Test failure on OCP 4.14: should print warning about default namespace when running odo dev #6847

Closed
rm3l opened this issue May 26, 2023 · 3 comments · Fixed by #6848
Labels
area/testing Issues or PRs related to testing, Quality Assurance or Quality Engineering kind/bug Categorizes issue or PR as related to a bug.

Comments

@rm3l
Member

rm3l commented May 26, 2023

/kind bug
/area testing

  [FAILED] Timed out after 420.001s.
  Expected
      <string>:   __
       /  \__     Developing using the "heqkmx" Devfile
       \__/  \    Namespace: default
       /  \__/    odo version: v3.10.0
       \__/
      
      
      ↪ Running on the cluster in Dev mode
       •  Waiting for Kubernetes resources  ...
      
  to contain substring
      <string>: [Ctrl+c] - Exit
  In [It] at: /go/src/github.com/redhat-developer/odo/tests/helper/helper_run.go:54 @ 05/25/23 21:34:59.5

...

Summarizing 1 Failure:
  [FAIL] odo dev command tests when a component is bootstrapped when using a default namespace [It] should print warning about default namespace when running odo dev
  /go/src/github.com/redhat-developer/odo/tests/helper/helper_run.go:54

Ran 487 of 890 Specs in 5875.282 seconds
FAIL! -- 486 Passed | 1 Failed | 0 Pending | 403 Skipped
@openshift-ci openshift-ci bot added kind/bug Categorizes issue or PR as related to a bug. area/testing Issues or PRs related to testing, Quality Assurance or Quality Engineering labels May 26, 2023
@github-actions github-actions bot added the needs-triage Indicates an issue or PR lacks a `triage/*` and requires one. label May 26, 2023
@rm3l
Member Author

rm3l commented May 26, 2023

I tried to reproduce what the test does by starting a Dev Session on the default project on OCP 4.14, and indeed odo is stuck waiting for the resources:

$ odo dev
  __
 /  \__     Developing using the "nodejs" Devfile
 \__/  \    Namespace: default
 /  \__/    odo version: v3.10.0
 \__/

 ⚠  You are using "default" project, odo may not work as expected in the default project.
 ⚠  You may set a new project by running `odo create project <name>`, or set an existing one by running `odo set project <name>`

↪ Running on the cluster in Dev mode
 •  Waiting for Kubernetes resources  ...
kubectl describe deployment nodejs
Name:               nodejs-app
Namespace:          default
CreationTimestamp:  Fri, 26 May 2023 10:20:26 +0200
Labels:             app=app
                    app.kubernetes.io/instance=nodejs
                    app.kubernetes.io/managed-by=odo
                    app.kubernetes.io/managed-by-version=v3.10.0
                    app.kubernetes.io/part-of=app
                    app.openshift.io/runtime=nodejs
                    component=nodejs
                    odo.dev/mode=Dev
Annotations:        alpha.image.policy.openshift.io/resolve-names: *
                    deployment.kubernetes.io/revision: 1
                    odo.dev/project-type: nodejs
Selector:           component=nodejs
Replicas:           1 desired | 0 updated | 0 total | 0 available | 1 unavailable
StrategyType:       Recreate
MinReadySeconds:    0
Pod Template:
  Labels:       app=app
                app.kubernetes.io/instance=nodejs
                app.kubernetes.io/managed-by=odo
                app.kubernetes.io/managed-by-version=v3.10.0
                app.kubernetes.io/part-of=app
                app.openshift.io/runtime=nodejs
                component=nodejs
                odo.dev/mode=Dev
  Annotations:  alpha.image.policy.openshift.io/resolve-names: *
                odo.dev/project-type: nodejs
  Containers:
   runtime:
    Image:      registry.access.redhat.com/ubi8/nodejs-12:1-36
    Port:       3000/TCP
    Host Port:  0/TCP
    Command:
      tail
    Args:
      -f
      /dev/null
    Limits:
      memory:  1Gi
    Environment:
      PROJECTS_ROOT:   /projects
      PROJECT_SOURCE:  /projects
    Mounts:
      /opt/odo/ from odo-shared-data (rw)
      /projects from odo-projects (rw)
  Volumes:
   odo-projects:
    Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
    ClaimName:  odo-projects-nodejs-app
    ReadOnly:   false
   odo-shared-data:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
Conditions:
  Type             Status  Reason
  ----             ------  ------
  Progressing      True    NewReplicaSetCreated
  Available        False   MinimumReplicasUnavailable
  ReplicaFailure   True    FailedCreate
OldReplicaSets:    <none>
NewReplicaSet:     nodejs-app-8665bd77fb (0/1 replicas created)
Events:
  Type    Reason             Age   From                   Message
  ----    ------             ----  ----                   -------
  Normal  ScalingReplicaSet  108s  deployment-controller  Scaled up replica set nodejs-app-8665bd77fb to 1
kubectl describe replicaset nodejs-app
Name:           nodejs-app-8665bd77fb
Namespace:      default
Selector:       component=nodejs,pod-template-hash=8665bd77fb
Labels:         app=app
                app.kubernetes.io/instance=nodejs
                app.kubernetes.io/managed-by=odo
                app.kubernetes.io/managed-by-version=v3.10.0
                app.kubernetes.io/part-of=app
                app.openshift.io/runtime=nodejs
                component=nodejs
                odo.dev/mode=Dev
                pod-template-hash=8665bd77fb
Annotations:    alpha.image.policy.openshift.io/resolve-names: *
                deployment.kubernetes.io/desired-replicas: 1
                deployment.kubernetes.io/max-replicas: 1
                deployment.kubernetes.io/revision: 1
                odo.dev/project-type: nodejs
Controlled By:  Deployment/nodejs-app
Replicas:       0 current / 1 desired
Pods Status:    0 Running / 0 Waiting / 0 Succeeded / 0 Failed
Pod Template:
  Labels:       app=app
                app.kubernetes.io/instance=nodejs
                app.kubernetes.io/managed-by=odo
                app.kubernetes.io/managed-by-version=v3.10.0
                app.kubernetes.io/part-of=app
                app.openshift.io/runtime=nodejs
                component=nodejs
                odo.dev/mode=Dev
                pod-template-hash=8665bd77fb
  Annotations:  alpha.image.policy.openshift.io/resolve-names: *
                odo.dev/project-type: nodejs
  Containers:
   runtime:
    Image:      registry.access.redhat.com/ubi8/nodejs-12:1-36
    Port:       3000/TCP
    Host Port:  0/TCP
    Command:
      tail
    Args:
      -f
      /dev/null
    Limits:
      memory:  1Gi
    Environment:
      PROJECTS_ROOT:   /projects
      PROJECT_SOURCE:  /projects
    Mounts:
      /opt/odo/ from odo-shared-data (rw)
      /projects from odo-projects (rw)
  Volumes:
   odo-projects:
    Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
    ClaimName:  odo-projects-nodejs-app
    ReadOnly:   false
   odo-shared-data:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
Conditions:
  Type             Status  Reason
  ----             ------  ------
  ReplicaFailure   True    FailedCreate
Events:
  Type     Reason        Age                 From                   Message
  ----     ------        ----                ----                   -------
  Warning  FailedCreate  2m6s                replicaset-controller  Error creating: pods "nodejs-app-8665bd77fb-2dd4n" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "runtime" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "runtime" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "runtime" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "runtime" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
  Warning  FailedCreate  2m6s                replicaset-controller  Error creating: pods "nodejs-app-8665bd77fb-kpvmf" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "runtime" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "runtime" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "runtime" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "runtime" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
  Warning  FailedCreate  2m6s                replicaset-controller  Error creating: pods "nodejs-app-8665bd77fb-4kvh4" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "runtime" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "runtime" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "runtime" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "runtime" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
  Warning  FailedCreate  2m6s                replicaset-controller  Error creating: pods "nodejs-app-8665bd77fb-fvjxt" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "runtime" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "runtime" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "runtime" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "runtime" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
  Warning  FailedCreate  2m6s                replicaset-controller  Error creating: pods "nodejs-app-8665bd77fb-cgf4r" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "runtime" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "runtime" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "runtime" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "runtime" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
  Warning  FailedCreate  2m6s                replicaset-controller  Error creating: pods "nodejs-app-8665bd77fb-5s96v" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "runtime" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "runtime" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "runtime" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "runtime" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
  Warning  FailedCreate  2m5s                replicaset-controller  Error creating: pods "nodejs-app-8665bd77fb-2d4h7" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "runtime" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "runtime" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "runtime" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "runtime" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
  Warning  FailedCreate  2m5s                replicaset-controller  Error creating: pods "nodejs-app-8665bd77fb-pdlmz" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "runtime" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "runtime" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "runtime" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "runtime" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
  Warning  FailedCreate  2m5s                replicaset-controller  Error creating: pods "nodejs-app-8665bd77fb-bq9kk" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "runtime" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "runtime" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "runtime" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "runtime" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
  Warning  FailedCreate  44s (x6 over 2m3s)  replicaset-controller  (combined from similar events): Error creating: pods "nodejs-app-8665bd77fb-cqs5q" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "runtime" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "runtime" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "runtime" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "runtime" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

I guess there are two things here:

  • the PodSecurity violation warnings not being displayed. This might be a bug in odo on OCP 4.14. They are currently displayed on OCP 4.12:
$ odo dev
...

 ⚠  You are using "default" project, odo may not work as expected in the default project.
 ⚠  You may set a new project by running `odo create project <name>`, or set an existing one by running `odo set project <name>`

↪ Running on the cluster in Dev mode
 •  Waiting for Kubernetes resources  ...
Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "runtime" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "runtime" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "runtime" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "runtime" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
 ⚠  Pod is Pending
...
  • The test itself is just asserting that the `You are using "default" project, odo may not work as expected in the default project.` warning message is displayed. So maybe it doesn't matter whether the Dev Session starts correctly or not.

@feloy
Contributor

feloy commented May 26, 2023

In the default namespace in OCP 4.14, no pod security labels are set, but the pod security is enforced by the admission controller (is the default policy set to enforce for OCP 4.14?).

Because labels are not set in the namespace, odo understands there is no policy on this namespace, and odo doesn't know about the default policy.

@rm3l
Member Author

rm3l commented May 26, 2023

> In the default namespace in OCP 4.14, no pod security labels are set, but the pod security is enforced by the admission controller (is the default policy set to enforce for OCP 4.14?).
>
> Because labels are not set in the namespace, odo understands there is no policy on this namespace, and odo doesn't know about the default policy.

Created a separate issue to track: #6849

@rm3l rm3l self-assigned this May 26, 2023
@rm3l rm3l removed the needs-triage Indicates an issue or PR lacks a `triage/*` and requires one. label May 26, 2023
@github-project-automation github-project-automation bot moved this to Done ✅ in odo Project May 26, 2023
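
The gap discussed in this thread, as an added Go example (not odo's code): a client that reads only the namespace's `pod-security.kubernetes.io/enforce` label sees no policy, while the admission controller falls back to a cluster-wide default and rejects the pod. The type and function names are hypothetical, and the `"restricted"` cluster default is an assumption modelling what was observed above; only the four checks named in the `FailedCreate` events are covered.

```go
package main

import "fmt"

// Real Pod Security Admission namespace label.
const enforceLabel = "pod-security.kubernetes.io/enforce"

// SecurityContext (hypothetical) holds the four fields named in the events, pod and container level merged.
type SecurityContext struct {
	AllowPrivilegeEscalation, RunAsNonRoot *bool
	DropCapabilities                       []string
	SeccompProfileType                     string
}

// EffectiveLevel: a namespace label wins, else the cluster default (an assumed input) applies.
func EffectiveLevel(nsLabels map[string]string, clusterDefault string) string {
	if lvl := nsLabels[enforceLabel]; lvl != "" {
		return lvl
	}
	return clusterDefault
}

// RestrictedViolations returns the checks from the event message that sc fails.
func RestrictedViolations(sc SecurityContext) []string {
	var v []string
	if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
		v = append(v, "allowPrivilegeEscalation != false")
	}
	dropsAll := false
	for _, c := range sc.DropCapabilities {
		dropsAll = dropsAll || c == "ALL"
	}
	if !dropsAll {
		v = append(v, "unrestricted capabilities")
	}
	if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
		v = append(v, "runAsNonRoot != true")
	}
	if t := sc.SeccompProfileType; t != "RuntimeDefault" && t != "Localhost" {
		v = append(v, "seccompProfile")
	}
	return v
}

func main() {
	labels := map[string]string{} // constructed: namespace with no PSA labels
	fmt.Println(EffectiveLevel(labels, ""), "vs", EffectiveLevel(labels, "restricted"))
	fmt.Println(RestrictedViolations(SecurityContext{}))
}
```

With no labels, the label-only view yields an empty level while the effective level is `restricted`, and an empty security context like the `runtime` container's fails all four checks.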