Bug 1980141: Reactivate netpol tests

Open astoycos opened this issue 4 years ago • 33 comments

Reactivate the newer networkpolicy test suite now that e36a14730bdfa8f236626a5e117b0eb51dcb29c7 and 145cec925af70fb94a46ec3fefc9411b928377e6 have made it downstream

Signed-off-by: astoycos [email protected]

astoycos avatar Jan 21 '22 19:01 astoycos

@astoycos: This pull request references Bugzilla bug 1980141, which is invalid:

  • expected the bug to target the "4.10.0" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 1980141: Reactivate netpol tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci[bot] avatar Jan 21 '22 19:01 openshift-ci[bot]

/assign @danwinship

Let's see how these look in our CI now with the resource usage improvements

astoycos avatar Jan 21 '22 19:01 astoycos

/bugzilla refresh

astoycos avatar Jan 21 '22 19:01 astoycos

@astoycos: This pull request references Bugzilla bug 1980141, which is valid. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.10.0) matches configured target release for branch (4.10.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact: /cc @zhaozhanqi

In response to this:

/bugzilla refresh

openshift-ci[bot] avatar Jan 21 '22 19:01 openshift-ci[bot]

@astoycos: This pull request references Bugzilla bug 1980141, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.10.0) matches configured target release for branch (4.10.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact: /cc @zhaozhanqi

In response to this:

Bug 1980141: Reactivate netpol tests

openshift-ci[bot] avatar Jan 21 '22 19:01 openshift-ci[bot]

/hold

until a few good test runs are seen

astoycos avatar Jan 21 '22 19:01 astoycos

/lgtm assuming you see good test results

danwinship avatar Jan 24 '22 19:01 danwinship

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: astoycos, danwinship

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment.
Approvers can cancel approval by writing /approve cancel in a comment.

openshift-ci[bot] avatar Jan 24 '22 19:01 openshift-ci[bot]

First round looked good, no flakes or failures in successful tests

/test all

astoycos avatar Jan 26 '22 17:01 astoycos

/test all

astoycos avatar Jan 27 '22 19:01 astoycos

/bugzilla refresh

The requirements for Bugzilla bugs have changed (BZs linked to PRs on master branch need to target OCP 4.11), recalculating validity.

openshift-bot avatar Jan 28 '22 17:01 openshift-bot

@openshift-bot: This pull request references Bugzilla bug 1980141, which is invalid:

  • expected the bug to target the "4.11.0" release, but it targets "4.10.0" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

The requirements for Bugzilla bugs have changed (BZs linked to PRs on master branch need to target OCP 4.11), recalculating validity.

openshift-ci[bot] avatar Jan 28 '22 17:01 openshift-ci[bot]

/test all

astoycos avatar Feb 01 '22 18:02 astoycos

/test all

astoycos avatar Feb 25 '22 19:02 astoycos

/test all

astoycos avatar Feb 28 '22 14:02 astoycos

/bugzilla refresh

tssurya avatar Mar 02 '22 13:03 tssurya

@tssurya: This pull request references Bugzilla bug 1980141, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.11.0) matches configured target release for branch (4.11.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact: /cc @zhaozhanqi

In response to this:

/bugzilla refresh

openshift-ci[bot] avatar Mar 02 '22 13:03 openshift-ci[bot]

@astoycos : do you want to remove the hold here? that way we can close this bug?

tssurya avatar Mar 02 '22 13:03 tssurya

Sure let me just take a quick look through all the results, I was letting things soak for a good while @tssurya

astoycos avatar Mar 02 '22 14:03 astoycos

On GCP I'm seeing a few sporadic flakes but no failures with the new netpol tests only on the ci/prow/e2e-gcp workflow, I'll try to find some time to dig into these flakes before merging

Example flake run on GCP -> https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/26775/pull-ci-openshift-origin-master-e2e-gcp/1486787705034510336

astoycos avatar Mar 02 '22 15:03 astoycos

/test all

astoycos avatar Mar 02 '22 15:03 astoycos

/test all

astoycos avatar Mar 14 '22 13:03 astoycos

/refresh

abhat avatar May 18 '22 13:05 abhat

/retest

astoycos avatar Jun 03 '22 15:06 astoycos

/retest

astoycos avatar Jun 06 '22 14:06 astoycos

New changes are detected. LGTM label has been removed.

openshift-ci[bot] avatar Aug 08 '22 17:08 openshift-ci[bot]

/test all

astoycos avatar Aug 08 '22 17:08 astoycos

/test all

astoycos avatar Aug 15 '22 17:08 astoycos

These are currently failing with a PSP issue, investigating whether or not we need to update the upstream pod specs

fail [k8s.io/[email protected]/test/e2e/network/netpol/network_policy.go:1478]: unable to initialize resources
Unexpected error:
    <*fmt.wrapError | 0xc001017820>: {
        msg: "unable to update pod e2e-netpol-1091-x/a: pods \"a\" is forbidden: violates PodSecurity \"restricted:v1.24\": allowPrivilegeEscalation != false (containers \"cont-80-tcp\", \"cont-81-tcp\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers \"cont-80-tcp\", \"cont-81-tcp\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or containers \"cont-80-tcp\", \"cont-81-tcp\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers \"cont-80-tcp\", \"cont-81-tcp\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")",
        err: {
            ErrStatus: {
                TypeMeta: {Kind: "", APIVersion: ""},
                ListMeta: {
                    SelfLink: "",
                    ResourceVersion: "",
                    Continue: "",
                    RemainingItemCount: nil,
                },
                Status: "Failure",
                Message: "pods \"a\" is forbidden: violates PodSecurity \"restricted:v1.24\": allowPrivilegeEscalation != false (containers \"cont-80-tcp\", \"cont-81-tcp\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers \"cont-80-tcp\", \"cont-81-tcp\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or containers \"cont-80-tcp\", \"cont-81-tcp\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers \"cont-80-tcp\", \"cont-81-tcp\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")",
                Reason: "Forbidden",
                Details: {Name: "a", Group: "", Kind: "pods", UID: "", Causes: nil, RetryAfterSeconds: 0},
                Code: 403,
            },
        },
    }
    unable to update pod e2e-netpol-1091-x/a: pods "a" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (containers "cont-80-tcp", "cont-81-tcp" must set 
  

astoycos avatar Aug 16 '22 13:08 astoycos
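
The four checks named in the PodSecurity error above, as an added Go example that is not part of this PR or of the upstream test code. The `Container` and `Pod` types are hypothetical stand-ins for the Kubernetes structs, the sample pods are constructed, and the capabilities check covers only `drop`, as the message words it.

```go
package main

import "fmt"

// Hypothetical minimal types for this example, not the k8s.io/api structs; nil or "" means unset.
type Container struct {
	Name, Seccomp                          string // Seccomp = securityContext.seccompProfile.type
	AllowPrivilegeEscalation, RunAsNonRoot *bool
	DropCaps                               []string // securityContext.capabilities.drop
}

type Pod struct {
	RunAsNonRoot *bool  // pod-level securityContext.runAsNonRoot
	Seccomp      string // pod-level securityContext.seccompProfile.type
	Containers   []Container
}

// Violations lists the failed checks per container; container-level values override pod-level ones.
func Violations(p Pod) (out []string) {
	for _, c := range p.Containers {
		fail := func(bad bool, msg string) {
			if bad {
				out = append(out, c.Name+": "+msg)
			}
		}
		nonRoot, seccomp, dropsAll := p.RunAsNonRoot, p.Seccomp, false
		if c.RunAsNonRoot != nil {
			nonRoot = c.RunAsNonRoot
		}
		if c.Seccomp != "" {
			seccomp = c.Seccomp
		}
		for _, d := range c.DropCaps {
			dropsAll = dropsAll || d == "ALL"
		}
		// The first two can only be set per container; the last two may come from the pod.
		fail(c.AllowPrivilegeEscalation == nil || *c.AllowPrivilegeEscalation, "allowPrivilegeEscalation != false")
		fail(!dropsAll, "unrestricted capabilities")
		fail(nonRoot == nil || !*nonRoot, "runAsNonRoot != true")
		fail(seccomp != "RuntimeDefault" && seccomp != "Localhost", "seccompProfile")
	}
	return out
}

func main() {
	f, t := false, true // constructed sample pods: one with no securityContext, one hardened
	bare := Pod{Containers: []Container{{Name: "cont-80-tcp"}, {Name: "cont-81-tcp"}}}
	fixed := Pod{RunAsNonRoot: &t, Seccomp: "RuntimeDefault", Containers: []Container{
		{Name: "cont-80-tcp", AllowPrivilegeEscalation: &f, DropCaps: []string{"ALL"}}}}
	fmt.Println(Violations(bare), Violations(fixed))
}
```
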

Looks like this is the issue

astoycos avatar Aug 16 '22 16:08 astoycos

Looks like this is going to require an upstream test modification to work :( Looking into that but it will again delay this from merging

astoycos avatar Aug 18 '22 13:08 astoycos

/retest

astoycos avatar Sep 06 '22 14:09 astoycos