
WIP: monitortests: test existence of required-scc annotation in platform workloads

Open liouk opened this issue 1 year ago • 8 comments

liouk avatar Feb 12 '24 15:02 liouk

/test e2e-aws-csi

liouk avatar Feb 13 '24 08:02 liouk

/retest-required

liouk avatar Feb 13 '24 10:02 liouk

/retest

liouk avatar Feb 13 '24 10:02 liouk

/retest

liouk avatar Feb 14 '24 10:02 liouk

/test e2e-aws-ovn-serial

liouk avatar Feb 15 '24 12:02 liouk

/test e2e-aws-csi

liouk avatar Feb 16 '24 15:02 liouk

@liouk: This pull request references AUTH-483 which is a valid jira issue.

In response to this:

This PR adds a monitor test that requires the existence of the openshift.io/required-scc annotation on all platform workloads (workloads that belong to openshift*, kube-* and default namespaces).

If the annotation is missing, the test suggests an SCC to be pinned using the annotation, based on the following:

  • if the workload is running in a run-level 0 or 1 namespace, suggested SCC is privileged (used for tracking purposes only, as SCC admission is disabled in those namespaces)
  • otherwise, suggested SCC is the one that was used to admit the workload, provided that it is a default SCC and not a custom one
  • if it's a custom SCC, the test cannot suggest any; the developer must determine the appropriate SCC

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Feb 20 '24 10:02 openshift-ci-robot

@liouk: This pull request references AUTH-483 which is a valid jira issue.

In response to this:

This PR adds a monitor test that requires the existence of the openshift.io/required-scc annotation on all platform workloads (workloads that belong to openshift*, kube-* and default namespaces).

If the annotation is missing, the test suggests an SCC to be pinned using the annotation, based on the following:

  • if the workload is running in a run-level 0 or 1 namespace, suggested SCC is privileged (used for tracking purposes only, as SCC admission is disabled in those namespaces)
  • otherwise, suggested SCC is the one that was used to admit the workload, provided that it is a default SCC and not a custom one
  • if it's a custom SCC, the test cannot suggest any; the developer must determine the appropriate SCC

At its current state, the test is implemented as a flake, until we've pinned SCCs to all platform workloads (see https://issues.redhat.com/browse/AUTH-482).


openshift-ci-robot avatar Feb 20 '24 10:02 openshift-ci-robot

/assign @ibihim
/cc @deads2k

liouk avatar Feb 20 '24 11:02 liouk

/retest

liouk avatar Feb 28 '24 15:02 liouk

/retest

liouk avatar Mar 04 '24 13:03 liouk

@liouk: This pull request references AUTH-483 which is a valid jira issue.

In response to this:

This PR adds a monitor test that requires the existence of the openshift.io/required-scc annotation on all platform workloads (workloads that belong to openshift*, kube-* and default namespaces).

If the annotation is missing, the test suggests an SCC to be pinned using the annotation, based on the following:

  • suggested SCC is the one that was used to admit the workload, provided that it is a default SCC and not a custom one
  • if it's a custom SCC, the test cannot suggest any; the developer must determine the appropriate SCC

At its current state, the test is implemented as a flake, until we've pinned SCCs to all platform workloads (see https://issues.redhat.com/browse/AUTH-482).


openshift-ci-robot avatar Mar 04 '24 13:03 openshift-ci-robot

@liouk: This pull request references AUTH-483 which is a valid jira issue.

In response to this:

This PR adds a monitor test that requires the existence of the openshift.io/required-scc annotation on all platform workloads (workloads that belong to openshift*, kube-* and default namespaces).

If the annotation is missing, the test suggests an SCC to be pinned using the annotation, based on the following:

  • suggested SCC is the one that was used to admit the workload, provided that it is a default SCC and not a custom one
  • if it's a custom SCC, the test cannot suggest any; the developer must determine the appropriate SCC
  • since SCC admission is disabled for runlevel 0/1 namespaces, the test won't suggest any SCC for their workloads; the developer must determine the appropriate one

At its current state, the test is implemented as a flake, until we've pinned SCCs to all platform workloads (see https://issues.redhat.com/browse/AUTH-482).


openshift-ci-robot avatar Mar 06 '24 14:03 openshift-ci-robot
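
The suggestion rules from the latest revision of the PR description above, written out as an added example in Go; this is not code from the PR or from the origin repository. It assumes that the admitting SCC is recorded in the `openshift.io/scc` pod annotation, that run-level namespaces carry an `openshift.io/run-level` label, and that the listed SCC names are the default set; the `Pod` type and the sample pod are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// required-scc is named in the PR; the admission annotation, the run-level
// label and the default-SCC set below are assumptions of this example.
const (
	requiredSCC = "openshift.io/required-scc"
	admittedSCC = "openshift.io/scc"
	runLevel    = "openshift.io/run-level"
)

var defaultSCCs = map[string]bool{
	"anyuid": true, "hostaccess": true, "hostmount-anyuid": true, "hostnetwork": true,
	"hostnetwork-v2": true, "nonroot": true, "nonroot-v2": true, "privileged": true,
	"restricted": true, "restricted-v2": true,
}

// Pod is a hypothetical stand-in holding only the fields the check reads.
type Pod struct {
	Namespace   string
	NSLabels    map[string]string // labels on the pod's namespace
	Annotations map[string]string
}

// checkPod reports ok=false when a platform pod lacks the annotation, and the
// SCC to suggest ("" when the developer must determine it).
func checkPod(p Pod) (ok bool, suggestion string) {
	ns := p.Namespace
	platform := ns == "default" || strings.HasPrefix(ns, "openshift") || strings.HasPrefix(ns, "kube-")
	if !platform || p.Annotations[requiredSCC] != "" {
		return true, ""
	}
	if rl := p.NSLabels[runLevel]; rl == "0" || rl == "1" {
		return false, "" // SCC admission is disabled here, nothing to infer
	}
	if scc := p.Annotations[admittedSCC]; defaultSCCs[scc] {
		return false, scc // admitted by a default SCC: suggest pinning it
	}
	return false, "" // custom SCC (or none recorded)
}

func main() {
	// Constructed sample: an unpinned pod admitted by a default SCC.
	p := Pod{Namespace: "openshift-example", Annotations: map[string]string{admittedSCC: "restricted-v2"}}
	fmt.Println(checkPod(p)) // false restricted-v2
}
```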

/retest

liouk avatar Mar 12 '24 13:03 liouk

@liouk: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-metal-ipi-sdn | 12b6967710d9056c8db5632e32beb406f24adc72 | link | false | /test e2e-metal-ipi-sdn |
| ci/prow/e2e-gcp-ovn-rt-upgrade | 12b6967710d9056c8db5632e32beb406f24adc72 | link | false | /test e2e-gcp-ovn-rt-upgrade |
| ci/prow/e2e-aws-ovn-single-node-upgrade | 12b6967710d9056c8db5632e32beb406f24adc72 | link | false | /test e2e-aws-ovn-single-node-upgrade |
| ci/prow/e2e-aws-ovn-single-node-serial | 12b6967710d9056c8db5632e32beb406f24adc72 | link | false | /test e2e-aws-ovn-single-node-serial |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-ci[bot] avatar Mar 12 '24 16:03 openshift-ci[bot]

/lgtm
/approve

I'd like to hear an update every week of how many unique namespaces are still failing and how many have been fixed so far.

deads2k avatar Mar 15 '24 20:03 deads2k

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: deads2k, ibihim, liouk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci[bot] avatar Mar 15 '24 20:03 openshift-ci[bot]

Job Failure Risk Analysis for sha: 12b6967710d9056c8db5632e32beb406f24adc72

| Job Name | Failure Risk |
| --- | --- |
| pull-ci-openshift-origin-master-e2e-aws-ovn-single-node-serial | Low |
[sig-arch] events should not repeat pathologically for ns/openshift-etcd-operator
This test has passed 40.43% of 47 runs on jobs ['periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-ovn-single-node-serial'] in the last 14 days.

openshift-trt-bot avatar Mar 15 '24 23:03 openshift-trt-bot