Skip tests modifying cluster/network.config when it is not permitted

kyrtapz · kyrtapz · commit a655bd445567 · 2025-05-27T19:33:44.000+02:00
In HyperShift a ValidatingAdmissionPolicy blocks the tests from modifying cluster config resources. Skip the tests that modify cluster/network.config.openshift.io if the admin client is not allowed to do so. Note that the ValidatingAdmissionPolicy failures return an Invalid(422) and not Forbidden(403) error: ``` I0527 19:02:21.445832 2048333 request.go:1154] Request Body: {"spec":{"networkType": ""}} I0527 19:02:21.445873 2048333 round_trippers.go:463] PATCH https://api.wveww-wjddj-6em.auu6.p3.openshiftapps.com:443/apis/config.openshift.io/v1/networks/cluster?dryRun=All&fieldManager=kubectl-patch I0527 19:02:21.445878 2048333 round_trippers.go:469] Request Headers: I0527 19:02:21.445886 2048333 round_trippers.go:473] Accept: application/json I0527 19:02:21.445892 2048333 round_trippers.go:473] Content-Type: application/merge-patch+json I0527 19:02:21.445897 2048333 round_trippers.go:473] User-Agent: oc/v4.2.0 (linux/amd64) kubernetes/5559085 I0527 19:02:21.445902 2048333 round_trippers.go:473] Authorization: Bearer <masked> I0527 19:02:21.577807 2048333 round_trippers.go:574] Response Status: 422 Unprocessable Entity in 131 milliseconds I0527 19:02:21.577830 2048333 round_trippers.go:577] Response Headers: I0527 19:02:21.577836 2048333 round_trippers.go:580] Cache-Control: no-cache, private I0527 19:02:21.577841 2048333 round_trippers.go:580] Content-Type: application/json I0527 19:02:21.577847 2048333 round_trippers.go:580] Strict-Transport-Security: max-age=31536000; includeSubDomains; preload I0527 19:02:21.577852 2048333 round_trippers.go:580] X-Kubernetes-Pf-Flowschema-Uid: 6e3b2d16-aa1b-42a1-bf05-eb06efacf90c I0527 19:02:21.577857 2048333 round_trippers.go:580] X-Kubernetes-Pf-Prioritylevel-Uid: 488a1e74-530c-4ca1-8d71-31360b7f84da I0527 19:02:21.577863 2048333 round_trippers.go:580] Content-Length: 702 I0527 19:02:21.577868 2048333 round_trippers.go:580] Date: Tue, 27 May 2025 17:02:21 GMT I0527 19:02:21.577874 2048333 round_trippers.go:580] Audit-Id: 0a1efc9d-4405-4c9a-bc6f-8563fd714f77 I0527 19:02:21.577903 2048333 request.go:1154] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"networks.config.openshift.io \"cluster\" is forbidden: ValidatingAdmissionPolicy 'config' with binding 'config-binding' denied request: This resource cannot be created, updated, or deleted. Please ask your administrator to modify the resource in the HostedCluster object.","reason":"Invalid","details":{"name":"cluster","group":"config.openshift.io","kind":"networks","causes":[{"message":"ValidatingAdmissionPolicy 'config' with binding 'config-binding' denied request: This resource cannot be created, updated, or deleted. