mirror of
https://github.com/k3s-io/kubernetes.git
synced 2026-07-17 20:00:07 +00:00
KEP-3619: remove e2etestskipper in e2e tests for SupplementalGroupsPolicy GA
This commit is contained in:
@@ -27,12 +27,9 @@ import (
|
||||
|
||||
v1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/fields"
|
||||
"k8s.io/apimachinery/pkg/util/uuid"
|
||||
"k8s.io/kubernetes/pkg/apis/core"
|
||||
"k8s.io/kubernetes/pkg/features"
|
||||
"k8s.io/kubernetes/pkg/kubelet/events"
|
||||
"k8s.io/kubernetes/pkg/kubelet/lifecycle"
|
||||
"k8s.io/kubernetes/pkg/kubelet/metrics"
|
||||
"k8s.io/kubernetes/test/e2e/feature"
|
||||
"k8s.io/kubernetes/test/e2e/framework"
|
||||
@@ -792,19 +789,6 @@ var _ = SIGDescribe("Security Context", func() {
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
nodeSupportsSupplementalGroupsPolicy := func(ctx context.Context, f *framework.Framework, nodeName string) bool {
|
||||
node, err := f.ClientSet.CoreV1().Nodes().Get(ctx, nodeName, metav1.GetOptions{})
|
||||
framework.ExpectNoError(err)
|
||||
gomega.Expect(node).NotTo(gomega.BeNil())
|
||||
if node.Status.Features != nil {
|
||||
supportsSupplementalGroupsPolicy := node.Status.Features.SupplementalGroupsPolicy
|
||||
if supportsSupplementalGroupsPolicy != nil && *supportsSupplementalGroupsPolicy {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
waitForContainerUser := func(ctx context.Context, f *framework.Framework, podName string, containerName string, expectedContainerUser *v1.ContainerUser) error {
|
||||
return framework.Gomega().Eventually(ctx,
|
||||
framework.RetryNotFound(framework.GetObject(f.ClientSet.CoreV1().Pods(f.Namespace.Name).Get, podName, metav1.GetOptions{}))).
|
||||
@@ -866,28 +850,6 @@ var _ = SIGDescribe("Security Context", func() {
|
||||
stdout := e2epod.ExecCommandInContainer(f, podName, containerName, "id", "-G")
|
||||
gomega.Expect(stdout).To(gomega.Equal(expectedOutput))
|
||||
}
|
||||
expectRejectionEventIssued := func(ctx context.Context, f *framework.Framework, pod *v1.Pod) {
|
||||
framework.ExpectNoError(
|
||||
framework.Gomega().Eventually(ctx,
|
||||
framework.HandleRetry(framework.ListObjects(
|
||||
f.ClientSet.CoreV1().Events(pod.Namespace).List,
|
||||
metav1.ListOptions{
|
||||
FieldSelector: fields.Set{
|
||||
"type": core.EventTypeWarning,
|
||||
"reason": lifecycle.SupplementalGroupsPolicyNotSupported,
|
||||
"involvedObject.kind": "Pod",
|
||||
"involvedObject.apiVersion": v1.SchemeGroupVersion.String(),
|
||||
"involvedObject.name": pod.Name,
|
||||
"involvedObject.uid": string(pod.UID),
|
||||
}.AsSelector().String(),
|
||||
},
|
||||
))).
|
||||
WithTimeout(timeout).
|
||||
Should(gcustom.MakeMatcher(func(eventList *v1.EventList) (bool, error) {
|
||||
return len(eventList.Items) == 1, nil
|
||||
})),
|
||||
)
|
||||
}
|
||||
|
||||
ginkgo.When("SupplementalGroupsPolicy nil in SecurityContext", func() {
|
||||
ginkgo.When("if the container's primary UID belongs to some groups in the image", func() {
|
||||
@@ -897,27 +859,8 @@ var _ = SIGDescribe("Security Context", func() {
|
||||
pod = e2epod.NewPodClient(f).CreateSync(ctx, mkPod(ptr.To(v1.SupplementalGroupsPolicyMerge)))
|
||||
})
|
||||
})
|
||||
ginkgo.When("scheduled node does not support SupplementalGroupsPolicy", func() {
|
||||
ginkgo.BeforeEach(func(ctx context.Context) {
|
||||
// ensure the scheduled node does not support SupplementalGroupsPolicy
|
||||
if nodeSupportsSupplementalGroupsPolicy(ctx, f, pod.Spec.NodeName) {
|
||||
e2eskipper.Skipf("scheduled node does support SupplementalGroupsPolicy")
|
||||
}
|
||||
})
|
||||
ginkgo.It("it should add SupplementalGroups to them [LinuxOnly]", func(ctx context.Context) {
|
||||
expectMergePolicyInEffect(ctx, f, pod.Name, pod.Spec.Containers[0].Name, false)
|
||||
})
|
||||
})
|
||||
ginkgo.When("scheduled node supports SupplementalGroupsPolicy", func() {
|
||||
ginkgo.BeforeEach(func(ctx context.Context) {
|
||||
// ensure the scheduled node does support SupplementalGroupsPolicy
|
||||
if !nodeSupportsSupplementalGroupsPolicy(ctx, f, pod.Spec.NodeName) {
|
||||
e2eskipper.Skipf("scheduled node does not support SupplementalGroupsPolicy")
|
