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.BeforeEach(func() { client = f.ClientSet nameSpace = f.Namespace.Name diff --git a/test/e2e/storage/subpath.go b/test/e2e/storage/subpath.go index 01f92551322..0fff7b908a1 100644 --- a/test/e2e/storage/subpath.go +++ b/test/e2e/storage/subpath.go @@ -26,10 +26,12 @@ import ( "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/storage/testsuites" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = utils.SIGDescribe("Subpath", func() { f := framework.NewDefaultFramework("subpath") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.Context("Atomic writer volumes", func() { var err error diff --git a/test/e2e/storage/testsuites/disruptive.go b/test/e2e/storage/testsuites/disruptive.go index 5f167cbe2ef..c8a7318b6b1 100644 --- a/test/e2e/storage/testsuites/disruptive.go +++ b/test/e2e/storage/testsuites/disruptive.go @@ -29,6 +29,7 @@ import ( storageframework "k8s.io/kubernetes/test/e2e/storage/framework" "k8s.io/kubernetes/test/e2e/storage/utils" storageutils "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) type disruptiveTestSuite struct { @@ -89,6 +90,7 @@ func (s *disruptiveTestSuite) DefineTests(driver storageframework.TestDriver, pa // Beware that it also registers an AfterEach which renders f unusable. Any code using // f must run inside an It or Context callback. f := framework.NewFrameworkWithCustomTimeouts("disruptive", storageframework.GetDriverTimeouts(driver)) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged init := func() { l = local{} diff --git a/test/e2e/storage/testsuites/ephemeral.go b/test/e2e/storage/testsuites/ephemeral.go index 7f5b552d068..2dafdc15811 100644 --- a/test/e2e/storage/testsuites/ephemeral.go +++ b/test/e2e/storage/testsuites/ephemeral.go @@ -36,6 +36,7 @@ import ( e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" storageframework "k8s.io/kubernetes/test/e2e/storage/framework" storageutils "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) type ephemeralTestSuite struct { @@ -117,6 +118,7 @@ func (p *ephemeralTestSuite) DefineTests(driver storageframework.TestDriver, pat // Beware that it also registers an AfterEach which renders f unusable. Any code using // f must run inside an It or Context callback. f := framework.NewFrameworkWithCustomTimeouts("ephemeral", storageframework.GetDriverTimeouts(driver)) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged init := func() { if pattern.VolType == storageframework.CSIInlineVolume { diff --git a/test/e2e/storage/testsuites/fsgroupchangepolicy.go b/test/e2e/storage/testsuites/fsgroupchangepolicy.go index f323830facc..542956e95f7 100644 --- a/test/e2e/storage/testsuites/fsgroupchangepolicy.go +++ b/test/e2e/storage/testsuites/fsgroupchangepolicy.go @@ -29,6 +29,7 @@ import ( e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" storageframework "k8s.io/kubernetes/test/e2e/storage/framework" storageutils "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" utilpointer "k8s.io/utils/pointer" ) @@ -105,6 +106,7 @@ func (s *fsGroupChangePolicyTestSuite) DefineTests(driver storageframework.TestD // Beware that it also registers an AfterEach which renders f unusable. Any code using // f must run inside an It or Context callback. f := framework.NewFrameworkWithCustomTimeouts("fsgroupchangepolicy", storageframework.GetDriverTimeouts(driver)) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged init := func() { e2eskipper.SkipIfNodeOSDistroIs("windows") diff --git a/test/e2e/storage/testsuites/multivolume.go b/test/e2e/storage/testsuites/multivolume.go index ac06e5c61f8..c6db22459dc 100644 --- a/test/e2e/storage/testsuites/multivolume.go +++ b/test/e2e/storage/testsuites/multivolume.go @@ -35,6 +35,7 @@ import ( "k8s.io/kubernetes/test/e2e/storage/utils" storageutils "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) type multiVolumeTestSuite struct { @@ -104,6 +105,7 @@ func (t *multiVolumeTestSuite) DefineTests(driver storageframework.TestDriver, p // Beware that it also registers an AfterEach which renders f unusable. Any code using // f must run inside an It or Context callback. f := framework.NewFrameworkWithCustomTimeouts("multivolume", storageframework.GetDriverTimeouts(driver)) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged init := func() { l = local{} diff --git a/test/e2e/storage/testsuites/provisioning.go b/test/e2e/storage/testsuites/provisioning.go index de8a71b1651..6a085b85a23 100644 --- a/test/e2e/storage/testsuites/provisioning.go +++ b/test/e2e/storage/testsuites/provisioning.go @@ -40,6 +40,7 @@ import ( e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" storageframework "k8s.io/kubernetes/test/e2e/storage/framework" storageutils "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) // StorageClassTest represents parameters to be used by provisioning tests. @@ -129,6 +130,7 @@ func (p *provisioningTestSuite) DefineTests(driver storageframework.TestDriver, // Beware that it also registers an AfterEach which renders f unusable. Any code using // f must run inside an It or Context callback. f := framework.NewFrameworkWithCustomTimeouts("provisioning", storageframework.GetDriverTimeouts(driver)) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged init := func() { l = local{} diff --git a/test/e2e/storage/testsuites/snapshottable.go b/test/e2e/storage/testsuites/snapshottable.go index 4ae31799762..bd2f80bf922 100644 --- a/test/e2e/storage/testsuites/snapshottable.go +++ b/test/e2e/storage/testsuites/snapshottable.go @@ -41,6 +41,7 @@ import ( storageframework "k8s.io/kubernetes/test/e2e/storage/framework" "k8s.io/kubernetes/test/e2e/storage/utils" storageutils "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) // data file name @@ -107,6 +108,7 @@ func (s *snapshottableTestSuite) DefineTests(driver storageframework.TestDriver, // Beware that it also registers an AfterEach which renders f unusable. Any code using // f must run inside an It or Context callback. f := framework.NewDefaultFramework("snapshotting") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Describe("volume snapshot controller", func() { var ( diff --git a/test/e2e/storage/testsuites/snapshottable_stress.go b/test/e2e/storage/testsuites/snapshottable_stress.go index 392e51e9c57..b388a3cab35 100644 --- a/test/e2e/storage/testsuites/snapshottable_stress.go +++ b/test/e2e/storage/testsuites/snapshottable_stress.go @@ -35,6 +35,7 @@ import ( e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" storageframework "k8s.io/kubernetes/test/e2e/storage/framework" storageutils "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) type snapshottableStressTestSuite struct { @@ -121,6 +122,7 @@ func (t *snapshottableStressTestSuite) DefineTests(driver storageframework.TestD // Beware that it also registers an AfterEach which renders f unusable. Any code using // f must run inside an It or Context callback. f := framework.NewDefaultFramework("snapshottable-stress") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged init := func() { driverInfo = driver.GetDriverInfo() diff --git a/test/e2e/storage/testsuites/subpath.go b/test/e2e/storage/testsuites/subpath.go index 4bc48d1898a..075aaf7b69d 100644 --- a/test/e2e/storage/testsuites/subpath.go +++ b/test/e2e/storage/testsuites/subpath.go @@ -43,6 +43,7 @@ import ( "k8s.io/kubernetes/test/e2e/storage/utils" storageutils "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) var ( @@ -116,6 +117,7 @@ func (s *subPathTestSuite) DefineTests(driver storageframework.TestDriver, patte // Beware that it also registers an AfterEach which renders f unusable. Any code using // f must run inside an It or Context callback. f := framework.NewFrameworkWithCustomTimeouts("provisioning", storageframework.GetDriverTimeouts(driver)) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged init := func() { l = local{} diff --git a/test/e2e/storage/testsuites/topology.go b/test/e2e/storage/testsuites/topology.go index 1d24ffdb6a0..6ac3173bb4c 100644 --- a/test/e2e/storage/testsuites/topology.go +++ b/test/e2e/storage/testsuites/topology.go @@ -36,6 +36,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" storageframework "k8s.io/kubernetes/test/e2e/storage/framework" storageutils "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) type topologyTestSuite struct { @@ -104,6 +105,7 @@ func (t *topologyTestSuite) DefineTests(driver storageframework.TestDriver, patt // Beware that it also registers an AfterEach which renders f unusable. Any code using // f must run inside an It or Context callback. f := framework.NewFrameworkWithCustomTimeouts("topology", storageframework.GetDriverTimeouts(driver)) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged init := func() topologyTest { dDriver, _ = driver.