WINC-879: Introduce Pod Security admission labels

[jrvaldes]

This change adds the Pod Security admission enforcement labels to
the test namespace created in the e2e tests and to the WMCO namespace
created at deployment, allowing the automatic synchronization of privileged
pods directly without any intermediate pod controller, so that the serviceaccount
has enough privileges to run it. The WMCO namespace is a system namespace ("openshift-" prefixed)
and the security.openshift.io/scc.podSecurityLabelSync label is set as
true to ensure the automatic Pod Security label synchronization.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[jrvaldes]

/test vsphere-e2e-operator

[jrvaldes]

/test azure-e2e-operator

[sebsoto]

Why is this being done here and not in the namespace we are creating when installing the operator:
https://github.com/openshift/windows-machine-config-operator/blob/master/config/manager/manager.yaml#L1

How is this going to work for actual users and not just CI?

[sebsoto]

I dont understand why in general we create the namespace before attempting to install the operator. The only thing i can see is that we want to create the cloud-private-key secret ahead of time for some reason. I dont see that as necesary

[jrvaldes]

@sebsoto you are correct. As per standup, this is out of the scope in this PR and should be tackled in a follow-up story.

[jrvaldes]

I dont understand why in general we create the namespace before attempting to install the operator. The only thing i can see is that we want to create the cloud-private-key secret ahead of time for some reason. I dont see that as necesary

After attempting to install the operator without creating the namespace, got:

FATA[0000] Failed to run packagemanifests: create catalog: error creating catalog source: namespaces "openshift-windows-machine-config-operator" not found 
Error from server (NotFound): namespaces "openshift-windows-machine-config-operator" not found

[aravindhp]

The namespace creation I think is being done by the UI based on the suggested namespace in the CSV unless something has changed recently.

[jrvaldes]

That's correct when deploying the operator using the official deployment method using the CatalogSource along with an operator index.

However, for the e2e tests (run-ci-e2e-test.sh) the operator is deployed using OLM where the namespace is created first followed by the creation of the cloud-private-key secret. Therefore, the Pod Security Admission labels are required in this step.

[jrvaldes]

Will this be a valid corner case? What is the probability that another entity created the wmco-test namespace?

[aravindhp]

None. This is an e2e test. Lets not over think this.

[jrvaldes]

Makes sense.

[jrvaldes]

/test azure-e2e-operator

[mansikulkarni96]

Should this be true or false did we get a clarity on this?

[jrvaldes]

As you pointed out, the test namespace (wmco-test) is not "openshift-" prefixed, hence false should be fine.

[jrvaldes]

/test vsphere-e2e-operator

[jrvaldes]

/test azure-e2e-operator

[jrvaldes]

WMCO namespace with labels applied:

$oc describe ns openshift-windows-machine-config-operator
Name:         openshift-windows-machine-config-operator
Labels:       kubernetes.io/metadata.name=openshift-windows-machine-config-operator
              olm.operatorgroup.uid/04ec388c-2739-4afb-88e4-50c10642787d=
              olm.operatorgroup.uid/573918ed-b56e-4294-bc58-c7d84338c639=
              openshift.io/cluster-monitoring=true
              pod-security.kubernetes.io/enforce=privileged
              security.openshift.io/scc.podSecurityLabelSync=true
Annotations:  openshift.io/sa.scc.mcs: s0:c27,c4
              openshift.io/sa.scc.supplemental-groups: 1000710000/10000
              openshift.io/sa.scc.uid-range: 1000710000/10000
Status:       Active

No resource quota.

No LimitRange resource.

[saifshaikh48]

The openshift-wmco namespace should have podSecurityLabelSync=true right? Just want to confirm since the posted output says false

[jrvaldes]

@saifshaikh48 you are correct. I updated the above output.

[jrvaldes]

/test azure-e2e-operator

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aravindhp, jrvaldes

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [aravindhp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[saifshaikh48]

/hold

one comment in the e2e suite

[saifshaikh48]

The openshift-wmco namespace should have podSecurityLabelSync=true right? Just want to confirm since the posted output says false

[saifshaikh48]

I'm not sure this logic is complete. What if the namespace already exists but without a required label? We should by applying the missing ones

[jrvaldes]

What if the namespace already exists but without a required label?

Throws an error. The probability for this edge case to happen is very low since the namespace is maintained by the e2e test suite.

I was overthinking this, and now you are too 😃 .

[saifshaikh48]

Fair enough

[aravindhp]

The only use case I see is in our local testing where we are playing around with the labels and don't want the tests to fail if they don't exist.

[jrvaldes]

/test aws-e2e-operator

PR merged in the release repo to fix CI issues with AWS compute capacity

• Prevent frequent m6a capacity overruns release#31828

[saifshaikh48]

/lgtm

Feel free to remove the hold when we can get passed the AWS cluster issues

[jrvaldes]

/retest-required

[jrvaldes]

/hold cancel

Infrastructure resources successfully provisioned in AWS CI job

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 9db93ab and 2 for PR HEAD e2aa015 in total

[jrvaldes]

/retest-required

[aravindhp]

/retest-required

[jrvaldes]

/hold

to investigate CI failure in aws-e2e-ccm-install jobs

time="2022-09-02T22:24:49Z" level=error msg="Bootstrap failed to complete: timed out waiting for the condition"
time="2022-09-02T22:24:49Z" level=error msg="Failed to wait for bootstrapping to complete. This error usually happens when there is a problem with control plane hosts that prevents the control plane operators from creating the control plane."

[jrvaldes]

/test aws-e2e-ccm-install

[aravindhp]

/retest-required

[aravindhp]

/hold cancel

Looks like the cluster came up and the WMCO tests are running

INFO[2022-09-06T19:41:08Z] Running step aws-e2e-ccm-install-ipi-install-install. 
INFO[2022-09-06T20:26:08Z] Step aws-e2e-ccm-install-ipi-install-install succeeded after 45m0s. 
INFO[2022-09-06T20:26:08Z] Running step aws-e2e-ccm-install-ipi-install-times-collection. 
INFO[2022-09-06T20:26:28Z] Step aws-e2e-ccm-install-ipi-install-times-collection succeeded after 20s. 
INFO[2022-09-06T20:26:28Z] Step phase pre succeeded after 47m10s.       
INFO[2022-09-06T20:26:28Z] Running multi-stage phase test               
INFO[2022-09-06T20:26:28Z] Running step aws-e2e-ccm-install-windows-e2e-operator-test.

[jrvaldes]

/hold cancel

[openshift-ci]

@jrvaldes: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.