USHIFT-346: MicroShift: skip sig-auth tests #27404
Conversation
/hold
4e4ceb0 to e1e5cb8
/unhold
e1e5cb8 to e389049
test/extended/security/scc.go
Outdated
| // This test should use image.ShellImage but this requires having a local image | ||
| // registry, which not all deployment types have. Using LDAP test image guarantees | ||
| // capsh presence. | ||
| pod, err := exutil.NewPodExecutor(oc, "restrictedcapsh", image.OpenLDAPTestImage()) |
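Review bot: the comment above the `exutil.NewPodExecutor` call justifies the image by `capsh` availability, but it names the LDAP image specifically, and the thread below settles on a smaller image than `image.OpenLDAPTestImage()`; reword the comment to state the property the test needs (publicly pullable, because not every deployment type has a local registry, and ships `capsh`) rather than a particular image, so the rationale survives the swap, and prefer the smallest image that meets it, since a 306-RPM image is far more than a capability-drop check needs.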
@stlaz for taking a look
@openshift/openshift-team-auth PTAL
@pacevedom is there a less complex image than LDAP? Something on the same level of complexity as the shell image? Complexity = minimum rpm installation/configuration inside the image. I assume you chose OpenLDAPTestImage since it's publicly available from quay.io/openshifttest/ldap:1.2. I wonder whether we run these tests in a disconnected environment.
Exactly, took this one mainly for being publicly available. I checked other public images having capsh for size and number of RPMs and got:
quay.io/redhat-developer/test-build-simples2i:1.2: 216 MB, 186 RPMs.
quay.io/redhat-developer/test-build-roots2i:1.2: 216 MB, 186 RPMs.
quay.io/openshifttest/multicast:1.1: 267 MB, 240 RPMs.
quay.io/openshifttest/ldap:1.2: 375 MB, 306 RPMs.
So I will update it with either of the first two.
Sounds good
e389049 to 4c7ef46
8b607fe to 184784a
/hold
184784a to 4b02c3d
/unhold
/retest-required
2 similar comments
/retest-required
/retest-required
| operatorsCoreOSGroup, | ||
| imageGroup, | ||
| ), | ||
| func() { |
Would you please put func() { right after the previous line, as (, func() {, to reduce the diff? If that does not help you might move fmt.Sprintf next to g.It(.
Done
| kubeInformers := informers.NewSharedInformerFactory(oc.AdminKubeClient(), 20*time.Minute) | ||
| ruleResolver := exutil.NewRuleResolver(kubeInformers.Rbac().V1()) // signal what informers we want to use early | ||
| g.It( | ||
| fmt.Sprintf("should have correct RBAC rules [apigroup:%s][apigroup:%s][apigroup:%s][apigroup:%s][apigroup:%s][apigroup:%s][apigroup:%s][apigroup:%s][apigroup:%s][apigroup:%s]", |
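Review bot: the `[apigroup:...]` tags baked into the test name through `fmt.Sprintf` gate the test on the presence of every listed API group, yet what the test verifies is the set of RBAC rules bound to the default groups (resolved through `ruleResolver` built from `kubeInformers.Rbac().V1()`), which only requires the RBAC API group; tagging every group would skip the whole test on MicroShift, where an unexpected rule granted to unauthenticated or authenticated users would then go unnoticed. Tag only the RBAC group, or leave the name untagged.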
This is quite complex. allUnauthenticatedRules is the source of so many groups. I'd rather turn allUnauthenticatedRules into an api-group-key map and loop over all apigroups over g.It("should have correct RBAC rules", func() { rather than have all groups in a single test name.
Mind if we change this in the next PR?
Making the change later would put the next work into backlog most likely. Better to do it now.
| ) | ||
|
|
||
| var _ = g.Describe("[sig-auth][Feature:OAuthServer] OAuth server", func() { | ||
| var _ = g.Describe("[sig-auth][Feature:OAuthServer] OAuth server [apigroup:auth.openshift.io]", func() { |
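Review bot: the `[apigroup:auth.openshift.io]` tag added to the `Describe` line carries no explanation in the code; add a one-line comment next to it stating why the OAuth server tests depend on that group (the thread notes MicroShift does not serve the oauth well-known metadata path in the API server), so the skip condition is self-documenting and does not get dropped the next time the test name is tidied.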
Is the requirement coming from oc get --raw /.well-known/oauth-authorization-server?
EDIT: From the previous review comment: "// MicroShift does not have the oauth well known data path in the API Server". So it does.
test/extended/security/scc.go
Outdated
| // This test should use image.ShellImage but this requires having a local image | ||
| // registry, which not all deployment types have. Using LDAP test image guarantees | ||
| // capsh presence. | ||
| pod, err := exutil.NewPodExecutor(oc, "restrictedcapsh", image.OpenLDAPTestImage()) |
@openshift/openshift-team-auth PTAL
4b02c3d to e0f066a
| oc := exutil.NewCLI("default-rbac-policy") | ||
|
|
||
| g.It("should have correct RBAC rules", func() { | ||
| g.It(fmt.Sprintf("should have correct RBAC rules [apigroup:%s][apigroup:%s][apigroup:%s][apigroup:%s][apigroup:%s][apigroup:%s][apigroup:%s][apigroup:%s][apigroup:%s][apigroup:%s]", |
This is quite complex. allUnauthenticatedRules is the source of so many groups. I'd rather turn allUnauthenticatedRules into an api-group-key map and loop over all apigroups over g.It("should have correct RBAC rules", func() { rather than have all groups in a single test name.
I don't think it's safe to break the test apart. I am not sure why these groups are listed here though because you don't actually need the API groups, you only need the RBAC group, the rest are just strings.
You are right. Also, I don't see an easy way to run the test minus the missing apigroups, since the test is doing a set diff of both "what's currently available" and "what's expected to be available".
The obvious approach is to dynamically detect the apigroups based on exutil.DoesApiResourceExist, constructing both allAuthenticatedRules and allUnauthenticatedRules based on the apigroup presence and then running the comparison/coverage. Though, there's more than just api group detection which needs to be taken into account. E.g. https://github.com/openshift/origin/blob/master/test/extended/authorization/rbac/groups_default_rules.go#L91-L94.
https://github.com/openshift/origin/blob/master/test/extended/authorization/rbac/groups_default_rules.go#L97-L100 can be removed. Maybe the legacy groups in https://github.com/openshift/origin/blob/master/test/extended/authorization/rbac/groups_default_rules.go#L59-L66 as well? What about https://github.com/openshift/origin/blob/master/test/extended/authorization/rbac/groups_default_rules.go#L134-L142?
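The per-API-group filtering and the two-sided set diff that the two comments above describe, written out as an added example (this is not code from openshift/origin and does not use the project's exutil helpers): `PolicyRule` is a minimal stand-in for `rbacv1.PolicyRule`, `groupExists` is an assumed predicate standing in for `exutil.DoesApiResourceExist`, and the expected and actual rules are constructed sample data, including a hypothetical `example.openshift.io` group that a MicroShift cluster would not serve. The point it shows is that dropping expectations for absent groups must not also hide rules that exist but were never expected, which for system:unauthenticated is the finding the test is there to catch.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// PolicyRule is a minimal stand-in (assumption, not the real type) for
// rbacv1.PolicyRule: the comparison only needs verbs, API groups and resources.
type PolicyRule struct {
	Verbs     []string
	APIGroups []string
	Resources []string
}

// ExpectedRulesByGroup holds the expected default rules for one subject,
// keyed by the API group each rule concerns, so a rule can be dropped when
// the cluster (e.g. MicroShift) does not serve that group.
type ExpectedRulesByGroup map[string][]PolicyRule

func sortedCopy(s []string) []string {
	c := append([]string(nil), s...)
	sort.Strings(c)
	return c
}

// ruleKey flattens a rule into a canonical string so rules compare as a set,
// independent of the order in which verbs, groups or resources were listed.
func ruleKey(r PolicyRule) string {
	return fmt.Sprintf("verbs=[%s] groups=[%s] resources=[%s]",
		strings.Join(sortedCopy(r.Verbs), ","),
		strings.Join(sortedCopy(r.APIGroups), ","),
		strings.Join(sortedCopy(r.Resources), ","))
}

// ExpectedFor keeps only the rules whose API group the cluster serves.
// groupExists is an assumed predicate in the role of exutil.DoesApiResourceExist.
func ExpectedFor(expected ExpectedRulesByGroup, groupExists func(string) bool) []PolicyRule {
	var out []PolicyRule
	for group, rules := range expected {
		if groupExists(group) {
			out = append(out, rules...)
		}
	}
	return out
}

// DiffRules is the two-sided set diff: rules that should exist but do not
// (missing) and rules that exist but were not expected (extra). Extra rules
// on system:unauthenticated widen what anonymous callers may do.
func DiffRules(expected, actual []PolicyRule) (missing, extra []string) {
	want := map[string]bool{}
	for _, r := range expected {
		want[ruleKey(r)] = true
	}
	got := map[string]bool{}
	for _, r := range actual {
		got[ruleKey(r)] = true
	}
	for k := range want {
		if !got[k] {
			missing = append(missing, k)
		}
	}
	for k := range got {
		if !want[k] {
			extra = append(extra, k)
		}
	}
	sort.Strings(missing)
	sort.Strings(extra)
	return missing, extra
}

// Constructed sample data, not real cluster output. example.openshift.io is a
// hypothetical OpenShift-only API group that a MicroShift cluster would lack.
var sampleExpected = ExpectedRulesByGroup{
	"authorization.k8s.io": {
		{Verbs: []string{"create"}, APIGroups: []string{"authorization.k8s.io"},
			Resources: []string{"selfsubjectaccessreviews", "selfsubjectrulesreviews"}},
	},
	"example.openshift.io": {
		{Verbs: []string{"list"}, APIGroups: []string{"example.openshift.io"}, Resources: []string{"things"}},
	},
}

// sampleActual is what a rule resolver would report on a MicroShift-like
// cluster: the authorization rule is present (resources listed in a different
// order), the hypothetical group is absent, and one unexpected rule has crept in.
var sampleActual = []PolicyRule{
	{Verbs: []string{"create"}, APIGroups: []string{"authorization.k8s.io"},
		Resources: []string{"selfsubjectrulesreviews", "selfsubjectaccessreviews"}},
	{Verbs: []string{"list"}, APIGroups: []string{""}, Resources: []string{"secrets"}},
}

// RunSample filters the expectations for a cluster that serves only
// authorization.k8s.io and diffs them against sampleActual.
func RunSample() (missing, extra []string) {
	microshiftHas := func(group string) bool { return group == "authorization.k8s.io" }
	return DiffRules(ExpectedFor(sampleExpected, microshiftHas), sampleActual)
}

func main() {
	missing, extra := RunSample()
	fmt.Println("missing:", missing)
	fmt.Println("extra:  ", extra)
}
```

With the sample data the hypothetical group's rule is filtered out rather than reported missing, while the core-group `list secrets` rule still surfaces as extra; that asymmetry is why the expected side is filtered by group presence and the actual side is never filtered.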
I'm taking a second look at this. It looks like @stlaz is right; all [apigroup:*] seem wrong. Currently it complains about (fails due to) test data being too big, which is a nice mechanism except not right against MicroShift.
Reverted these changes as this wasn't exercising [apigroups]; it was exercising RBAC about those apigroups, so the test should run on MicroShift. If it fails then we should take a look at what we should fix in MicroShift and how we should refactor the test if needed.
/retest-required
/lgtm
/retest-required
2 similar comments
/retest-required
/retest-required
/approve
/retest-required
It's no use,
/lgtm
/retest-required
1 similar comment
/retest-required
/test e2e-aws-ovn-fips
/retest-required
1 similar comment
/retest-required
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: ingvagabund, mfojtik, pacevedom, pmtk.
/retest-required
@pacevedom: The following tests failed, say
No description provided.