@@ -48,15 +48,32 @@ var _ = Describe("Managed Cluster Validating Webhooks", Ordered, func() {
4848 testNamespace * v1.Namespace
4949 )
5050 const (
51- namespaceName = "openshift-validation-webhook"
52- serviceName = "validation-webhook"
53- daemonsetName = "validation-webhook"
54- configMapName = "webhook-cert"
55- secretName = "webhook-cert"
56- saName = "webhook-sa"
57- testNsName = "osde2e-temp-ns"
51+ namespaceName = "openshift-validation-webhook"
52+ serviceName = "validation-webhook"
53+ daemonsetName = "validation-webhook"
54+ configMapName = "webhook-cert"
55+ secretName = "webhook-cert"
56+ testNsName = "osde2e-temp-ns"
57+ privilegedNamespace = "openshift-backplane"
58+ unprivilegedNamespace = "openshift-logging"
5859 )
5960
61+ createNS := func (ns string ) {
62+ testNamespace = & v1.Namespace {ObjectMeta : metav1.ObjectMeta {Name : ns }}
63+ err := client .Create (context .TODO (), testNamespace )
64+ By ("checking the custom namespace exists" )
65+ err = wait .For (conditions .New (client .Resources ).ResourceMatch (testNamespace , func (object k8s.Object ) bool {
66+ return true
67+ }))
68+ Expect (err ).ShouldNot (HaveOccurred (), "Unable to create test namespace" )
69+ }
70+
71+ deleteNS := func (ns * v1.Namespace ) {
72+ err := client .Delete (context .TODO (), ns )
73+ err = wait .For (conditions .New (client .Resources ).ResourceDeleted (ns ))
74+ Expect (err ).ShouldNot (HaveOccurred (), "Unable to delete test namespace" )
75+ }
76+
6077 BeforeAll (func () {
6178 log .SetLogger (GinkgoLogr )
6279 var err error
@@ -106,7 +123,7 @@ var _ = Describe("Managed Cluster Validating Webhooks", Ordered, func() {
106123 Expect (err ).ToNot (HaveOccurred ())
107124 })
108125
109- It ("should create a pod with the correct security context" , func () {
126+ It ("should create a pod with the correct security context" , func (ctx context. Context ) {
110127 pod := & v1.Pod {
111128 ObjectMeta : metav1.ObjectMeta {
112129 Name : "testpod" ,
@@ -132,27 +149,25 @@ var _ = Describe("Managed Cluster Validating Webhooks", Ordered, func() {
132149 },
133150 }
134151
135- err := client .Create (context .TODO (), pod )
152+ err := client .Create (ctx , pod )
153+ Expect (err ).NotTo (HaveOccurred ())
154+ err = client .Delete (ctx , pod )
136155 Expect (err ).NotTo (HaveOccurred ())
137156 })
138157
139158 Describe ("sre-pod-validation" , Ordered , func () {
140159 const (
141- privilegedNamespace = "openshift-backplane"
142- unprivilegedNamespace = "openshift-logging"
143-
144160 deletePodWaitDuration = 5 * time .Minute
145161 createPodWaitDuration = 1 * time .Minute
146162 )
147163
148164 var pod * v1.Pod
149165
150166 BeforeAll (func () {
151- name := envconf .RandomName ("testpod" , 12 )
152167 pod = & v1.Pod {
153168 ObjectMeta : metav1.ObjectMeta {
154- Name : name ,
155- Namespace : testNsName ,
169+ Name : envconf . RandomName ( "testpod" , 12 ) ,
170+ Namespace : privilegedNamespace ,
156171 },
157172 Spec : v1.PodSpec {
158173 Containers : []v1.Container {
@@ -201,42 +216,31 @@ var _ = Describe("Managed Cluster Validating Webhooks", Ordered, func() {
201216 }
202217 })
203218
204- withNamespace := func (pod * v1.Pod , namespace string ) * v1.Pod {
205- pod .SetNamespace (namespace )
206- return pod
207- }
208-
209219 It ("blocks pods scheduled onto master/infra nodes" , func (ctx context.Context ) {
210- err := dedicatedAdmink8s .Create (ctx , withNamespace ( pod , privilegedNamespace ) )
220+ err := dedicatedAdmink8s .Create (ctx , pod )
211221 Expect (errors .IsForbidden (err )).To (BeTrue ())
212222
213- err = userk8s .Create (ctx , withNamespace ( pod , privilegedNamespace ) )
223+ err = userk8s .Create (ctx , pod )
214224 Expect (errors .IsForbidden (err )).To (BeTrue ())
215225
216- err = userk8s .Create (ctx , withNamespace (pod , unprivilegedNamespace ))
226+ pod .SetNamespace (unprivilegedNamespace )
227+ err = userk8s .Create (ctx , pod )
