From f578b9a40d26973cf4122ec5b04fa9164adea158 Mon Sep 17 00:00:00 2001 From: Sergiusz Urbaniak Date: Mon, 4 Apr 2022 13:58:59 +0200 Subject: [PATCH 1/2] test/e2e/framework: use restricted policy by default --- test/e2e/framework/framework.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/test/e2e/framework/framework.go b/test/e2e/framework/framework.go index 451ca684718..5743e1ce55b 100644 --- a/test/e2e/framework/framework.go +++ b/test/e2e/framework/framework.go @@ -534,8 +534,7 @@ func (f *Framework) CreateNamespace(baseName string, labels map[string]string) ( labels = labelsCopy } - // TODO(sur): set to restricted before 1.24 test freeze - enforceLevel := admissionapi.LevelPrivileged + enforceLevel := admissionapi.LevelRestricted if f.NamespacePodSecurityEnforceLevel != "" { enforceLevel = f.NamespacePodSecurityEnforceLevel } From 1495c9f2cd36fc1db92d0e7c50967b1d156b9558 Mon Sep 17 00:00:00 2001 
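Review bot: With the TODO removed, nothing at `enforceLevel := admissionapi.LevelRestricted` tells a test author that namespaces made by `CreateNamespace` now enforce the restricted Pod Security level unless `f.NamespacePodSecurityEnforceLevel` is set. I would add a comment above that line: `// Default to the restricted Pod Security level; a suite that needs more must set f.NamespacePodSecurityEnforceLevel and say why.` The doc comment on the `NamespacePodSecurityEnforceLevel` field, which is outside this hunk, should state the same default. `CreateNamespace` starts and ends outside the hunk.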
From: Sergiusz Urbaniak Date: Mon, 4 Apr 2022 14:00:06 +0200 Subject: [PATCH 2/2] test/e2e/*: default existing tests to privileged pod security policy This is to ensure that all existing tests don't break when defaulting the pod security policy to restricted in the e2e test framework. --- test/e2e/apimachinery/chunking.go | 2 ++ test/e2e/apimachinery/crd_publish_openapi.go | 2 ++ test/e2e/apimachinery/crd_validation_rules.go | 2 ++ test/e2e/apimachinery/crd_watch.go | 2 ++ test/e2e/apimachinery/custom_resource_definition.go | 2 ++ test/e2e/apimachinery/discovery.go | 2 ++ test/e2e/apimachinery/etcd_failure.go | 2 ++ test/e2e/apimachinery/flowcontrol.go | 2 ++ test/e2e/apimachinery/generated_clientset.go | 1 + test/e2e/apimachinery/health_handlers.go | 2 ++ test/e2e/apimachinery/protocol.go | 2 ++ test/e2e/apimachinery/request_timeout.go | 2 ++ test/e2e/apimachinery/server_version.go | 2 ++ test/e2e/apimachinery/storage_version.go | 2 ++ test/e2e/apimachinery/watch.go | 2 ++ test/e2e/apps/daemon_restart.go | 2 ++ test/e2e/apps/disruption.go | 1 + test/e2e/architecture/conformance.go | 2 ++ test/e2e/auth/certificates.go | 2 ++ test/e2e/auth/pod_security_policy.go | 2 ++ test/e2e/autoscaling/autoscaling_timer.go | 2 ++ .../e2e/autoscaling/cluster_autoscaler_scalability.go | 2 ++ test/e2e/autoscaling/cluster_size_autoscaling.go | 2 ++ .../custom_metrics_stackdriver_autoscaling.go | 2 ++ test/e2e/autoscaling/dns_autoscaling.go | 2 ++ .../horizontal_pod_autoscaling_behavior.go | 2 ++ test/e2e/cloud/gcp/addon_update.go | 2 ++ test/e2e/cloud/gcp/apps/stateful_apps.go | 2 ++ .../service_account_admission_controller_migration.go | 2 ++ test/e2e/cloud/gcp/cluster_upgrade.go | 3 +++ test/e2e/cloud/gcp/gke_node_pools.go | 2 ++ test/e2e/cloud/gcp/ha_master.go | 2 ++ test/e2e/cloud/gcp/kubelet_security.go | 2 ++ test/e2e/cloud/gcp/network/kube_proxy_migration.go | 2 ++ test/e2e/cloud/gcp/node/gpu.go | 2 ++ test/e2e/cloud/gcp/node_lease.go | 2 ++ test/e2e/cloud/gcp/reboot.go | 2 
++ test/e2e/cloud/gcp/recreate_node.go | 2 ++ test/e2e/cloud/gcp/resize_nodes.go | 2 ++ test/e2e/cloud/gcp/restart.go | 2 ++ test/e2e/cloud/nodes.go | 2 ++ test/e2e/common/node/lease.go | 2 ++ test/e2e/common/node/node_lease.go | 2 ++ test/e2e/common/node/podtemplates.go | 2 ++ test/e2e/common/storage/downwardapi.go | 2 ++ test/e2e/instrumentation/core_events.go | 2 ++ test/e2e/instrumentation/events.go | 2 ++ test/e2e/instrumentation/logging/generic_soak.go | 2 ++ test/e2e/instrumentation/monitoring/accelerator.go | 2 ++ .../monitoring/custom_metrics_stackdriver.go | 2 ++ .../e2e/instrumentation/monitoring/metrics_grabber.go | 2 ++ test/e2e/instrumentation/monitoring/stackdriver.go | 2 ++ .../monitoring/stackdriver_metadata_agent.go | 2 ++ test/e2e/lifecycle/bootstrap/bootstrap_signer.go | 2 ++ .../lifecycle/bootstrap/bootstrap_token_cleaner.go | 2 ++ test/e2e/network/dns_common.go | 5 ++++- test/e2e/network/dns_scale_records.go | 2 ++ test/e2e/network/dual_stack.go | 2 ++ test/e2e/network/endpointslicemirroring.go | 2 ++ test/e2e/network/example_cluster_dns.go | 2 ++ test/e2e/network/firewall.go | 2 ++ test/e2e/network/ingress.go | 1 + test/e2e/network/ingress_scale.go | 2 ++ test/e2e/network/ingressclass.go | 3 +++ test/e2e/network/netpol/network_legacy.go | 2 ++ test/e2e/network/netpol/network_policy.go | 4 ++++ test/e2e/network/netpol/network_policy_api.go | 2 ++ test/e2e/network/network_tiers.go | 2 ++ test/e2e/network/no_snat.go | 2 ++ test/e2e/network/topology_hints.go | 2 ++ test/e2e/node/kubelet_perf.go | 2 ++ test/e2e/node/node_problem_detector.go | 2 ++ test/e2e/node/pod_gc.go | 2 ++ test/e2e/node/ssh.go | 2 ++ test/e2e/scheduling/nvidia-gpus.go | 3 +++ test/e2e/scheduling/preemption.go | 1 + test/e2e/storage/csistoragecapacity.go | 2 ++ test/e2e/storage/detach_mounted.go | 2 ++ test/e2e/storage/flexvolume_mounted_volume_resize.go | 2 ++ test/e2e/storage/flexvolume_online_resize.go | 2 ++ .../storage/generic_persistent_volume-disruptive.go | 2 ++ 
test/e2e/storage/gke_local_ssd.go | 2 ++ test/e2e/storage/mounted_volume_resize.go | 2 ++ test/e2e/storage/nfs_persistent_volume-disruptive.go | 2 ++ test/e2e/storage/pd.go | 2 ++ test/e2e/storage/persistent_volumes-gce.go | 2 ++ test/e2e/storage/persistent_volumes.go | 1 + test/e2e/storage/pv_protection.go | 2 ++ test/e2e/storage/regional_pd.go | 2 ++ test/e2e/storage/testsuites/capacity.go | 2 ++ test/e2e/storage/testsuites/volume_stress.go | 2 ++ test/e2e/storage/testsuites/volumeperf.go | 2 ++ test/e2e/storage/ubernetes_lite_volumes.go | 2 ++ test/e2e/storage/volume_limits.go | 2 ++ .../e2e/storage/vsphere/persistent_volumes-vsphere.go | 2 ++ test/e2e/storage/vsphere/pv_reclaimpolicy.go | 2 ++ test/e2e/storage/vsphere/pvc_label_selector.go | 2 ++ test/e2e/storage/vsphere/vsphere_scale.go | 2 ++ test/e2e/storage/vsphere/vsphere_statefulsets.go | 2 ++ test/e2e/storage/vsphere/vsphere_stress.go | 2 ++ test/e2e/storage/vsphere/vsphere_volume_cluster_ds.go | 2 ++ test/e2e/storage/vsphere/vsphere_volume_datastore.go | 2 ++ test/e2e/storage/vsphere/vsphere_volume_diskformat.go | 2 ++ test/e2e/storage/vsphere/vsphere_volume_disksize.go | 2 ++ test/e2e/storage/vsphere/vsphere_volume_fstype.go | 2 ++ .../storage/vsphere/vsphere_volume_master_restart.go | 2 ++ .../e2e/storage/vsphere/vsphere_volume_node_delete.go | 2 ++ .../storage/vsphere/vsphere_volume_node_poweroff.go | 2 ++ test/e2e/storage/vsphere/vsphere_volume_ops_storm.go | 2 ++ test/e2e/storage/vsphere/vsphere_volume_perf.go | 2 ++ test/e2e/storage/vsphere/vsphere_volume_placement.go | 2 ++ .../storage/vsphere/vsphere_volume_vpxd_restart.go | 2 ++ .../e2e/storage/vsphere/vsphere_volume_vsan_policy.go | 2 ++ test/e2e/storage/vsphere/vsphere_zone_support.go | 2 ++ test/e2e/upgrades/upgrade_suite.go | 5 ++++- test/e2e/windows/cpu_limits.go | 2 ++ test/e2e/windows/density.go | 2 ++ test/e2e/windows/device_plugin.go | 2 ++ test/e2e/windows/dns.go | 2 ++ test/e2e/windows/gmsa_full.go | 2 ++ 
test/e2e/windows/gmsa_kubelet.go | 2 ++ test/e2e/windows/host_process.go | 2 ++ test/e2e/windows/hybrid_network.go | 2 ++ test/e2e/windows/kubelet_stats.go | 3 +++ test/e2e/windows/memory_limits.go | 2 ++ test/e2e/windows/reboot_node.go | 2 ++ test/e2e/windows/security_context.go | 2 ++ test/e2e/windows/service.go | 2 ++ test/e2e/windows/volumes.go | 2 ++ test/e2e_kubeadm/bootstrap_signer.go | 2 ++ test/e2e_kubeadm/bootstrap_token_test.go | 2 ++ test/e2e_kubeadm/cluster_info_test.go | 2 ++ test/e2e_kubeadm/controlplane_nodes_test.go | 2 ++ test/e2e_kubeadm/dns_addon_test.go | 2 ++ test/e2e_kubeadm/kubeadm_certs_test.go | 2 ++ test/e2e_kubeadm/kubeadm_config_test.go | 2 ++ test/e2e_kubeadm/kubelet_config_test.go | 2 ++ test/e2e_kubeadm/networking_test.go | 2 ++ test/e2e_kubeadm/nodes_test.go | 2 ++ test/e2e_kubeadm/proxy_addon_test.go | 2 ++ test/e2e_node/apparmor_test.go | 3 +++ test/e2e_node/container_log_rotation_test.go | 2 ++ test/e2e_node/container_manager_test.go | 2 ++ test/e2e_node/cpu_manager_test.go | 2 ++ test/e2e_node/critical_pod_test.go | 2 ++ test/e2e_node/density_test.go | 2 ++ test/e2e_node/device_manager_test.go | 2 ++ test/e2e_node/device_plugin_test.go | 2 ++ test/e2e_node/eviction_test.go | 11 +++++++++++ test/e2e_node/garbage_collector_test.go | 2 ++ test/e2e_node/hugepages_test.go | 2 ++ test/e2e_node/image_credential_provider.go | 2 ++ test/e2e_node/image_id_test.go | 2 ++ test/e2e_node/memory_manager_test.go | 2 ++ test/e2e_node/node_container_manager_test.go | 2 ++ test/e2e_node/node_perf_test.go | 2 ++ test/e2e_node/node_problem_detector_linux.go | 2 ++ test/e2e_node/node_shutdown_linux_test.go | 2 ++ test/e2e_node/os_label_rename_test.go | 2 ++ test/e2e_node/pids_test.go | 2 ++ test/e2e_node/podresources_test.go | 2 ++ test/e2e_node/quota_lsci_test.go | 2 ++ test/e2e_node/resource_metrics_test.go | 2 ++ test/e2e_node/resource_usage_test.go | 2 ++ test/e2e_node/restart_test.go | 2 ++ test/e2e_node/runtimeclass_test.go | 2 ++ 
test/e2e_node/system_node_critical_test.go | 2 ++ test/e2e_node/topology_manager_test.go | 2 ++ 168 files changed, 351 insertions(+), 2 deletions(-) diff --git a/test/e2e/apimachinery/chunking.go b/test/e2e/apimachinery/chunking.go index 34545e59268..1153246a71d 100644 --- a/test/e2e/apimachinery/chunking.go +++ b/test/e2e/apimachinery/chunking.go @@ -35,6 +35,7 @@ import ( utilfeature "k8s.io/apiserver/pkg/util/feature" "k8s.io/client-go/util/workqueue" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" ) func shouldCheckRemainingItem() bool { @@ -45,6 +46,7 @@ const numberOfTotalResources = 400 var _ = SIGDescribe("Servers with support for API chunking", func() { f := framework.NewDefaultFramework("chunking") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { ns := f.Namespace.Name diff --git a/test/e2e/apimachinery/crd_publish_openapi.go b/test/e2e/apimachinery/crd_publish_openapi.go index ca77c70e22d..6109523f636 100644 --- a/test/e2e/apimachinery/crd_publish_openapi.go +++ b/test/e2e/apimachinery/crd_publish_openapi.go @@ -44,6 +44,7 @@ import ( "k8s.io/kube-openapi/pkg/validation/spec" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/utils/crd" + admissionapi "k8s.io/pod-security-admission/api" ) var ( @@ -52,6 +53,7 @@ var ( var _ = SIGDescribe("CustomResourcePublishOpenAPI [Privileged:ClusterAdmin]", func() { f := framework.NewDefaultFramework("crd-publish-openapi") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.16 diff --git a/test/e2e/apimachinery/crd_validation_rules.go b/test/e2e/apimachinery/crd_validation_rules.go index 2a351b8b1fa..551a6991367 100644 --- a/test/e2e/apimachinery/crd_validation_rules.go +++ b/test/e2e/apimachinery/crd_validation_rules.go 
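Review bot: The added `f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged` in the chunking suite carries no marker that it is a temporary opt-out, and the same bare line is repeated in the other test-file hunks of this patch (crd_publish_openapi.go, crd_watch.go, discovery.go, server_version.go and the rest of the diffstat). Once merged, a suite that truly needs privileged pods cannot be told apart from one that was pinned only to keep it passing, so the restricted default from patch 1 is never exercised by the existing tests. I would put a greppable comment on each, e.g. `// TODO: pinned to privileged during the restricted-default migration; lower to baseline or restricted once this suite's pods comply.` Suites that, judging by their names, talk only to the API server (server version, health handlers, request timeout) are probably the first candidates to drop the override, though their pod usage is not visible in these hunks.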
@@ -32,10 +32,12 @@ import ( "k8s.io/apiserver/pkg/storage/names" "k8s.io/client-go/dynamic" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = SIGDescribe("CustomResourceValidationRules [Privileged:ClusterAdmin][Alpha][Feature:CustomResourceValidationExpressions]", func() { f := framework.NewDefaultFramework("crd-validation-expressions") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var apiExtensionClient *clientset.Clientset ginkgo.BeforeEach(func() { diff --git a/test/e2e/apimachinery/crd_watch.go b/test/e2e/apimachinery/crd_watch.go index 929fde6b990..829c2489543 100644 --- a/test/e2e/apimachinery/crd_watch.go +++ b/test/e2e/apimachinery/crd_watch.go @@ -31,6 +31,7 @@ import ( "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/dynamic" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -38,6 +39,7 @@ import ( var _ = SIGDescribe("CustomResourceDefinition Watch [Privileged:ClusterAdmin]", func() { f := framework.NewDefaultFramework("crd-watch") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("CustomResourceDefinition Watch", func() { /* diff --git a/test/e2e/apimachinery/custom_resource_definition.go b/test/e2e/apimachinery/custom_resource_definition.go index 4f636940ac8..4ae999e7856 100644 --- a/test/e2e/apimachinery/custom_resource_definition.go +++ b/test/e2e/apimachinery/custom_resource_definition.go @@ -39,11 +39,13 @@ import ( "k8s.io/client-go/dynamic" "k8s.io/client-go/util/retry" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = SIGDescribe("CustomResourceDefinition resources [Privileged:ClusterAdmin]", func() { f := framework.NewDefaultFramework("custom-resource-definition") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("Simple CustomResourceDefinition", func() { /* 
diff --git a/test/e2e/apimachinery/discovery.go b/test/e2e/apimachinery/discovery.go index 04103aeeb5f..8c73032337f 100644 --- a/test/e2e/apimachinery/discovery.go +++ b/test/e2e/apimachinery/discovery.go @@ -28,6 +28,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/utils/crd" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -35,6 +36,7 @@ import ( var storageVersionServerVersion = utilversion.MustParseSemantic("v1.13.99") var _ = SIGDescribe("Discovery", func() { f := framework.NewDefaultFramework("discovery") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var namespaceName string diff --git a/test/e2e/apimachinery/etcd_failure.go b/test/e2e/apimachinery/etcd_failure.go index ed0c6c15145..e963b1c062a 100644 --- a/test/e2e/apimachinery/etcd_failure.go +++ b/test/e2e/apimachinery/etcd_failure.go @@ -31,6 +31,7 @@ import ( e2essh "k8s.io/kubernetes/test/e2e/framework/ssh" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -38,6 +39,7 @@ import ( var _ = SIGDescribe("Etcd failure [Disruptive]", func() { f := framework.NewDefaultFramework("etcd-failure") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { // This test requires: diff --git a/test/e2e/apimachinery/flowcontrol.go b/test/e2e/apimachinery/flowcontrol.go index 8c4120e2089..95c745caebc 100644 --- a/test/e2e/apimachinery/flowcontrol.go +++ b/test/e2e/apimachinery/flowcontrol.go @@ -39,6 +39,7 @@ import ( "k8s.io/client-go/rest" clientsideflowcontrol "k8s.io/client-go/util/flowcontrol" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" ) const ( 
@@ -52,6 +53,7 @@ var ( var _ = SIGDescribe("API priority and fairness", func() { f := framework.NewDefaultFramework("apf") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should ensure that requests can be classified by adding FlowSchema and PriorityLevelConfiguration", func() { testingFlowSchemaName := "e2e-testing-flowschema" diff --git a/test/e2e/apimachinery/generated_clientset.go b/test/e2e/apimachinery/generated_clientset.go index d728f9e8c69..05fd24eedf9 100644 --- a/test/e2e/apimachinery/generated_clientset.go +++ b/test/e2e/apimachinery/generated_clientset.go @@ -214,6 +214,7 @@ func newTestingCronJob(name string, value string) *batchv1.CronJob { var _ = SIGDescribe("Generated clientset", func() { f := framework.NewDefaultFramework("clientset") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should create v1 cronJobs, delete cronJobs, watch cronJobs", func() { cronJobClient := f.ClientSet.BatchV1().CronJobs(f.Namespace.Name) diff --git a/test/e2e/apimachinery/health_handlers.go b/test/e2e/apimachinery/health_handlers.go index b67aa01945c..29fe083eaf6 100644 --- a/test/e2e/apimachinery/health_handlers.go +++ b/test/e2e/apimachinery/health_handlers.go @@ -27,6 +27,7 @@ import ( clientset "k8s.io/client-go/kubernetes" restclient "k8s.io/client-go/rest" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -116,6 +117,7 @@ func testPath(client clientset.Interface, path string, requiredChecks sets.Strin var _ = SIGDescribe("health handlers", func() { f := framework.NewDefaultFramework("health") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should contain necessary checks", func() { ginkgo.By("/health") diff --git a/test/e2e/apimachinery/protocol.go b/test/e2e/apimachinery/protocol.go index 322b935615c..270bf58ea4c 100644 --- a/test/e2e/apimachinery/protocol.go +++ b/test/e2e/apimachinery/protocol.go 
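Review bot: `admissionapi` is used in the generated_clientset.go hunk, but unlike the neighbouring files this one has no import hunk, and the diffstat shows a single added line for it. If the file does not already import `admissionapi "k8s.io/pod-security-admission/api"`, the package will not compile. The same applies to the one-line change in test/e2e/apps/disruption.go. Both imports should be confirmed present at the parent commit.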
@@ -29,12 +29,14 @@ import ( "k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/kubernetes" + admissionapi "k8s.io/pod-security-admission/api" "k8s.io/kubernetes/test/e2e/framework" ) var _ = SIGDescribe("client-go should negotiate", func() { f := framework.NewDefaultFramework("protocol") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged for _, s := range []string{ "application/json", diff --git a/test/e2e/apimachinery/request_timeout.go b/test/e2e/apimachinery/request_timeout.go index f7249b44ad3..5e596a524ba 100644 --- a/test/e2e/apimachinery/request_timeout.go +++ b/test/e2e/apimachinery/request_timeout.go @@ -24,6 +24,7 @@ import ( "github.com/onsi/ginkgo" "k8s.io/client-go/rest" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -32,6 +33,7 @@ const ( var _ = SIGDescribe("Server request timeout", func() { f := framework.NewDefaultFramework("request-timeout") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should return HTTP status code 400 if the user specifies an invalid timeout in the request URL", func() { rt := getRoundTripper(f) diff --git a/test/e2e/apimachinery/server_version.go b/test/e2e/apimachinery/server_version.go index 19331773dca..c4b8069a80c 100644 --- a/test/e2e/apimachinery/server_version.go +++ b/test/e2e/apimachinery/server_version.go @@ -21,12 +21,14 @@ import ( "k8s.io/apimachinery/pkg/version" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("server version", func() { f := framework.NewDefaultFramework("server-version") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.19 diff --git a/test/e2e/apimachinery/storage_version.go b/test/e2e/apimachinery/storage_version.go index 9249b94edc7..0137ccbafab 100644 --- a/test/e2e/apimachinery/storage_version.go 
+++ b/test/e2e/apimachinery/storage_version.go @@ -25,6 +25,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -37,6 +38,7 @@ const ( // This test requires that --feature-gates=APIServerIdentity=true,StorageVersionAPI=true be set on the apiserver and the controller manager var _ = SIGDescribe("StorageVersion resources [Feature:StorageVersionAPI]", func() { f := framework.NewDefaultFramework("storage-version") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("storage version with non-existing id should be GC'ed", func() { client := f.ClientSet diff --git a/test/e2e/apimachinery/watch.go b/test/e2e/apimachinery/watch.go index ade79817a0c..f711eee3ad1 100644 --- a/test/e2e/apimachinery/watch.go +++ b/test/e2e/apimachinery/watch.go @@ -31,6 +31,7 @@ import ( cachetools "k8s.io/client-go/tools/cache" watchtools "k8s.io/client-go/tools/watch" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -47,6 +48,7 @@ const ( var _ = SIGDescribe("Watchers", func() { f := framework.NewDefaultFramework("watch") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.11 diff --git a/test/e2e/apps/daemon_restart.go b/test/e2e/apps/daemon_restart.go index 413606f4028..1d4976af375 100644 --- a/test/e2e/apps/daemon_restart.go +++ b/test/e2e/apps/daemon_restart.go @@ -41,6 +41,7 @@ import ( e2essh "k8s.io/kubernetes/test/e2e/framework/ssh" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) 
@@ -204,6 +205,7 @@ func getContainerRestarts(c clientset.Interface, ns string, labelSelector labels var _ = SIGDescribe("DaemonRestart [Disruptive]", func() { f := framework.NewDefaultFramework("daemonrestart") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged rcName := "daemonrestart" + strconv.Itoa(numPods) + "-" + string(uuid.NewUUID()) labelSelector := labels.Set(map[string]string{"name": rcName}).AsSelector() existingPods := cache.NewStore(cache.MetaNamespaceKeyFunc) diff --git a/test/e2e/apps/disruption.go b/test/e2e/apps/disruption.go index e456bb926f5..646db265313 100644 --- a/test/e2e/apps/disruption.go +++ b/test/e2e/apps/disruption.go @@ -76,6 +76,7 @@ var _ = SIGDescribe("DisruptionController", func() { ginkgo.Context("Listing PodDisruptionBudgets for all namespaces", func() { anotherFramework := framework.NewDefaultFramework("disruption-2") + anotherFramework.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release : v1.21 diff --git a/test/e2e/architecture/conformance.go b/test/e2e/architecture/conformance.go index 3b0c6a591de..1c083081efc 100644 --- a/test/e2e/architecture/conformance.go +++ b/test/e2e/architecture/conformance.go @@ -23,10 +23,12 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2enode "k8s.io/kubernetes/test/e2e/framework/node" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = SIGDescribe("Conformance Tests", func() { f := framework.NewDefaultFramework("conformance-tests") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.23 diff --git a/test/e2e/auth/certificates.go b/test/e2e/auth/certificates.go index 26c0d9b6706..da6f1c68601 100644 --- a/test/e2e/auth/certificates.go +++ b/test/e2e/auth/certificates.go 
@@ -42,10 +42,12 @@ import ( "k8s.io/client-go/util/certificate/csr" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/utils" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() { f := framework.NewDefaultFramework("certificates") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.19 diff --git a/test/e2e/auth/pod_security_policy.go b/test/e2e/auth/pod_security_policy.go index e6a295dbf43..651aeb4995d 100644 --- a/test/e2e/auth/pod_security_policy.go +++ b/test/e2e/auth/pod_security_policy.go @@ -36,6 +36,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" utilpointer "k8s.io/utils/pointer" "github.com/onsi/ginkgo" @@ -45,6 +46,7 @@ const nobodyUser = int64(65534) var _ = SIGDescribe("PodSecurityPolicy [Feature:PodSecurityPolicy]", func() { f := framework.NewDefaultFramework("podsecuritypolicy") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged f.SkipPrivilegedPSPBinding = true // Client that will impersonate the default service account, in order to run diff --git a/test/e2e/autoscaling/autoscaling_timer.go b/test/e2e/autoscaling/autoscaling_timer.go index a6af3a4832a..4e900cd1c37 100644 --- a/test/e2e/autoscaling/autoscaling_timer.go +++ b/test/e2e/autoscaling/autoscaling_timer.go 
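Review bot: In pod_security_policy.go the privileged pin sits directly above `f.SkipPrivilegedPSPBinding = true` and reads as a deliberate choice rather than a migration placeholder. Presumably Pod Security admission is opened up so that PodSecurityPolicy is the only pod-level gate these cases exercise. That intent should be written down so a later sweep that tightens the other suites does not lower this one by mistake, e.g. `// Pod Security admission stays privileged here so that PodSecurityPolicy alone decides pod admission in these tests.` If the pin is only a placeholder here too, the comment should say that instead.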
@@ -27,12 +27,14 @@ import ( e2eautoscaling "k8s.io/kubernetes/test/e2e/framework/autoscaling" e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("[Feature:ClusterSizeAutoscalingScaleUp] [Slow] Autoscaling", func() { f := framework.NewDefaultFramework("autoscaling") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Describe("Autoscaling a service", func() { ginkgo.BeforeEach(func() { diff --git a/test/e2e/autoscaling/cluster_autoscaler_scalability.go b/test/e2e/autoscaling/cluster_autoscaler_scalability.go index c9bfc195d0b..a763f492b5f 100644 --- a/test/e2e/autoscaling/cluster_autoscaler_scalability.go +++ b/test/e2e/autoscaling/cluster_autoscaler_scalability.go @@ -37,6 +37,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -61,6 +62,7 @@ type scaleUpTestConfig struct { var _ = SIGDescribe("Cluster size autoscaler scalability [Slow]", func() { f := framework.NewDefaultFramework("autoscaling") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var c clientset.Interface var nodeCount int var coresPerNode int diff --git a/test/e2e/autoscaling/cluster_size_autoscaling.go b/test/e2e/autoscaling/cluster_size_autoscaling.go index 846c3197ea8..8aa0c2baf9f 100644 --- a/test/e2e/autoscaling/cluster_size_autoscaling.go +++ b/test/e2e/autoscaling/cluster_size_autoscaling.go @@ -53,6 +53,7 @@ import ( "k8s.io/kubernetes/test/e2e/scheduling" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) 
@@ -92,6 +93,7 @@ const ( var _ = SIGDescribe("Cluster size autoscaling [Slow]", func() { f := framework.NewDefaultFramework("autoscaling") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var c clientset.Interface var nodeCount int var memAllocatableMb int diff --git a/test/e2e/autoscaling/custom_metrics_stackdriver_autoscaling.go b/test/e2e/autoscaling/custom_metrics_stackdriver_autoscaling.go index 2f3b280ea53..5f3135a0e49 100644 --- a/test/e2e/autoscaling/custom_metrics_stackdriver_autoscaling.go +++ b/test/e2e/autoscaling/custom_metrics_stackdriver_autoscaling.go @@ -33,6 +33,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/instrumentation/monitoring" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "golang.org/x/oauth2/google" @@ -51,6 +52,7 @@ var _ = SIGDescribe("[HPA] Horizontal pod autoscaling (scale resource: Custom Me }) f := framework.NewDefaultFramework("horizontal-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should scale down with Custom Metric of type Pod from Stackdriver [Feature:CustomMetricsAutoscaling]", func() { initialReplicas := 2 diff --git a/test/e2e/autoscaling/dns_autoscaling.go b/test/e2e/autoscaling/dns_autoscaling.go index 87b57ae594d..28bf68cf6b2 100644 --- a/test/e2e/autoscaling/dns_autoscaling.go +++ b/test/e2e/autoscaling/dns_autoscaling.go @@ -33,6 +33,7 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) 
@@ -47,6 +48,7 @@ const ( var _ = SIGDescribe("DNS horizontal autoscaling", func() { f := framework.NewDefaultFramework("dns-autoscaling") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var c clientset.Interface var previousParams map[string]string var originDNSReplicasCount int diff --git a/test/e2e/autoscaling/horizontal_pod_autoscaling_behavior.go b/test/e2e/autoscaling/horizontal_pod_autoscaling_behavior.go index a86f4649d4e..396bfa07221 100644 --- a/test/e2e/autoscaling/horizontal_pod_autoscaling_behavior.go +++ b/test/e2e/autoscaling/horizontal_pod_autoscaling_behavior.go @@ -21,12 +21,14 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eautoscaling "k8s.io/kubernetes/test/e2e/framework/autoscaling" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("[Feature:HPA] [Serial] [Slow] Horizontal pod autoscaling (non-default behavior)", func() { f := framework.NewDefaultFramework("horizontal-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Describe("with short downscale stabilization window", func() { ginkgo.It("should scale down soon after the stabilization period", func() { diff --git a/test/e2e/cloud/gcp/addon_update.go b/test/e2e/cloud/gcp/addon_update.go index 22b31b227bc..ab5353f9fd0 100644 --- a/test/e2e/cloud/gcp/addon_update.go +++ b/test/e2e/cloud/gcp/addon_update.go @@ -35,6 +35,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" e2essh "k8s.io/kubernetes/test/e2e/framework/ssh" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -217,6 +218,7 @@ var _ = SIGDescribe("Addon update", func() { var dir string var sshClient *ssh.Client f := framework.NewDefaultFramework("addon-update-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { // This test requires: 
diff --git a/test/e2e/cloud/gcp/apps/stateful_apps.go b/test/e2e/cloud/gcp/apps/stateful_apps.go index fac55383e31..7072bf7f482 100644 --- a/test/e2e/cloud/gcp/apps/stateful_apps.go +++ b/test/e2e/cloud/gcp/apps/stateful_apps.go @@ -23,6 +23,7 @@ import ( "k8s.io/kubernetes/test/e2e/upgrades" "k8s.io/kubernetes/test/e2e/upgrades/apps" "k8s.io/kubernetes/test/utils/junit" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -35,6 +36,7 @@ var upgradeTests = []upgrades.Test{ var _ = SIGDescribe("stateful Upgrade [Feature:StatefulUpgrade]", func() { f := framework.NewDefaultFramework("stateful-upgrade") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged testFrameworks := upgrades.CreateUpgradeFrameworks(upgradeTests) ginkgo.Describe("stateful upgrade", func() { diff --git a/test/e2e/cloud/gcp/auth/service_account_admission_controller_migration.go b/test/e2e/cloud/gcp/auth/service_account_admission_controller_migration.go index e2a385c974b..6a523b3eba8 100644 --- a/test/e2e/cloud/gcp/auth/service_account_admission_controller_migration.go +++ b/test/e2e/cloud/gcp/auth/service_account_admission_controller_migration.go @@ -22,6 +22,7 @@ import ( "k8s.io/kubernetes/test/e2e/upgrades" "k8s.io/kubernetes/test/e2e/upgrades/auth" "k8s.io/kubernetes/test/utils/junit" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -32,6 +33,7 @@ var upgradeTests = []upgrades.Test{ var _ = SIGDescribe("ServiceAccount admission controller migration [Feature:BoundServiceAccountTokenVolume]", func() { f := framework.NewDefaultFramework("serviceaccount-admission-controller-migration") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged testFrameworks := upgrades.CreateUpgradeFrameworks(upgradeTests) ginkgo.Describe("master upgrade", func() { diff --git a/test/e2e/cloud/gcp/cluster_upgrade.go b/test/e2e/cloud/gcp/cluster_upgrade.go index 6fa2836ef41..ef7cecea9c5 100644 
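Review bot: In stateful_apps.go the override is set on `f` only, while the next line builds further frameworks with `upgrades.CreateUpgradeFrameworks(upgradeTests)`. If those are separate `Framework` values, they would create their namespaces under the new restricted default unless the helper pins them as well. The diffstat lists test/e2e/upgrades/upgrade_suite.go, which is not in view here, so this may already be handled there; it is worth confirming, since the upgrade tests presumably create the actual workloads. The same pattern appears in service_account_admission_controller_migration.go, cluster_upgrade.go (both Describe blocks), kube_proxy_migration.go and node/gpu.go.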
--- a/test/e2e/cloud/gcp/cluster_upgrade.go +++ b/test/e2e/cloud/gcp/cluster_upgrade.go @@ -26,6 +26,7 @@ import ( "k8s.io/kubernetes/test/e2e/upgrades/node" "k8s.io/kubernetes/test/e2e/upgrades/storage" "k8s.io/kubernetes/test/utils/junit" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -50,6 +51,7 @@ var upgradeTests = []upgrades.Test{ var _ = SIGDescribe("Upgrade [Feature:Upgrade]", func() { f := framework.NewDefaultFramework("cluster-upgrade") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged testFrameworks := upgrades.CreateUpgradeFrameworks(upgradeTests) // Create the frameworks here because we can only create them @@ -88,6 +90,7 @@ var _ = SIGDescribe("Upgrade [Feature:Upgrade]", func() { var _ = SIGDescribe("Downgrade [Feature:Downgrade]", func() { f := framework.NewDefaultFramework("cluster-downgrade") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged testFrameworks := upgrades.CreateUpgradeFrameworks(upgradeTests) ginkgo.Describe("cluster downgrade", func() { diff --git a/test/e2e/cloud/gcp/gke_node_pools.go b/test/e2e/cloud/gcp/gke_node_pools.go index 19be0f6f22f..b00a1e8e7ce 100644 --- a/test/e2e/cloud/gcp/gke_node_pools.go +++ b/test/e2e/cloud/gcp/gke_node_pools.go @@ -23,6 +23,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -30,6 +31,7 @@ import ( var _ = SIGDescribe("GKE node pools [Feature:GKENodePool]", func() { f := framework.NewDefaultFramework("node-pools") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessProviderIs("gke") diff --git a/test/e2e/cloud/gcp/ha_master.go b/test/e2e/cloud/gcp/ha_master.go index 416063c019f..b172eb64a0f 100644 --- a/test/e2e/cloud/gcp/ha_master.go +++ b/test/e2e/cloud/gcp/ha_master.go 
@@ -35,6 +35,7 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" ) func addMasterReplica(zone string) error { @@ -161,6 +162,7 @@ func waitForMasters(masterPrefix string, c clientset.Interface, size int, timeou var _ = SIGDescribe("HA-master [Feature:HAMaster]", func() { f := framework.NewDefaultFramework("ha-master") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var c clientset.Interface var ns string var additionalReplicaZones []string diff --git a/test/e2e/cloud/gcp/kubelet_security.go b/test/e2e/cloud/gcp/kubelet_security.go index 99e9d2caf5f..1e12b2ccb58 100644 --- a/test/e2e/cloud/gcp/kubelet_security.go +++ b/test/e2e/cloud/gcp/kubelet_security.go @@ -27,12 +27,14 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2ekubelet "k8s.io/kubernetes/test/e2e/framework/kubelet" e2enode "k8s.io/kubernetes/test/e2e/framework/node" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("Ports Security Check [Feature:KubeletSecurity]", func() { f := framework.NewDefaultFramework("kubelet-security") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var node *v1.Node var nodeName string diff --git a/test/e2e/cloud/gcp/network/kube_proxy_migration.go b/test/e2e/cloud/gcp/network/kube_proxy_migration.go index e74a590e7d9..f576da6b762 100644 --- a/test/e2e/cloud/gcp/network/kube_proxy_migration.go +++ b/test/e2e/cloud/gcp/network/kube_proxy_migration.go @@ -25,6 +25,7 @@ import ( "k8s.io/kubernetes/test/e2e/upgrades" "k8s.io/kubernetes/test/e2e/upgrades/network" "k8s.io/kubernetes/test/utils/junit" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) 
@@ -45,6 +46,7 @@ func kubeProxyDaemonSetExtraEnvs(enableKubeProxyDaemonSet bool) []string { var _ = SIGDescribe("kube-proxy migration [Feature:KubeProxyDaemonSetMigration]", func() { f := framework.NewDefaultFramework("kube-proxy-ds-migration") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged upgradeTestFrameworks := upgrades.CreateUpgradeFrameworks(upgradeTests) downgradeTestsFrameworks := upgrades.CreateUpgradeFrameworks(downgradeTests) diff --git a/test/e2e/cloud/gcp/node/gpu.go b/test/e2e/cloud/gcp/node/gpu.go index 91d57de433c..c2e50fb205e 100644 --- a/test/e2e/cloud/gcp/node/gpu.go +++ b/test/e2e/cloud/gcp/node/gpu.go @@ -22,6 +22,7 @@ import ( "k8s.io/kubernetes/test/e2e/upgrades" "k8s.io/kubernetes/test/e2e/upgrades/node" "k8s.io/kubernetes/test/utils/junit" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -32,6 +33,7 @@ var upgradeTests = []upgrades.Test{ var _ = SIGDescribe("gpu Upgrade [Feature:GPUUpgrade]", func() { f := framework.NewDefaultFramework("gpu-upgrade") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged testFrameworks := upgrades.CreateUpgradeFrameworks(upgradeTests) ginkgo.Describe("master upgrade", func() { diff --git a/test/e2e/cloud/gcp/node_lease.go b/test/e2e/cloud/gcp/node_lease.go index 6d7479e85c0..5a5a7f6c264 100644 --- a/test/e2e/cloud/gcp/node_lease.go +++ b/test/e2e/cloud/gcp/node_lease.go @@ -29,6 +29,7 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -36,6 +37,7 @@ import ( var _ = SIGDescribe("[Disruptive]NodeLease", func() { f := framework.NewDefaultFramework("node-lease-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var systemPodsNo int32 var c clientset.Interface var ns string 
diff --git a/test/e2e/cloud/gcp/reboot.go b/test/e2e/cloud/gcp/reboot.go index 4a67b9b799d..d60d850e0d5 100644 --- a/test/e2e/cloud/gcp/reboot.go +++ b/test/e2e/cloud/gcp/reboot.go @@ -35,6 +35,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" e2essh "k8s.io/kubernetes/test/e2e/framework/ssh" testutils "k8s.io/kubernetes/test/utils" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -91,6 +92,7 @@ var _ = SIGDescribe("Reboot [Disruptive] [Feature:Reboot]", func() { }) f = framework.NewDefaultFramework("reboot") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("each node by ordering clean reboot and ensure they function upon restart", func() { // clean shutdown and restart diff --git a/test/e2e/cloud/gcp/recreate_node.go b/test/e2e/cloud/gcp/recreate_node.go index 73a98644c99..4459faf1d77 100644 --- a/test/e2e/cloud/gcp/recreate_node.go +++ b/test/e2e/cloud/gcp/recreate_node.go @@ -33,6 +33,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework/providers/gce" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" testutils "k8s.io/kubernetes/test/utils" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -43,6 +44,7 @@ const ( var _ = SIGDescribe("Recreate [Feature:Recreate]", func() { f := framework.NewDefaultFramework("recreate") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var originalNodes []v1.Node var originalPodNames []string var ps *testutils.PodStore diff --git a/test/e2e/cloud/gcp/resize_nodes.go b/test/e2e/cloud/gcp/resize_nodes.go index d86b7161dfb..fe40d50c7e7 100644 --- a/test/e2e/cloud/gcp/resize_nodes.go +++ b/test/e2e/cloud/gcp/resize_nodes.go @@ -29,6 +29,7 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) 
@@ -45,6 +46,7 @@ func resizeRC(c clientset.Interface, ns, name string, replicas int32) error { var _ = SIGDescribe("Nodes [Disruptive]", func() { f := framework.NewDefaultFramework("resize-nodes") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var systemPodsNo int32 var c clientset.Interface var ns string diff --git a/test/e2e/cloud/gcp/restart.go b/test/e2e/cloud/gcp/restart.go index de62d8345b3..17c6289b36d 100644 --- a/test/e2e/cloud/gcp/restart.go +++ b/test/e2e/cloud/gcp/restart.go @@ -29,6 +29,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" testutils "k8s.io/kubernetes/test/utils" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -43,6 +44,7 @@ func nodeNames(nodes []v1.Node) []string { var _ = SIGDescribe("Restart [Disruptive]", func() { f := framework.NewDefaultFramework("restart") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ps *testutils.PodStore var originalNodes []v1.Node var originalPodNames []string diff --git a/test/e2e/cloud/nodes.go b/test/e2e/cloud/nodes.go index 11293d56a44..f2aa78bfbe6 100644 --- a/test/e2e/cloud/nodes.go +++ b/test/e2e/cloud/nodes.go @@ -27,12 +27,14 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("[Feature:CloudProvider][Disruptive] Nodes", func() { f := framework.NewDefaultFramework("cloudprovider") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var c clientset.Interface ginkgo.BeforeEach(func() { diff --git a/test/e2e/common/node/lease.go b/test/e2e/common/node/lease.go index b33f8790512..3858752c00a 100644 --- a/test/e2e/common/node/lease.go +++ b/test/e2e/common/node/lease.go 
@@ -30,6 +30,7 @@ import ( "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/strategicpatch" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "k8s.io/utils/pointer" ) @@ -51,6 +52,7 @@ func getPatchBytes(oldLease, newLease *coordinationv1.Lease) ([]byte, error) { var _ = SIGDescribe("Lease", func() { f := framework.NewDefaultFramework("lease-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.17 diff --git a/test/e2e/common/node/node_lease.go b/test/e2e/common/node/node_lease.go index ed8d799f428..c2c06ee2876 100644 --- a/test/e2e/common/node/node_lease.go +++ b/test/e2e/common/node/node_lease.go @@ -31,6 +31,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2enode "k8s.io/kubernetes/test/e2e/framework/node" testutils "k8s.io/kubernetes/test/utils" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -39,6 +40,7 @@ import ( var _ = SIGDescribe("NodeLease", func() { var nodeName string f := framework.NewDefaultFramework("node-lease-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { node, err := e2enode.GetRandomReadySchedulableNode(f.ClientSet) diff --git a/test/e2e/common/node/podtemplates.go b/test/e2e/common/node/podtemplates.go index e85602bc5f8..28db75e60b3 100644 --- a/test/e2e/common/node/podtemplates.go +++ b/test/e2e/common/node/podtemplates.go @@ -31,6 +31,7 @@ import ( "k8s.io/client-go/util/retry" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -42,6 +43,7 @@ const ( var _ = SIGDescribe("PodTemplates", func() { f := framework.NewDefaultFramework("podtemplate") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.19 Testname: PodTemplate lifecycle 
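Review bot: The `Lease` suite in test/e2e/common/node/lease.go and the `PodTemplates` suite in test/e2e/common/node/podtemplates.go are switched to `admissionapi.LevelPrivileged`, yet judging by their names they exercise API objects rather than run pods, so the override looks unnecessary there. The suite bodies lie outside these hunks, so this needs confirming. If no pod is created, the added line can be dropped so the namespace stays at the framework's restricted default, leaving only `f := framework.NewDefaultFramework("lease-test")`. The same question applies to the `Events`, `Events API`, `IngressClass API`, `NetworkPolicy API` and `Netpol API` hunks later in this patch.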
diff --git a/test/e2e/common/storage/downwardapi.go b/test/e2e/common/storage/downwardapi.go index 1fc05160b58..47e3a36b92f 100644 --- a/test/e2e/common/storage/downwardapi.go +++ b/test/e2e/common/storage/downwardapi.go @@ -27,12 +27,14 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("Downward API [Serial] [Disruptive] [NodeFeature:EphemeralStorage]", func() { f := framework.NewDefaultFramework("downward-api") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("Downward API tests for local ephemeral storage", func() { ginkgo.BeforeEach(func() { diff --git a/test/e2e/instrumentation/core_events.go b/test/e2e/instrumentation/core_events.go index 9be6f06ea6e..72af05e9de7 100644 --- a/test/e2e/instrumentation/core_events.go +++ b/test/e2e/instrumentation/core_events.go @@ -26,6 +26,7 @@ import ( "k8s.io/apimachinery/pkg/util/wait" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/instrumentation/common" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "k8s.io/apimachinery/pkg/types" @@ -38,6 +39,7 @@ const ( var _ = common.SIGDescribe("Events", func() { f := framework.NewDefaultFramework("events") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.20 diff --git a/test/e2e/instrumentation/events.go b/test/e2e/instrumentation/events.go index f0486a35df8..b3e590434ab 100644 --- a/test/e2e/instrumentation/events.go +++ b/test/e2e/instrumentation/events.go @@ -32,6 +32,7 @@ import ( typedeventsv1 "k8s.io/client-go/kubernetes/typed/events/v1" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/instrumentation/common" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "k8s.io/apimachinery/pkg/types" 
@@ -75,6 +76,7 @@ func eventExistsInList(client typedeventsv1.EventInterface, namespace, name stri var _ = common.SIGDescribe("Events API", func() { f := framework.NewDefaultFramework("events") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var coreClient corev1.EventInterface var client typedeventsv1.EventInterface var clientAllNamespaces typedeventsv1.EventInterface diff --git a/test/e2e/instrumentation/logging/generic_soak.go b/test/e2e/instrumentation/logging/generic_soak.go index 742aff717ba..696460f4bde 100644 --- a/test/e2e/instrumentation/logging/generic_soak.go +++ b/test/e2e/instrumentation/logging/generic_soak.go @@ -29,6 +29,7 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" instrumentation "k8s.io/kubernetes/test/e2e/instrumentation/common" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -42,6 +43,7 @@ var _ = e2econfig.AddOptions(&loggingSoak, "instrumentation.logging.soak") var _ = instrumentation.SIGDescribe("Logging soak [Performance] [Slow] [Disruptive]", func() { f := framework.NewDefaultFramework("logging-soak") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Not a global constant (irrelevant outside this test), also not a parameter (if you want more logs, use --scale=). kbRateInSeconds := 1 * time.Second diff --git a/test/e2e/instrumentation/monitoring/accelerator.go b/test/e2e/instrumentation/monitoring/accelerator.go index 90047e46ea1..cd371b9a464 100644 --- a/test/e2e/instrumentation/monitoring/accelerator.go +++ b/test/e2e/instrumentation/monitoring/accelerator.go @@ -31,6 +31,7 @@ import ( instrumentation "k8s.io/kubernetes/test/e2e/instrumentation/common" "k8s.io/kubernetes/test/e2e/scheduling" "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "golang.org/x/oauth2/google" 
@@ -52,6 +53,7 @@ var _ = instrumentation.SIGDescribe("Stackdriver Monitoring", func() { }) f := framework.NewDefaultFramework("stackdriver-monitoring") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should have accelerator metrics [Feature:StackdriverAcceleratorMonitoring]", func() { testStackdriverAcceleratorMonitoring(f) diff --git a/test/e2e/instrumentation/monitoring/custom_metrics_stackdriver.go b/test/e2e/instrumentation/monitoring/custom_metrics_stackdriver.go index d340b4cf0af..9a88d7fb84f 100644 --- a/test/e2e/instrumentation/monitoring/custom_metrics_stackdriver.go +++ b/test/e2e/instrumentation/monitoring/custom_metrics_stackdriver.go @@ -35,6 +35,7 @@ import ( instrumentation "k8s.io/kubernetes/test/e2e/instrumentation/common" customclient "k8s.io/metrics/pkg/client/custom_metrics" externalclient "k8s.io/metrics/pkg/client/external_metrics" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "golang.org/x/oauth2/google" @@ -53,6 +54,7 @@ var _ = instrumentation.SIGDescribe("Stackdriver Monitoring", func() { }) f := framework.NewDefaultFramework("stackdriver-monitoring") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should run Custom Metrics - Stackdriver Adapter for old resource model [Feature:StackdriverCustomMetrics]", func() { kubeClient := f.ClientSet diff --git a/test/e2e/instrumentation/monitoring/metrics_grabber.go b/test/e2e/instrumentation/monitoring/metrics_grabber.go index efe230ab4ee..a08039a94a3 100644 --- a/test/e2e/instrumentation/monitoring/metrics_grabber.go +++ b/test/e2e/instrumentation/monitoring/metrics_grabber.go 
@@ -30,10 +30,12 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" instrumentation "k8s.io/kubernetes/test/e2e/instrumentation/common" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = instrumentation.SIGDescribe("MetricsGrabber", func() { f := framework.NewDefaultFramework("metrics-grabber") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var c, ec clientset.Interface var grabber *e2emetrics.Grabber ginkgo.BeforeEach(func() { diff --git a/test/e2e/instrumentation/monitoring/stackdriver.go b/test/e2e/instrumentation/monitoring/stackdriver.go index 6683df510e1..658ec887212 100644 --- a/test/e2e/instrumentation/monitoring/stackdriver.go +++ b/test/e2e/instrumentation/monitoring/stackdriver.go @@ -28,6 +28,7 @@ import ( e2eautoscaling "k8s.io/kubernetes/test/e2e/framework/autoscaling" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" instrumentation "k8s.io/kubernetes/test/e2e/instrumentation/common" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "golang.org/x/oauth2/google" @@ -65,6 +66,7 @@ var _ = instrumentation.SIGDescribe("Stackdriver Monitoring", func() { }) f := framework.NewDefaultFramework("stackdriver-monitoring") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should have cluster metrics [Feature:StackdriverMonitoring]", func() { testStackdriverMonitoring(f, 1, 100, 200) diff --git a/test/e2e/instrumentation/monitoring/stackdriver_metadata_agent.go b/test/e2e/instrumentation/monitoring/stackdriver_metadata_agent.go index 34d1b95f6ed..7df81d90de1 100644 --- a/test/e2e/instrumentation/monitoring/stackdriver_metadata_agent.go +++ b/test/e2e/instrumentation/monitoring/stackdriver_metadata_agent.go 
@@ -31,6 +31,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" instrumentation "k8s.io/kubernetes/test/e2e/instrumentation/common" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "golang.org/x/oauth2/google" @@ -50,6 +51,7 @@ var _ = instrumentation.SIGDescribe("Stackdriver Monitoring", func() { }) f := framework.NewDefaultFramework("stackdriver-monitoring") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var kubeClient clientset.Interface ginkgo.It("should run Stackdriver Metadata Agent [Feature:StackdriverMetadataAgent]", func() { diff --git a/test/e2e/lifecycle/bootstrap/bootstrap_signer.go b/test/e2e/lifecycle/bootstrap/bootstrap_signer.go index beb046335a4..90e2ee15d5f 100644 --- a/test/e2e/lifecycle/bootstrap/bootstrap_signer.go +++ b/test/e2e/lifecycle/bootstrap/bootstrap_signer.go @@ -26,6 +26,7 @@ import ( bootstrapapi "k8s.io/cluster-bootstrap/token/api" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/lifecycle" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -41,6 +42,7 @@ var _ = lifecycle.SIGDescribe("[Feature:BootstrapTokens]", func() { var c clientset.Interface f := framework.NewDefaultFramework("bootstrap-signer") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.AfterEach(func() { if len(secretNeedClean) > 0 { ginkgo.By("delete the bootstrap token secret") diff --git a/test/e2e/lifecycle/bootstrap/bootstrap_token_cleaner.go b/test/e2e/lifecycle/bootstrap/bootstrap_token_cleaner.go index c0c136d7e77..96cb8a5e049 100644 --- a/test/e2e/lifecycle/bootstrap/bootstrap_token_cleaner.go +++ b/test/e2e/lifecycle/bootstrap/bootstrap_token_cleaner.go @@ -27,6 +27,7 @@ import ( bootstrapapi "k8s.io/cluster-bootstrap/token/api" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/lifecycle" + admissionapi "k8s.io/pod-security-admission/api" ) var secretNeedClean string 
@@ -35,6 +36,7 @@ var _ = lifecycle.SIGDescribe("[Feature:BootstrapTokens]", func() { var c clientset.Interface f := framework.NewDefaultFramework("bootstrap-token-cleaner") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { c = f.ClientSet diff --git a/test/e2e/network/dns_common.go b/test/e2e/network/dns_common.go index 5c95a97957c..75ac489fb05 100644 --- a/test/e2e/network/dns_common.go +++ b/test/e2e/network/dns_common.go @@ -36,6 +36,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" imageutils "k8s.io/kubernetes/test/utils/image" dnsclient "k8s.io/kubernetes/third_party/forked/golang/net" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -59,8 +60,10 @@ type dnsTestCommon struct { } func newDNSTestCommon() dnsTestCommon { + framework := framework.NewDefaultFramework("dns-config-map") + framework.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged return dnsTestCommon{ - f: framework.NewDefaultFramework("dns-config-map"), + f: framework, ns: "kube-system", } } diff --git a/test/e2e/network/dns_scale_records.go b/test/e2e/network/dns_scale_records.go index d79c3dc98bb..7d111fa15c5 100644 --- a/test/e2e/network/dns_scale_records.go +++ b/test/e2e/network/dns_scale_records.go @@ -30,6 +30,7 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" "k8s.io/kubernetes/test/e2e/network/common" testutils "k8s.io/kubernetes/test/utils" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -43,6 +44,7 @@ const ( var _ = common.SIGDescribe("[Feature:PerformanceDNS][Serial]", func() { f := framework.NewDefaultFramework("performancedns") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { framework.ExpectNoError(framework.WaitForAllNodesSchedulable(f.ClientSet, framework.TestContext.NodeSchedulableTimeout)) 
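Review bot: In `newDNSTestCommon` (test/e2e/network/dns_common.go) the new local `framework := framework.NewDefaultFramework("dns-config-map")` shadows the imported `framework` package for the rest of the function. It compiles today, but any package-level call added to this function later would resolve to the variable instead of the package. Naming it as the other suites do avoids that: `f := framework.NewDefaultFramework("dns-config-map")`, then `f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged`, and `f: f,` in the struct literal.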
diff --git a/test/e2e/network/dual_stack.go b/test/e2e/network/dual_stack.go index 448852e1428..3299a748cf2 100644 --- a/test/e2e/network/dual_stack.go +++ b/test/e2e/network/dual_stack.go @@ -38,12 +38,14 @@ import ( e2eservice "k8s.io/kubernetes/test/e2e/framework/service" "k8s.io/kubernetes/test/e2e/network/common" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" netutils "k8s.io/utils/net" ) // Tests for ipv4-ipv6 dual-stack feature var _ = common.SIGDescribe("[Feature:IPv6DualStack]", func() { f := framework.NewDefaultFramework("dualstack") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface var podClient *framework.PodClient diff --git a/test/e2e/network/endpointslicemirroring.go b/test/e2e/network/endpointslicemirroring.go index 0c56f538ad2..a745abee72d 100644 --- a/test/e2e/network/endpointslicemirroring.go +++ b/test/e2e/network/endpointslicemirroring.go @@ -29,10 +29,12 @@ import ( clientset "k8s.io/client-go/kubernetes" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/network/common" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = common.SIGDescribe("EndpointSliceMirroring", func() { f := framework.NewDefaultFramework("endpointslicemirroring") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface diff --git a/test/e2e/network/example_cluster_dns.go b/test/e2e/network/example_cluster_dns.go index 97c6f34768e..b5e73ee130a 100644 --- a/test/e2e/network/example_cluster_dns.go +++ b/test/e2e/network/example_cluster_dns.go @@ -38,6 +38,7 @@ import ( e2eservice "k8s.io/kubernetes/test/e2e/framework/service" e2etestfiles "k8s.io/kubernetes/test/e2e/framework/testfiles" "k8s.io/kubernetes/test/e2e/network/common" + admissionapi "k8s.io/pod-security-admission/api" ) const ( 
@@ -57,6 +58,7 @@ except: var _ = common.SIGDescribe("ClusterDns [Feature:Example]", func() { f := framework.NewDefaultFramework("cluster-dns") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var c clientset.Interface ginkgo.BeforeEach(func() { diff --git a/test/e2e/network/firewall.go b/test/e2e/network/firewall.go index 97b67fc492a..9e05edea59b 100644 --- a/test/e2e/network/firewall.go +++ b/test/e2e/network/firewall.go @@ -39,6 +39,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/network/common" gcecloud "k8s.io/legacy-cloud-providers/gce" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -53,6 +54,7 @@ const ( var _ = common.SIGDescribe("Firewall rule", func() { var firewallTestName = "firewall-test" f := framework.NewDefaultFramework(firewallTestName) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface var cloudConfig framework.CloudConfig diff --git a/test/e2e/network/ingress.go b/test/e2e/network/ingress.go index 57999b847b0..a5a070f9cb5 100644 --- a/test/e2e/network/ingress.go +++ b/test/e2e/network/ingress.go @@ -537,6 +537,7 @@ func detectNegAnnotation(f *framework.Framework, jig *e2eingress.TestJig, gceCon var _ = common.SIGDescribe("Ingress API", func() { f := framework.NewDefaultFramework("ingress") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.19 Testname: Ingress API diff --git a/test/e2e/network/ingress_scale.go b/test/e2e/network/ingress_scale.go index a21e5508b33..81488a28066 100644 --- a/test/e2e/network/ingress_scale.go +++ b/test/e2e/network/ingress_scale.go @@ -21,6 +21,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/network/common" "k8s.io/kubernetes/test/e2e/network/scale" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) 
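Review bot: The `Ingress API` hunk in test/e2e/network/ingress.go uses `admissionapi.LevelPrivileged`, but this file section has no hunk adding the `admissionapi "k8s.io/pod-security-admission/api"` import that the other files in the patch gain. If ingress.go does not already import the package, the e2e build breaks; the import block is outside the hunk, so please confirm. The two hunks for test/e2e/network/netpol/network_legacy.go have the same shape.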
@@ -31,6 +32,7 @@ var _ = common.SIGDescribe("Loadbalancing: L7 Scalability", func() { ns string ) f := framework.NewDefaultFramework("ingress-scale") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { ns = f.Namespace.Name diff --git a/test/e2e/network/ingressclass.go b/test/e2e/network/ingressclass.go index 249a87ec1ad..38170067ad1 100644 --- a/test/e2e/network/ingressclass.go +++ b/test/e2e/network/ingressclass.go @@ -31,6 +31,7 @@ import ( clientset "k8s.io/client-go/kubernetes" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/network/common" + admissionapi "k8s.io/pod-security-admission/api" utilpointer "k8s.io/utils/pointer" "github.com/onsi/ginkgo" @@ -38,6 +39,7 @@ import ( var _ = common.SIGDescribe("IngressClass [Feature:Ingress]", func() { f := framework.NewDefaultFramework("ingressclass") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface ginkgo.BeforeEach(func() { cs = f.ClientSet @@ -181,6 +183,7 @@ func deleteIngressClass(cs clientset.Interface, name string) { var _ = common.SIGDescribe("IngressClass API", func() { f := framework.NewDefaultFramework("ingressclass") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface ginkgo.BeforeEach(func() { cs = f.ClientSet diff --git a/test/e2e/network/netpol/network_legacy.go b/test/e2e/network/netpol/network_legacy.go index 6db4d97cdbd..8ec0381ecc5 100644 --- a/test/e2e/network/netpol/network_legacy.go +++ b/test/e2e/network/netpol/network_legacy.go @@ -1733,6 +1733,7 @@ var _ = common.SIGDescribe("NetworkPolicy [Feature:SCTPConnectivity][LinuxOnly][ var podServer *v1.Pod var podServerLabelSelector string f := framework.NewDefaultFramework("sctp-network-policy") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { // Windows does not support network policies. 
@@ -2186,6 +2187,7 @@ func cleanupNetworkPolicy(f *framework.Framework, policy *networkingv1.NetworkPo var _ = common.SIGDescribe("NetworkPolicy API", func() { f := framework.NewDefaultFramework("networkpolicies") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.20 Testname: NetworkPolicies API diff --git a/test/e2e/network/netpol/network_policy.go b/test/e2e/network/netpol/network_policy.go index 9fca76aebf5..45cde9918aa 100644 --- a/test/e2e/network/netpol/network_policy.go +++ b/test/e2e/network/netpol/network_policy.go @@ -33,6 +33,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/network/common" + admissionapi "k8s.io/pod-security-admission/api" utilnet "k8s.io/utils/net" ) @@ -116,6 +117,7 @@ and what is happening in practice: var _ = common.SIGDescribe("Netpol", func() { f := framework.NewDefaultFramework("netpol") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var model *Model ginkgo.Context("NetworkPolicy between server and client", func() { @@ -1254,6 +1256,7 @@ var _ = common.SIGDescribe("Netpol", func() { var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { f := framework.NewDefaultFramework("udp-network-policy") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var model *Model ginkgo.BeforeEach(func() { // Windows does not support UDP testing via agnhost. @@ -1339,6 +1342,7 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { var _ = common.SIGDescribe("Netpol [Feature:SCTPConnectivity][LinuxOnly][Disruptive]", func() { f := framework.NewDefaultFramework("sctp-network-policy") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var model *Model ginkgo.BeforeEach(func() { // Windows does not support network policies. diff --git a/test/e2e/network/netpol/network_policy_api.go b/test/e2e/network/netpol/network_policy_api.go index e3825770194..35eaa664b9a 100644 
--- a/test/e2e/network/netpol/network_policy_api.go +++ b/test/e2e/network/netpol/network_policy_api.go @@ -25,6 +25,7 @@ import ( "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/watch" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" networkingv1 "k8s.io/api/networking/v1" @@ -35,6 +36,7 @@ import ( var _ = common.SIGDescribe("Netpol API", func() { f := framework.NewDefaultFramework("netpol") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.20 Testname: NetworkPolicies API diff --git a/test/e2e/network/network_tiers.go b/test/e2e/network/network_tiers.go index ae948f79458..abc3f3d36cb 100644 --- a/test/e2e/network/network_tiers.go +++ b/test/e2e/network/network_tiers.go @@ -34,12 +34,14 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/network/common" gcecloud "k8s.io/legacy-cloud-providers/gce" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = common.SIGDescribe("Services GCE [Slow]", func() { f := framework.NewDefaultFramework("services") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface serviceLBNames := []string{} diff --git a/test/e2e/network/no_snat.go b/test/e2e/network/no_snat.go index 1799914cfff..c98dd6d6148 100644 --- a/test/e2e/network/no_snat.go +++ b/test/e2e/network/no_snat.go @@ -26,6 +26,7 @@ import ( v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/wait" + admissionapi "k8s.io/pod-security-admission/api" "k8s.io/kubernetes/test/e2e/framework" e2enode "k8s.io/kubernetes/test/e2e/framework/node" 
@@ -63,6 +64,7 @@ var ( // We use the [Feature:NoSNAT] tag so that most jobs will skip this test by default. var _ = common.SIGDescribe("NoSNAT [Feature:NoSNAT] [Slow]", func() { f := framework.NewDefaultFramework("no-snat-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("Should be able to send traffic between Pods without SNAT", func() { cs := f.ClientSet pc := cs.CoreV1().Pods(f.Namespace.Name) diff --git a/test/e2e/network/topology_hints.go b/test/e2e/network/topology_hints.go index c929a7e48e4..39d0f9fe4ba 100644 --- a/test/e2e/network/topology_hints.go +++ b/test/e2e/network/topology_hints.go @@ -37,10 +37,12 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/network/common" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = common.SIGDescribe("[Feature:Topology Hints]", func() { f := framework.NewDefaultFramework("topology-hints") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // filled in BeforeEach var c clientset.Interface diff --git a/test/e2e/node/kubelet_perf.go b/test/e2e/node/kubelet_perf.go index df8e2d79d04..3d09a537fe3 100644 --- a/test/e2e/node/kubelet_perf.go +++ b/test/e2e/node/kubelet_perf.go @@ -33,6 +33,7 @@ import ( "k8s.io/kubernetes/test/e2e/perftype" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -196,6 +197,7 @@ func verifyCPULimits(expected e2ekubelet.ContainersCPUSummary, actual e2ekubelet var _ = SIGDescribe("Kubelet [Serial] [Slow]", func() { var nodeNames sets.String f := framework.NewDefaultFramework("kubelet-perf") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var om *e2ekubelet.RuntimeOperationMonitor var rm *e2ekubelet.ResourceMonitor 
diff --git a/test/e2e/node/node_problem_detector.go b/test/e2e/node/node_problem_detector.go index 1529229e6b6..a61a894d5b6 100644 --- a/test/e2e/node/node_problem_detector.go +++ b/test/e2e/node/node_problem_detector.go @@ -34,6 +34,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" e2essh "k8s.io/kubernetes/test/e2e/framework/ssh" testutils "k8s.io/kubernetes/test/utils" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -48,6 +49,7 @@ var _ = SIGDescribe("NodeProblemDetector", func() { maxNodesToProcess = 10 ) f := framework.NewDefaultFramework("node-problem-detector") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessSSHKeyPresent() diff --git a/test/e2e/node/pod_gc.go b/test/e2e/node/pod_gc.go index 4b63235d980..517360cdabd 100644 --- a/test/e2e/node/pod_gc.go +++ b/test/e2e/node/pod_gc.go @@ -29,6 +29,7 @@ import ( "k8s.io/apimachinery/pkg/util/wait" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) // This test requires that --terminated-pod-gc-threshold=100 be set on the controller manager @@ -36,6 +37,7 @@ import ( // Slow by design (7 min) var _ = SIGDescribe("Pod garbage collector [Feature:PodGarbageCollector] [Slow]", func() { f := framework.NewDefaultFramework("pod-garbage-collector") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should handle the creation of 1000 pods", func() { var count int for count < 1000 { diff --git a/test/e2e/node/ssh.go b/test/e2e/node/ssh.go index 901bc45d110..ac4f1b822c7 100644 --- a/test/e2e/node/ssh.go +++ b/test/e2e/node/ssh.go 
@@ -23,6 +23,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" e2essh "k8s.io/kubernetes/test/e2e/framework/ssh" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -32,6 +33,7 @@ const maxNodes = 100 var _ = SIGDescribe("SSH", func() { f := framework.NewDefaultFramework("ssh") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { // When adding more providers here, also implement their functionality in e2essh.GetSigner(...). diff --git a/test/e2e/scheduling/nvidia-gpus.go b/test/e2e/scheduling/nvidia-gpus.go index 313e773b8e2..0e2c1d70011 100644 --- a/test/e2e/scheduling/nvidia-gpus.go +++ b/test/e2e/scheduling/nvidia-gpus.go @@ -39,6 +39,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" e2etestfiles "k8s.io/kubernetes/test/e2e/framework/testfiles" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -221,6 +222,7 @@ func logContainers(f *framework.Framework, pod *v1.Pod) { var _ = SIGDescribe("[Feature:GPUDevicePlugin]", func() { f := framework.NewDefaultFramework("device-plugin-gpus") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("run Nvidia GPU Device Plugin tests", func() { testNvidiaGPUs(f) }) @@ -322,6 +324,7 @@ var _ = SIGDescribe("GPUDevicePluginAcrossRecreate [Feature:Recreate]", func() { e2eskipper.SkipUnlessProviderIs("gce", "gke") }) f := framework.NewDefaultFramework("device-plugin-gpus-recreate") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("run Nvidia GPU Device Plugin tests with a recreation", func() { testNvidiaGPUsJob(f) }) diff --git a/test/e2e/scheduling/preemption.go b/test/e2e/scheduling/preemption.go index 06a14036277..a59ddc41a2b 100644 --- a/test/e2e/scheduling/preemption.go +++ b/test/e2e/scheduling/preemption.go 
@@ -683,6 +683,7 @@ var _ = SIGDescribe("SchedulerPreemption [Serial]", func() { ginkgo.Context("PriorityClass endpoints", func() { var cs clientset.Interface f := framework.NewDefaultFramework("sched-preemption-path") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged testUUID := uuid.New().String() var pcs []*schedulingv1.PriorityClass diff --git a/test/e2e/storage/csistoragecapacity.go b/test/e2e/storage/csistoragecapacity.go index 9c5401f85a4..3d91de3c06e 100644 --- a/test/e2e/storage/csistoragecapacity.go +++ b/test/e2e/storage/csistoragecapacity.go @@ -28,12 +28,14 @@ import ( "k8s.io/apimachinery/pkg/watch" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = utils.SIGDescribe("CSIStorageCapacity", func() { f := framework.NewDefaultFramework("csistoragecapacity") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Release: v1.24 diff --git a/test/e2e/storage/detach_mounted.go b/test/e2e/storage/detach_mounted.go index 54ec3f59e13..2ca1377903f 100644 --- a/test/e2e/storage/detach_mounted.go +++ b/test/e2e/storage/detach_mounted.go @@ -33,6 +33,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -45,6 +46,7 @@ var ( var _ = utils.SIGDescribe("[Feature:Flexvolumes] Detaching volumes", func() { f := framework.NewDefaultFramework("flexvolume") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // note that namespace deletion is handled by delete-namespace flag diff --git a/test/e2e/storage/flexvolume_mounted_volume_resize.go b/test/e2e/storage/flexvolume_mounted_volume_resize.go index 33ab803486b..8d54db382a8 100644 --- a/test/e2e/storage/flexvolume_mounted_volume_resize.go 
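Review bot: The preemption.go hunk uses `admissionapi`, but this file's section has no import hunk (the offsets are 683 on both sides), so the alias must already be imported for the file to build. persistent_volumes.go (`@@ -97,6 +97,7 @@`) is in the same position. If the import is already present, other frameworks in the file presumably set an enforce level already, so it is worth checking whether the nested "PriorityClass endpoints" context can use the same level as its siblings instead of privileged. If privileged is kept, say so next to the assignment, e.g. `// Kept privileged only to preserve pre-existing behaviour; TODO confirm a lower level works.` The enclosing Context body continues outside the hunk.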
+++ b/test/e2e/storage/flexvolume_mounted_volume_resize.go @@ -38,6 +38,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/testsuites" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -61,6 +62,7 @@ var _ = utils.SIGDescribe("[Feature:Flexvolumes] Mounted flexvolume expand[Slow] ) f := framework.NewDefaultFramework("mounted-flexvolume-expand") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessProviderIs("aws", "gce", "local") e2eskipper.SkipUnlessMasterOSDistroIs("debian", "ubuntu", "gci", "custom") diff --git a/test/e2e/storage/flexvolume_online_resize.go b/test/e2e/storage/flexvolume_online_resize.go index 4b2721e0b8e..7e121cfee11 100644 --- a/test/e2e/storage/flexvolume_online_resize.go +++ b/test/e2e/storage/flexvolume_online_resize.go @@ -37,6 +37,7 @@ import ( "k8s.io/kubernetes/test/e2e/storage/testsuites" "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = utils.SIGDescribe("[Feature:Flexvolumes] Mounted flexvolume volume expand [Slow]", func() { @@ -55,6 +56,7 @@ var _ = utils.SIGDescribe("[Feature:Flexvolumes] Mounted flexvolume volume expan ) f := framework.NewDefaultFramework("mounted-flexvolume-expand") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessProviderIs("aws", "gce", "local") e2eskipper.SkipUnlessMasterOSDistroIs("debian", "ubuntu", "gci", "custom") diff --git a/test/e2e/storage/generic_persistent_volume-disruptive.go b/test/e2e/storage/generic_persistent_volume-disruptive.go index 6a19ba51217..fed257e9136 100644 --- a/test/e2e/storage/generic_persistent_volume-disruptive.go +++ b/test/e2e/storage/generic_persistent_volume-disruptive.go 
@@ -30,10 +30,12 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/testsuites" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = utils.SIGDescribe("GenericPersistentVolume[Disruptive]", func() { f := framework.NewDefaultFramework("generic-disruptive-pv") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( c clientset.Interface ns string diff --git a/test/e2e/storage/gke_local_ssd.go b/test/e2e/storage/gke_local_ssd.go index e57bde08e3a..cc47ba3a809 100644 --- a/test/e2e/storage/gke_local_ssd.go +++ b/test/e2e/storage/gke_local_ssd.go @@ -26,6 +26,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -33,6 +34,7 @@ import ( var _ = utils.SIGDescribe("GKE local SSD [Feature:GKELocalSSD]", func() { f := framework.NewDefaultFramework("localssd") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessProviderIs("gke") diff --git a/test/e2e/storage/mounted_volume_resize.go b/test/e2e/storage/mounted_volume_resize.go index 45a8b03e4fb..9cfca647223 100644 --- a/test/e2e/storage/mounted_volume_resize.go +++ b/test/e2e/storage/mounted_volume_resize.go @@ -28,6 +28,7 @@ import ( storagev1 "k8s.io/api/storage/v1" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + admissionapi "k8s.io/pod-security-admission/api" utilerrors "k8s.io/apimachinery/pkg/util/errors" "k8s.io/apimachinery/pkg/util/wait" 
@@ -58,6 +59,7 @@ var _ = utils.SIGDescribe("Mounted volume expand [Feature:StorageProvider]", fun ) f := framework.NewDefaultFramework("mounted-volume-expand") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessProviderIs("aws", "gce") c = f.ClientSet diff --git a/test/e2e/storage/nfs_persistent_volume-disruptive.go b/test/e2e/storage/nfs_persistent_volume-disruptive.go index 35876be3c4c..efe1ed90109 100644 --- a/test/e2e/storage/nfs_persistent_volume-disruptive.go +++ b/test/e2e/storage/nfs_persistent_volume-disruptive.go @@ -39,6 +39,7 @@ import ( e2essh "k8s.io/kubernetes/test/e2e/framework/ssh" e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) type testBody func(c clientset.Interface, f *framework.Framework, clientPod *v1.Pod) @@ -77,6 +78,7 @@ func checkForControllerManagerHealthy(duration time.Duration) error { var _ = utils.SIGDescribe("NFSPersistentVolumes[Disruptive][Flaky]", func() { f := framework.NewDefaultFramework("disruptive-pv") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( c clientset.Interface ns string diff --git a/test/e2e/storage/pd.go b/test/e2e/storage/pd.go index c7ffa4fe164..706885feaa3 100644 --- a/test/e2e/storage/pd.go +++ b/test/e2e/storage/pd.go @@ -48,6 +48,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -70,6 +71,7 @@ var _ = utils.SIGDescribe("Pod Disks [Feature:StorageProvider]", func() { nodes *v1.NodeList ) f := framework.NewDefaultFramework("pod-disks") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessNodeCountIsAtLeast(minNodes) 
diff --git a/test/e2e/storage/persistent_volumes-gce.go b/test/e2e/storage/persistent_volumes-gce.go index cd479b7c913..238c4eb568c 100644 --- a/test/e2e/storage/persistent_volumes-gce.go +++ b/test/e2e/storage/persistent_volumes-gce.go @@ -32,6 +32,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) // verifyGCEDiskAttached performs a sanity check to verify the PD attached to the node @@ -74,6 +75,7 @@ var _ = utils.SIGDescribe("PersistentVolumes GCEPD [Feature:StorageProvider]", f ) f := framework.NewDefaultFramework("pv") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { c = f.ClientSet ns = f.Namespace.Name diff --git a/test/e2e/storage/persistent_volumes.go b/test/e2e/storage/persistent_volumes.go index df6a787c8e8..c8c11a8ead9 100644 --- a/test/e2e/storage/persistent_volumes.go +++ b/test/e2e/storage/persistent_volumes.go @@ -97,6 +97,7 @@ var _ = utils.SIGDescribe("PersistentVolumes", func() { // global vars for the ginkgo.Context()s and ginkgo.It()'s below f := framework.NewDefaultFramework("pv") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( c clientset.Interface ns string diff --git a/test/e2e/storage/pv_protection.go b/test/e2e/storage/pv_protection.go index fc63531070c..570b85ea0d3 100644 --- a/test/e2e/storage/pv_protection.go +++ b/test/e2e/storage/pv_protection.go @@ -32,6 +32,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2epv "k8s.io/kubernetes/test/e2e/framework/pv" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = utils.SIGDescribe("PV Protection", func() { 
@@ -48,6 +49,7 @@ var _ = utils.SIGDescribe("PV Protection", func() { ) f := framework.NewDefaultFramework("pv-protection") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { client = f.ClientSet nameSpace = f.Namespace.Name diff --git a/test/e2e/storage/regional_pd.go b/test/e2e/storage/regional_pd.go index e2cace65ddb..1ad6768ba94 100644 --- a/test/e2e/storage/regional_pd.go +++ b/test/e2e/storage/regional_pd.go @@ -48,6 +48,7 @@ import ( "k8s.io/kubernetes/test/e2e/storage/testsuites" "k8s.io/kubernetes/test/e2e/storage/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -60,6 +61,7 @@ const ( var _ = utils.SIGDescribe("Regional PD", func() { f := framework.NewDefaultFramework("regional-pd") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // filled in BeforeEach var c clientset.Interface diff --git a/test/e2e/storage/testsuites/capacity.go b/test/e2e/storage/testsuites/capacity.go index 8dcfe0747e7..098768da307 100644 --- a/test/e2e/storage/testsuites/capacity.go +++ b/test/e2e/storage/testsuites/capacity.go @@ -34,6 +34,7 @@ import ( e2evolume "k8s.io/kubernetes/test/e2e/framework/volume" storageframework "k8s.io/kubernetes/test/e2e/storage/framework" storageutils "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) type capacityTestSuite struct { @@ -89,6 +90,7 @@ func (p *capacityTestSuite) DefineTests(driver storageframework.TestDriver, patt // Beware that it also registers an AfterEach which renders f unusable. Any code using // f must run inside an It or Context callback. f := framework.NewFrameworkWithCustomTimeouts("capacity", storageframework.GetDriverTimeouts(driver)) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged init := func() { dDriver, _ = driver.(storageframework.DynamicPVTestDriver) 
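Review bot: In capacity.go the added assignment touches `f` at definition time, directly beneath the existing comment that says any code using `f` must run inside an It or Context callback, and nothing explains why this line is the exception. CreateNamespace reads `NamespacePodSecurityEnforceLevel` when it builds the namespace, so the field has to be set before the framework's own setup runs. A one-line comment would make that explicit, e.g. `// Set at definition time: the framework reads this when it creates the test namespace.` The same applies to the identical hunk in volume_stress.go. DefineTests begins and ends outside both hunks.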
diff --git a/test/e2e/storage/testsuites/volume_stress.go b/test/e2e/storage/testsuites/volume_stress.go index 289c9d154de..c25d0c0cd0c 100644 --- a/test/e2e/storage/testsuites/volume_stress.go +++ b/test/e2e/storage/testsuites/volume_stress.go @@ -34,6 +34,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" storageframework "k8s.io/kubernetes/test/e2e/storage/framework" storageutils "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) type volumeStressTestSuite struct { @@ -113,6 +114,7 @@ func (t *volumeStressTestSuite) DefineTests(driver storageframework.TestDriver, // Beware that it also registers an AfterEach which renders f unusable. Any code using // f must run inside an It or Context callback. f := framework.NewFrameworkWithCustomTimeouts("stress", storageframework.GetDriverTimeouts(driver)) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged init := func() { cs = f.ClientSet diff --git a/test/e2e/storage/testsuites/volumeperf.go b/test/e2e/storage/testsuites/volumeperf.go index baabe0ab8bc..b2634bbeef9 100644 --- a/test/e2e/storage/testsuites/volumeperf.go +++ b/test/e2e/storage/testsuites/volumeperf.go @@ -37,6 +37,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" storageframework "k8s.io/kubernetes/test/e2e/storage/framework" + admissionapi "k8s.io/pod-security-admission/api" ) type volumePerformanceTestSuite struct { @@ -126,6 +127,7 @@ func (t *volumePerformanceTestSuite) DefineTests(driver storageframework.TestDri ClientBurst: 400, } f := framework.NewFramework("volume-lifecycle-performance", frameworkOptions, nil) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged f.AddAfterEach("cleanup", func(f *framework.Framework, failed bool) { ginkgo.By("Closing informer channel") close(l.stopCh) 
diff --git a/test/e2e/storage/ubernetes_lite_volumes.go b/test/e2e/storage/ubernetes_lite_volumes.go index c3028614164..90f28cb406c 100644 --- a/test/e2e/storage/ubernetes_lite_volumes.go +++ b/test/e2e/storage/ubernetes_lite_volumes.go @@ -30,10 +30,12 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = utils.SIGDescribe("Multi-AZ Cluster Volumes", func() { f := framework.NewDefaultFramework("multi-az") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var zoneCount int var err error image := framework.ServeHostnameImage diff --git a/test/e2e/storage/volume_limits.go b/test/e2e/storage/volume_limits.go index 5d443bc978c..8d87c2c182b 100644 --- a/test/e2e/storage/volume_limits.go +++ b/test/e2e/storage/volume_limits.go @@ -26,6 +26,7 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = utils.SIGDescribe("Volume limits", func() { @@ -33,6 +34,7 @@ var _ = utils.SIGDescribe("Volume limits", func() { c clientset.Interface ) f := framework.NewDefaultFramework("volume-limits-on-node") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessProviderIs("aws", "gce", "gke") // If CSIMigration is enabled, then the limits should be on CSINodes, not Nodes, and another test checks this diff --git a/test/e2e/storage/vsphere/persistent_volumes-vsphere.go b/test/e2e/storage/vsphere/persistent_volumes-vsphere.go index 8cd8eaf2dbf..6ca8d8c78c0 100644 --- a/test/e2e/storage/vsphere/persistent_volumes-vsphere.go +++ b/test/e2e/storage/vsphere/persistent_volumes-vsphere.go 
@@ -30,6 +30,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) // Testing configurations of single a PV/PVC pair attached to a vSphere Disk @@ -51,6 +52,7 @@ var _ = utils.SIGDescribe("PersistentVolumes:vsphere [Feature:vsphere]", func() ) f := framework.NewDefaultFramework("pv") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* Test Setup diff --git a/test/e2e/storage/vsphere/pv_reclaimpolicy.go b/test/e2e/storage/vsphere/pv_reclaimpolicy.go index b8f1d0f4b93..ed9298783e7 100644 --- a/test/e2e/storage/vsphere/pv_reclaimpolicy.go +++ b/test/e2e/storage/vsphere/pv_reclaimpolicy.go @@ -31,10 +31,12 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = utils.SIGDescribe("PersistentVolumes [Feature:vsphere][Feature:ReclaimPolicy]", func() { f := framework.NewDefaultFramework("persistentvolumereclaim") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( c clientset.Interface ns string diff --git a/test/e2e/storage/vsphere/pvc_label_selector.go b/test/e2e/storage/vsphere/pvc_label_selector.go index 3245f18569b..50763f9e67e 100644 --- a/test/e2e/storage/vsphere/pvc_label_selector.go +++ b/test/e2e/storage/vsphere/pvc_label_selector.go @@ -28,6 +28,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* 
@@ -49,6 +50,7 @@ import ( */ var _ = utils.SIGDescribe("PersistentVolumes [Feature:vsphere][Feature:LabelSelector]", func() { f := framework.NewDefaultFramework("pvclabelselector") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( c clientset.Interface ns string diff --git a/test/e2e/storage/vsphere/vsphere_scale.go b/test/e2e/storage/vsphere/vsphere_scale.go index 36db34cf143..70d144b9d04 100644 --- a/test/e2e/storage/vsphere/vsphere_scale.go +++ b/test/e2e/storage/vsphere/vsphere_scale.go @@ -33,6 +33,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* @@ -57,6 +58,7 @@ type NodeSelector struct { var _ = utils.SIGDescribe("vcp at scale [Feature:vsphere] ", func() { f := framework.NewDefaultFramework("vcp-at-scale") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface diff --git a/test/e2e/storage/vsphere/vsphere_statefulsets.go b/test/e2e/storage/vsphere/vsphere_statefulsets.go index 1e186447553..3966c1144d2 100644 --- a/test/e2e/storage/vsphere/vsphere_statefulsets.go +++ b/test/e2e/storage/vsphere/vsphere_statefulsets.go @@ -30,6 +30,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" e2estatefulset "k8s.io/kubernetes/test/e2e/framework/statefulset" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* @@ -56,6 +57,7 @@ const ( var _ = utils.SIGDescribe("vsphere statefulset [Feature:vsphere]", func() { f := framework.NewDefaultFramework("vsphere-statefulset") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( namespace string client clientset.Interface diff --git a/test/e2e/storage/vsphere/vsphere_stress.go b/test/e2e/storage/vsphere/vsphere_stress.go index 1a742f256c3..27ca884891d 100644 --- a/test/e2e/storage/vsphere/vsphere_stress.go 
+++ b/test/e2e/storage/vsphere/vsphere_stress.go @@ -33,6 +33,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* @@ -47,6 +48,7 @@ import ( */ var _ = utils.SIGDescribe("vsphere cloud provider stress [Feature:vsphere]", func() { f := framework.NewDefaultFramework("vcp-stress") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface namespace string diff --git a/test/e2e/storage/vsphere/vsphere_volume_cluster_ds.go b/test/e2e/storage/vsphere/vsphere_volume_cluster_ds.go index b9651ac5c63..b3d670cc9b8 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_cluster_ds.go +++ b/test/e2e/storage/vsphere/vsphere_volume_cluster_ds.go @@ -26,6 +26,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* @@ -40,6 +41,7 @@ import ( */ var _ = utils.SIGDescribe("Volume Provisioning On Clustered Datastore [Feature:vsphere]", func() { f := framework.NewDefaultFramework("volume-provision") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface diff --git a/test/e2e/storage/vsphere/vsphere_volume_datastore.go b/test/e2e/storage/vsphere/vsphere_volume_datastore.go index d0bb4ac5276..6fdfb885161 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_datastore.go +++ b/test/e2e/storage/vsphere/vsphere_volume_datastore.go @@ -26,6 +26,7 @@ import ( v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" clientset "k8s.io/client-go/kubernetes" + admissionapi "k8s.io/pod-security-admission/api" "k8s.io/kubernetes/test/e2e/framework" e2enode "k8s.io/kubernetes/test/e2e/framework/node" 
@@ -51,6 +52,7 @@ const ( var _ = utils.SIGDescribe("Volume Provisioning on Datastore [Feature:vsphere]", func() { f := framework.NewDefaultFramework("volume-datastore") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface namespace string diff --git a/test/e2e/storage/vsphere/vsphere_volume_diskformat.go b/test/e2e/storage/vsphere/vsphere_volume_diskformat.go index efbed401e9c..7f392bddde1 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_diskformat.go +++ b/test/e2e/storage/vsphere/vsphere_volume_diskformat.go @@ -34,6 +34,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* @@ -56,6 +57,7 @@ import ( var _ = utils.SIGDescribe("Volume Disk Format [Feature:vsphere]", func() { f := framework.NewDefaultFramework("volume-disk-format") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged const ( NodeLabelKey = "vsphere_e2e_label_volume_diskformat" ) diff --git a/test/e2e/storage/vsphere/vsphere_volume_disksize.go b/test/e2e/storage/vsphere/vsphere_volume_disksize.go index c74159e8805..6d146c7d257 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_disksize.go +++ b/test/e2e/storage/vsphere/vsphere_volume_disksize.go @@ -29,6 +29,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -46,6 +47,7 @@ const ( var _ = utils.SIGDescribe("Volume Disk Size [Feature:vsphere]", func() { f := framework.NewDefaultFramework("volume-disksize") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface namespace string 
diff --git a/test/e2e/storage/vsphere/vsphere_volume_fstype.go b/test/e2e/storage/vsphere/vsphere_volume_fstype.go index 226b20cf50d..5c4e811b191 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_fstype.go +++ b/test/e2e/storage/vsphere/vsphere_volume_fstype.go @@ -31,6 +31,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -68,6 +69,7 @@ const ( var _ = utils.SIGDescribe("Volume FStype [Feature:vsphere]", func() { f := framework.NewDefaultFramework("volume-fstype") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface namespace string diff --git a/test/e2e/storage/vsphere/vsphere_volume_master_restart.go b/test/e2e/storage/vsphere/vsphere_volume_master_restart.go index 7c8b4b4f261..deadfe4b098 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_master_restart.go +++ b/test/e2e/storage/vsphere/vsphere_volume_master_restart.go @@ -37,6 +37,7 @@ import ( e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" e2essh "k8s.io/kubernetes/test/e2e/framework/ssh" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) // waitForKubeletUp waits for the kubelet on the given host to be up. @@ -101,6 +102,7 @@ func restartKubelet(host string) error { */ var _ = utils.SIGDescribe("Volume Attach Verify [Feature:vsphere][Serial][Disruptive]", func() { f := framework.NewDefaultFramework("restart-master") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged const labelKey = "vsphere_e2e_label" var ( diff --git a/test/e2e/storage/vsphere/vsphere_volume_node_delete.go b/test/e2e/storage/vsphere/vsphere_volume_node_delete.go index 3ba80ced120..423c9924000 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_node_delete.go +++ b/test/e2e/storage/vsphere/vsphere_volume_node_delete.go 
@@ -28,10 +28,12 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = utils.SIGDescribe("Node Unregister [Feature:vsphere] [Slow] [Disruptive]", func() { f := framework.NewDefaultFramework("node-unregister") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface namespace string diff --git a/test/e2e/storage/vsphere/vsphere_volume_node_poweroff.go b/test/e2e/storage/vsphere/vsphere_volume_node_poweroff.go index 7e47ed4c899..1e29b46d78c 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_node_poweroff.go +++ b/test/e2e/storage/vsphere/vsphere_volume_node_poweroff.go @@ -37,6 +37,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* @@ -46,6 +47,7 @@ import ( */ var _ = utils.SIGDescribe("Node Poweroff [Feature:vsphere] [Slow] [Disruptive]", func() { f := framework.NewDefaultFramework("node-poweroff") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface namespace string diff --git a/test/e2e/storage/vsphere/vsphere_volume_ops_storm.go b/test/e2e/storage/vsphere/vsphere_volume_ops_storm.go index 1d93c30dfb6..07261a3a5da 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_ops_storm.go +++ b/test/e2e/storage/vsphere/vsphere_volume_ops_storm.go @@ -33,6 +33,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* 
@@ -53,6 +54,7 @@ import ( var _ = utils.SIGDescribe("Volume Operations Storm [Feature:vsphere]", func() { f := framework.NewDefaultFramework("volume-ops-storm") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged const defaultVolumeOpsScale = 30 var ( client clientset.Interface diff --git a/test/e2e/storage/vsphere/vsphere_volume_perf.go b/test/e2e/storage/vsphere/vsphere_volume_perf.go index dcc9625675a..3b6ce31ad7e 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_perf.go +++ b/test/e2e/storage/vsphere/vsphere_volume_perf.go @@ -33,6 +33,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* This test calculates latency numbers for volume lifecycle operations @@ -54,6 +55,7 @@ const ( var _ = utils.SIGDescribe("vcp-performance [Feature:vsphere]", func() { f := framework.NewDefaultFramework("vcp-performance") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface diff --git a/test/e2e/storage/vsphere/vsphere_volume_placement.go b/test/e2e/storage/vsphere/vsphere_volume_placement.go index 36b8ba3259e..cf9ac489e21 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_placement.go +++ b/test/e2e/storage/vsphere/vsphere_volume_placement.go @@ -33,10 +33,12 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = utils.SIGDescribe("Volume Placement [Feature:vsphere]", func() { f := framework.NewDefaultFramework("volume-placement") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged const ( NodeLabelKey = "vsphere_e2e_label_volume_placement" ) 
diff --git a/test/e2e/storage/vsphere/vsphere_volume_vpxd_restart.go b/test/e2e/storage/vsphere/vsphere_volume_vpxd_restart.go index f6d39166c01..bcd87f8d6d9 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_vpxd_restart.go +++ b/test/e2e/storage/vsphere/vsphere_volume_vpxd_restart.go @@ -34,6 +34,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* @@ -53,6 +54,7 @@ import ( */ var _ = utils.SIGDescribe("Verify Volume Attach Through vpxd Restart [Feature:vsphere][Serial][Disruptive]", func() { f := framework.NewDefaultFramework("restart-vpxd") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged type node struct { name string diff --git a/test/e2e/storage/vsphere/vsphere_volume_vsan_policy.go b/test/e2e/storage/vsphere/vsphere_volume_vsan_policy.go index bbb245c8a9a..e8e06e568d0 100644 --- a/test/e2e/storage/vsphere/vsphere_volume_vsan_policy.go +++ b/test/e2e/storage/vsphere/vsphere_volume_vsan_policy.go @@ -36,6 +36,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -76,6 +77,7 @@ const ( var _ = utils.SIGDescribe("Storage Policy Based Volume Provisioning [Feature:vsphere]", func() { f := framework.NewDefaultFramework("volume-vsan-policy") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface namespace string diff --git a/test/e2e/storage/vsphere/vsphere_zone_support.go b/test/e2e/storage/vsphere/vsphere_zone_support.go index 12b6640d5ee..2f13a1ded65 100644 --- a/test/e2e/storage/vsphere/vsphere_zone_support.go +++ b/test/e2e/storage/vsphere/vsphere_zone_support.go 
@@ -36,6 +36,7 @@ import ( e2epv "k8s.io/kubernetes/test/e2e/framework/pv" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/e2e/storage/utils" + admissionapi "k8s.io/pod-security-admission/api" ) /* @@ -87,6 +88,7 @@ import ( var _ = utils.SIGDescribe("Zone Support [Feature:vsphere]", func() { f := framework.NewDefaultFramework("zone-support") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( client clientset.Interface namespace string diff --git a/test/e2e/upgrades/upgrade_suite.go b/test/e2e/upgrades/upgrade_suite.go index eac3b0f5a66..9ac435c2d71 100644 --- a/test/e2e/upgrades/upgrade_suite.go +++ b/test/e2e/upgrades/upgrade_suite.go @@ -31,6 +31,7 @@ import ( e2eginkgowrapper "k8s.io/kubernetes/test/e2e/framework/ginkgowrapper" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" "k8s.io/kubernetes/test/utils/junit" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -101,7 +102,9 @@ func CreateUpgradeFrameworks(tests []Test) map[string]*framework.Framework { for _, t := range tests { ns := nsFilter.ReplaceAllString(t.Name(), "-") // and replace with a single hyphen ns = strings.Trim(ns, "-") - testFrameworks[t.Name()] = framework.NewDefaultFramework(ns) + f := framework.NewDefaultFramework(ns) + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged + testFrameworks[t.Name()] = f } return testFrameworks } diff --git a/test/e2e/windows/cpu_limits.go b/test/e2e/windows/cpu_limits.go index 18fcfc7e5bd..d35fdf438cd 100644 --- a/test/e2e/windows/cpu_limits.go +++ b/test/e2e/windows/cpu_limits.go @@ -26,6 +26,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2ekubelet "k8s.io/kubernetes/test/e2e/framework/kubelet" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "time" "github.com/onsi/ginkgo" 
@@ -33,6 +34,7 @@ import ( var _ = SIGDescribe("[Feature:Windows] Cpu Resources [Serial]", func() { f := framework.NewDefaultFramework("cpu-resources-test-windows") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // The Windows 'BusyBox' image is PowerShell plus a collection of scripts and utilities to mimic common busybox commands powershellImage := imageutils.GetConfig(imageutils.BusyBox) diff --git a/test/e2e/windows/density.go b/test/e2e/windows/density.go index 11eb75d26b0..9ebc0559117 100644 --- a/test/e2e/windows/density.go +++ b/test/e2e/windows/density.go @@ -34,6 +34,7 @@ import ( e2emetrics "k8s.io/kubernetes/test/e2e/framework/metrics" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -41,6 +42,7 @@ import ( var _ = SIGDescribe("[Feature:Windows] Density [Serial] [Slow]", func() { f := framework.NewDefaultFramework("density-test-windows") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("create a batch of pods", func() { // TODO(coufon): the values are generous, set more precise limits with benchmark data diff --git a/test/e2e/windows/device_plugin.go b/test/e2e/windows/device_plugin.go index 76390530608..5e362bc7dae 100644 --- a/test/e2e/windows/device_plugin.go +++ b/test/e2e/windows/device_plugin.go @@ -29,6 +29,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -39,6 +40,7 @@ const ( var _ = SIGDescribe("[Feature:GPUDevicePlugin] Device Plugin", func() { f := framework.NewDefaultFramework("device-plugin") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface 
diff --git a/test/e2e/windows/dns.go b/test/e2e/windows/dns.go index 79ec33822d0..ef2cbbf6537 100644 --- a/test/e2e/windows/dns.go +++ b/test/e2e/windows/dns.go @@ -25,6 +25,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -36,6 +37,7 @@ var _ = SIGDescribe("[Feature:Windows] DNS", func() { }) f := framework.NewDefaultFramework("dns") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should support configurable pod DNS servers", func() { ginkgo.By("Getting the IP address of the internal Kubernetes service") diff --git a/test/e2e/windows/gmsa_full.go b/test/e2e/windows/gmsa_full.go index 6667f1e38d6..326dd39e3ca 100644 --- a/test/e2e/windows/gmsa_full.go +++ b/test/e2e/windows/gmsa_full.go @@ -60,6 +60,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -90,6 +91,7 @@ const ( var _ = SIGDescribe("[Feature:Windows] GMSA Full [Serial] [Slow]", func() { f := framework.NewDefaultFramework("gmsa-full-test-windows") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Describe("GMSA support", func() { ginkgo.It("works end to end", func() { diff --git a/test/e2e/windows/gmsa_kubelet.go b/test/e2e/windows/gmsa_kubelet.go index f92775de50d..17c5e32c554 100644 --- a/test/e2e/windows/gmsa_kubelet.go +++ b/test/e2e/windows/gmsa_kubelet.go @@ -30,6 +30,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" 
@@ -37,6 +38,7 @@ import ( var _ = SIGDescribe("[Feature:Windows] GMSA Kubelet [Slow]", func() { f := framework.NewDefaultFramework("gmsa-kubelet-test-windows") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Describe("kubelet GMSA support", func() { ginkgo.Context("when creating a pod with correct GMSA credential specs", func() { diff --git a/test/e2e/windows/host_process.go b/test/e2e/windows/host_process.go index faac52041d5..44fb4a2bd49 100644 --- a/test/e2e/windows/host_process.go +++ b/test/e2e/windows/host_process.go @@ -32,6 +32,7 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) const ( @@ -82,6 +83,7 @@ var _ = SIGDescribe("[Feature:WindowsHostProcessContainers] [MinimumKubeletVersi }) f := framework.NewDefaultFramework("host-process-test-windows") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should run as a process on the host/node", func() { diff --git a/test/e2e/windows/hybrid_network.go b/test/e2e/windows/hybrid_network.go index f54ffbf5760..ad1c04e856b 100644 --- a/test/e2e/windows/hybrid_network.go +++ b/test/e2e/windows/hybrid_network.go @@ -24,6 +24,7 @@ import ( "k8s.io/apimachinery/pkg/util/uuid" "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" imageutils "k8s.io/kubernetes/test/utils/image" @@ -43,6 +44,7 @@ var ( var _ = SIGDescribe("Hybrid cluster network", func() { f := framework.NewDefaultFramework("hybrid-network") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { e2eskipper.SkipUnlessNodeOSDistroIs("windows") diff --git a/test/e2e/windows/kubelet_stats.go b/test/e2e/windows/kubelet_stats.go index 23d003ec17e..04bf382a593 100644 --- a/test/e2e/windows/kubelet_stats.go 
+++ b/test/e2e/windows/kubelet_stats.go @@ -31,12 +31,14 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("[Feature:Windows] Kubelet-Stats [Serial]", func() { f := framework.NewDefaultFramework("kubelet-stats-test-windows-serial") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Describe("Kubelet stats collection for Windows nodes", func() { @@ -112,6 +114,7 @@ var _ = SIGDescribe("[Feature:Windows] Kubelet-Stats [Serial]", func() { }) var _ = SIGDescribe("[Feature:Windows] Kubelet-Stats", func() { f := framework.NewDefaultFramework("kubelet-stats-test-windows") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Describe("Kubelet stats collection for Windows nodes", func() { diff --git a/test/e2e/windows/memory_limits.go b/test/e2e/windows/memory_limits.go index 43ee92a1973..02d74c026ae 100644 --- a/test/e2e/windows/memory_limits.go +++ b/test/e2e/windows/memory_limits.go @@ -34,6 +34,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -42,6 +43,7 @@ import ( var _ = SIGDescribe("[Feature:Windows] Memory Limits [Serial] [Slow]", func() { f := framework.NewDefaultFramework("memory-limit-test-windows") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { // NOTE(vyta): these tests are Windows specific diff --git a/test/e2e/windows/reboot_node.go b/test/e2e/windows/reboot_node.go index 55ac6e9176a..fbd62f27b7b 100644 --- a/test/e2e/windows/reboot_node.go +++ b/test/e2e/windows/reboot_node.go 
@@ -29,6 +29,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) var _ = SIGDescribe("[Feature:Windows] [Excluded:WindowsDocker] [MinimumKubeletVersion:1.22] RebootHost containers [Serial] [Disruptive] [Slow]", func() { @@ -37,6 +38,7 @@ var _ = SIGDescribe("[Feature:Windows] [Excluded:WindowsDocker] [MinimumKubeletV }) f := framework.NewDefaultFramework("reboot-host-test-windows") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should run as a reboot process on the host/node", func() { diff --git a/test/e2e/windows/security_context.go b/test/e2e/windows/security_context.go index 1f8fbd9e0f6..04188758b6b 100644 --- a/test/e2e/windows/security_context.go +++ b/test/e2e/windows/security_context.go @@ -34,12 +34,14 @@ import ( e2epod "k8s.io/kubernetes/test/e2e/framework/pod" testutils "k8s.io/kubernetes/test/utils" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" ) const runAsUserNameContainerName = "run-as-username-container" var _ = SIGDescribe("[Feature:Windows] SecurityContext", func() { f := framework.NewDefaultFramework("windows-run-as-username") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should be able create pods and run containers with a given username", func() { ginkgo.By("Creating 2 pods: 1 with the default user, and one with a custom one.") diff --git a/test/e2e/windows/service.go b/test/e2e/windows/service.go index b3e650bba20..61cb0b95f40 100644 --- a/test/e2e/windows/service.go +++ b/test/e2e/windows/service.go 
@@ -25,12 +25,14 @@ import ( e2enode "k8s.io/kubernetes/test/e2e/framework/node" e2eservice "k8s.io/kubernetes/test/e2e/framework/service" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) var _ = SIGDescribe("Services", func() { f := framework.NewDefaultFramework("services") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var cs clientset.Interface diff --git a/test/e2e/windows/volumes.go b/test/e2e/windows/volumes.go index cf4b229ffc7..069c690c34e 100644 --- a/test/e2e/windows/volumes.go +++ b/test/e2e/windows/volumes.go @@ -25,6 +25,7 @@ import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -42,6 +43,7 @@ var ( var _ = SIGDescribe("[Feature:Windows] Windows volume mounts ", func() { f := framework.NewDefaultFramework("windows-volumes") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged var ( emptyDirSource = v1.VolumeSource{ EmptyDir: &v1.EmptyDirVolumeSource{ diff --git a/test/e2e_kubeadm/bootstrap_signer.go b/test/e2e_kubeadm/bootstrap_signer.go index 412c54459aa..cf192116103 100644 --- a/test/e2e_kubeadm/bootstrap_signer.go +++ b/test/e2e_kubeadm/bootstrap_signer.go @@ -18,6 +18,7 @@ package kubeadm import ( "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) @@ -32,6 +33,7 @@ var _ = Describe("bootstrap signer", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("bootstrap token") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution 
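Review bot: The override added after `framework.NewDefaultFramework("bootstrap token")` in test/e2e_kubeadm/bootstrap_signer.go appears to have no effect. The context comment directly below it says these tests disable namespace creation, and as far as patch 1/2 shows, the enforce level is only read inside `CreateNamespace`. Setting `LevelPrivileged` here therefore records a privilege exemption the kubeadm tests do not seem to need; I would drop the line, or mark it `// no-op while namespace creation is skipped; kept only for uniformity`. The same applies to the other test/e2e_kubeadm hunks in this patch (bootstrap_token_test.go, cluster_info_test.go, controlplane_nodes_test.go, dns_addon_test.go, kubeadm_certs_test.go, kubeadm_config_test.go, kubelet_config_test.go, networking_test.go, nodes_test.go, proxy_addon_test.go). The statement that actually disables namespace creation is outside each hunk, so this is inferred from the comment.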
diff --git a/test/e2e_kubeadm/bootstrap_token_test.go b/test/e2e_kubeadm/bootstrap_token_test.go index 8e4d4aaf12a..4dc7f98e28f 100644 --- a/test/e2e_kubeadm/bootstrap_token_test.go +++ b/test/e2e_kubeadm/bootstrap_token_test.go @@ -23,6 +23,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" bootstrapapi "k8s.io/cluster-bootstrap/token/api" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -43,6 +44,7 @@ var _ = Describe("bootstrap token", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("bootstrap token") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_kubeadm/cluster_info_test.go b/test/e2e_kubeadm/cluster_info_test.go index ec182722740..2bdbfffe6ee 100644 --- a/test/e2e_kubeadm/cluster_info_test.go +++ b/test/e2e_kubeadm/cluster_info_test.go @@ -21,6 +21,7 @@ import ( rbacv1 "k8s.io/api/rbac/v1" bootstrapapi "k8s.io/cluster-bootstrap/token/api" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -48,6 +49,7 @@ var _ = Describe("cluster-info ConfigMap", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("cluster-info") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_kubeadm/controlplane_nodes_test.go b/test/e2e_kubeadm/controlplane_nodes_test.go index b886bb049ba..71625d12eef 100644 --- a/test/e2e_kubeadm/controlplane_nodes_test.go +++ b/test/e2e_kubeadm/controlplane_nodes_test.go 
@@ -24,6 +24,7 @@ import ( "k8s.io/apimachinery/pkg/labels" clientset "k8s.io/client-go/kubernetes" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -42,6 +43,7 @@ var _ = Describe("control-plane node", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("control-plane node") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_kubeadm/dns_addon_test.go b/test/e2e_kubeadm/dns_addon_test.go index 3a5272fa557..564c6e6513f 100644 --- a/test/e2e_kubeadm/dns_addon_test.go +++ b/test/e2e_kubeadm/dns_addon_test.go @@ -19,6 +19,7 @@ package kubeadm import ( "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -48,6 +49,7 @@ var _ = Describe("DNS addon", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("DNS") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_kubeadm/kubeadm_certs_test.go b/test/e2e_kubeadm/kubeadm_certs_test.go index d6a66d15848..9b388cec643 100644 --- a/test/e2e_kubeadm/kubeadm_certs_test.go +++ b/test/e2e_kubeadm/kubeadm_certs_test.go @@ -23,6 +23,7 @@ import ( corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" 
@@ -54,6 +55,7 @@ var _ = Describe("kubeadm-certs [copy-certs]", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("kubeadm-certs") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_kubeadm/kubeadm_config_test.go b/test/e2e_kubeadm/kubeadm_config_test.go index 3e4b3677072..f0eb5ccaff0 100644 --- a/test/e2e_kubeadm/kubeadm_config_test.go +++ b/test/e2e_kubeadm/kubeadm_config_test.go @@ -22,6 +22,7 @@ import ( rbacv1 "k8s.io/api/rbac/v1" clientset "k8s.io/client-go/kubernetes" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -50,6 +51,7 @@ var _ = Describe("kubeadm-config ConfigMap", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("kubeadm-config") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_kubeadm/kubelet_config_test.go b/test/e2e_kubeadm/kubelet_config_test.go index 09f6de02cb6..7ccc778d360 100644 --- a/test/e2e_kubeadm/kubelet_config_test.go +++ b/test/e2e_kubeadm/kubelet_config_test.go @@ -24,6 +24,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/version" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" 
@@ -53,6 +54,7 @@ var _ = Describe("kubelet-config ConfigMap", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("kubelet-config") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_kubeadm/networking_test.go b/test/e2e_kubeadm/networking_test.go index 9810a9aa7bf..3f4b77273e9 100644 --- a/test/e2e_kubeadm/networking_test.go +++ b/test/e2e_kubeadm/networking_test.go @@ -23,6 +23,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/kubernetes/test/e2e/framework" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + admissionapi "k8s.io/pod-security-admission/api" netutils "k8s.io/utils/net" "github.com/onsi/ginkgo" @@ -41,6 +42,7 @@ var _ = Describe("networking [setup-networking]", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("networking") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_kubeadm/nodes_test.go b/test/e2e_kubeadm/nodes_test.go index f3937f5a52a..dbf1d4eb3fa 100644 --- a/test/e2e_kubeadm/nodes_test.go +++ b/test/e2e_kubeadm/nodes_test.go @@ -21,6 +21,7 @@ import ( rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" 
@@ -39,6 +40,7 @@ var _ = Describe("nodes", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("nodes") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_kubeadm/proxy_addon_test.go b/test/e2e_kubeadm/proxy_addon_test.go index 47c2595c25e..04042caa997 100644 --- a/test/e2e_kubeadm/proxy_addon_test.go +++ b/test/e2e_kubeadm/proxy_addon_test.go @@ -20,6 +20,7 @@ import ( authv1 "k8s.io/api/authorization/v1" rbacv1 "k8s.io/api/rbac/v1" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -52,6 +53,7 @@ var _ = Describe("proxy addon", func() { // Get an instance of the k8s test framework f := framework.NewDefaultFramework("proxy") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged // Tests in this container are not expected to create new objects in the cluster // so we are disabling the creation of a namespace in order to get a faster execution diff --git a/test/e2e_node/apparmor_test.go b/test/e2e_node/apparmor_test.go index cbc06e41e87..686a49c0653 100644 --- a/test/e2e_node/apparmor_test.go +++ b/test/e2e_node/apparmor_test.go @@ -20,6 +20,7 @@ import ( "bytes" "context" "fmt" + admissionapi "k8s.io/pod-security-admission/api" "os" "os/exec" "regexp" @@ -54,6 +55,7 @@ var _ = SIGDescribe("AppArmor [Feature:AppArmor][NodeFeature:AppArmor]", func() }) ginkgo.Context("when running with AppArmor", func() { f := framework.NewDefaultFramework("apparmor-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should reject an unloaded profile", func() { status := runAppArmorTest(f, false, v1.AppArmorBetaProfileNamePrefix+"non-existent-profile") 
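Review bot: In the import hunk of test/e2e_node/apparmor_test.go, `admissionapi "k8s.io/pod-security-admission/api"` is inserted between `"fmt"` and `"os"`, which puts it inside the standard-library import group. The other files in this patch add it next to the `k8s.io/...` imports. Moving the line into that group here keeps the stdlib block clean and matches the grouping `goimports` produces. The rest of the import block is outside the hunk.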
@@ -84,6 +86,7 @@ var _ = SIGDescribe("AppArmor [Feature:AppArmor][NodeFeature:AppArmor]", func() } else { ginkgo.Context("when running without AppArmor", func() { f := framework.NewDefaultFramework("apparmor-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.It("should reject a pod with an AppArmor profile", func() { status := runAppArmorTest(f, false, v1.AppArmorBetaProfileRuntimeDefault) diff --git a/test/e2e_node/container_log_rotation_test.go b/test/e2e_node/container_log_rotation_test.go index 96713e05278..6b1fe3d87d9 100644 --- a/test/e2e_node/container_log_rotation_test.go +++ b/test/e2e_node/container_log_rotation_test.go @@ -25,6 +25,7 @@ import ( kubecontainer "k8s.io/kubernetes/pkg/kubelet/container" kubelogs "k8s.io/kubernetes/pkg/kubelet/logs" "k8s.io/kubernetes/test/e2e/framework" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -40,6 +41,7 @@ const ( var _ = SIGDescribe("ContainerLogRotation [Slow] [Serial] [Disruptive]", func() { f := framework.NewDefaultFramework("container-log-rotation-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("when a container generates a lot of log", func() { tempSetCurrentKubeletConfig(f, func(initialConfig *kubeletconfig.KubeletConfiguration) { initialConfig.ContainerLogMaxFiles = testContainerLogMaxFiles diff --git a/test/e2e_node/container_manager_test.go b/test/e2e_node/container_manager_test.go index 75f0589749f..fe04413f4d4 100644 --- a/test/e2e_node/container_manager_test.go +++ b/test/e2e_node/container_manager_test.go @@ -35,6 +35,7 @@ import ( runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" 
@@ -76,6 +77,7 @@ func validateOOMScoreAdjSettingIsInRange(pid int, expectedMinOOMScoreAdj, expect var _ = SIGDescribe("Container Manager Misc [Serial]", func() { f := framework.NewDefaultFramework("kubelet-container-manager") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Describe("Validate OOM score adjustments [NodeFeature:OOMScoreAdj]", func() { ginkgo.Context("once the node is setup", func() { ginkgo.It("container runtime's oom-score-adj should be -999", func() { diff --git a/test/e2e_node/cpu_manager_test.go b/test/e2e_node/cpu_manager_test.go index 30706ebf72c..f4099e98988 100644 --- a/test/e2e_node/cpu_manager_test.go +++ b/test/e2e_node/cpu_manager_test.go @@ -34,6 +34,7 @@ import ( cpumanagerstate "k8s.io/kubernetes/pkg/kubelet/cm/cpumanager/state" "k8s.io/kubernetes/pkg/kubelet/cm/cpuset" "k8s.io/kubernetes/pkg/kubelet/types" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -784,6 +785,7 @@ func isSMTAlignmentError(pod *v1.Pod) bool { // Serial because the test updates kubelet configuration. var _ = SIGDescribe("CPU Manager [Serial] [Feature:CPUManager]", func() { f := framework.NewDefaultFramework("cpu-manager-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("With kubeconfig updated with static CPU Manager policy run the CPU Manager tests", func() { runCPUManagerTests(f) diff --git a/test/e2e_node/critical_pod_test.go b/test/e2e_node/critical_pod_test.go index 474f4b7c66a..38d69118e16 100644 --- a/test/e2e_node/critical_pod_test.go +++ b/test/e2e_node/critical_pod_test.go @@ -28,6 +28,7 @@ import ( kubelettypes "k8s.io/kubernetes/pkg/kubelet/types" "k8s.io/kubernetes/test/e2e/framework" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" ) 
@@ -41,6 +42,7 @@ const ( var _ = SIGDescribe("CriticalPod [Serial] [Disruptive] [NodeFeature:CriticalPod]", func() { f := framework.NewDefaultFramework("critical-pod-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.Context("when we need to admit a critical pod", func() { ginkgo.It("[Flaky] should be able to create and delete a critical pod", func() { // because adminssion Priority enable, If the priority class is not found, the Pod is rejected. diff --git a/test/e2e_node/density_test.go b/test/e2e_node/density_test.go index 61d0f60893f..c430bb6757d 100644 --- a/test/e2e_node/density_test.go +++ b/test/e2e_node/density_test.go @@ -41,6 +41,7 @@ import ( e2ekubelet "k8s.io/kubernetes/test/e2e/framework/kubelet" e2emetrics "k8s.io/kubernetes/test/e2e/framework/metrics" imageutils "k8s.io/kubernetes/test/utils/image" + admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -63,6 +64,7 @@ var _ = SIGDescribe("Density [Serial] [Slow]", func() { ) f := framework.NewDefaultFramework("density-test") + f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged ginkgo.BeforeEach(func() { // Start a standalone cadvisor pod using 'createSync', the pod is running when it returns diff --git a/test/e2e_node/device_manager_test.go b/test/e2e_node/device_manager_test.go index 148fd852855..1ec4df2ac03 100644 --- a/test/e2e_node/device_manager_test.go +++ b/test/e2e_node/device_manager_test.go @@ -33,6 +33,7 @@ import ( "k8s.io/kubernetes/pkg/kubelet/checkpointmanager" "k8s.io/kubernetes/pkg/kubelet/cm/devicemanager/checkpoint" "k8s.io/kubernetes/pkg/kubelet/util" + admissionapi "k8s.io/pod-security-admission/api" "k8s.io/kubernetes/test/e2e/framework" e2enode "k8s.io/kubernetes/test/e2e/framework/node" 
@@ -52,6 +53,7 @@ const (
 var _ = SIGDescribe("Device Manager [Serial] [Feature:DeviceManager][NodeFeature:DeviceManager]", func() {
 checkpointFullPath := filepath.Join(devicePluginDir, checkpointName)
 f := framework.NewDefaultFramework("devicemanager-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.Context("With SRIOV devices in the system", func() {
 // this test wants to reproduce what happened in https://github.com/kubernetes/kubernetes/issues/102880
diff --git a/test/e2e_node/device_plugin_test.go b/test/e2e_node/device_plugin_test.go
index 56ba767162b..9d3ece3a92f 100644
--- a/test/e2e_node/device_plugin_test.go
+++ b/test/e2e_node/device_plugin_test.go
@@ -26,6 +26,7 @@ import (
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/serializer"
 e2etestfiles "k8s.io/kubernetes/test/e2e/framework/testfiles"
+ admissionapi "k8s.io/pod-security-admission/api"
 "regexp"
@@ -61,6 +62,7 @@ var (
 // Serial because the test restarts Kubelet
 var _ = SIGDescribe("Device Plugin [Feature:DevicePluginProbe][NodeFeature:DevicePluginProbe][Serial]", func() {
 f := framework.NewDefaultFramework("device-plugin-errors")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 testDevicePlugin(f, "/var/lib/kubelet/plugins_registry")
 })
diff --git a/test/e2e_node/eviction_test.go b/test/e2e_node/eviction_test.go
index 499d9d8819f..03fe45a393b 100644
--- a/test/e2e_node/eviction_test.go
+++ b/test/e2e_node/eviction_test.go
@@ -40,6 +40,7 @@ import (
 e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
 testutils "k8s.io/kubernetes/test/utils"
 imageutils "k8s.io/kubernetes/test/utils/image"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/onsi/ginkgo"
 "github.com/onsi/gomega"
@@ -68,6 +69,7 @@ const (
 // Node disk pressure is induced by consuming all inodes on the node.
 var _ = SIGDescribe("InodeEviction [Slow] [Serial] [Disruptive][NodeFeature:Eviction]", func() {
 f := framework.NewDefaultFramework("inode-eviction-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 expectedNodeCondition := v1.NodeDiskPressure
 expectedStarvedResource := resourceInodes
 pressureTimeout := 15 * time.Minute
@@ -104,6 +106,7 @@ var _ = SIGDescribe("InodeEviction [Slow] [Serial] [Disruptive][NodeFeature:Evic
 // Disk pressure is induced by pulling large images
 var _ = SIGDescribe("ImageGCNoEviction [Slow] [Serial] [Disruptive][NodeFeature:Eviction]", func() {
 f := framework.NewDefaultFramework("image-gc-eviction-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 pressureTimeout := 10 * time.Minute
 expectedNodeCondition := v1.NodeDiskPressure
 expectedStarvedResource := resourceInodes
@@ -134,6 +137,7 @@ var _ = SIGDescribe("ImageGCNoEviction [Slow] [Serial] [Disruptive][NodeFeature:
 // Node memory pressure is only encountered because we reserve the majority of the node's capacity via kube-reserved.
 var _ = SIGDescribe("MemoryAllocatableEviction [Slow] [Serial] [Disruptive][NodeFeature:Eviction]", func() {
 f := framework.NewDefaultFramework("memory-allocatable-eviction-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 expectedNodeCondition := v1.NodeMemoryPressure
 expectedStarvedResource := v1.ResourceMemory
 pressureTimeout := 10 * time.Minute
@@ -167,6 +171,7 @@ var _ = SIGDescribe("MemoryAllocatableEviction [Slow] [Serial] [Disruptive][Node
 // Disk pressure is induced by running pods which consume disk space.
 var _ = SIGDescribe("LocalStorageEviction [Slow] [Serial] [Disruptive][NodeFeature:Eviction]", func() {
 f := framework.NewDefaultFramework("localstorage-eviction-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 pressureTimeout := 15 * time.Minute
 expectedNodeCondition := v1.NodeDiskPressure
 expectedStarvedResource := v1.ResourceEphemeralStorage
@@ -205,6 +210,7 @@ var _ = SIGDescribe("LocalStorageEviction [Slow] [Serial] [Disruptive][NodeFeatu
 // Note: This test's purpose is to test Soft Evictions. Local storage was chosen since it is the least costly to run.
 var _ = SIGDescribe("LocalStorageSoftEviction [Slow] [Serial] [Disruptive][NodeFeature:Eviction]", func() {
 f := framework.NewDefaultFramework("localstorage-eviction-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 pressureTimeout := 10 * time.Minute
 expectedNodeCondition := v1.NodeDiskPressure
 expectedStarvedResource := v1.ResourceEphemeralStorage
@@ -243,6 +249,7 @@ var _ = SIGDescribe("LocalStorageSoftEviction [Slow] [Serial] [Disruptive][NodeF
 // not possible to exhaust the quota.
 var _ = SIGDescribe("LocalStorageCapacityIsolationMemoryBackedVolumeEviction [Slow] [Serial] [Disruptive] [Feature:LocalStorageCapacityIsolation][NodeFeature:Eviction]", func() {
 f := framework.NewDefaultFramework("localstorage-eviction-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 evictionTestTimeout := 7 * time.Minute
 ginkgo.Context(fmt.Sprintf(testContextFmt, "evictions due to pod local storage violations"), func() {
 tempSetCurrentKubeletConfig(f, func(initialConfig *kubeletconfig.KubeletConfiguration) {
@@ -282,6 +289,7 @@ var _ = SIGDescribe("LocalStorageCapacityIsolationMemoryBackedVolumeEviction [Sl
 // LocalStorageCapacityIsolationEviction tests that container and volume local storage limits are enforced through evictions
 var _ = SIGDescribe("LocalStorageCapacityIsolationEviction [Slow] [Serial] [Disruptive] [Feature:LocalStorageCapacityIsolation][NodeFeature:Eviction]", func() {
 f := framework.NewDefaultFramework("localstorage-eviction-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 evictionTestTimeout := 10 * time.Minute
 ginkgo.Context(fmt.Sprintf(testContextFmt, "evictions due to pod local storage violations"), func() {
 tempSetCurrentKubeletConfig(f, func(initialConfig *kubeletconfig.KubeletConfiguration) {
@@ -334,6 +342,7 @@ var _ = SIGDescribe("LocalStorageCapacityIsolationEviction [Slow] [Serial] [Disr
 // the higher priority pod.
 var _ = SIGDescribe("PriorityMemoryEvictionOrdering [Slow] [Serial] [Disruptive][NodeFeature:Eviction]", func() {
 f := framework.NewDefaultFramework("priority-memory-eviction-ordering-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 expectedNodeCondition := v1.NodeMemoryPressure
 expectedStarvedResource := v1.ResourceMemory
 pressureTimeout := 10 * time.Minute
@@ -391,6 +400,7 @@ var _ = SIGDescribe("PriorityMemoryEvictionOrdering [Slow] [Serial] [Disruptive]
 // the higher priority pod.
 var _ = SIGDescribe("PriorityLocalStorageEvictionOrdering [Slow] [Serial] [Disruptive][NodeFeature:Eviction]", func() {
 f := framework.NewDefaultFramework("priority-disk-eviction-ordering-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 expectedNodeCondition := v1.NodeDiskPressure
 expectedStarvedResource := v1.ResourceEphemeralStorage
 pressureTimeout := 15 * time.Minute
@@ -447,6 +457,7 @@ var _ = SIGDescribe("PriorityLocalStorageEvictionOrdering [Slow] [Serial] [Disru
 // PriorityPidEvictionOrdering tests that the node emits pid pressure in response to a fork bomb, and evicts pods by priority
 var _ = SIGDescribe("PriorityPidEvictionOrdering [Slow] [Serial] [Disruptive][NodeFeature:Eviction]", func() {
 f := framework.NewDefaultFramework("pidpressure-eviction-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 pressureTimeout := 2 * time.Minute
 expectedNodeCondition := v1.NodePIDPressure
 expectedStarvedResource := noStarvedResource
diff --git a/test/e2e_node/garbage_collector_test.go b/test/e2e_node/garbage_collector_test.go
index 5ad982dd31e..6e1711e4e13 100644
--- a/test/e2e_node/garbage_collector_test.go
+++ b/test/e2e_node/garbage_collector_test.go
@@ -28,6 +28,7 @@ import (
 runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 "k8s.io/kubernetes/pkg/kubelet/types"
 "k8s.io/kubernetes/test/e2e/framework"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/onsi/ginkgo"
 "github.com/onsi/gomega"
@@ -72,6 +73,7 @@ type testRun struct {
 // http://kubernetes.io/docs/admin/garbage-collection/
 var _ = SIGDescribe("GarbageCollect [Serial][NodeFeature:GarbageCollect]", func() {
 f := framework.NewDefaultFramework("garbage-collect-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 containerNamePrefix := "gc-test-container-"
 podNamePrefix := "gc-test-pod-"
diff --git a/test/e2e_node/hugepages_test.go b/test/e2e_node/hugepages_test.go
index 773bbc3d308..9f9968fc218 100644
--- a/test/e2e_node/hugepages_test.go
+++ b/test/e2e_node/hugepages_test.go
@@ -37,6 +37,7 @@ import (
 "k8s.io/kubernetes/test/e2e/framework"
 e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
+ admissionapi "k8s.io/pod-security-admission/api"
 )
 const (
@@ -201,6 +202,7 @@ func getHugepagesTestPod(f *framework.Framework, limits v1.ResourceList, mounts
 // Serial because the test updates kubelet configuration.
 var _ = SIGDescribe("HugePages [Serial] [Feature:HugePages][NodeSpecialFeature:HugePages]", func() {
 f := framework.NewDefaultFramework("hugepages-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.It("should remove resources for huge page sizes no longer supported", func() {
 ginkgo.By("mimicking support for 9Mi of 3Mi huge page memory by patching the node status")
diff --git a/test/e2e_node/image_credential_provider.go b/test/e2e_node/image_credential_provider.go
index b94917f3c7c..11a2104a32b 100644
--- a/test/e2e_node/image_credential_provider.go
+++ b/test/e2e_node/image_credential_provider.go
@@ -24,10 +24,12 @@ import (
 "k8s.io/apimachinery/pkg/util/uuid"
 "k8s.io/kubernetes/test/e2e/framework"
 imageutils "k8s.io/kubernetes/test/utils/image"
+ admissionapi "k8s.io/pod-security-admission/api"
 )
 var _ = SIGDescribe("ImageCredentialProvider [Feature:KubeletCredentialProviders]", func() {
 f := framework.NewDefaultFramework("image-credential-provider")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 var podClient *framework.PodClient
 ginkgo.BeforeEach(func() {
diff --git a/test/e2e_node/image_id_test.go b/test/e2e_node/image_id_test.go
index 1d9102f51c0..42d47b547b2 100644
--- a/test/e2e_node/image_id_test.go
+++ b/test/e2e_node/image_id_test.go
@@ -22,6 +22,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/kubernetes/test/e2e/framework"
 e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/davecgh/go-spew/spew"
 "github.com/onsi/ginkgo"
@@ -33,6 +34,7 @@ var _ = SIGDescribe("ImageID [NodeFeature: ImageID]", func() {
 busyBoxImage := "k8s.gcr.io/busybox@sha256:4bdd623e848417d96127e16037743f0cd8b528c026e9175e22a84f639eca58ff"
 f := framework.NewDefaultFramework("image-id-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.It("should be set to the manifest digest (from RepoDigests) when available", func() {
 podDesc := &v1.Pod{
diff --git a/test/e2e_node/memory_manager_test.go b/test/e2e_node/memory_manager_test.go
index bba3b5dc602..219a0a854f9 100644
--- a/test/e2e_node/memory_manager_test.go
+++ b/test/e2e_node/memory_manager_test.go
@@ -42,6 +42,7 @@ import (
 "k8s.io/kubernetes/pkg/kubelet/util"
 "k8s.io/kubernetes/test/e2e/framework"
 e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+ admissionapi "k8s.io/pod-security-admission/api"
 "k8s.io/utils/pointer"
 "github.com/onsi/ginkgo"
@@ -253,6 +254,7 @@ var _ = SIGDescribe("Memory Manager [Disruptive] [Serial] [Feature:MemoryManager
 )
 f := framework.NewDefaultFramework("memory-manager-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 memoryQuantity := resource.MustParse("1100Mi")
 defaultKubeParams := &kubeletParams{
diff --git a/test/e2e_node/node_container_manager_test.go b/test/e2e_node/node_container_manager_test.go
index ca2c59a1ef5..65a2e3eda7d 100644
--- a/test/e2e_node/node_container_manager_test.go
+++ b/test/e2e_node/node_container_manager_test.go
@@ -34,6 +34,7 @@ import (
 kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
 "k8s.io/kubernetes/pkg/kubelet/cm"
 "k8s.io/kubernetes/pkg/kubelet/stats/pidlimit"
+ admissionapi "k8s.io/pod-security-admission/api"
 "k8s.io/kubernetes/test/e2e/framework"
 e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
@@ -64,6 +65,7 @@ func setDesiredConfiguration(initialConfig *kubeletconfig.KubeletConfiguration)
 var _ = SIGDescribe("Node Container Manager [Serial]", func() {
 f := framework.NewDefaultFramework("node-container-manager")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.Describe("Validate Node Allocatable [NodeFeature:NodeAllocatable]", func() {
 ginkgo.It("sets up the node and runs the test", func() {
 framework.ExpectNoError(runTest(f))
diff --git a/test/e2e_node/node_perf_test.go b/test/e2e_node/node_perf_test.go
index e5c064da122..3a76cd9e5ac 100644
--- a/test/e2e_node/node_perf_test.go
+++ b/test/e2e_node/node_perf_test.go
@@ -24,6 +24,7 @@ import (
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
+ admissionapi "k8s.io/pod-security-admission/api"
 "k8s.io/kubernetes/test/e2e/framework"
 e2enode "k8s.io/kubernetes/test/e2e/framework/node"
@@ -80,6 +81,7 @@ func setKubeletConfig(f *framework.Framework, cfg *kubeletconfig.KubeletConfigur
 // Slow by design.
 var _ = SIGDescribe("Node Performance Testing [Serial] [Slow]", func() {
 f := framework.NewDefaultFramework("node-performance-testing")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 var (
 wl workloads.NodePerfWorkload
 oldCfg *kubeletconfig.KubeletConfiguration
diff --git a/test/e2e_node/node_problem_detector_linux.go b/test/e2e_node/node_problem_detector_linux.go
index 6b6bf676f5d..6f079ea5048 100644
--- a/test/e2e_node/node_problem_detector_linux.go
+++ b/test/e2e_node/node_problem_detector_linux.go
@@ -36,6 +36,7 @@ import (
 "k8s.io/apimachinery/pkg/util/uuid"
 clientset "k8s.io/client-go/kubernetes"
 coreclientset "k8s.io/client-go/kubernetes/typed/core/v1"
+ admissionapi "k8s.io/pod-security-admission/api"
 "k8s.io/kubernetes/pkg/kubelet/util"
 "k8s.io/kubernetes/test/e2e/framework"
@@ -50,6 +51,7 @@ var _ = SIGDescribe("NodeProblemDetector [NodeFeature:NodeProblemDetector] [Seri
 pollTimeout = 1 * time.Minute
 )
 f := framework.NewDefaultFramework("node-problem-detector")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 var c clientset.Interface
 var uid string
 var ns, name, configName, eventNamespace string
diff --git a/test/e2e_node/node_shutdown_linux_test.go b/test/e2e_node/node_shutdown_linux_test.go
index f8b672a463a..e93fbb8db39 100644
--- a/test/e2e_node/node_shutdown_linux_test.go
+++ b/test/e2e_node/node_shutdown_linux_test.go
@@ -31,6 +31,7 @@ import (
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/fields"
 "k8s.io/kubectl/pkg/util/podutils"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/onsi/ginkgo"
 "github.com/onsi/gomega"
@@ -49,6 +50,7 @@ import (
 var _ = SIGDescribe("GracefulNodeShutdown [Serial] [NodeFeature:GracefulNodeShutdown] [NodeFeature:GracefulNodeShutdownBasedOnPodPriority]", func() {
 f := framework.NewDefaultFramework("graceful-node-shutdown")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.Context("when gracefully shutting down", func() {
 const (
diff --git a/test/e2e_node/os_label_rename_test.go b/test/e2e_node/os_label_rename_test.go
index 080f73f3780..8c4fc24fdb1 100644
--- a/test/e2e_node/os_label_rename_test.go
+++ b/test/e2e_node/os_label_rename_test.go
@@ -34,10 +34,12 @@ import (
 v1core "k8s.io/client-go/kubernetes/typed/core/v1"
 nodeutil "k8s.io/component-helpers/node/util"
 "k8s.io/kubernetes/test/e2e/framework"
+ admissionapi "k8s.io/pod-security-admission/api"
 )
 var _ = SIGDescribe("OSArchLabelReconciliation [Serial] [Slow] [Disruptive]", func() {
 f := framework.NewDefaultFramework("node-label-reconciliation")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.Context("Kubelet", func() {
 ginkgo.It("should reconcile the OS and Arch labels when restarted", func() {
 node := getLocalNode(f)
diff --git a/test/e2e_node/pids_test.go b/test/e2e_node/pids_test.go
index b455e0945ac..60eb7907570 100644
--- a/test/e2e_node/pids_test.go
+++ b/test/e2e_node/pids_test.go
@@ -23,6 +23,7 @@ import (
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/uuid"
+ admissionapi "k8s.io/pod-security-admission/api"
 kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
 "k8s.io/kubernetes/pkg/kubelet/cm"
@@ -120,6 +121,7 @@ func runPodPidsLimitTests(f *framework.Framework) {
 // Serial because the test updates kubelet configuration.
 var _ = SIGDescribe("PodPidsLimit [Serial]", func() {
 f := framework.NewDefaultFramework("pids-limit-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.Context("With config updated with pids limits", func() {
 tempSetCurrentKubeletConfig(f, func(initialConfig *kubeletconfig.KubeletConfiguration) {
 initialConfig.PodPidsLimit = int64(1024)
diff --git a/test/e2e_node/podresources_test.go b/test/e2e_node/podresources_test.go
index bf12c7bcb0f..aff1d0800b2 100644
--- a/test/e2e_node/podresources_test.go
+++ b/test/e2e_node/podresources_test.go
@@ -35,6 +35,7 @@ import (
 "k8s.io/kubernetes/pkg/kubelet/cm/cpuset"
 "k8s.io/kubernetes/pkg/kubelet/util"
 testutils "k8s.io/kubernetes/test/utils"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/onsi/ginkgo"
 "github.com/onsi/gomega"
@@ -551,6 +552,7 @@ func podresourcesGetAllocatableResourcesTests(cli kubeletpodresourcesv1.PodResou
 // Serial because the test updates kubelet configuration.
 var _ = SIGDescribe("POD Resources [Serial] [Feature:PodResources][NodeFeature:PodResources]", func() {
 f := framework.NewDefaultFramework("podresources-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 reservedSystemCPUs := cpuset.MustParse("1")
diff --git a/test/e2e_node/quota_lsci_test.go b/test/e2e_node/quota_lsci_test.go
index 5e470c27cdf..e5441147a53 100644
--- a/test/e2e_node/quota_lsci_test.go
+++ b/test/e2e_node/quota_lsci_test.go
@@ -31,6 +31,7 @@ import (
 e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
 imageutils "k8s.io/kubernetes/test/utils/image"
 "k8s.io/mount-utils"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/onsi/ginkgo"
 )
@@ -96,6 +97,7 @@ func runOneQuotaTest(f *framework.Framework, quotasRequested bool) {
 // file; if du is used to monitor, it will not detect this.
 var _ = SIGDescribe("LocalStorageCapacityIsolationQuotaMonitoring [Slow] [Serial] [Disruptive] [Feature:LocalStorageCapacityIsolationQuota][NodeFeature:LSCIQuotaMonitoring]", func() {
 f := framework.NewDefaultFramework("localstorage-quota-monitoring-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 runOneQuotaTest(f, true)
 runOneQuotaTest(f, false)
 })
diff --git a/test/e2e_node/resource_metrics_test.go b/test/e2e_node/resource_metrics_test.go
index 014f5093f78..42727284fb9 100644
--- a/test/e2e_node/resource_metrics_test.go
+++ b/test/e2e_node/resource_metrics_test.go
@@ -25,6 +25,7 @@ import (
 e2ekubectl "k8s.io/kubernetes/test/e2e/framework/kubectl"
 e2emetrics "k8s.io/kubernetes/test/e2e/framework/metrics"
 e2evolume "k8s.io/kubernetes/test/e2e/framework/volume"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/prometheus/common/model"
@@ -42,6 +43,7 @@ const (
 var _ = SIGDescribe("ResourceMetricsAPI [NodeFeature:ResourceMetrics]", func() {
 f := framework.NewDefaultFramework("resource-metrics")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.Context("when querying /resource/metrics", func() {
 ginkgo.BeforeEach(func() {
 ginkgo.By("Creating test pods to measure their resource usage")
diff --git a/test/e2e_node/resource_usage_test.go b/test/e2e_node/resource_usage_test.go
index fa7c1660334..b83fc3f2e88 100644
--- a/test/e2e_node/resource_usage_test.go
+++ b/test/e2e_node/resource_usage_test.go
@@ -30,6 +30,7 @@ import (
 e2ekubelet "k8s.io/kubernetes/test/e2e/framework/kubelet"
 e2eperf "k8s.io/kubernetes/test/e2e/framework/perf"
 imageutils "k8s.io/kubernetes/test/utils/image"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/onsi/ginkgo"
 )
@@ -46,6 +47,7 @@ var _ = SIGDescribe("Resource-usage [Serial] [Slow]", func() {
 )
 f := framework.NewDefaultFramework("resource-usage")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.BeforeEach(func() {
 om = e2ekubelet.NewRuntimeOperationMonitor(f.ClientSet)
diff --git a/test/e2e_node/restart_test.go b/test/e2e_node/restart_test.go
index 52f0e244e2f..421c2e85de5 100644
--- a/test/e2e_node/restart_test.go
+++ b/test/e2e_node/restart_test.go
@@ -32,6 +32,7 @@ import (
 e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
 testutils "k8s.io/kubernetes/test/utils"
 imageutils "k8s.io/kubernetes/test/utils/image"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/onsi/ginkgo"
 "github.com/onsi/gomega"
@@ -81,6 +82,7 @@ var _ = SIGDescribe("Restart [Serial] [Slow] [Disruptive]", func() {
 )
 f := framework.NewDefaultFramework("restart-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.Context("Container Runtime", func() {
 ginkgo.Context("Network", func() {
 ginkgo.It("should recover from ip leak", func() {
diff --git a/test/e2e_node/runtimeclass_test.go b/test/e2e_node/runtimeclass_test.go
index 4e563dc5b45..416eb20540b 100644
--- a/test/e2e_node/runtimeclass_test.go
+++ b/test/e2e_node/runtimeclass_test.go
@@ -29,6 +29,7 @@ import (
 e2enode "k8s.io/kubernetes/test/e2e/framework/node"
 e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 imageutils "k8s.io/kubernetes/test/utils/image"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/onsi/ginkgo"
 )
@@ -91,6 +92,7 @@ func makePodToVerifyCgroupSize(cgroupNames []string, expectedCPU string, expecte
 var _ = SIGDescribe("Kubelet PodOverhead handling [LinuxOnly]", func() {
 f := framework.NewDefaultFramework("podoverhead-handling")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.Describe("PodOverhead cgroup accounting", func() {
 ginkgo.Context("On running pod with PodOverhead defined", func() {
 ginkgo.It("Pod cgroup should be sum of overhead and resource limits", func() {
diff --git a/test/e2e_node/system_node_critical_test.go b/test/e2e_node/system_node_critical_test.go
index fcecccaf28f..ad68b58a20d 100644
--- a/test/e2e_node/system_node_critical_test.go
+++ b/test/e2e_node/system_node_critical_test.go
@@ -28,6 +28,7 @@ import (
 kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
 evictionapi "k8s.io/kubernetes/pkg/kubelet/eviction/api"
 "k8s.io/kubernetes/test/e2e/framework"
+ admissionapi "k8s.io/pod-security-admission/api"
 "github.com/onsi/ginkgo"
 "github.com/onsi/gomega"
@@ -35,6 +36,7 @@ import (
 var _ = SIGDescribe("SystemNodeCriticalPod [Slow] [Serial] [Disruptive] [NodeFeature:SystemNodeCriticalPod]", func() {
 f := framework.NewDefaultFramework("system-node-critical-pod-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 // this test only manipulates pods in kube-system
 f.SkipNamespaceCreation = true
diff --git a/test/e2e_node/topology_manager_test.go b/test/e2e_node/topology_manager_test.go
index 83ea629cdb5..dc51c347a25 100644
--- a/test/e2e_node/topology_manager_test.go
+++ b/test/e2e_node/topology_manager_test.go
@@ -36,6 +36,7 @@ import (
 "k8s.io/kubernetes/pkg/kubelet/cm/cpumanager"
 "k8s.io/kubernetes/pkg/kubelet/cm/topologymanager"
 "k8s.io/kubernetes/pkg/kubelet/types"
+ admissionapi "k8s.io/pod-security-admission/api"
 "k8s.io/kubernetes/test/e2e/framework"
 e2enode "k8s.io/kubernetes/test/e2e/framework/node"
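Review bot: In the SystemNodeCriticalPod hunk the new `f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged` sits directly above `f.SkipNamespaceCreation = true`, so the assignment looks like a no-op. Patch 1/2 reads the field inside `CreateNamespace`, and this suite creates no namespace (its own comment says it only manipulates pods in kube-system). Assuming nothing else consumes the field, either drop the assignment or mark it, for example `// no effect while SkipNamespaceCreation is set; pods run in kube-system`, so readers do not assume these pods are admitted under a level the test selected. The closure body continues past the hunk.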
@@ -972,6 +973,7 @@ func hostPrecheck() (int, int) {
 // Serial because the test updates kubelet configuration.
 var _ = SIGDescribe("Topology Manager [Serial] [Feature:TopologyManager][NodeFeature:TopologyManager]", func() {
 f := framework.NewDefaultFramework("topology-manager-test")
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 ginkgo.Context("With kubeconfig updated to static CPU Manager policy run the Topology Manager tests", func() {
 runTopologyManagerTests(f)