cncf / k8s-conformance

🧪CNCF K8s Conformance Working Group

Home Page: https://cncf.io/ck


Conformance tests with DenyEscalatingExec failing

dhemeier opened this issue · comments

Hey,

when you create a cluster with the DenyEscalatingExec Admission Controller, the following test fails: [k8s.io] KubeletManagedEtcHosts should test kubelet managed /etc/hosts file [NodeConformance] [Conformance]

Output Logs:

/workspace/anago-v1.12.1-beta.0.52+4ed3216f3ec431/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/framework.go:699
failed to execute command in pod test-host-network-pod, container busybox-1: pods "test-host-network-pod" is forbidden: cannot exec into or attach to a container using host network
Expected error:
    <*errors.StatusError | 0xc421c81680>: {
        ErrStatus: {
            TypeMeta: {Kind: "Status", APIVersion: "v1"},
            ListMeta: {SelfLink: "", ResourceVersion: "", Continue: ""},
            Status: "Failure",
            Message: "pods \"test-host-network-pod\" is forbidden: cannot exec into or attach to a container using host network",
            Reason: "Forbidden",
            Details: {
                Name: "test-host-network-pod",
                Group: "",
                Kind: "pods",
                UID: "",
                Causes: nil,
                RetryAfterSeconds: 0,
            },
            Code: 403,
        },
    }
    pods "test-host-network-pod" is forbidden: cannot exec into or attach to a container using host network
not to have occurred
/workspace/anago-v1.12.1-beta.0.52+4ed3216f3ec431/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/framework/exec_util.go:104

Related Issue on Sonobuoy: vmware-tanzu/sonobuoy#558
The question @andrewrynhard and I have is: is the result still okay for acceptance, or do we need other solutions to resolve this? Maybe disable the admission controller, run the test, and enable it again?
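To make the failure mechanism concrete, here is a small model of the DenyEscalatingExec admission decision applied to a pod shaped like the conformance test pod from the log above. This is an added example, not code from the issue or from Kubernetes; the pod manifests are constructed, and the non-host-network denial messages are modeled on the plugin's behaviour rather than copied from the page.

```python
"""Model of the DenyEscalatingExec exec/attach decision (added example, not Kubernetes code).

The plugin denied exec and attach into pods that use the host network, host PID or
host IPC namespace, or that run a privileged container. Pods are plain dicts shaped
like Kubernetes manifests; only the fields consulted below matter (assumption).
"""
from typing import Dict, List, Optional

# Message copied from the conformance failure in the issue; the other three are
# modeled on the same pattern (assumption, not quoted from the page).
_FORBIDDEN = 'pods "{name}" is forbidden: cannot exec into or attach to a container {why}'


def deny_reason(pod: dict) -> Optional[str]:
    """Return the admission denial message for an exec/attach into `pod`, or None if allowed."""
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    if spec.get("hostNetwork"):
        return _FORBIDDEN.format(name=name, why="using host network")
    if spec.get("hostPID"):
        return _FORBIDDEN.format(name=name, why="using host pid")
    if spec.get("hostIPC"):
        return _FORBIDDEN.format(name=name, why="using host ipc")
    # Any privileged container (regular or init) also triggers the denial.
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        if (container.get("securityContext") or {}).get("privileged"):
            return _FORBIDDEN.format(name=name, why="that is privileged")
    return None


def affected_pods(pods: List[dict]) -> Dict[str, str]:
    """Map pod name -> denial message for every pod the plugin would block exec into.
    Useful for predicting which e2e/conformance pods cannot be driven via exec."""
    result = {}
    for pod in pods:
        reason = deny_reason(pod)
        if reason is not None:
            result[pod["metadata"]["name"]] = reason
    return result


# Constructed sample pods. The first mirrors the KubeletManagedEtcHosts test pod
# from the issue (hostNetwork: true, busybox containers); the others are controls.
TEST_HOST_NETWORK_POD = {
    "metadata": {"name": "test-host-network-pod"},
    "spec": {"hostNetwork": True,
             "containers": [{"name": "busybox-1", "image": "busybox"},
                            {"name": "busybox-2", "image": "busybox"}]},
}
PLAIN_POD = {"metadata": {"name": "test-pod"},
             "spec": {"containers": [{"name": "busybox-1", "image": "busybox"}]}}
PRIVILEGED_POD = {"metadata": {"name": "priv-pod"},
                  "spec": {"containers": [{"name": "c", "image": "busybox",
                                           "securityContext": {"privileged": True}}]}}
```

Running `affected_pods([TEST_HOST_NETWORK_POD, PLAIN_POD, PRIVILEGED_POD])` reports the host-network test pod and the privileged control as blocked, which is exactly why the exec-driven /etc/hosts check cannot complete with the plugin enabled.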

We are nearing a release of our distro that we would like to get certified. Anyone able to give an update on this?

That admission policy is deprecated.

kubernetes/kubernetes#72737

If it's planned to be deprecated, should we have removed the conformance label with the deprecation change? We don't have policy around removing the label...

k, it's pretty clear that this plugin option will violate some assumptions on behavior and prevent some conformance tests from running. The reason we don't see this in CI is that it's not enabled in any of the release-blocking test suites.

All documentation points to: "Use of a policy-based admission plugin (like PodSecurityPolicy or a custom admission plugin) which can be targeted at specific users or Namespaces and also protects against creation of overly privileged Pods is recommended instead."

Closing as the plugin causes issues and has a planned deprecation plan.