some fixes

Signed-off-by: zhangzujian <[email protected]>
kubeovn · May 3, 2024 · 9bd0265 · 9bd0265
1 parent cf11cf0
commit 9bd0265
Show file tree

Hide file tree

Showing 8 changed files with 34 additions and 25 deletions.
diff --git a/Makefile b/Makefile
@@ -1006,6 +1006,11 @@ ipam-bench:
 	go test -timeout 30m -bench='^BenchmarkIPAM' -benchtime=10000x test/unittest/ipam_bench/ipam_test.go -args -logtostderr=false
 	go test -timeout 90m -bench='^BenchmarkParallelIPAM' -benchtime=10x test/unittest/ipam_bench/ipam_test.go -args -logtostderr=false
 
+.PHONY: kubectl-ko-log
+kubectl-ko-log:
+	kubectl ko log all
+	tar -zcvf kubectl-ko-log.tar.gz kubectl-ko-log/
+
 .PHONY: clean
 clean:
 	$(RM) dist/images/kube-ovn dist/images/kube-ovn-cmd

diff --git a/Makefile.e2e b/Makefile.e2e
@@ -215,8 +215,3 @@ kube-ovn-webhook-e2e:
 	E2E_NETWORK_MODE=$(E2E_NETWORK_MODE) \
 	ginkgo $(GINKGO_OUTPUT_OPT) $(GINKGO_PARALLEL_OPT) --randomize-all -v \
 		--focus=CNI:Kube-OVN ./test/e2e/webhook/webhook.test -- $(TEST_BIN_ARGS)
-
-.PHONY: kubectl-ko-log
-kubectl-ko-log:
-	kubectl ko log all
-	tar -zcvf kubectl-ko-log.tar.gz kubectl-ko-log/
diff --git a/pkg/ovs/ovn-nb-logical_router_route.go b/pkg/ovs/ovn-nb-logical_router_route.go
@@ -11,6 +11,7 @@ import (
 	"github.com/ovn-org/libovsdb/ovsdb"
 	"github.com/scylladb/go-set/strset"
 	"k8s.io/klog/v2"
+	"k8s.io/utils/ptr"
 
 	ovsclient "github.com/kubeovn/kube-ovn/pkg/ovsdb/client"
 	"github.com/kubeovn/kube-ovn/pkg/ovsdb/ovnnb"
@@ -138,7 +139,7 @@ func (c *OVNNbClient) UpdateLogicalRouterStaticRoute(route *ovnnb.LogicalRouterS
 // DeleteLogicalRouterStaticRoute add a logical router static route
 func (c *OVNNbClient) DeleteLogicalRouterStaticRoute(lrName string, routeTable, policy *string, ipPrefix, nexthop string) error {
 	if policy == nil || len(*policy) == 0 {
-		policy = &ovnnb.LogicalRouterStaticRoutePolicyDstIP
+		policy = ptr.To(ovnnb.LogicalRouterStaticRoutePolicyDstIP)
 	}
 
 	routes, err := c.ListLogicalRouterStaticRoutes(lrName, routeTable, policy, ipPrefix, nil)

diff --git a/test/e2e/framework/pod.go b/test/e2e/framework/pod.go
@@ -10,6 +10,8 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+	psaapi "k8s.io/pod-security-admission/api"
+	"k8s.io/utils/ptr"
 
 	"github.com/kubeovn/kube-ovn/pkg/util"
 )
@@ -86,7 +88,7 @@ func (c *PodClient) WaitForNotFound(name string) {
 	ExpectNoError(err)
 }
 
