-
Notifications
You must be signed in to change notification settings - Fork 238
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test/e2e: drop pod security enforcement label from the test namespace #1002
test/e2e: drop pod security enforcement label from the test namespace #1002
Conversation
✅ Deploy Preview for kubernetes-sigs-nfd ready!
To edit notification comments on pull requests, go to your Netlify site settings. |
/assign @fmuyassarov |
Drop the pod-security.kubernetes.io/enforce label from the test namespace, i.e. remove pod security admission enforcement. NFD-worker uses restricted host mounts (/sys) etc so pod creation fails even in privileged mode if pod security admission enforcement is enabled.
21c01dd
to
7b2add4
Compare
Fixed typos in the commit msg |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm pretty sure this will work but I would like to test it.
Without this, you can run into issue like this
<*errors.StatusError | 0xc000b5bf40>: {
ErrStatus: {
TypeMeta: {Kind: "", APIVersion: ""},
ListMeta: {
SelfLink: "",
ResourceVersion: "",
Continue: "",
RemainingItemCount: nil,
},
Status: "Failure",
Message: "pods \"nfd-worker-c42c228b-e2b8-483e-aefc-810068dcc450\" is forbidden: violates PodSecurity \"restricted:latest\": restricted volume types (volumes \"host-boot\", \"host-os-release\", \"host-sys\", \"host-usr-lib\", \"host-usr-src\" use restricted volume type \"hostPath\")",
Reason: "Forbidden",
Details: {
Name: "nfd-worker-c42c228b-e2b8-483e-aefc-810068dcc450",
Group: "",
Kind: "pods",
UID: "",
Causes: nil,
RetryAfterSeconds: 0,
},
Code: 403,
},
}
pods "nfd-worker-c42c228b-e2b8-483e-aefc-810068dcc450" is forbidden: violates PodSecurity "restricted:latest": restricted volume types (volumes "host-boot", "host-os-release", "host-sys", "host-usr-lib", "host-usr-src" use restricted volume type "hostPath")
occurred
In [It] at: /home/fmuyassarov/go/src/node-feature-discovery/test/e2e/node_feature_discovery.go:245
Please do. I verified this on latest minikube with k8s v1.25. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested, works good!
/lgtm
LGTM label has been added. Git tree hash: f98467a487965eaad4f83f0c0b06f728bc3b869b
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fmuyassarov, marquiz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Drop the pod-security.kubernetes.io/enforce label from the test namespace, i.e. remove pod security admission enforcement. NFD-worker uses restricted host mounts (/sys) etc so pod creation fails even in privileged mode if pod security admission enforcement is enabled.