217228 Expect (errors .IsForbidden (err )).To (BeTrue ())
229+ pod .SetNamespace (privilegedNamespace )
218230 }, SpecTimeout (createPodWaitDuration .Seconds ()+ deletePodWaitDuration .Seconds ()))
219231
220232 It ("allows cluster-admin to schedule pods onto master/infra nodes" , func (ctx context.Context ) {
221- sa := & v1.ServiceAccount {}
222-
223- err := client .Get (ctx , saName , namespaceName , sa )
224-
225- if err == nil {
226- err = client .Delete (ctx , sa )
227- Expect (err ).ToNot (HaveOccurred (), "Failed to delete existing Service Account" )
228- }
229-
230- sa = & v1.ServiceAccount {
233+ sa := & v1.ServiceAccount {
231234 ObjectMeta : metav1.ObjectMeta {
232- Name : saName ,
235+ Name : "webhook-sa" ,
233236 Namespace : namespaceName ,
234237 },
235238 }
236- err = client .Create (ctx , sa )
239+ err : =client .Create (ctx , sa )
237240 Expect (err ).ShouldNot (HaveOccurred (), "Unable to create service account" )
241+ err = client .Delete (ctx , sa )
242+ Expect (err ).ShouldNot (HaveOccurred (), "Unable to delete service account" )
238243
239- pod = withNamespace (pod , privilegedNamespace )
240244 err = client .Create (ctx , pod )
241245 Expect (err ).NotTo (HaveOccurred ())
242246 err = client .Delete (ctx , pod )
@@ -320,9 +324,11 @@ var _ = Describe("Managed Cluster Validating Webhooks", Ordered, func() {
320324 )
321325
322326 BeforeAll (func (ctx context.Context ) {
323- testNamespace = & v1.Namespace {ObjectMeta : metav1.ObjectMeta {Name : testNsName }}
324- err := client .Create (ctx , testNamespace )
325- Expect (err ).ShouldNot (HaveOccurred (), "Unable to create test namespace" )
327+ createNS (testNsName )
328+ })
329+
330+ AfterAll (func (ctx context.Context ) {
331+ deleteNS (testNamespace )
326332 })
327333
328334 It ("only blocks configmap/user-ca-bundle changes" , func (ctx context.Context ) {
@@ -521,7 +527,7 @@ var _ = Describe("Managed Cluster Validating Webhooks", Ordered, func() {
521527 Expect (err ).NotTo (HaveOccurred ())
522528 }
523529
524- updateNamespace := func (ctx context.Context , name string , user string , groups ... string ) error {
530+ updateNamespace := func (ctx context.Context , name , user string , groups ... string ) error {
525531 userk8s , err := client .Impersonate (user , groups ... )
526532 if err != nil {
527533 return err
@@ -585,9 +591,6 @@ var _ = Describe("Managed Cluster Validating Webhooks", Ordered, func() {
585591 })
586592
587593 Describe ("sre-prometheusrule-validation" , func () {
588- const privilegedNamespace = "openshift-backplane"
589- const unprivilegedNamespace = "openshift-logging"
590-
591594 newPrometheusRule := func (namespace string ) * monitoringv1.PrometheusRule {
592595 return & monitoringv1.PrometheusRule {
593596 ObjectMeta : metav1.ObjectMeta {Name : "prometheus-example-app" , Namespace : namespace },
@@ -613,10 +616,11 @@ var _ = Describe("Managed Cluster Validating Webhooks", Ordered, func() {
613616 rule := newPrometheusRule (privilegedNamespace )
614617 err = client .Delete (ctx , rule )
615618 Expect (err == nil || errors .IsNotFound (err )).To (BeTrue (), "Failed to ensure PrometheusRule deletion" )
619+ createNS (testNsName )
616620 })
617621
618622 AfterAll (func (ctx context.Context ) {
619- client . Delete ( ctx , testNamespace )
623+ deleteNS ( testNamespace )
620624 })
621625
622626 DescribeTable (
@@ -650,7 +654,7 @@ var _ = Describe("Managed Cluster Validating Webhooks", Ordered, func() {
650654 })
651655
652656 It ("allows non-privileged users to manage PrometheusRules in non-privileged namespaces" , func (ctx context.Context ) {
653- rule := newPrometheusRule ("osde2e-temp-ns" )
657+ rule := newPrometheusRule (testNsName )
654658
655659 err := dedicatedAdmink8s .Create (ctx , rule )
656660 Expect (err ).NotTo (HaveOccurred ())
![openshift-merge-bot[bot]](https://avatars.githubusercontent.com/in/412865?v=4&size=40){kind=avatar}
0 commit comments