Sok3t/descheduler
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/descheduler.git synced 2026-01-28 06:29:29 +01:00
Code Packages Releases Activity

feat(test/e2e): introduce new flags to override RunAsUser and RunAsGroup security context setting

Browse Source 
So RunAsUser and RunAsGroup can be either omitted and set to different values
This commit is contained in:
Jan Chaloupka
2025-09-16 14:17:26 +02:00
parent f8c8d9a385
commit fa9fa70ed7
2 changed files with 49 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
test/e2e/e2e_test.go
View File

@@ -19,6 +19,7 @@ package e2e
import ( import (
"bufio" "bufio"
"context" "context"
"flag"
"fmt" "fmt"
"math" "math"
"os" "os"
@@ -66,6 +67,23 @@ import (
"sigs.k8s.io/descheduler/pkg/utils" "sigs.k8s.io/descheduler/pkg/utils"
) )
var (
deschedulerImage = flag.String("descheduler-image", "", "descheduler image to set in the pod spec")
podRunAsUserId = flag.Int64("pod-run-as-user-id", 0, ".spec.securityContext.runAsUser setting, not set if 0")
podRunAsGroupId = flag.Int64("pod-run-as-group-id", 0, ".spec.securityContext.runAsGroup setting, not set if 0")
)
func TestMain(m *testing.M) {
flag.Parse()
if *deschedulerImage == "" {
klog.Errorf("--descheduler-image is unset")
os.Exit(1)
}
os.Exit(m.Run())
}
func isClientRateLimiterError(err error) bool { func isClientRateLimiterError(err error) bool {
return strings.Contains(err.Error(), "client rate limiter") return strings.Contains(err.Error(), "client rate limiter")
} }
@@ -96,7 +114,7 @@ func deschedulerPolicyConfigMap(policy *deschedulerapiv1alpha2.DeschedulerPolicy
} }
func deschedulerDeployment(testName string) *appsv1.Deployment { func deschedulerDeployment(testName string) *appsv1.Deployment {
return &appsv1.Deployment{ deploymentObject := &appsv1.Deployment{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "descheduler", Name: "descheduler",
Namespace: "kube-system", Namespace: "kube-system",
@@ -116,8 +134,6 @@ func deschedulerDeployment(testName string) *appsv1.Deployment {
ServiceAccountName: "descheduler-sa", ServiceAccountName: "descheduler-sa",
SecurityContext: &v1.PodSecurityContext{ SecurityContext: &v1.PodSecurityContext{
RunAsNonRoot: utilptr.To(true), RunAsNonRoot: utilptr.To(true),
RunAsUser: utilptr.To[int64](1000),
RunAsGroup: utilptr.To[int64](1000),
SeccompProfile: &v1.SeccompProfile{ SeccompProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeRuntimeDefault, Type: v1.SeccompProfileTypeRuntimeDefault,
}, },
@@ -125,7 +141,7 @@ func deschedulerDeployment(testName string) *appsv1.Deployment {
Containers: []v1.Container{ Containers: []v1.Container{
{ {
Name: "descheduler", Name: "descheduler",
Image: os.Getenv("DESCHEDULER_IMAGE"), Image: *deschedulerImage,
ImagePullPolicy: "IfNotPresent", ImagePullPolicy: "IfNotPresent",
Command: []string{"/bin/descheduler"}, Command: []string{"/bin/descheduler"},
Args: []string{"--policy-config-file", "/policy-dir/policy.yaml", "--descheduling-interval", "100m", "--v", "4"}, Args: []string{"--policy-config-file", "/policy-dir/policy.yaml", "--descheduling-interval", "100m", "--v", "4"},
@@ -183,6 +199,14 @@ func deschedulerDeployment(testName string) *appsv1.Deployment {
}, },
}, },
} }
if *podRunAsUserId != 0 {
deploymentObject.Spec.Template.Spec.SecurityContext.RunAsUser = podRunAsUserId
}
if *podRunAsGroupId != 0 {
deploymentObject.Spec.Template.Spec.SecurityContext.RunAsGroup = podRunAsGroupId
}
return deploymentObject
} }
func printPodLogs(ctx context.Context, t *testing.T, kubeClient clientset.Interface, podName string) { func printPodLogs(ctx context.Context, t *testing.T, kubeClient clientset.Interface, podName string) {
@@ -203,15 +227,6 @@ func printPodLogs(ctx context.Context, t *testing.T, kubeClient clientset.Interf
} }
} }
func TestMain(m *testing.M) {
if os.Getenv("DESCHEDULER_IMAGE") == "" {
klog.Errorf("DESCHEDULER_IMAGE env is not set")
os.Exit(1)
}
os.Exit(m.Run())
}
func initPluginRegistry() { func initPluginRegistry() {
pluginregistry.PluginRegistry = pluginregistry.NewRegistry() pluginregistry.PluginRegistry = pluginregistry.NewRegistry()
pluginregistry.Register(defaultevictor.PluginName, defaultevictor.New, &defaultevictor.DefaultEvictor{}, &defaultevictor.DefaultEvictorArgs{}, defaultevictor.ValidateDefaultEvictorArgs, defaultevictor.SetDefaults_DefaultEvictorArgs, pluginregistry.PluginRegistry) pluginregistry.Register(defaultevictor.PluginName, defaultevictor.New, &defaultevictor.DefaultEvictor{}, &defaultevictor.DefaultEvictorArgs{}, defaultevictor.ValidateDefaultEvictorArgs, defaultevictor.SetDefaults_DefaultEvictorArgs, pluginregistry.PluginRegistry)