(storageframework.DynamicPVTestDriver) diff --git a/test/e2e/storage/testsuites/volume_expand.go b/test/e2e/storage/testsuites/volume_expand.go index 704f4bd2aa3..6a562550191 100644 --- a/test/e2e/storage/testsuites/volume_expand.go +++ b/test/e2e/storage/testsuites/volume_expand.go @@ -36,6 +36,7 @@ import ( e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" storageframework "k8s.io/kubernetes/test/e2e/storage/framework" storageutils "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -115,6 +116,7 @@ func (v *volumeExpandTestSuite) DefineTests(driver storageframework.TestDriver, // Beware that it also registers an AfterEach which renders f unusable. Any code using // f must run inside an It or Context callback. f := framework.NewFrameworkWithCustomTimeouts("volume-expand", storageframework.GetDriverTimeouts(driver)) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged init := func() { l = local{} diff --git a/test/e2e/storage/testsuites/volume_io.go b/test/e2e/storage/testsuites/volume_io.go index fb84162e0d4..25bb2e44e29 100644 --- a/test/e2e/storage/testsuites/volume_io.go +++ b/test/e2e/storage/testsuites/volume_io.go @@ -42,6 +42,7 @@ import ( e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" storageframework "k8s.io/kubernetes/test/e2e/storage/framework" storageutils "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) // MD5 hashes of the test file corresponding to each file size. @@ -112,6 +113,7 @@ func (t *volumeIOTestSuite) DefineTests(driver storageframework.TestDriver, patt // Beware that it also registers an AfterEach which renders f unusable. Any code using // f must run inside an It or Context callback. f := framework.NewFrameworkWithCustomTimeouts("volumeio", storageframework.GetDriverTimeouts(driver)) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged init := func() { l = local{} diff --git a/test/e2e/storage/testsuites/volumelimits.go b/test/e2e/storage/testsuites/volumelimits.go index dd0acbd0264..4c7ebfe0369 100644 --- a/test/e2e/storage/testsuites/volumelimits.go +++ b/test/e2e/storage/testsuites/volumelimits.go @@ -41,6 +41,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" storageframework "k8s.io/kubernetes/test/e2e/storage/framework" storageutils "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) type volumeLimitsTestSuite struct { @@ -113,6 +114,7 @@ func (t *volumeLimitsTestSuite) DefineTests(driver storageframework.TestDriver, // Beware that it also registers an AfterEach which renders f unusable. Any code using // f must run inside an It or Context callback. f := framework.NewFrameworkWithCustomTimeouts("volumelimits", storageframework.GetDriverTimeouts(driver)) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // This checks that CSIMaxVolumeLimitChecker works as expected. // A randomly chosen node should be able to handle as many CSI volumes as diff --git a/test/e2e/storage/testsuites/volumemode.go b/test/e2e/storage/testsuites/volumemode.go index 50cb5f4ecd8..42abf99e2c6 100644 --- a/test/e2e/storage/testsuites/volumemode.go +++ b/test/e2e/storage/testsuites/volumemode.go @@ -41,6 +41,7 @@ import ( e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" storageframework "k8s.io/kubernetes/test/e2e/storage/framework" storageutils "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -107,6 +108,7 @@ func (t *volumeModeTestSuite) DefineTests(driver storageframework.TestDriver, pa // Beware that it also registers an AfterEach which renders f unusable. Any code using // f must run inside an It or Context callback. f := framework.NewFrameworkWithCustomTimeouts("volumemode", storageframework.GetDriverTimeouts(driver)) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged init := func() { l = local{} diff --git a/test/e2e/storage/testsuites/volumes.go b/test/e2e/storage/testsuites/volumes.go index cef61af2c3e..7e3d71d08ea 100644 --- a/test/e2e/storage/testsuites/volumes.go +++ b/test/e2e/storage/testsuites/volumes.go @@ -37,6 +37,7 @@ import ( storageframework "k8s.io/kubernetes/test/e2e/storage/framework" storageutils "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) type