Add jobs for SELinuxChangePolicy alpha feature
Add a job that enables SELinuxChangePolicy feature + run tests for it.
Also run the SELinux jobs with the new SELinuxWarningController enabled.

See
https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling#proposal
for details
jsafrane committed Nov 8, 2024
1 parent 4d11d7e commit fce86ee
Showing 6 changed files with 191 additions and 78 deletions.
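--- a/config/jobs/kubernetes/kops/build_jobs.py
+++ b/config/jobs/kubernetes/kops/build_jobs.py
@@ -884,7 +884,45 @@ def generate_misc():
 # support SELinux and there are several subvariants of local volumes
 # that multiply nr. of tests.
 # - FeatureGate:SELinuxMount: the feature gate is alpha / disabled by default
-# in v1.30.
+# in v1.32.
+# - FeatureGate:SELinuxChangePolicy: the feature gate is alpha / disabled by default
+# in v1.32.
+skip_regex=r"\[Feature:Volumes\]|\[Driver:.nfs\]|\[Driver:.local\]|\[FeatureGate:SELinuxMount\]|\[FeatureGate:SELinuxChangePolicy\]",
+# [Serial] and [Disruptive] are intentionally not skipped, therefore run
+# everything as serial.
+test_parallelism=1,
+# Serial and Disruptive tests can be slow.
+test_timeout_minutes=120,
+runs_per_day=3),
+
+# [sig-storage, @jsafrane] A one-off scenario testing SELinuxChangePolicy feature (alpha in v1.32).
+# and opt-in selinux-warning-controller.
+# This will need to merge with kops-aws-selinux when SELinuxMount gets enabled by default.
+build_test(name_override="kops-aws-selinux-changepolicy",
+# RHEL8 VM image is enforcing SELinux by default.
+cloud="aws",
+distro="rhel8",
+networking="cilium",
+k8s_version="ci",
+kops_channel="alpha",
+feature_flags=['SELinuxMount'],
+kubernetes_feature_gates="SELinuxChangePolicy",
+extra_flags=[
+"--set=cluster.spec.containerd.selinuxEnabled=true",
+# Run all default controllers ("*") + selinux-warning-controller.
+"--set=cluster.spec.kubeControllerManager.controllers=*",
+"--set=cluster.spec.kubeControllerManager.controllers=selinux-warning-controller"
+],
+focus_regex=r"\[Feature:SELinux\]",
+# Skip:
+# - Feature:Volumes: skips iSCSI and Ceph tests, they don't have client tools
+# installed on nodes.
+# - Driver: nfs: NFS does not have client tools installed on nodes.
+# - Driver: local: this is optimization only, the volume plugin does not
+# support SELinux and there are several subvariants of local volumes
+# that multiply nr. of tests.
+# - FeatureGate:SELinuxMount: the feature gate is alpha / disabled by default
+# in v1.32.
 skip_regex=r"\[Feature:Volumes\]|\[Driver:.nfs\]|\[Driver:.local\]|\[FeatureGate:SELinuxMount\]",
 # [Serial] and [Disruptive] are intentionally not skipped, therefore run
 # everything as serial.
@@ -893,7 +931,8 @@ def generate_misc():
 test_timeout_minutes=120,
 runs_per_day=3),
 
-# [sig-storage, @jsafrane] A one-off scenario testing SELinuxMount feature (alpha in v1.30).
+# [sig-storage, @jsafrane] A one-off scenario testing all SELinux related feature gates enabled
+# and opt-in selinux-warning-controller.
 # This will need to merge with kops-aws-selinux when SELinuxMount gets enabled by default.
 build_test(name_override="kops-aws-selinux-alpha",
 # RHEL8 VM image is enforcing SELinux by default.
@@ -903,9 +942,12 @@ def generate_misc():
 k8s_version="ci",
 kops_channel="alpha",
 feature_flags=['SELinuxMount'],
-kubernetes_feature_gates="SELinuxMount",
+kubernetes_feature_gates="SELinuxMount,SELinuxChangePolicy",
 extra_flags=[
 "--set=cluster.spec.containerd.selinuxEnabled=true",
+# Run all default controllers ("*") + selinux-warning-controller.
+"--set=cluster.spec.kubeControllerManager.controllers=*",
+"--set=cluster.spec.kubeControllerManager.controllers=selinux-warning-controller"
 ],
 focus_regex=r"\[Feature:SELinux\]",
 # Skip: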
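Review bot: Both new `extra_flags` lists (in the `kops-aws-selinux-changepolicy` job and in the `kops-aws-selinux-alpha` job) pass `--set=cluster.spec.kubeControllerManager.controllers=` twice, and the comment's promise of "*" plus selinux-warning-controller holds only if kops appends repeated `--set` values on a list field, which nothing on this page shows. If one value replaced the other, the job would come up with a controller set different from the one described, and the `[Feature:SELinux]` results would not cover the warning controller as intended. I would state the assumption in the comment, e.g. `# Repeated --set on a list field appends: default controllers ("*") + selinux-warning-controller.`, once confirmed against kops. Separately, the comment above `kops-aws-selinux-changepolicy` still reads `when SELinuxMount gets enabled by default`, which looks copied from the alpha job and presumably should name SELinuxChangePolicy.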
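--- a/config/jobs/kubernetes/kops/kops-periodics-distros.yaml
+++ b/config/jobs/kubernetes/kops/kops-periodics-distros.yaml
@@ -608,7 +608,7 @@ periodics:
 -v 2 \
 --up --down \
 --cloud-provider=aws \
---create-args="--image='137112412989/amzn2-ami-kernel-5.10-hvm-2.0.20241014.0-x86_64-gp2' --channel=alpha --networking=cilium --discovery-store=s3://k8s-kops-prow/discovery" \
+--create-args="--image='137112412989/amzn2-ami-kernel-5.10-hvm-2.0.20241031.0-x86_64-gp2' --channel=alpha --networking=cilium --discovery-store=s3://k8s-kops-prow/discovery" \
 --kops-version-marker=https://storage.googleapis.com/k8s-staging-kops/kops/releases/markers/master/latest-ci-updown-green.txt \
 --kubernetes-version=https://dl.k8s.io/release/stable.txt \
 --test=kops \
@@ -672,7 +672,7 @@ periodics:
 -v 2 \
 --up --down \
 --cloud-provider=aws \
---create-args="--image='137112412989/al2023-ami-2023.6.20241010.0-kernel-6.1-x86_64' --channel=alpha --networking=cilium --discovery-store=s3://k8s-kops-prow/discovery" \
+--create-args="--image='137112412989/al2023-ami-2023.6.20241031.0-kernel-6.1-x86_64' --channel=alpha --networking=cilium --discovery-store=s3://k8s-kops-prow/discovery" \
 --kops-version-marker=https://storage.googleapis.com/k8s-staging-kops/kops/releases/markers/master/latest-ci-updown-green.txt \
 --kubernetes-version=https://dl.k8s.io/release/stable.txt \
 --test=kops \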