From 9bd0265afb32d9ede2d89fc84f76f47bd19449be Mon Sep 17 00:00:00 2001 From: zhangzujian Date: Fri, 3 May 2024 05:59:06 +0000 Subject: [PATCH] some fixes Signed-off-by: zhangzujian
---
 Makefile | 5 +++++
 Makefile.e2e | 5 -----
 pkg/ovs/ovn-nb-logical_router_route.go | 3 ++-
 test/e2e/framework/pod.go | 26 ++++++++++++++++----------
 test/e2e/framework/service.go | 4 ++--
 test/e2e/kube-ovn/pod/statefulset.go | 5 +++--
 test/e2e/kube-ovn/service/service.go | 5 +++--
 test/e2e/vip/e2e_test.go | 6 +++---
 8 files changed, 34 insertions(+), 25 deletions(-)
diff --git a/Makefile b/Makefile
index 9728ea5d647e..fede3488a77a 100644
--- a/Makefile
+++ b/Makefile
@@ -1006,6 +1006,11 @@ ipam-bench:
 go test -timeout 30m -bench='^BenchmarkIPAM' -benchtime=10000x test/unittest/ipam_bench/ipam_test.go -args -logtostderr=false
 go test -timeout 90m -bench='^BenchmarkParallelIPAM' -benchtime=10x test/unittest/ipam_bench/ipam_test.go -args -logtostderr=false
+.PHONY: kubectl-ko-log
+kubectl-ko-log:
+ kubectl ko log all
+ tar -zcvf kubectl-ko-log.tar.gz kubectl-ko-log/
+
 .PHONY: clean
 clean:
 $(RM) dist/images/kube-ovn dist/images/kube-ovn-cmd
diff --git a/Makefile.e2e b/Makefile.e2e
index 61768883c736..0477ffa4d69c 100644
--- a/Makefile.e2e
+++ b/Makefile.e2e
@@ -215,8 +215,3 @@ kube-ovn-webhook-e2e:
 E2E_NETWORK_MODE=$(E2E_NETWORK_MODE) \
 ginkgo $(GINKGO_OUTPUT_OPT) $(GINKGO_PARALLEL_OPT) --randomize-all -v \
 --focus=CNI:Kube-OVN ./test/e2e/webhook/webhook.test -- $(TEST_BIN_ARGS)
-
-.PHONY: kubectl-ko-log
-kubectl-ko-log:
- kubectl ko log all
- tar -zcvf kubectl-ko-log.tar.gz kubectl-ko-log/
diff --git a/pkg/ovs/ovn-nb-logical_router_route.go b/pkg/ovs/ovn-nb-logical_router_route.go
index 4c4afefd8ce2..421f3a76ec57 100644
--- a/pkg/ovs/ovn-nb-logical_router_route.go
+++ b/pkg/ovs/ovn-nb-logical_router_route.go
@@ -11,6 +11,7 @@ import (
 "github.com/ovn-org/libovsdb/ovsdb"
 "github.com/scylladb/go-set/strset"
 "k8s.io/klog/v2"
+ "k8s.io/utils/ptr"
 ovsclient "github.com/kubeovn/kube-ovn/pkg/ovsdb/client"
 "github.com/kubeovn/kube-ovn/pkg/ovsdb/ovnnb"
@@ -138,7 +139,7 @@ func (c *OVNNbClient) UpdateLogicalRouterStaticRoute(route *ovnnb.LogicalRouterS
 // DeleteLogicalRouterStaticRoute add a logical router static route
 func (c *OVNNbClient) DeleteLogicalRouterStaticRoute(lrName string, routeTable, policy *string, ipPrefix, nexthop string) error {
 if policy == nil || len(*policy) == 0 {
- policy = &ovnnb.LogicalRouterStaticRoutePolicyDstIP
+ policy = ptr.To(ovnnb.LogicalRouterStaticRoutePolicyDstIP)
 }
 routes, err := c.ListLogicalRouterStaticRoutes(lrName, routeTable, policy, ipPrefix, nil)
diff --git a/test/e2e/framework/pod.go b/test/e2e/framework/pod.go
index 4afd7d40cb00..04a26820c5a8 100644
--- a/test/e2e/framework/pod.go
+++ b/test/e2e/framework/pod.go
@@ -10,6 +10,8 @@ import (
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/apimachinery/pkg/util/wait"
 e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+ psaapi "k8s.io/pod-security-admission/api"
+ "k8s.io/utils/ptr"
 "github.com/kubeovn/kube-ovn/pkg/util"
 )
@@ -86,7 +88,7 @@ func (c *PodClient) WaitForNotFound(name string) {
 ExpectNoError(err)
 }
-func MakePod(ns, name string, labels, annotations map[string]string, image string, command, args []string) *corev1.Pod {
+func makePod(ns, name string, labels, annotations map[string]string, image string, command, args []string, securityLevel psaapi.Level) *corev1.Pod {
 if image == "" {
 image = PauseImage
 }
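Review bot: The doc comment kept as context above `DeleteLogicalRouterStaticRoute` in the `@@ -138,7 +139,7 @@` hunk says the function "add[s] a logical router static route", which contradicts its name, and the nil-or-empty `policy` default that this hunk rewrites is not documented at all. I would reword it to `// DeleteLogicalRouterStaticRoute deletes a logical router static route; a nil or empty policy defaults to ovnnb.LogicalRouterStaticRoutePolicyDstIP.` The function body continues past the end of the hunk, so how `policy` is used after the `ListLogicalRouterStaticRoutes` call is not visible here.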
@@ -106,20 +108,24 @@ func MakePod(ns, name string, labels, annotations map[string]string, image strin
 ImagePullPolicy: corev1.PullIfNotPresent,
 Command: command,
 Args: args,
+ SecurityContext: e2epod.GenerateContainerSecurityContext(securityLevel),
 },
 },
+ SecurityContext: e2epod.GeneratePodSecurityContext(nil, nil),
+ TerminationGracePeriodSeconds: ptr.To(int64(3)),
 },
 }
- pod.Spec.TerminationGracePeriodSeconds = new(int64)
- *pod.Spec.TerminationGracePeriodSeconds = 3
+ return e2epod.MustMixinRestrictedPodSecurity(pod)
+}
- return pod
+func MakePod(ns, name string, labels, annotations map[string]string, image string, command, args []string) *corev1.Pod {
+ return makePod(ns, name, labels, annotations, image, command, args, psaapi.LevelBaseline)
 }
-func MakeNetAdminPod(ns, name string, labels, annotations map[string]string, image string, command, args []string) *corev1.Pod {
- pod := MakePod(ns, name, labels, annotations, image, command, args)
- pod.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
- Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"NET_ADMIN"}},
- }
- return pod
+func MakeRestrictedPod(ns, name string, labels, annotations map[string]string, image string, command, args []string) *corev1.Pod {
+ return makePod(ns, name, labels, annotations, image, command, args, psaapi.LevelRestricted)
+}
+
+func MakePrivilegedPod(ns, name string, labels, annotations map[string]string, image string, command, args []string) *corev1.Pod {
+ return makePod(ns, name, labels, annotations, image, command, args, psaapi.LevelPrivileged)
 }
diff --git a/test/e2e/framework/service.go b/test/e2e/framework/service.go
index 0535d203fa75..6b654f53e3c0 100644
--- a/test/e2e/framework/service.go
+++ b/test/e2e/framework/service.go
@@ -13,6 +13,7 @@ import (
 "k8s.io/apimachinery/pkg/util/wait"
 v1core "k8s.io/client-go/kubernetes/typed/core/v1"
 "k8s.io/kubernetes/test/e2e/framework"
+ "k8s.io/utils/ptr"
 "github.com/onsi/gomega"
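Review bot: `makePod` takes a `securityLevel` but ends with an unconditional `return e2epod.MustMixinRestrictedPodSecurity(pod)`, so the pods built by `MakePod` (baseline) and `MakePrivilegedPod` are also pushed through the restricted mixin in the `@@ -106,20 +108,24 @@` hunk. As far as I recall, the upstream helper fills in `allowPrivilegeEscalation: false` and a drop-all capability set on any container where they are unset, which would contradict the `LevelPrivileged` container context and is likely to be rejected at admission; please verify against the vendored `e2epod` version. Applying the mixin only for the restricted level keeps the three constructors distinct: `if securityLevel == psaapi.LevelRestricted { return e2epod.MustMixinRestrictedPodSecurity(pod) }` followed by `return pod`. The start of `makePod` lies in the previous hunk. The exported `MakePod`, `MakeRestrictedPod` and `MakePrivilegedPod` would also benefit from one-line doc comments naming the Pod Security level each one targets.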
@@ -155,14 +156,13 @@ func MakeService(name string, svcType corev1.ServiceType, annotations, selector
 Annotations: annotations,
 },
 Spec: corev1.ServiceSpec{
+ IPFamilyPolicy: ptr.To(corev1.IPFamilyPolicyPreferDualStack),
 Ports: ports,
 Selector: selector,
 SessionAffinity: affinity,
 Type: svcType,
 },
 }
- service.Spec.IPFamilyPolicy = new(corev1.IPFamilyPolicy)
- *service.Spec.IPFamilyPolicy = corev1.IPFamilyPolicyPreferDualStack
 return service
 }
diff --git a/test/e2e/kube-ovn/pod/statefulset.go b/test/e2e/kube-ovn/pod/statefulset.go
index 826847c9ce21..38a51b36f027 100644
--- a/test/e2e/kube-ovn/pod/statefulset.go
+++ b/test/e2e/kube-ovn/pod/statefulset.go
@@ -4,6 +4,7 @@ import (
 "fmt"
 "github.com/onsi/ginkgo/v2"
+ "k8s.io/utils/ptr"
 "github.com/kubeovn/kube-ovn/pkg/util"
 "github.com/kubeovn/kube-ovn/test/e2e/framework"
@@ -47,7 +48,7 @@ var _ = framework.Describe("[group:pod]", func() {
 ginkgo.By("Scale sts replicas to 1")
 sts = stsClient.Get(stsName)
 patchSts := sts.DeepCopy()
- *patchSts.Spec.Replicas = 1
+ patchSts.Spec.Replicas = ptr.To(int32(1))
 stsClient.PatchSync(sts, patchSts)
 for index := 1; index <= 2; index++ {
@@ -58,7 +59,7 @@ var _ = framework.Describe("[group:pod]", func() {
 ginkgo.By("Scale sts replicas to 3")
 sts = stsClient.Get(stsName)
 patchSts = sts.DeepCopy()
- *patchSts.Spec.Replicas = 3
+ patchSts.Spec.Replicas = ptr.To(int32(3))
 stsClient.PatchSync(sts, patchSts)
 ginkgo.By("Waiting for statefulset " + stsName + " to be ready")
 stsClient.WaitForRunningAndReady(patchSts)
diff --git a/test/e2e/kube-ovn/service/service.go b/test/e2e/kube-ovn/service/service.go
index 96afe88782fb..8a1e296ca887 100644
--- a/test/e2e/kube-ovn/service/service.go
+++ b/test/e2e/kube-ovn/service/service.go
@@ -14,6 +14,7 @@ import (
 clientset "k8s.io/client-go/kubernetes"
 e2enode "k8s.io/kubernetes/test/e2e/framework/node"
 e2epodoutput "k8s.io/kubernetes/test/e2e/framework/pod/output"
+ "k8s.io/utils/ptr"
 "github.com/onsi/ginkgo/v2"
@@ -179,7 +180,7 @@ var _ = framework.Describe("[group:service]", func() {
 ginkgo.By("change service from dual stack to single stack")
 modifyService := service.DeepCopy()
- *modifyService.Spec.IPFamilyPolicy = corev1.IPFamilyPolicySingleStack
+ modifyService.Spec.IPFamilyPolicy = ptr.To(corev1.IPFamilyPolicySingleStack)
 modifyService.Spec.IPFamilies = []corev1.IPFamily{corev1.IPv4Protocol}
 modifyService.Spec.ClusterIPs = []string{service.Spec.ClusterIP}
 service = serviceClient.Patch(service, modifyService)
@@ -187,7 +188,7 @@ var _ = framework.Describe("[group:service]", func() {
 ginkgo.By("recover service from single stack to dual stack")
 recoverService := service.DeepCopy()
- *recoverService.Spec.IPFamilyPolicy = *originService.Spec.IPFamilyPolicy
+ recoverService.Spec.IPFamilyPolicy = ptr.To(*originService.Spec.IPFamilyPolicy)
 recoverService.Spec.IPFamilies = originService.Spec.IPFamilies
 recoverService.Spec.ClusterIPs = originService.Spec.ClusterIPs
 _ = serviceClient.Patch(service, recoverService)
diff --git a/test/e2e/vip/e2e_test.go b/test/e2e/vip/e2e_test.go
index 31fd30285178..126789de7d4d 100644
--- a/test/e2e/vip/e2e_test.go
+++ b/test/e2e/vip/e2e_test.go
@@ -215,10 +215,10 @@ var _ = framework.Describe("[group:vip]", func() {
 annotations := map[string]string{util.AAPsAnnotation: vip1Name}
 cmd := []string{"sh", "-c", "sleep infinity"}
 ginkgo.By("Creating pod1 support allowed address pair using " + vip1Name)
- aapPod1 := framework.MakeNetAdminPod(namespaceName, aapPodName1, nil, annotations, image, cmd, nil)
+ aapPod1 := framework.MakeRestrictedPod(namespaceName, aapPodName1, nil, annotations, image, cmd, nil)
 aapPod1 = podClient.CreateSync(aapPod1)
 ginkgo.By("Creating pod2 support allowed address pair using " + vip1Name)
- aapPod2 := framework.MakeNetAdminPod(namespaceName, aapPodName2, nil, annotations, image, cmd, nil)
+ aapPod2 := framework.MakeRestrictedPod(namespaceName, aapPodName2, nil, annotations, image, cmd, nil)
 _ = podClient.CreateSync(aapPod2)
 // logical switch port with type virtual should be created
 conditions := fmt.Sprintf("type=virtual name=%s options:virtual-ip=\\\"%s\\\" ", vip1Name, virtualIP1)
@@ -303,7 +303,7 @@ var _ = framework.Describe("[group:vip]", func() {
 ginkgo.By("Creating pod3 support allowed address pair with security group")
 annotations[util.PortSecurityAnnotation] = "true"
 annotations[fmt.Sprintf(util.SecurityGroupAnnotationTemplate, "ovn")] = securityGroupName
- aapPod3 := framework.MakeNetAdminPod(namespaceName, aapPodName3, nil, annotations, image, cmd, nil)
+ aapPod3 := framework.MakeRestrictedPod(namespaceName, aapPodName3, nil, annotations, image, cmd, nil)
 aapPod3 = podClient.CreateSync(aapPod3)
 v4ip, v6ip := util.SplitStringIP(aapPod3.Annotations[util.IPAddressAnnotation])
 if f.HasIPv4() {
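Review bot: Dropping `NET_ADMIN` from the allowed-address-pair pods needs confirming against the rest of these specs: `aapPod1` and `aapPod2` in the `@@ -215,10 +215,10 @@` hunk and `aapPod3` in the following hunk are now built with `MakeRestrictedPod`, and neither hunk shows whether later steps exec commands inside those pods that require the capability or root. If any step does change network configuration from inside the pod, it will fail under the restricted profile and the test should request only the capability it needs rather than a broader level. If none does, a short comment at the first call, such as `// restricted level is sufficient: nothing below changes network configuration inside the pod`, would record that the tighter level is deliberate. Both enclosing `Describe` bodies extend beyond the hunks.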