// verifyTestSuitePreconditions ensures that all namespaces prefixed with 'e2e-' have their
// service accounts in the privileged and anyuid SCCs, and that Origin/Kubernetes synthetic
// skip labels are applied
func verifyTestSuitePreconditions() {
desc := ginkgo.CurrentGinkgoTestDescription()
switch {
case strings.Contains(desc.FileName, "/origin/test/"):
if strings.Contains(config.GinkgoConfig.SkipString, "[Origin]") {
ginkgo.Skip("skipping [Origin] tests")
}
case strings.Contains(desc.FileName, "/kubernetes/test/e2e/"):
if strings.Contains(config.GinkgoConfig.SkipString, "[Kubernetes]") {
ginkgo.Skip("skipping [Kubernetes] tests")
}
e2e.Logf("About to run a Kube e2e test, ensuring namespace is privileged")
c, _, err := configapi.GetKubeClient(KubeConfigPath())
if err != nil {
FatalErr(err)
}
namespaces, err := c.Namespaces().List(kapi.ListOptions{})
if err != nil {
FatalErr(err)
}
// add to the "privileged" scc to ensure pods that explicitly
// request extra capabilities are not rejected
addE2EServiceAccountsToSCC(c, namespaces, "privileged")
// add to the "anyuid" scc to ensure pods that don't specify a
// uid don't get forced into a range (mimics upstream
// behavior)
addE2EServiceAccountsToSCC(c, namespaces, "anyuid")
}
}
// checkSuiteSkips ensures Origin/Kubernetes synthetic skip labels are applied
func checkSuiteSkips() {
switch {
case isOriginTest():
if strings.Contains(config.GinkgoConfig.SkipString, "Synthetic Origin") {
ginkgo.Skip("skipping all openshift/origin tests")
}
case isKubernetesE2ETest():
if strings.Contains(config.GinkgoConfig.SkipString, "Synthetic Kubernetes") {
ginkgo.Skip("skipping all k8s.io/kubernetes tests")
}
}
}
// checkSuiteSkips ensures Origin/Kubernetes synthetic skip labels are applied
func checkSuiteSkips() {
switch {
case isOriginTest():
if strings.Contains(config.GinkgoConfig.SkipString, "[Origin]") {
ginkgo.Skip("skipping [Origin] tests")
}
case isKubernetesE2ETest():
if strings.Contains(config.GinkgoConfig.SkipString, "[Kubernetes]") {
ginkgo.Skip("skipping [Kubernetes] tests")
}
}
}
// the docker version being used supports the supplemental groups feature
g.By("ensuring the feature is supported")
dockerCli, err := testutil.NewDockerClient()
o.Expect(err).NotTo(o.HaveOccurred())
env, err := dockerCli.Version()
o.Expect(err).NotTo(o.HaveOccurred(), "error getting docker environment")
version := env.Get("Version")
supports, err, requiredVersion := supportsSupplementalGroups(version)
if !supports || err != nil {
msg := fmt.Sprintf("skipping supplemental groups test, docker version %s does not meet required version %s", version, requiredVersion)
if err != nil {
msg = fmt.Sprintf("%s - encountered error: %v", msg, err)
}
g.Skip(msg)
}
// on to the real test
fsGroup := int64(1111)
supGroup := int64(2222)
// create a pod that is requesting supplemental groups. We request specific sup groups
// so that we can check for the exact values later and not rely on SCC allocation.
g.By("creating a pod that requests supplemental groups")
submittedPod := supGroupPod(fsGroup, supGroup)
_, err = f.Client.Pods(f.Namespace.Name).Create(submittedPod)
o.Expect(err).NotTo(o.HaveOccurred())
defer f.Client.Pods(f.Namespace.Name).Delete(submittedPod.Name, nil)
// we should have been admitted with the groups that we requested but if for any