volumesTestSuite struct { @@ -129,6 +130,7 @@ func (t *volumesTestSuite) DefineTests(driver storageframework.TestDriver, patte // Beware that it also registers an AfterEach which renders f unusable. Any code using // f must run inside an It or Context callback. f := framework.NewFrameworkWithCustomTimeouts("volume", storageframework.GetDriverTimeouts(driver)) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged init := func() { l = local{} diff --git a/test/e2e/storage/volume_metrics.go b/test/e2e/storage/volume_metrics.go index 74e85951368..29f4fcb0458 100644 --- a/test/e2e/storage/volume_metrics.go +++ b/test/e2e/storage/volume_metrics.go @@ -40,6 +40,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/testsuites" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) // This test needs to run in serial because other tests could interfere @@ -56,6 +57,7 @@ var _ = utils.SIGDescribe("[Serial] Volume metrics", func() { err error ) f := framework.NewDefaultFramework("pv") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.BeforeEach(func() { c = f.ClientSet diff --git a/test/e2e/storage/volume_provisioning.go b/test/e2e/storage/volume_provisioning.go index 1b300d203c2..18772c0a31e 100644 --- a/test/e2e/storage/volume_provisioning.go +++ b/test/e2e/storage/volume_provisioning.go @@ -52,6 +52,7 @@ import ( "k8s.io/kubernetes/test/e2e/storage/testsuites" "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -135,6 +136,7 @@ func checkGCEPD(volume *v1.PersistentVolume, volumeType string) error { var _ = utils.SIGDescribe("Dynamic Provisioning", func() { f := framework.NewDefaultFramework("volume-provisioning") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // filled in BeforeEach var c clientset.Interface diff --git a/test/e2e/storage/volumes.go b/test/e2e/storage/volumes.go index cee36957608..0949b426f57 100644 --- a/test/e2e/storage/volumes.go +++ b/test/e2e/storage/volumes.go @@ -28,11 +28,13 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) // These tests need privileged containers, which are disabled by default. var _ = utils.SIGDescribe("Volumes", func() { f := framework.NewDefaultFramework("volume") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline // note that namespace deletion is handled by delete-namespace flag // filled inside BeforeEach diff --git a/test/e2e_node/log_path_test.go b/test/e2e_node/log_path_test.go index 26342aa9c1a..cdbc2b6d8ae 100644 --- a/test/e2e_node/log_path_test.go +++ b/test/e2e_node/log_path_test.go @@ -26,6 +26,7 @@ import ( kubecontainer "k8s.io/kubernetes/pkg/kubelet/container" "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -37,6 +38,7 @@ const ( var _ = SIGDescribe("ContainerLogPath [NodeConformance]", func() { f := framework.NewDefaultFramework("kubelet-container-log-path") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var podClient *framework.PodClient ginkgo.Describe("Pod with a container", func() { diff --git a/test/e2e_node/mirror_pod_grace_period_test.go b/test/e2e_node/mirror_pod_grace_period_test.go index 51c5b31b0d0..fa6216d0f56 100644 --- a/test/e2e_node/mirror_pod_grace_period_test.go +++ b/test/e2e_node/mirror_pod_grace_period_test.go @@ -31,10 +31,12 @@ import ( clientset "k8s.io/client-go/kubernetes" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = SIGDescribe("MirrorPodWithGracePeriod", func() { f := framework.NewDefaultFramework("mirror-pod-with-grace-period") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.Context("when create a mirror pod ", func() { var ns, podPath, staticPodName, mirrorPodName string ginkgo.BeforeEach(func() { diff --git a/test/e2e_node/mirror_pod_test.go b/test/e2e_node/mirror_pod_test.go index 84633b64d4a..d5cff23a248 100644 --- a/test/e2e_node/mirror_pod_test.go +++ b/test/e2e_node/mirror_pod_test.go @@ -35,6 +35,7 @@ import ( kubetypes "k8s.io/kubernetes/pkg/kubelet/types" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/google/go-cmp/cmp" "github.com/onsi/ginkgo" @@ -43,6 +44,7 @@ import ( var _ = SIGDescribe("MirrorPod", func() { f := framework.NewDefaultFramework("mirror-pod") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.Context("when create a mirror pod ", func() { var ns, podPath, staticPodName, mirrorPodName string ginkgo.BeforeEach(func() { diff --git