Closed
Labels
lifecycle/rotten: Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Description
I've tried to run the openshift/conformance/parallel/minimal test suite (without those labeled as ClusterAdmin) like:
openshift-tests run all --dry-run 2>/dev/null| grep "openshift/conformance/parallel/minimal" | grep -v -i "clusteradmin" | openshift-tests run --junit-dir=./ -f -
against an OCP 4.5 cluster without being cluster-admin (just a regular user):
$ oc get secret htpass-secret -ojsonpath={.data.htpasswd} -n openshift-config | base64 -d > users.htpasswd
$ htpasswd -bB users.htpasswd nonadmin nonadmin
Adding password for user nonadmin
$ export KUBECONFIG=/tmp/nonadmin.kubeconfig
$ oc login --insecure-skip-tls-verify=true -u nonadmin -p nonadmin https://api.example.com:6443
$ openshift-tests run all --dry-run 2>/dev/null| grep "openshift/conformance/parallel/minimal" | grep -v -i "clusteradmin" | openshift-tests run --junit-dir=./ -f -
and all tests failed because of:
fail [github.com/openshift/origin/test/extended/util/client.go:693]: Jun 9 10:49:49.077: securitycontextconstraints.security.openshift.io "privileged" is forbidden: User "nonadmin" cannot update resource "securitycontextconstraints" in API group "security.openshift.io" at the cluster scope
I've made some modifications here (master...e-minguez:cluster-admin-not-needed), recompiled the openshift-tests binary and executed the same set of tests, this time with the same user but with the 'admin' cluster role plus a custom cluster role to be able to create/delete namespaces:
$ export KUBECONFIG=/tmp/clusteradmin.kubeconfig
$ cat <<EOF | oc apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    openshift.io/description: A user that can create and delete namespaces
  name: self-provisioner-namespaces
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - "*"
EOF
$ oc adm policy add-cluster-role-to-user admin nonadmin
$ oc adm policy add-cluster-role-to-user self-provisioner-namespaces nonadmin
And this time, error: 87 fail, 134 pass, 0 skip.
I guess this would be a ton of work, but maybe the tests can request cluster-admin permissions only if needed (and be tagged like that).