e2e: disable pod security checks

pohly · pohly · commit 72af34931505 · 2022-09-14T09:33:49.000+02:00
The pods that we deploy inside the test namespaces need privileges.
diff --git a/go.mod b/go.mod
@@ -32,6 +32,7 @@ require (
 	k8s.io/kube-scheduler v0.25.0
 	k8s.io/kubectl v1.25.0
 	k8s.io/kubernetes v1.25.0
+	k8s.io/pod-security-admission v0.0.0
 	k8s.io/utils v0.0.0-20220812165043-ad590609e2e5
 	sigs.k8s.io/controller-runtime v0.12.3
 	sigs.k8s.io/sig-storage-lib-external-provisioner/v6 v6.2.0
@@ -111,7 +112,6 @@ require (
 	k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
 	k8s.io/kubelet v0.0.0 // indirect
 	k8s.io/mount-utils v0.0.0 // indirect
-	k8s.io/pod-security-admission v0.0.0 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.32 // indirect
 	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
diff --git a/test/e2e/storage/conversion.go b/test/e2e/storage/conversion.go
@@ -31,6 +31,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+	admissionapi "k8s.io/pod-security-admission/api"
 
 	api "github.com/intel/pmem-csi/pkg/apis/pmemcsi/v1beta1"
 	"github.com/intel/pmem-csi/test/e2e/deploy"
@@ -48,6 +49,9 @@ var _ = deploy.DescribeForSome("raw-conversion", func(d *deploy.Deployment) bool
 }, func(d *deploy.Deployment) {
 	f := framework.NewDefaultFramework("conversion")
 
+	// Several pods needs privileges.
+	f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
+
 	It("works", func() {
 		testRawNamespaceConversion(f, d.DriverName, d.Namespace)
 	})
diff --git a/test/e2e/storage/dax/dax.go b/test/e2e/storage/dax/dax.go
@@ -31,6 +31,7 @@ import (
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	"k8s.io/kubernetes/test/e2e/framework/volume"
 	storageframework "k8s.io/kubernetes/test/e2e/storage/framework"
+	admissionapi "k8s.io/pod-security-admission/api"
 
 	api "github.com/intel/pmem-csi/pkg/apis/pmemcsi/v1beta1"
 	"github.com/intel/pmem-csi/test/e2e/deploy"
@@ -92,6 +93,9 @@ func (p *daxTestSuite) DefineTests(driver storageframework.TestDriver, pattern s
 
 	f := framework.NewDefaultFramework("dax")
 
+	// Several pods needs privileges.
+	f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
+
 	init := func() {
 		l = local{}
 
@@ -525,6 +529,10 @@ var _ = deploy.DescribeForSome("dax", func(d *deploy.Deployment) bool {
 }, func(d *deploy.Deployment) {
 	var l local
 	f := framework.NewDefaultFramework("dax")
+
+	// Several pods needs privileges.
+	f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
+
 	init := func() {
 		l = local{}
 
diff --git a/test/e2e/storage/pmem_csi.go b/test/e2e/storage/pmem_csi.go
@@ -19,6 +19,7 @@ import (
 	k8stypes "k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/test/e2e/framework"
 	storageframework "k8s.io/kubernetes/test/e2e/storage/framework"
+	admissionapi "k8s.io/pod-security-admission/api"
 	runtime "sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/intel/pmem-csi/pkg/k8sutil"
@@ -52,6 +53,9 @@ var _ = deploy.DescribeForAll("Deployment", func(d *deploy.Deployment) {
 var _ = deploy.DescribeForAll("Deployment", func(d *deploy.Deployment) {
 	f := framework.NewDefaultFramework("pmem-csi")
 
+	// Several pods needs privileges.
+	f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
+
 	DefineLateBindingTests(d, f)
 	DefineImmediateBindingTests(d, f)
 	DefineKataTests(d)
diff --git a/test/e2e/tls/tls.go b/test/e2e/tls/tls.go
@@ -19,6 +19,7 @@ import (
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	"k8s.io/kubernetes/test/e2e/framework/skipper"
+	admissionapi "k8s.io/pod-security-admission/api"
 
 	"github.com/intel/pmem-csi/test/e2e/deploy"
 	pmempod "github.com/intel/pmem-csi/test/e2e/pod"
@@ -31,6 +32,9 @@ import (
 var _ = deploy.DescribeForAll("TLS", func(d *deploy.Deployment) {
 	f := framework.NewDefaultFramework("tls")
 
+	// Several pods needs privileges.
+	f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
+
 	// All of the following pod names, namespaces and ports match
 	// those in the current deployment files.
 
diff --git a/test/e2e/versionskew/versionskew.go b/test/e2e/versionskew/versionskew.go
@@ -15,20 +15,21 @@ import (
 	"fmt"
 	"strconv"
 
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/kubernetes/test/e2e/framework"
+	e2edeployment "k8s.io/kubernetes/test/e2e/framework/deployment"
 	"k8s.io/kubernetes/test/e2e/framework/skipper"
+	e2evolume "k8s.io/kubernetes/test/e2e/framework/volume"
 	storageframework "k8s.io/kubernetes/test/e2e/storage/framework"
+	admissionapi "k8s.io/pod-security-admission/api"
 
 	"github.com/intel/pmem-csi/pkg/k8sutil"
 	"github.com/intel/pmem-csi/pkg/version"
 	"github.com/intel/pmem-csi/test/e2e/deploy"
 	"github.com/intel/pmem-csi/test/e2e/driver"
 	"github.com/intel/pmem-csi/test/e2e/storage/dax"
-	v1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	utilerrors "k8s.io/apimachinery/pkg/util/errors"
-	e2edeployment "k8s.io/kubernetes/test/e2e/framework/deployment"
-	e2evolume "k8s.io/kubernetes/test/e2e/framework/volume"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@@ -155,6 +156,9 @@ func (p *skewTestSuite) DefineTests(driver storageframework.TestDriver, pattern
 
 	f := framework.NewDefaultFramework("skew")
 
+	// Several pods needs privileges.
+	f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
+
 	// We rely here on the driver being named after a deployment
 	// (see csi_volumes.go).
 	d := deploy.MustParse(driver.GetDriverInfo().Name)