-func MakePod(ns, name string, labels, annotations map[string]string, image string, command, args []string) *corev1.Pod {
+func makePod(ns, name string, labels, annotations map[string]string, image string, command, args []string, securityLevel psaapi.Level) *corev1.Pod {
 	if image == "" {
 		image = PauseImage
 	}
@@ -106,20 +108,24 @@ func MakePod(ns, name string, labels, annotations map[string]string, image strin
 					ImagePullPolicy: corev1.PullIfNotPresent,
 					Command:         command,
 					Args:            args,
+					SecurityContext: e2epod.GenerateContainerSecurityContext(securityLevel),
 				},
 			},
+			SecurityContext:               e2epod.GeneratePodSecurityContext(nil, nil),
+			TerminationGracePeriodSeconds: ptr.To(int64(3)),
 		},
 	}
-	pod.Spec.TerminationGracePeriodSeconds = new(int64)
-	*pod.Spec.TerminationGracePeriodSeconds = 3
+	return e2epod.MustMixinRestrictedPodSecurity(pod)
+}
 
-	return pod
+func MakePod(ns, name string, labels, annotations map[string]string, image string, command, args []string) *corev1.Pod {
+	return makePod(ns, name, labels, annotations, image, command, args, psaapi.LevelBaseline)
 }
 
-func MakeNetAdminPod(ns, name string, labels, annotations map[string]string, image string, command, args []string) *corev1.Pod {
-	pod := MakePod(ns, name, labels, annotations, image, command, args)
-	pod.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
-		Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"NET_ADMIN"}},
-	}
-	return pod
+func MakeRestrictedPod(ns, name string, labels, annotations map[string]string, image string, command, args []string) *corev1.Pod {
+	return makePod(ns, name, labels, annotations, image, command, args, psaapi.LevelRestricted)
+}
+
+func MakePrivilegedPod(ns, name string, labels, annotations map[string]string, image string, command, args []string) *corev1.Pod {
+	return makePod(ns, name, labels, annotations, image, command, args, psaapi.LevelPrivileged)
 }
diff --git a/test/e2e/framework/service.go b/test/e2e/framework/service.go
@@ -13,6 +13,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/kubernetes/test/e2e/framework"
+	"k8s.io/utils/ptr"
 
 	"github.com/onsi/gomega"
 
@@ -155,14 +156,13 @@ func MakeService(name string, svcType corev1.ServiceType, annotations, selector
 			Annotations: annotations,
 		},
 		Spec: corev1.ServiceSpec{
+			IPFamilyPolicy:  ptr.To(corev1.IPFamilyPolicyPreferDualStack),
 			Ports:           ports,
 			Selector:        selector,
 			SessionAffinity: affinity,
 			Type:            svcType,
 		},
 	}
-	service.Spec.IPFamilyPolicy = new(corev1.IPFamilyPolicy)
-	*service.Spec.IPFamilyPolicy = corev1.IPFamilyPolicyPreferDualStack
 
 	return service
 }
diff --git a/test/e2e/kube-ovn/pod/statefulset.go b/test/e2e/kube-ovn/pod/statefulset.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 
 	"github.com/onsi/ginkgo/v2"
+	"k8s.io/utils/ptr"
 
 	"github.com/kubeovn/kube-ovn/pkg/util"
 	"github.com/kubeovn/kube-ovn/test/e2e/framework"
@@ -47,7 +48,7 @@ var _ = framework.Describe("[group:pod]", func() {
 		ginkgo.By("Scale sts replicas to 1")
 		sts = stsClient.Get(stsName)
 		patchSts := sts.DeepCopy()
-		*patchSts.Spec.Replicas = 1
+		patchSts.Spec.Replicas = ptr.To(int32(1))
 		stsClient.PatchSync(sts, patchSts)
 
 		for index := 1; index <= 2; index++ {
@@ -58,7 +59,7 @@ var _ = framework.Describe("[group:pod]", func() {
 		ginkgo.By("Scale sts replicas to 3")
 		sts = stsClient.Get(stsName)
 		patchSts = sts.DeepCopy()
-		*patchSts.Spec.Replicas = 3
+		patchSts.Spec.Replicas = ptr.To(int32(3))
 		stsClient.PatchSync(sts, patchSts)
 		ginkgo.By("Waiting for statefulset " + stsName + " to be ready")
 		stsClient.WaitForRunningAndReady(patchSts)

diff --git a/test/e2e/kube-ovn/service/service.go b/test/e2e/kube-ovn/service/service.go
@@ -14,6 +14,7 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	e2enode "k8s.io/kubernetes/test/e2e/framework/node"
 	e2epodoutput "k8s.io/kubernetes/test/e2e/framework/pod/output"
+	"k8s.io/utils/ptr"
 
