Make scheduling e2e tests run PSa-restricted pods

The "pause" pods that are being run in the scheduling tests are
sometimes launched in system namespaces. Therefore even if a test
is considered to be running on a "baseline" Pod Security admission
level, its "baseline" pods would fail to run if the global PSa
enforcement policy is set to "restricted" - the system namespaces
have no PSa labels.

The "pause" pods run by this test can actually easily run with
"restricted" security context, and so this patch turns them
into just that.
Stanislav Laznicka 2022-07-20 15:53:34 +02:00
parent 303f47c0c0
commit 682ee2908a
No known key found for this signature in database
GPG Key ID: C98C414936B1A7F3


@ -828,15 +828,17 @@ func initPausePod(f *framework.Framework, conf pausePodConfig) *v1.Pod {
OwnerReferences: conf.OwnerReferences,
},
Spec: v1.PodSpec{
SecurityContext: e2epod.GetRestrictedPodSecurityContext(),
NodeSelector: conf.NodeSelector,
Affinity: conf.Affinity,
TopologySpreadConstraints: conf.TopologySpreadConstraints,
RuntimeClassName: conf.RuntimeClassHandler,
Containers: []v1.Container{
{
Name: conf.Name,
Image: imageutils.GetPauseImageName(),
Ports: conf.Ports,
Name: conf.Name,
Image: imageutils.GetPauseImageName(),
Ports: conf.Ports,
SecurityContext: e2epod.GetRestrictedContainerSecurityContext(),
},
},
Tolerations: conf.Tolerations,
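Review bot: The container literal still passes Ports: conf.Ports through unchanged, so a pause pod whose config sets a hostPort is still rejected by the baseline and restricted Pod Security levels, whatever the two new SecurityContext fields contain. Both levels disallow non-zero host ports. If any caller of initPausePod relies on host ports, the problem described in the commit message remains for those pods. It is worth either confirming that none do or noting the limitation in a comment on the function. Both SecurityContext values are also hard-coded, with no field in pausePodConfig to override them. A one-line comment next to SecurityContext: e2epod.GetRestrictedPodSecurityContext() explaining that the pods may land in system namespaces without PSa labels would keep a later change from relaxing this unknowingly.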