From 682ee2908a23dce715bffda590e59396087c17e3 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 20 Jul 2022 15:53:34 +0200 Subject: [PATCH] Make scheduling e2e tests run PSa-restricted pods The "pause" pods that are being run in the scheduling tests are sometimes launched in system namespaces. Therefore even if a test is considered to be running on a "baseline" Pod Security admission level, its "baseline" pods would fail to run if the global PSa enforcement policy is set to "restricted" - the system namespaces have no PSa labels. The "pause" pods run by this test can actually easily run with "restricted" security context, and so this patch turns them into just that. --- test/e2e/scheduling/predicates.go | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/test/e2e/scheduling/predicates.go b/test/e2e/scheduling/predicates.go index 515bb56f307..451952c2417 100644 --- a/test/e2e/scheduling/predicates.go +++ b/test/e2e/scheduling/predicates.go @@ -828,15 +828,17 @@ func initPausePod(f *framework.Framework, conf pausePodConfig) *v1.Pod { OwnerReferences: conf.OwnerReferences, }, Spec: v1.PodSpec{ + SecurityContext: e2epod.GetRestrictedPodSecurityContext(), NodeSelector: conf.NodeSelector, Affinity: conf.Affinity, TopologySpreadConstraints: conf.TopologySpreadConstraints, RuntimeClassName: conf.RuntimeClassHandler, Containers: []v1.Container{ { - Name: conf.Name, - Image: imageutils.GetPauseImageName(), - Ports: conf.Ports, + Name: conf.Name, + Image: imageutils.GetPauseImageName(), + Ports: conf.Ports, + SecurityContext: e2epod.GetRestrictedContainerSecurityContext(), }, }, Tolerations: conf.Tolerations,