@@ -315,11 +330,9 @@ func buildTestDeployment(name, namespace string, replicas int32, testLabel map[s
} }
func makePodSpec(priorityClassName string, gracePeriod *int64) v1.PodSpec { func makePodSpec(priorityClassName string, gracePeriod *int64) v1.PodSpec {
return v1.PodSpec{ podSpec := v1.PodSpec{
SecurityContext: &v1.PodSecurityContext{ SecurityContext: &v1.PodSecurityContext{
RunAsNonRoot: utilptr.To(true), RunAsNonRoot: utilptr.To(true),
RunAsUser: utilptr.To[int64](1000),
RunAsGroup: utilptr.To[int64](1000),
SeccompProfile: &v1.SeccompProfile{ SeccompProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeRuntimeDefault, Type: v1.SeccompProfileTypeRuntimeDefault,
}, },
@@ -351,6 +364,13 @@ func makePodSpec(priorityClassName string, gracePeriod *int64) v1.PodSpec {
PriorityClassName: priorityClassName, PriorityClassName: priorityClassName,
TerminationGracePeriodSeconds: gracePeriod, TerminationGracePeriodSeconds: gracePeriod,
} }
if *podRunAsUserId != 0 {
podSpec.SecurityContext.RunAsUser = podRunAsUserId
}
if *podRunAsGroupId != 0 {
podSpec.SecurityContext.RunAsGroup = podRunAsGroupId
}
return podSpec
} }
func initializeClient(ctx context.Context, t *testing.T) (clientset.Interface, informers.SharedInformerFactory, listersv1.NodeLister, podutil.GetPodsAssignedToNodeFunc) { func initializeClient(ctx context.Context, t *testing.T) (clientset.Interface, informers.SharedInformerFactory, listersv1.NodeLister, podutil.GetPodsAssignedToNodeFunc) {
@@ -527,8 +547,6 @@ func TestLowNodeUtilization(t *testing.T) {
Spec: v1.PodSpec{ Spec: v1.PodSpec{
SecurityContext: &v1.PodSecurityContext{ SecurityContext: &v1.PodSecurityContext{
RunAsNonRoot: utilptr.To(true), RunAsNonRoot: utilptr.To(true),
RunAsUser: utilptr.To[int64](1000),
RunAsGroup: utilptr.To[int64](1000),
SeccompProfile: &v1.SeccompProfile{ SeccompProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeRuntimeDefault, Type: v1.SeccompProfileTypeRuntimeDefault,
}, },
@@ -562,6 +580,12 @@ func TestLowNodeUtilization(t *testing.T) {
}, },
}, },
} }
if *podRunAsUserId != 0 {
pod.Spec.SecurityContext.RunAsUser = podRunAsUserId
}
if *podRunAsGroupId != 0 {
pod.Spec.SecurityContext.RunAsGroup = podRunAsGroupId
}
t.Logf("Creating pod %v in %v namespace for node %v", pod.Name, pod.Namespace, workerNodes[0].Name) t.Logf("Creating pod %v in %v namespace for node %v", pod.Name, pod.Namespace, workerNodes[0].Name)
_, err := clientSet.CoreV1().Pods(pod.Namespace).Create(ctx, pod, metav1.CreateOptions{}) _, err := clientSet.CoreV1().Pods(pod.Namespace).Create(ctx, pod, metav1.CreateOptions{})
@@ -1610,8 +1634,6 @@ func createBalancedPodForNodes(
Spec: v1.PodSpec{ Spec: v1.PodSpec{
SecurityContext: &v1.PodSecurityContext{ SecurityContext: &v1.PodSecurityContext{
RunAsNonRoot: utilptr.To(true), RunAsNonRoot: utilptr.To(true),
RunAsUser: utilptr.To[int64](1000),
RunAsGroup: utilptr.To[int64](1000),
SeccompProfile: &v1.SeccompProfile{ SeccompProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeRuntimeDefault, Type: v1.SeccompProfileTypeRuntimeDefault,
}, },
@@ -1643,6 +1665,12 @@ func createBalancedPodForNodes(
TerminationGracePeriodSeconds: &gracePeriod, TerminationGracePeriodSeconds: &gracePeriod,
}, },
} }
if *podRunAsUserId != 0 {
pod.Spec.SecurityContext.RunAsUser = podRunAsUserId
}
if *podRunAsGroupId != 0 {
pod.Spec.SecurityContext.RunAsGroup = podRunAsGroupId
}
t.Logf("Creating pod %v in %v namespace for node %v", pod.Name, pod.Namespace, node.Name) t.Logf("Creating pod %v in %v namespace for node %v", pod.Name, pod.Namespace, node.Name)
_, err := cs.CoreV1().Pods(pod.Namespace).Create(ctx, pod, metav1.CreateOptions{}) _, err := cs.CoreV1().Pods(pod.Namespace).Create(ctx, pod, metav1.CreateOptions{})

2
test/run-e2e-tests.sh
View File

@@ -105,4 +105,4 @@ kubectl patch -n kube-system deployment metrics-server --type=json \
-p '[{"op":"add","path":"/spec/template/spec/containers/0/args/-","value":"--kubelet-insecure-tls"}]' -p '[{"op":"add","path":"/spec/template/spec/containers/0/args/-","value":"--kubelet-insecure-tls"}]'
PRJ_PREFIX="sigs.k8s.io/descheduler" PRJ_PREFIX="sigs.k8s.io/descheduler"
go test ${PRJ_PREFIX}/test/e2e/ -v -timeout 0 go test ${PRJ_PREFIX}/test/e2e/ -v -timeout 0 --args --descheduler-image ${DESCHEDULER_IMAGE} --pod-run-as-user-id 1000 --pod-run-as-group-id 1000