OCPBUGS-44961: Fix "Enforce the required-scc monitor test and validate usage of non-standard OCP SCCs" #29323
Prev
Previous commit
monitortests: update flaking namespaces and exclude managed services
- Loading branch information
commit 46485aed8b4ed298129b4ca41c146b1f24a67127
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -10,6 +10,7 @@ import ( | |
| "github.com/openshift/origin/pkg/monitor/monitorapi" | ||
| "github.com/openshift/origin/pkg/monitortestframework" | ||
| "github.com/openshift/origin/pkg/test/ginkgo/junitapi" | ||
| exutil "github.com/openshift/origin/test/extended/util" | ||
| v1 "k8s.io/api/core/v1" | ||
| "k8s.io/apimachinery/pkg/util/sets" | ||
|
|
||
|
|
@@ -36,6 +37,7 @@ var nonStandardSCCNamespaces = map[string]sets.Set[string]{ | |
| "machine-api-termination-handler": sets.New("openshift-machine-api"), | ||
| } | ||
|
|
||
| // namespacesWithPendingSCCPinning includes namespaces with workloads that have pending SCC pinning. | ||
| var namespacesWithPendingSCCPinning = sets.NewString( | ||
| "openshift-cluster-csi-drivers", | ||
| "openshift-cluster-version", | ||
|
|
@@ -45,8 +47,28 @@ var namespacesWithPendingSCCPinning = sets.NewString( | |
| "openshift-ingress-operator", | ||
| "openshift-insights", | ||
| "openshift-machine-api", | ||
| "openshift-monitoring", | ||
| // run-level namespaces | ||
| "openshift-cloud-controller-manager", | ||
| "openshift-cloud-controller-manager-operator", | ||
| "openshift-cluster-api", | ||
| "openshift-cluster-machine-approver", | ||
| "openshift-dns", | ||
| "openshift-dns-operator", | ||
| "openshift-etcd", | ||
| "openshift-etcd-operator", | ||
| "openshift-kube-apiserver", | ||
| "openshift-kube-apiserver-operator", | ||
| "openshift-kube-controller-manager", | ||
| "openshift-kube-controller-manager-operator", | ||
| "openshift-kube-proxy", | ||
| "openshift-kube-scheduler", | ||
| "openshift-kube-scheduler-operator", | ||
| "openshift-multus", | ||
| "openshift-network-operator", | ||
| "openshift-ovn-kubernetes", | ||
| "openshift-sdn", | ||
| "openshift-storage", | ||
| ) | ||
|
|
||
| // systemNamespaces includes namespaces that should be treated as flaking. | ||
|
|
@@ -90,19 +112,18 @@ func (w *requiredSCCAnnotationChecker) CollectData(ctx context.Context, storageD | |
|
|
||
| junits := []*junitapi.JUnitTestCase{} | ||
| for _, ns := range namespaces.Items { | ||
| // skip managed service namespaces | ||
| if exutil.ManagedServiceNamespaces.Has(ns.Name) { | ||
| continue | ||
| } | ||
|
Comment on lines
+116
to
+118
There was a problem hiding this comment. @stbenjam we have decided to skip scc pinning for the namespaces in There was a problem hiding this comment. FYI ^^^ Flaking means that the test might sometimes pass and sometimes fail. By treating these namespaces as flaking, we allow our tests to continue without blocking progress. So if we decide to treat them as flaking, those namespaces should be fixed and eventually removed from the flaking list. There was a problem hiding this comment. Skipping them entirely sounds fine, thanks |
||
|
|
||
| // require that all workloads in openshift, kube-*, or default namespaces must have the required-scc annotation | ||
| // ignore openshift-must-gather-* namespaces which are generated dynamically | ||
| isPermanentOpenShiftNamespace := (ns.Name == "openshift" || strings.HasPrefix(ns.Name, "openshift-")) && !strings.HasPrefix(ns.Name, "openshift-must-gather-") | ||
| if !strings.HasPrefix(ns.Name, "kube-") && ns.Name != "default" && !isPermanentOpenShiftNamespace { | ||
| continue | ||
| } | ||
|
|
||
| pods, err := w.kubeClient.CoreV1().Pods(ns.Name).List(ctx, metav1.ListOptions{}) | ||
| if err != nil { | ||
| return nil, nil, err | ||
|
|
@@ -168,8 +189,8 @@ func (w *requiredSCCAnnotationChecker) CollectData(ctx context.Context, storageD | |
| FailureOutput: &junitapi.FailureOutput{Output: failureMsg}, | ||
| }) | ||
|
|
||
| // add a successful test with the same name to cause a flake if the namespace should be flaking | ||
| if namespacesWithPendingSCCPinning.Has(ns.Name) || systemNamespaces.Has(ns.Name) { | ||
| junits = append(junits, | ||
| &junitapi.JUnitTestCase{ | ||
| Name: testName, | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you include https://github.com/openshift/origin/blob/master/test/extended/util/managed_services.go#L8-L28 in this set?
.Union(ManagedServiceNamespaces)ROSA managed service namespaces had also failed on this enforcement