From a66c025dc9e5a454ba65ea3ce354e36c96883dd3 Mon Sep 17 00:00:00 2001 From: Sascha Grunert Date: Fri, 14 Nov 2025 10:17:54 +0100 Subject: [PATCH] test/e2e_node: Update procMount test to use Restricted PSA level Update the procMount test expectations to match the intentional PSA policy relaxation introduced in commit e8bd3f629d4. As of Kubernetes 1.35+, Pod Security Admission Baseline policy allows UnmaskedProcMount for pods with user namespaces (hostUsers: false). This was an intentional change to support nested container use cases while maintaining security through user namespace isolation. The test "will fail to unmask proc mounts if not privileged" was written before this relaxation and expected Baseline level to reject UnmaskedProcMount. Since Baseline now allows it (for user namespace pods), the test needs to use Restricted level instead, which unconditionally blocks UnmaskedProcMount regardless of user namespace settings. Changes: - Change PSA level from Baseline to Restricted - Update test name to clarify it's testing Restricted level behavior - Update framework name from "proc-mount-baseline-test" to "proc-mount-restricted-test" Fixes the ci-crio-userns-e2e-serial test failure that started occurring when runtimes began reporting user namespace support. Signed-off-by: Sascha Grunert
---
 test/e2e_node/proc_mount_test.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/test/e2e_node/proc_mount_test.go b/test/e2e_node/proc_mount_test.go
index e0023ba8d73..5a968b089ac 100644
--- a/test/e2e_node/proc_mount_test.go
+++ b/test/e2e_node/proc_mount_test.go
@@ -46,10 +46,10 @@ var _ = SIGDescribe("DefaultProcMount [LinuxOnly]", framework.WithNodeConformanc
 })
 
 var _ = SIGDescribe("ProcMount [LinuxOnly]", feature.ProcMountType, feature.UserNamespacesSupport, func() {
-	f := framework.NewDefaultFramework("proc-mount-baseline-test")
-	f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
+	f := framework.NewDefaultFramework("proc-mount-restricted-test")
+	f.NamespacePodSecurityLevel = admissionapi.LevelRestricted
 
-	f.It("will fail to unmask proc mounts if not privileged", func(ctx context.Context) {
+	f.It("will fail to unmask proc mounts at restricted level", func(ctx context.Context) {
 		if !supportsUserNS(ctx, f) {
 			e2eskipper.Skipf("runtime does not support user namespaces")
 		}
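Review bot: The conditional half of the Baseline relaxation the description relies on — UnmaskedProcMount is still refused when the pod does not opt into a user namespace — is no longer exercised once this test moves to `admissionapi.LevelRestricted`, because Restricted rejects it unconditionally and so cannot tell whether the `hostUsers` condition is being enforced. Consider keeping a second case at `admissionapi.LevelBaseline` whose pod leaves `HostUsers` unset (or sets it to true) and asserts that the create is refused, so a regression that drops the condition is caught here rather than only in unit tests. The `supportsUserNS` skip now guards an assertion that, at Restricted level, should not depend on runtime user-namespace support; if the pod spec built further down sets `HostUsers: false` the skip is still needed, otherwise it could go. The `f.It` body and the pod it creates continue outside the hunk.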