🌱 : e2e test: do tests with restricted pods #2732
Skipping CI for Draft Pull Request.
f0d128a to 56f0ba5
/test pull-kubebuilder-e2e-k8s-1-18-20
Overall looks good, just a couple minor nits
test/e2e/v3/generate_test.go
Outdated
@@ -130,7 +130,7 @@ Count int `+"`"+`json:"count,omitempty"`+"`"+` | |||
} | |||
|
|||
// GenerateV3 implements a go/v3(-alpha) plugin project defined by a TestContext. | |||
func GenerateV3(kbc *utils.TestContext, crdAndWebhookVersion string) { | |||
func GenerateV3(kbc *utils.TestContext, crdAndWebhookVersion string, restrictived bool) { |
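Review bot: the new `restrictived` parameter on the changed `GenerateV3` signature is misspelled, and the doc comment above the function was left as "implements a go/v3(-alpha) plugin project defined by a TestContext", so nothing says what the flag changes in the generated project. Rename it to `restricted` and add a sentence to the comment describing what is scaffolded differently when it is true. A bare positional bool also reads poorly at the call site; a named option or a separate wrapper function would make the intent visible there.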
just a nit, but I think the bool should either be `restrictive` or `restricted`
func GenerateV3(kbc *utils.TestContext, crdAndWebhookVersion string, restrictived bool) { | |
func GenerateV3(kbc *utils.TestContext, crdAndWebhookVersion string, restrictive bool) { |
test/e2e/v3/plugin_cluster_test.go
Outdated
It("should generate a runnable project go/v3 with v1 CRDs and Webhooks with restricted pods", func() { | ||
// Skip if cluster version < 1.16, when v1 CRDs and webhooks did not exist. | ||
// Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19 | ||
// Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced | ||
if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 19 { | ||
Skip(fmt.Sprintf("cluster version %s does not support v1 CRDs or webhooks"+ | ||
"and securityContext.seccompProfile", srvVer.GitVersion)) | ||
} | ||
|
||
GenerateV3(kbc, "v1", true) | ||
|
||
// only if running on Kubernetes >= 1.24 do we need to generate the ServiceAccount token Secret | ||
// TODO: Remove this once a better implementation using something like the TokenRequest API | ||
// is used in the e2e tests | ||
if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() == 1 && srvVer.GetMinorInt() >= 24 { | ||
sat = true | ||
} | ||
|
||
Run(kbc, sat) | ||
}) | ||
It("should generate a runnable project with the golang base plugin v3 and kustomize v4-alpha"+ | ||
" with restricted pods", func() { | ||
// Skip if cluster version < 1.16, when v1 CRDs and webhooks did not exist. | ||
// Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19 | ||
// Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced | ||
if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 19 { | ||
Skip(fmt.Sprintf("cluster version %s does not support v1 CRDs or webhooks "+ | ||
"and securityContext.seccompProfile", srvVer.GitVersion)) | ||
} | ||
|
||
GenerateV3WithKustomizeV2(kbc, "v1", true) | ||
|
||
// only if running on Kubernetes >= 1.24 do we need to generate the ServiceAccount token Secret | ||
// TODO: Remove this once a better implementation using something like the TokenRequest API | ||
// is used in the e2e tests | ||
if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() == 1 && srvVer.GetMinorInt() >= 24 { | ||
sat = true | ||
} | ||
|
||
Run(kbc, sat) | ||
}) | ||
It("should generate a runnable project with v1beta1 CRDs and Webhooks with restricted pods", func() { | ||
// Skip if cluster version < 1.15, when `.spec.preserveUnknownFields` was not a v1beta1 CRD field. | ||
// Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19 | ||
// Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced | ||
// Skip if cluster version >= 1.22 because pre v1 CRDs and webhooks no longer exist. | ||
if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 19 || | ||
srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() >= 22 { | ||
Skip(fmt.Sprintf("cluster version %s does not support project defaults "+ | ||
"and securityContext.seccompProfile", srvVer.GitVersion)) | ||
} | ||
|
||
GenerateV3(kbc, "v1beta1", true) |
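Review bot: in the first `It` block the skip message joins `"...does not support v1 CRDs or webhooks"+` and `"and securityContext.seccompProfile"` with no separating space, so it prints "webhooksand"; the second block has the trailing space and the first should match it. In the v1beta1 block the condition mixes `&&` and `||` without parentheses. Go's precedence gives the intended grouping, but parenthesising the `< 19` and `>= 22` ranges would make that explicit. In these lines `sat` is only ever assigned `true`, so it is worth confirming that it is reset between specs. The three blocks differ only in the generator call and the version bounds, so a shared helper for the version gate and the `sat` assignment would remove most of the duplication.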
Curious as to why these lines were added? These look to be the same as the above tests that have a minor change to enable the testing with restricted pods.
That is a test for a scaffold with CRD v1beta1
It looks like the lines:
https://github.com/kubernetes-sigs/kubebuilder/pull/2732/files/56f0ba5b2730702ed56b5e66d3b5e741ba016c55#diff-5f5cf1a838c4d92e543721d2697ea0e2b0cf57b9f9a3c72bc9fa51a030bc56b8R170-R224
are repeated tests. I may be wrong but I think all of these tests already exist in these lines:
https://github.com/kubernetes-sigs/kubebuilder/pull/2732/files/56f0ba5b2730702ed56b5e66d3b5e741ba016c55#diff-5f5cf1a838c4d92e543721d2697ea0e2b0cf57b9f9a3c72bc9fa51a030bc56b8R114-R168
- the first one tests the Operator with v1 CRDs/Webhooks and pod restriction
- the second one tests the Operator with kustomize v2 changes and pod restriction
- the third one tests the Operator with v1beta1 CRDs/Webhooks and pod restriction
In the long run we will need to refactor the tests. This code is confusing for sure.
|
||
func uncommentPodStandards(kbc *utils.TestContext) { | ||
configManager := filepath.Join(kbc.Dir, "config", "manager", "manager.yaml") | ||
managerAuth := filepath.Join(kbc.Dir, "config", "default", "manager_auth_proxy_patch.yaml") |
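Review bot: `configManager` in `uncommentPodStandards` holds the path of a file (it ends in `manager.yaml`), not the `config/manager` directory, and the name invites reuse as a base path in a later `filepath.Join`. A name that says it is a file, for example `managerYAML`, with a matching name for the auth proxy patch path, would prevent that mistake. The function also has no doc comment stating which scaffolded files it edits.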
Nit:
managerAuth := filepath.Join(kbc.Dir, "config", "default", "manager_auth_proxy_patch.yaml") | |
managerAuth := filepath.Join(configManager, "default", "manager_auth_proxy_patch.yaml") |
We cannot do this change.
Why?
configManager-> has the full path with the file
56f0ba5 to 948ec04
Looks good to me
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: camilamacedo86, everettraven. The full list of commands accepted by this bot can be found here. The pull request process is described here.
@rashmigottipati I am moving forward with this one but we can be working on any improvement that you see fit as a follow-up as well.
/hold to rebase with master
948ec04 to c3e2276
New changes are detected. LGTM label has been removed.
/hold cancel
…crease the coverage)
c3e2276 to 793161d
/lgtm
Description
do tests with restricted pods
motivation
Ensure that the default scaffold works with restricted pods