 	"github.com/onsi/ginkgo/v2"
 
@@ -179,15 +180,15 @@ var _ = framework.Describe("[group:service]", func() {
 
 		ginkgo.By("change service from dual stack to single stack")
 		modifyService := service.DeepCopy()
-		*modifyService.Spec.IPFamilyPolicy = corev1.IPFamilyPolicySingleStack
+		modifyService.Spec.IPFamilyPolicy = ptr.To(corev1.IPFamilyPolicySingleStack)
 		modifyService.Spec.IPFamilies = []corev1.IPFamily{corev1.IPv4Protocol}
 		modifyService.Spec.ClusterIPs = []string{service.Spec.ClusterIP}
 		service = serviceClient.Patch(service, modifyService)
 		checkContainsClusterIP(v6ClusterIP, false)
 
 		ginkgo.By("recover service from single stack to dual stack")
 		recoverService := service.DeepCopy()
-		*recoverService.Spec.IPFamilyPolicy = *originService.Spec.IPFamilyPolicy
+		recoverService.Spec.IPFamilyPolicy = ptr.To(*originService.Spec.IPFamilyPolicy)
 		recoverService.Spec.IPFamilies = originService.Spec.IPFamilies
 		recoverService.Spec.ClusterIPs = originService.Spec.ClusterIPs
 		_ = serviceClient.Patch(service, recoverService)

diff --git a/test/e2e/vip/e2e_test.go b/test/e2e/vip/e2e_test.go
@@ -215,10 +215,10 @@ var _ = framework.Describe("[group:vip]", func() {
 		annotations := map[string]string{util.AAPsAnnotation: vip1Name}
 		cmd := []string{"sh", "-c", "sleep infinity"}
 		ginkgo.By("Creating pod1 support allowed address pair using " + vip1Name)
-		aapPod1 := framework.MakeNetAdminPod(namespaceName, aapPodName1, nil, annotations, image, cmd, nil)
+		aapPod1 := framework.MakeRestrictedPod(namespaceName, aapPodName1, nil, annotations, image, cmd, nil)
 		aapPod1 = podClient.CreateSync(aapPod1)
 		ginkgo.By("Creating pod2 support allowed address pair using " + vip1Name)
-		aapPod2 := framework.MakeNetAdminPod(namespaceName, aapPodName2, nil, annotations, image, cmd, nil)
+		aapPod2 := framework.MakeRestrictedPod(namespaceName, aapPodName2, nil, annotations, image, cmd, nil)
 		_ = podClient.CreateSync(aapPod2)
 		// logical switch port with type virtual should be created
 		conditions := fmt.Sprintf("type=virtual name=%s options:virtual-ip=\\\"%s\\\" ", vip1Name, virtualIP1)
@@ -303,7 +303,7 @@ var _ = framework.Describe("[group:vip]", func() {
 		ginkgo.By("Creating pod3 support allowed address pair with security group")
 		annotations[util.PortSecurityAnnotation] = "true"
 		annotations[fmt.Sprintf(util.SecurityGroupAnnotationTemplate, "ovn")] = securityGroupName
-		aapPod3 := framework.MakeNetAdminPod(namespaceName, aapPodName3, nil, annotations, image, cmd, nil)
+		aapPod3 := framework.MakeRestrictedPod(namespaceName, aapPodName3, nil, annotations, image, cmd, nil)
 		aapPod3 = podClient.CreateSync(aapPod3)
 		v4ip, v6ip := util.SplitStringIP(aapPod3.Annotations[util.IPAddressAnnotation])
 		if f.HasIPv4() {