
I am trying to create a namespace on a 4.12 OpenShift cluster for my e2e. I use the lines of code below:

    f := framework.NewDefaultFramework("ics-e2e-pods")
    f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
    var (
        cs        clientset.Interface
        ns        *v1.Namespace
        secretKey string
    )

    secretKey = os.Getenv("E2E_SECRET_ENCRYPTION_KEY")
    if secretKey == "" {
        secretKey = defaultSecret
    }

    BeforeEach(func() {
        cs = f.ClientSet
        ns = f.Namespace
    })

So the line ideally sets the PodSecurity level to Privileged (`f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged`).

Now this works for Kubernetes 1.23, 1.26 and OpenShift 4.9. Testing on OpenShift 4.12, I see the namespace is still getting created with the restricted level.

    oc describe ns ics-e2e-pods-7887
    Name:         ics-e2e-pods-7887
    Labels:       e2e-framework=ics-e2e-pods
                  e2e-run=d97cdd72-8716-4e6d-a442-2b07be881b76
                  kubernetes.io/metadata.name=ics-e2e-pods-7887
                  pod-security.kubernetes.io/enforce=restricted
                  pod-security.kubernetes.io/enforce-version=v1.24
    Annotations:  openshift.io/sa.scc.mcs: s0:c25,c20
                  openshift.io/sa.scc.supplemental-groups: 1000640000/10000
                  openshift.io/sa.scc.uid-range: 1000640000/10000
    Status:       Active

    No resource quota.

    No LimitRange resource.

Could you please tell me what I am lacking in my understanding here?

Adding more logs while running tests:

    [ics-e2e] [resize] [pv] Dynamic Provisioning and resize pv
      with 5iops sc: should create a pvc & pv, pod resources, and resize the volume
      /root/workspace/src/github.com/IBM/ibm-csi-common/tests/e2e/pvc_tests.go:426
    STEP: Creating a kubernetes client 11/17/22 00:54:35.731
    Nov 17 00:54:35.731: INFO: >>> kubeConfig: /root/.bluemix/plugins/container-service/clusters/mycluster-us-south-1-bx2.4x16-cdphpme20d2eaq5f8tmg-admin/kube-config.yaml
    STEP: Building a namespace api object, basename ics-e2e-pods 11/17/22 00:54:35.733
    STEP: Inside NamespacePodSecurityEnforceLevel, basename ics-e2e-pods 11/17/22 00:54:35.733
    STEP: Printing enforceLevel, basename privileged 11/17/22 00:54:35.733
    STEP: Inside namespace creation, name ics-e2e-pods-8081 11/17/22 00:54:35.733
    STEP: Inside NamespacePodSecurityEnforceLevel, labels map[e2e-framework:ics-e2e-pods e2e-run:3cad736b-0fec-4f69-9904-dc39cfb1e9a1 pod-security.kubernetes.io/enforce:privileged] 11/17/22 00:54:35.734
    Nov 17 00:54:36.663: INFO: Skipping waiting for service account
    STEP: setting up POD 11/17/22 00:54:36.664
    STEP: setting up the PVC for POD 11/17/22 00:54:36.664
    STEP: setting up the PVC and PV 11/17/22 00:54:36.664
    STEP: creating a PVC 11/17/22 00:54:36.664
    STEP: waiting for PVC to be in phase "Bound" 11/17/22 00:54:37.252

    oc describe ns ics-e2e-pods-8081
    Name:         ics-e2e-pods-8081
    Labels:       e2e-framework=ics-e2e-pods
                  e2e-run=3cad736b-0fec-4f69-9904-dc39cfb1e9a1
                  kubernetes.io/metadata.name=ics-e2e-pods-8081
                  pod-security.kubernetes.io/enforce=restricted
                  pod-security.kubernetes.io/enforce-version=v1.24
    Annotations:  openshift.io/sa.scc.mcs: s0:c26,c25
                  openshift.io/sa.scc.supplemental-groups: 1000700000/10000
                  openshift.io/sa.scc.uid-range: 1000700000/10000
    Status:       Active

    No resource quota.

ambikanair

0 Answers