Add sysctls to the ouput of describe on PSPs
#65218
Conversation
k8s-ci-robot
added
size/S
k8s-ci-robot
added
release-note-none
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
| @@ -2248,6 +2249,7 @@ func TestDescribePodSecurityPolicy(t *testing.T) { | |||
| Name: "mypsp", | |||
| }, | |||
| Spec: policy.PodSecurityPolicySpec{ | |||
| AllowedUnsafeSysctls: []string{"kernel.*", ",net.ipv4.ip_local_port_range"}, | |||
There was a problem hiding this comment.
What's about forbidden sysctls?
There was a problem hiding this comment.
",net.ipv4.ip_local_port_range"
Why it's started from a comma?
There was a problem hiding this comment.
I thought I'd test only one of those two since many of the other attributes seem to be left out as well (e.g. FlexVolume) and forbidden sysctls have the same display method as allowed unsafe ones. I can add them if you want, though.
| @@ -2228,6 +2228,7 @@ func TestDescribePodSecurityPolicy(t *testing.T) { | |||
| "Required Drop Capabilities:\\s*<none>", | |||
| "Allowed Capabilities:\\s*<none>", | |||
| "Allowed Volume Types:\\s*<none>", | |||
| "Allowed Unsafe Sysctls:\\skernel.*,net.ipv4.ip_local_port_range", | |||
There was a problem hiding this comment.
Because these are not just a plain string but regexps, I'd suggest to:
- replace
\\sby\\s* - quote
.and*that are part of the expected output rather than a regexp itself
There was a problem hiding this comment.
Ah, you're right, I completely missed the dot and the asterisk somehow got left out as well. Thanks!
|
/sig auth |
k8s-ci-robot
added
sig/auth
stlaz
force-pushed
the
sysctls_describe
branch
2 times, most recently
from
cc5573d to
2d6c640
Compare
| @@ -2248,6 +2249,7 @@ func TestDescribePodSecurityPolicy(t *testing.T) { | |||
| Name: "mypsp", | |||
| }, | |||
| Spec: policy.PodSecurityPolicySpec{ | |||
| AllowedUnsafeSysctls: []string{"kernel.*", "net.ipv4.ip_local_port_range"}, | |||
There was a problem hiding this comment.
Can you add test for ForbiddenSysctls field as well? Just in case it gets removed by accident?
When promoting the sysctls feature for PSPs, the output of the `kubectl describe` command was forgotten about. This commit adds the `AllowedUnsafeSysctls` and `ForbiddenSysctls` fields to the output of that command.
|
The latest patch now also includes the test for "Forbidden Sysctls" |
|
@stlaz: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
PTAL @kubernetes/sig-cli-maintainers /retest |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: php-coder, soltysh, stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
Automatic merge from submit-queue (batch tested with PRs 65064, 65218, 65260, 65241, 64372). If you want to cherry-pick this change to another branch, please follow the instructions here. |
What this PR does / why we need it:
When promoting the sysctls feature for PSPs, the output of the
kubectl describecommand was forgotten about. This commitadds the
AllowedUnsafeSysctlsandForbiddenSysctlsfieldsto the output of that command.
Which issue(s) this PR fixes :
Fixes #65181
Release notes: