From b16ab89c3ccdafd250790b42a846445c4381950d Mon Sep 17 00:00:00 2001 From: Joachim Bartosik Date: Tue, 28 Jun 2022 11:04:23 +0200 Subject: [PATCH] Allow privilidged pods in VPA E2E We allowed them before (it was default) but now we need to allow it explicitly: https://groups.google.com/a/kubernetes.io/g/dev/c/BZlDyz9FK1U/m/57PgQlA4BgAJ Long term I want to run pods without privilidge but it requeres: - https://github.com/kubernetes/kubernetes/pull/110779 to merge - Syncing e2e dependencies to include the merged change - Changing tests to run pods without privilidges To keep tests passing through removal of PodSecurityPolicy for 1.25 I want to merge this change first and reduce pod privilidges later --- vertical-pod-autoscaler/e2e/v1/actuation.go | 2 ++ vertical-pod-autoscaler/e2e/v1/admission_controller.go | 2 ++ vertical-pod-autoscaler/e2e/v1/full_vpa.go | 5 +++++ vertical-pod-autoscaler/e2e/v1/recommender.go | 8 +++++++- vertical-pod-autoscaler/e2e/v1/updater.go | 2 ++ vertical-pod-autoscaler/e2e/v1beta2/actuation.go | 2 ++ .../e2e/v1beta2/admission_controller.go | 2 ++ vertical-pod-autoscaler/e2e/v1beta2/full_vpa.go | 3 +++ vertical-pod-autoscaler/e2e/v1beta2/recommender.go | 8 +++++++- vertical-pod-autoscaler/e2e/v1beta2/updater.go | 2 ++ 10 files changed, 34 insertions(+), 2 deletions(-) diff --git a/vertical-pod-autoscaler/e2e/v1/actuation.go b/vertical-pod-autoscaler/e2e/v1/actuation.go index 048a45b72d..386757fd20 100644 --- a/vertical-pod-autoscaler/e2e/v1/actuation.go +++ b/vertical-pod-autoscaler/e2e/v1/actuation.go @@ -41,6 +41,7 @@ import ( framework_rs "k8s.io/kubernetes/test/e2e/framework/replicaset" framework_ss "k8s.io/kubernetes/test/e2e/framework/statefulset" testutils "k8s.io/kubernetes/test/utils" + podsecurity "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" 
@@ -48,6 +49,7 @@ import ( var _ = ActuationSuiteE2eDescribe("Actuation", func() { f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline ginkgo.It("stops when pods get pending", func() { diff --git a/vertical-pod-autoscaler/e2e/v1/admission_controller.go b/vertical-pod-autoscaler/e2e/v1/admission_controller.go index 2e5923d36f..01cbe5941a 100644 --- a/vertical-pod-autoscaler/e2e/v1/admission_controller.go +++ b/vertical-pod-autoscaler/e2e/v1/admission_controller.go @@ -28,6 +28,7 @@ import ( vpa_types "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1" "k8s.io/kubernetes/test/e2e/framework" framework_deployment "k8s.io/kubernetes/test/e2e/framework/deployment" + podsecurity "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -35,6 +36,7 @@ import ( var _ = AdmissionControllerE2eDescribe("Admission-controller", func() { f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline ginkgo.It("starts pods with new recommended request", func() { d := NewHamsterDeploymentWithResources(f, ParseQuantityOrDie("100m") /*cpu*/, ParseQuantityOrDie("100Mi") /*memory*/) diff --git a/vertical-pod-autoscaler/e2e/v1/full_vpa.go b/vertical-pod-autoscaler/e2e/v1/full_vpa.go index 307036131b..5e4743b64e 100644 --- a/vertical-pod-autoscaler/e2e/v1/full_vpa.go +++ b/vertical-pod-autoscaler/e2e/v1/full_vpa.go @@ -29,6 +29,7 @@ import ( vpa_types "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1" vpa_clientset "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/client/clientset/versioned" "k8s.io/kubernetes/test/e2e/framework" + podsecurity "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" 
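Review bot: The added `f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline` in the `ActuationSuiteE2eDescribe` hunk of v1/actuation.go has no comment, and the commit subject calls it allowing privileged pods, while the value chosen is the baseline Pod Security level, which still rejects privileged containers and host namespaces. A comment above the assignment would record why the level is relaxed and when to tighten it, for example `// Baseline (not restricted) until the test pods set a restricted-compatible securityContext; then switch to podsecurity.LevelRestricted.` The same applies to every other Describe block this patch touches under e2e/v1 and e2e/v1beta2 (admission_controller.go, full_vpa.go, recommender.go, updater.go). The Describe closures continue outside the hunks, so it cannot be seen here whether baseline is the minimum these test pods need.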
@@ -60,6 +61,7 @@ var _ = FullVpaE2eDescribe("Pods under VPA", func() { // This schedules AfterEach block that needs to run after the AfterEach above and // BeforeEach that needs to run before the BeforeEach below - thus the order of these matters. f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline ginkgo.BeforeEach(func() { ns := f.Namespace.Name @@ -138,6 +140,7 @@ var _ = FullVpaE2eDescribe("Pods under VPA with default recommender explicitly c // This schedules AfterEach block that needs to run after the AfterEach above and // BeforeEach that needs to run before the BeforeEach below - thus the order of these matters. f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline ginkgo.BeforeEach(func() { ns := f.Namespace.Name @@ -200,6 +203,7 @@ var _ = FullVpaE2eDescribe("Pods under VPA with non-recognized recommender expli // This schedules AfterEach block that needs to run after the AfterEach above and // BeforeEach that needs to run before the BeforeEach below - thus the order of these matters. f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline ginkgo.BeforeEach(func() { ns := f.Namespace.Name @@ -254,6 +258,7 @@ var _ = FullVpaE2eDescribe("OOMing pods under VPA", func() { const replicas = 3 f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline ginkgo.BeforeEach(func() { ns := f.Namespace.Name diff --git a/vertical-pod-autoscaler/e2e/v1/recommender.go b/vertical-pod-autoscaler/e2e/v1/recommender.go index e4d07d56f1..48ac778266 100644 --- a/vertical-pod-autoscaler/e2e/v1/recommender.go +++ b/vertical-pod-autoscaler/e2e/v1/recommender.go 
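Review bot: The same assignment is pasted after each of the four `framework.NewDefaultFramework("vertical-pod-autoscaling")` calls in v1/full_vpa.go, and again in every other suite file of this patch, so the planned reduction of pod privileges will have to find and edit each copy. A small package-level helper that builds the framework and sets the level would make the enforcement level a single decision, e.g. `f := newVpaFramework()` (the helper name is only a suggestion). The call would have to stay exactly where `NewDefaultFramework` is today, because the existing comment in these hunks says the order relative to the surrounding BeforeEach/AfterEach blocks matters.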
@@ -30,8 +30,9 @@ import ( vpa_clientset "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/client/clientset/versioned" clientset "k8s.io/client-go/kubernetes" "k8s.io/client-go/tools/cache" - "k8s.io/klog/v2" + klog "k8s.io/klog/v2" "k8s.io/kubernetes/test/e2e/framework" + podsecurity "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -119,6 +120,7 @@ func getVpaObserver(vpaClientSet vpa_clientset.Interface) *observer { var _ = RecommenderE2eDescribe("Checkpoints", func() { f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline ginkgo.It("with missing VPA objects are garbage collected", func() { ns := f.Namespace.Name @@ -147,6 +149,7 @@ var _ = RecommenderE2eDescribe("Checkpoints", func() { var _ = RecommenderE2eDescribe("VPA CRD object", func() { f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline ginkgo.It("serves recommendation for CronJob", func() { ginkgo.By("Setting up hamster CronJob") @@ -171,6 +174,7 @@ var _ = RecommenderE2eDescribe("VPA CRD object", func() { var _ = RecommenderE2eDescribe("VPA CRD object", func() { f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline var ( vpaCRD *vpa_types.VerticalPodAutoscaler @@ -241,6 +245,7 @@ var _ = RecommenderE2eDescribe("VPA CRD object", func() { var _ = RecommenderE2eDescribe("VPA CRD object", func() { f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline var ( vpaClientSet vpa_clientset.Interface 
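Review bot: The import hunk of v1/recommender.go also rewrites `"k8s.io/klog/v2"` to `klog "k8s.io/klog/v2"`, which is unrelated to the pod security change; the same edit appears in v1beta2/recommender.go. The alias looks tool-generated and should not change behaviour if the package is already named `klog`. It would read more cleanly left as `"k8s.io/klog/v2"` here or moved to its own commit, so that this patch contains only the enforcement-level change.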
@@ -321,6 +326,7 @@ func createVpaCRDWithMinMaxAllowed(f *framework.Framework, minAllowed, maxAllowe var _ = RecommenderE2eDescribe("VPA CRD object", func() { f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline var vpaClientSet vpa_clientset.Interface diff --git a/vertical-pod-autoscaler/e2e/v1/updater.go b/vertical-pod-autoscaler/e2e/v1/updater.go index 4aaeae1a85..4ef17fba4a 100644 --- a/vertical-pod-autoscaler/e2e/v1/updater.go +++ b/vertical-pod-autoscaler/e2e/v1/updater.go @@ -27,6 +27,7 @@ import ( vpa_types "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1" "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/utils/status" "k8s.io/kubernetes/test/e2e/framework" + podsecurity "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -34,6 +35,7 @@ import ( var _ = UpdaterE2eDescribe("Updater", func() { f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline ginkgo.It("evicts pods when Admission Controller status available", func() { const statusUpdateInterval = 10 * time.Second diff --git a/vertical-pod-autoscaler/e2e/v1beta2/actuation.go b/vertical-pod-autoscaler/e2e/v1beta2/actuation.go index 1867ae5c2c..c3c3e4fe23 100644 --- a/vertical-pod-autoscaler/e2e/v1beta2/actuation.go +++ b/vertical-pod-autoscaler/e2e/v1beta2/actuation.go @@ -41,6 +41,7 @@ import ( framework_rs "k8s.io/kubernetes/test/e2e/framework/replicaset" framework_ss "k8s.io/kubernetes/test/e2e/framework/statefulset" testutils "k8s.io/kubernetes/test/utils" + podsecurity "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" 
@@ -48,6 +49,7 @@ import ( var _ = ActuationSuiteE2eDescribe("Actuation", func() { f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline ginkgo.It("stops when pods get pending", func() { diff --git a/vertical-pod-autoscaler/e2e/v1beta2/admission_controller.go b/vertical-pod-autoscaler/e2e/v1beta2/admission_controller.go index 7a928c99d9..1d42888b28 100644 --- a/vertical-pod-autoscaler/e2e/v1beta2/admission_controller.go +++ b/vertical-pod-autoscaler/e2e/v1beta2/admission_controller.go @@ -28,6 +28,7 @@ import ( vpa_types "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1beta2" "k8s.io/kubernetes/test/e2e/framework" framework_deployment "k8s.io/kubernetes/test/e2e/framework/deployment" + podsecurity "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -35,6 +36,7 @@ import ( var _ = AdmissionControllerE2eDescribe("Admission-controller", func() { f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline ginkgo.It("starts pods with new recommended request", func() { d := NewHamsterDeploymentWithResources(f, ParseQuantityOrDie("100m") /*cpu*/, ParseQuantityOrDie("100Mi") /*memory*/) diff --git a/vertical-pod-autoscaler/e2e/v1beta2/full_vpa.go b/vertical-pod-autoscaler/e2e/v1beta2/full_vpa.go index b40822dd7f..a15ac458db 100644 --- a/vertical-pod-autoscaler/e2e/v1beta2/full_vpa.go +++ b/vertical-pod-autoscaler/e2e/v1beta2/full_vpa.go @@ -29,6 +29,7 @@ import ( vpa_types "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1beta2" vpa_clientset "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/client/clientset/versioned" "k8s.io/kubernetes/test/e2e/framework" + podsecurity "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" 
@@ -60,6 +61,7 @@ var _ = FullVpaE2eDescribe("Pods under VPA", func() { // This schedules AfterEach block that needs to run after the AfterEach above and // BeforeEach that needs to run before the BeforeEach below - thus the order of these matters. f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline ginkgo.BeforeEach(func() { ns := f.Namespace.Name @@ -131,6 +133,7 @@ var _ = FullVpaE2eDescribe("OOMing pods under VPA", func() { const replicas = 3 f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline ginkgo.BeforeEach(func() { ns := f.Namespace.Name diff --git a/vertical-pod-autoscaler/e2e/v1beta2/recommender.go b/vertical-pod-autoscaler/e2e/v1beta2/recommender.go index 7e86d6d62f..22f101a4a6 100644 --- a/vertical-pod-autoscaler/e2e/v1beta2/recommender.go +++ b/vertical-pod-autoscaler/e2e/v1beta2/recommender.go @@ -30,8 +30,9 @@ import ( vpa_clientset "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/client/clientset/versioned" clientset "k8s.io/client-go/kubernetes" "k8s.io/client-go/tools/cache" - "k8s.io/klog/v2" + klog "k8s.io/klog/v2" "k8s.io/kubernetes/test/e2e/framework" + podsecurity "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" @@ -119,6 +120,7 @@ func getVpaObserver(vpaClientSet vpa_clientset.Interface) *observer { var _ = RecommenderE2eDescribe("Checkpoints", func() { f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline ginkgo.It("with missing VPA objects are garbage collected", func() { ns := f.Namespace.Name 
@@ -147,6 +149,7 @@ var _ = RecommenderE2eDescribe("Checkpoints", func() { var _ = RecommenderE2eDescribe("VPA CRD object", func() { f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline ginkgo.It("serves recommendation for CronJob", func() { ginkgo.By("Setting up hamster CronJob") @@ -171,6 +174,7 @@ var _ = RecommenderE2eDescribe("VPA CRD object", func() { var _ = RecommenderE2eDescribe("VPA CRD object", func() { f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline var ( vpaCRD *vpa_types.VerticalPodAutoscaler @@ -241,6 +245,7 @@ var _ = RecommenderE2eDescribe("VPA CRD object", func() { var _ = RecommenderE2eDescribe("VPA CRD object", func() { f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline var ( vpaClientSet vpa_clientset.Interface @@ -322,6 +327,7 @@ func createVpaCRDWithMinMaxAllowed(f *framework.Framework, minAllowed, maxAllowe var _ = RecommenderE2eDescribe("VPA CRD object", func() { f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline var vpaClientSet vpa_clientset.Interface diff --git a/vertical-pod-autoscaler/e2e/v1beta2/updater.go b/vertical-pod-autoscaler/e2e/v1beta2/updater.go index acbc003c70..52ff4bced3 100644 --- a/vertical-pod-autoscaler/e2e/v1beta2/updater.go +++ b/vertical-pod-autoscaler/e2e/v1beta2/updater.go @@ -27,6 +27,7 @@ import ( vpa_types "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1beta2" "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/utils/status" "k8s.io/kubernetes/test/e2e/framework" + podsecurity "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo" "github.com/onsi/gomega" 
@@ -34,6 +35,7 @@ import ( var _ = UpdaterE2eDescribe("Updater", func() { f := framework.NewDefaultFramework("vertical-pod-autoscaling") + f.NamespacePodSecurityEnforceLevel = podsecurity.LevelBaseline ginkgo.It("evicts pods when Admission Controller status available", func() { const statusUpdateInterval = 10 * time.Second