a/test/e2e_node/pod_hostnamefqdn_test.go b/test/e2e_node/pod_hostnamefqdn_test.go index 2779ec4f22c..2d3450f6db1 100644 --- a/test/e2e_node/pod_hostnamefqdn_test.go +++ b/test/e2e_node/pod_hostnamefqdn_test.go @@ -30,6 +30,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/fields" "k8s.io/kubernetes/pkg/kubelet/events" + admissionapi "k8s.io/pod-security-admission/api" "k8s.io/kubernetes/test/e2e/framework" e2eevents "k8s.io/kubernetes/test/e2e/framework/events" @@ -71,6 +72,7 @@ func testPod(podnamebase string) *v1.Pod { var _ = SIGDescribe("Hostname of Pod [NodeConformance]", func() { f := framework.NewDefaultFramework("hostfqdn") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline /* Release: v1.19 Testname: Create Pod without fully qualified domain name (FQDN) diff --git a/test/e2e_node/pods_container_manager_test.go b/test/e2e_node/pods_container_manager_test.go index bf194e65ce8..9234f82ec27 100644 --- a/test/e2e_node/pods_container_manager_test.go +++ b/test/e2e_node/pods_container_manager_test.go @@ -28,6 +28,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "k8s.io/klog/v2" @@ -165,6 +166,8 @@ func makePodToVerifyCgroupRemoved(baseName string) *v1.Pod { var _ = SIGDescribe("Kubelet Cgroup Manager", func() { f := framework.NewDefaultFramework("kubelet-cgroup-manager") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged + ginkgo.Describe("QOS containers", func() { ginkgo.Context("On enabling QOS cgroup hierarchy", func() { ginkgo.It("Top level QoS containers should have been created [NodeConformance]", func() { diff --git a/test/e2e_node/runtime_conformance_test.go b/test/e2e_node/runtime_conformance_test.go index 5d21a11569c..46f17a09fe7 100644 --- a/test/e2e_node/runtime_conformance_test.go +++ b/test/e2e_node/runtime_conformance_test.go @@ -27,12 +27,14 @@ import ( "k8s.io/kubernetes/test/e2e/common/node" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e_node/services" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("Container Runtime Conformance Test", func() { f := framework.NewDefaultFramework("runtime-conformance") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline ginkgo.Describe("container runtime conformance blackbox test", func() { diff --git a/test/e2e_node/security_context_test.go b/test/e2e_node/security_context_test.go index 8432bbdeded..33f6f9fb31d 100644 --- a/test/e2e_node/security_context_test.go +++ b/test/e2e_node/security_context_test.go @@ -29,12 +29,14 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("Security Context", func() { f := framework.NewDefaultFramework("security-context-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline var podClient *framework.PodClient ginkgo.BeforeEach(func() { podClient = f.PodClient() diff --git a/test/e2e_node/summary_test.go b/test/e2e_node/summary_test.go index 31574ab06fe..c0768072bcf 100644 --- a/test/e2e_node/summary_test.go +++ b/test/e2e_node/summary_test.go @@ -29,6 +29,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2ekubectl "k8s.io/kubernetes/test/e2e/framework/kubectl" e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" + admissionapi "k8s.io/pod-security-admission/api" systemdutil "github.com/coreos/go-systemd/v22/util" "github.com/onsi/ginkgo" @@ -39,6 +40,7 @@ import ( var _ = SIGDescribe("Summary API [NodeConformance]", func() { f := framework.NewDefaultFramework("summary-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("when querying /stats/summary", func() { ginkgo.AfterEach(func() { if !ginkgo.CurrentGinkgoTestDescription().Failed { diff --git a/test/e2e_node/volume_manager_test.go b/test/e2e_node/volume_manager_test.go index 1a164edc4d8..1e3ca713372 100644 --- a/test/e2e_node/volume_manager_test.go +++ b/test/e2e_node/volume_manager_test.go @@ -25,6 +25,7 @@ import ( "k8s.io/apimachinery/pkg/util/uuid" "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" + admissionapi "k8s.io/pod-security-admission/api" "fmt" @@ -33,6 +34,7 @@ import ( var _ = SIGDescribe("Kubelet Volume Manager", func() { f := framework.NewDefaultFramework("kubelet-volume-manager") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Describe("Volume Manager", func() { ginkgo.Context("On termination of pod with memory backed volume", func() { ginkgo.It("should remove the volume from the node [NodeConformance]", func() {