[sig-storage] Run storage e2e test_client_pod as privileged #104551
Conversation
k8s-ci-robot
added
kind/bug
|
@Elbehery: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
cncf-cla: yes
|
@Elbehery: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-triage
|
Hi @Elbehery. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-priority
|
IIRC privileged containers don't get to bypass SELinux policies. So if SELinux was blocking them before, it will block them after. Please test carefully before going ahead with this approach. |
@gnufied i have tested this on a cluster with SELinux enabled and the test passed successfully |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
| @@ -511,8 +511,9 @@ func TestVolumeClientSlow(f *framework.Framework, config TestConfig, fsGroup *in | |||
| } | |||
|
|
|||
| func testVolumeClient(f *framework.Framework, config TestConfig, fsGroup *int64, fsType string, tests []Test, slow bool) { | |||
| privileged := true | |||
There was a problem hiding this comment.
@Elbehery, thank you for working on this.
I have a question for you. Although this fixes the issue, could you check if you can set privileged = true only when the HostPath plugin is being used? Perhaps we could add a flag for that in the plugin definition.
The idea is to avoid always going privileged. Thanks!
There was a problem hiding this comment.
@bertinatto I have adjusted the fix to use privileged only for this scenario.
cc @vrutkovs
Elbehery
force-pushed
the
unprivileged_storage_client
branch
from
4f373a7
to
775a853
Compare
|
|
||
| if (config.Prefix == "hostpathsymlink" || config.Prefix == "hostpath") && podSuffix == "client" { | ||
| privileged = true | ||
| } |
There was a problem hiding this comment.
@Elbehery could you add a comment stating why you're making it privileged on hostpath? The explanation from the PR description looks good to me 😉
Also, I think you can remove the last condition (podSuffix == "client").
There was a problem hiding this comment.
@bertinatto sure I add the comment 👍🏽 ..
Just about the podSuffix == "client" condition, the test fails because the client-pod can not read the data on the mounted volume when SELinux enabled, this will minimise the privileged pods.
Shall I remove it or leave it ?
There was a problem hiding this comment.
As we spoke offline, the pod that writes the content is already privileged (that's the reason it's able to write to the host's /tmp directory). IMO we can safely remove podSuffix == "client".
There was a problem hiding this comment.
yes I removed it already in the most recent commit 👍🏽
Elbehery
force-pushed
the
unprivileged_storage_client
branch
from
775a853
to
01b6743
Compare
k8s-ci-robot
added
size/S
|
@bertinatto I have added a comment and updated the commit msg |
Elbehery
force-pushed
the
unprivileged_storage_client
branch
from
01b6743
to
8a5a9bb
Compare
hostPath volume plugin creates a directory within /tmp on host machine, to be mounted as volume. inject-pod writes content to the volume, and a client-pod tried the read the contents and verify. when SELinux is enabled on the host, client-pod can not read the content, with permission denied. running the client-pod as privileged, so that it can access the volume content, even when SEinux is enabled on the host.
Elbehery
force-pushed
the
unprivileged_storage_client
branch
from
8a5a9bb
to
04ad18c
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/assign @jsafrane |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Elbehery, jsafrane The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/release-notes-none |
k8s-ci-robot
added
release-note-none
k8s-ci-robot
added
release-note
…age-client-1.20 Cherry pick of #104551: Run storage hostpath e2e test client pod as privileged
…age-client-1.21 Cherry pick of #104551: Run storage hostpath e2e test client pod as privileged
…age-client Cherry pick of #104551: Run storage hostpath e2e test client pod as privileged
What type of PR is this?
/kind bug
/kind storage
/kind failing-test
What this PR does / why we need it:
Fix running storage e2e tests in SELinux environment.
HostPath Volume Plugin creates a directory within
/tmpon host machine, to be mounted as volume. Usually,Inject-podwrites content to the volume, and aClient-podtried the read the contents and verify.When SELinux is enabled on the host,
Client-podcan not read the content, withpermission denied.This PR run the
Client-podas privileged, so that it can access the volume content, even when SELinux is enabled on the host.Which issue(s) this PR fixes:
Fixes #84585