||||
}
|
||||
})
|
||||
ginkgo.It("it should add SupplementalGroups to them [LinuxOnly]", func(ctx context.Context) {
|
||||
expectMergePolicyInEffect(ctx, f, pod.Name, pod.Spec.Containers[0].Name, true)
|
||||
})
|
||||
ginkgo.It("it should add SupplementalGroups to them [LinuxOnly]", func(ctx context.Context) {
|
||||
expectMergePolicyInEffect(ctx, f, pod.Name, pod.Spec.Containers[0].Name, true)
|
||||
})
|
||||
})
|
||||
})
|
||||
@@ -929,27 +872,8 @@ var _ = SIGDescribe("Security Context", func() {
|
||||
pod = e2epod.NewPodClient(f).CreateSync(ctx, mkPod(nil))
|
||||
})
|
||||
})
|
||||
ginkgo.When("scheduled node does not support SupplementalGroupsPolicy", func() {
|
||||
ginkgo.BeforeEach(func(ctx context.Context) {
|
||||
// ensure the scheduled node does not support SupplementalGroupsPolicy
|
||||
if nodeSupportsSupplementalGroupsPolicy(ctx, f, pod.Spec.NodeName) {
|
||||
e2eskipper.Skipf("scheduled node does support SupplementalGroupsPolicy")
|
||||
}
|
||||
})
|
||||
ginkgo.It("it should add SupplementalGroups to them [LinuxOnly]", func(ctx context.Context) {
|
||||
expectMergePolicyInEffect(ctx, f, pod.Name, pod.Spec.Containers[0].Name, false)
|
||||
})
|
||||
})
|
||||
ginkgo.When("scheduled node supports SupplementalGroupsPolicy", func() {
|
||||
ginkgo.BeforeEach(func(ctx context.Context) {
|
||||
// ensure the scheduled node does support SupplementalGroupsPolicy
|
||||
if !nodeSupportsSupplementalGroupsPolicy(ctx, f, pod.Spec.NodeName) {
|
||||
e2eskipper.Skipf("scheduled node does not support SupplementalGroupsPolicy")
|
||||
}
|
||||
})
|
||||
ginkgo.It("it should add SupplementalGroups to them [LinuxOnly]", func(ctx context.Context) {
|
||||
expectMergePolicyInEffect(ctx, f, pod.Name, pod.Spec.Containers[0].Name, true)
|
||||
})
|
||||
ginkgo.It("it should add SupplementalGroups to them [LinuxOnly]", func(ctx context.Context) {
|
||||
expectMergePolicyInEffect(ctx, f, pod.Name, pod.Spec.Containers[0].Name, true)
|
||||
})
|
||||
})
|
||||
})
|
||||
@@ -958,35 +882,11 @@ var _ = SIGDescribe("Security Context", func() {
|
||||
var pod *v1.Pod
|
||||
ginkgo.BeforeEach(func(ctx context.Context) {
|
||||
ginkgo.By("creating a pod", func() {
|
||||
pod = e2epod.NewPodClient(f).Create(ctx, mkPod(ptr.To(v1.SupplementalGroupsPolicyStrict)))
|
||||
framework.ExpectNoError(e2epod.WaitForPodScheduled(ctx, f.ClientSet, pod.Namespace, pod.Name))
|
||||
var err error
|
||||
pod, err = e2epod.NewPodClient(f).Get(ctx, pod.Name, metav1.GetOptions{})
|
||||
framework.ExpectNoError(err)
|
||||
pod = e2epod.NewPodClient(f).CreateSync(ctx, mkPod(ptr.To(v1.SupplementalGroupsPolicyStrict)))
|
||||
})
|
||||
})
|
||||
ginkgo.When("scheduled node does not support SupplementalGroupsPolicy", func() {
|
||||
ginkgo.BeforeEach(func(ctx context.Context) {
|
||||
// ensure the scheduled node does not support SupplementalGroupsPolicy
|
||||
if nodeSupportsSupplementalGroupsPolicy(ctx, f, pod.Spec.NodeName) {
|
||||
e2eskipper.Skipf("scheduled node does support SupplementalGroupsPolicy")
|
||||
}
|
||||
})
|
||||
ginkgo.It("it should reject the pod [LinuxOnly]", func(ctx context.Context) {
|
||||
expectRejectionEventIssued(ctx, f, pod)
|
||||
})
|
||||
})
|
||||
ginkgo.When("scheduled node supports SupplementalGroupsPolicy", func() {
|
||||
ginkgo.BeforeEach(func(ctx context.Context) {
|
||||
// ensure the scheduled node does support SupplementalGroupsPolicy
|
||||
if !nodeSupportsSupplementalGroupsPolicy(ctx, f, pod.Spec.NodeName) {
|
||||
e2eskipper.Skipf("scheduled node does not support SupplementalGroupsPolicy")
|
||||
}
|
||||
framework.ExpectNoError(e2epod.WaitForPodRunningInNamespace(ctx, f.ClientSet, pod))
|
||||
})
|
||||
ginkgo.It("it should NOT add SupplementalGroups to them [LinuxOnly]", func(ctx context.Context) {
|
||||
expectStrictPolicyInEffect(ctx, f, pod.Name, pod.Spec.Containers[0].Name, true)
|
||||
})
|
||||
ginkgo.It("it should NOT add SupplementalGroups to them [LinuxOnly]", func(ctx context.Context) {
|
||||
expectStrictPolicyInEffect(ctx, f, pod.Name, pod.Spec.Containers[0].Name, true)
|
||||
})
|
||||
})
|
||||
})
|
||||
|
||||
Reference in New Issue
Block a user