admission_test.go(TestAdmit): compare SecurityContexts instead of particular members #17296
func podSC(fsGroup, supGroup int64) *kapi.PodSecurityContext { | ||
return &kapi.PodSecurityContext{ | ||
SELinuxOptions: &kapi.SELinuxOptions{ | ||
Level: "s0:c1,c0", |
I see that this is the way it was in the previous tests but now I'm wondering why it's hard coded.
I had a version where SELinux Level was passed to the function, but later I realized that we are always passing the same value and I decided to inline it. With the current approach we need to pass only the values that differ between tests.
Do you think that I should step back and continue passing a level as an argument?
The value assumption is correct but we should be pulling it from the namespace. Guess that was missed in a refactor somewhere:
```go
func CreateNamespaceForTest() *kapi.Namespace {
	return &kapi.Namespace{
		ObjectMeta: metav1.ObjectMeta{
			Name: "default",
			Annotations: map[string]string{
				allocator.UIDRangeAnnotation:           "1/3",
				allocator.MCSAnnotation:                "s0:c1,c0",
				allocator.SupplementalGroupsAnnotation: "2/3",
			},
		},
	}
}
```
I updated the code and started to use a variable for that. PTAL.
@php-coder Can you split the
…using existing function.
@legionus Ok, I split it into 2 functions :) Is it better now?
PTAL @pweil-
LGTM pending the comment
@@ -293,18 +223,111 @@ func TestAdmit(t *testing.T) { | |||
Level: "s0:c1,c0", | |||
} | |||
|
|||
// level matches a value from namespace (see CreateNamespaceForTest()) | |||
seLinuxLevelFromNamespace := "s0:c1,c0" |
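Review bot: The literal in `seLinuxLevelFromNamespace := "s0:c1,c0"` repeats the value that CreateNamespaceForTest() stores under allocator.MCSAnnotation, and only the comment above it ties the two together, so a change to the namespace helper leaves this test asserting a stale level. Consider reading it from the namespace object, for example `CreateNamespaceForTest().Annotations[allocator.MCSAnnotation]`, and using the variable for the `Level: "s0:c1,c0",` context line at the top of the hunk as well, so the value is written in one place only.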
We can't pull this from the namespace? I took a quick look but didn't see that it was available. I guess the whole point is that if the ns method changes all of these tests are broken. Easy to change since it's in one place. If that's how it has to be then I'm ok with it.
You could make the `setupClientSet` call return the namespace that was used. But yes, that's what I was looking to see so that if it is changed somewhere it won't break anything. Thanks for the update.
We need a namespace only in a single place, so I think it's better to keep this function as-is.
/test extended_conformance_gce @pweil- Could you merge it?
/test extended_conformance_gce
@php-coder: The following test failed, say
extended_conformance_gce is failing with errors like
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: eparis, php-coder, simo5
Automatic merge from submit-queue (batch tested with PRs 17369, 17296).
This makes the test close to the upstream implementation.
Extracted from #16934 (comment)
PTAL @liggitt @pweil- @adelton @simo5
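
The two ideas discussed in this thread, comparing whole security contexts and taking the SELinux level from the namespace annotations, shown as an added example that is not code from this PR or from the project. The types are local stand-ins for the `kapi` types, `mcsAnnotation` is a placeholder key standing in for `allocator.MCSAnnotation`, and the group IDs and the `spc_t` type are constructed sample values.

```go
package main

import (
	"fmt"
	"reflect"
)

// Local stand-ins for the kapi types named in the thread (not the real API).
type SELinuxOptions struct{ User, Role, Type, Level string }

type PodSecurityContext struct {
	SELinuxOptions     *SELinuxOptions
	FSGroup            *int64
	SupplementalGroups []int64
}

// mcsAnnotation is a placeholder key standing in for allocator.MCSAnnotation.
const mcsAnnotation = "example.test/mcs"

// testNamespaceAnnotations mirrors the MCS entry of CreateNamespaceForTest().
func testNamespaceAnnotations() map[string]string {
	return map[string]string{mcsAnnotation: "s0:c1,c0"}
}

// podSC builds the expected context; the level is read from the annotations.
func podSC(ns map[string]string, fsGroup, supGroup int64) *PodSecurityContext {
	return &PodSecurityContext{
		SELinuxOptions:     &SELinuxOptions{Level: ns[mcsAnnotation]},
		FSGroup:            &fsGroup,
		SupplementalGroups: []int64{supGroup},
	}
}

// memberwiseEqual is the older style: it checks only the listed fields.
func memberwiseEqual(a, b *PodSecurityContext) bool {
	return *a.FSGroup == *b.FSGroup &&
		reflect.DeepEqual(a.SupplementalGroups, b.SupplementalGroups) &&
		a.SELinuxOptions.Level == b.SELinuxOptions.Level
}

// wholeEqual compares complete structs, so any unexpected field fails.
func wholeEqual(a, b *PodSecurityContext) bool { return reflect.DeepEqual(a, b) }

func main() {
	want := podSC(testNamespaceAnnotations(), 2, 2) // constructed group IDs
	got := podSC(testNamespaceAnnotations(), 2, 2)
	got.SELinuxOptions.Type = "spc_t" // constructed: a field the member checks skip
	fmt.Println(memberwiseEqual(want, got), wholeEqual(want, got)) // true false
}
```

The member-by-member check accepts a context whose SELinux type was changed, while the whole-struct comparison rejects it.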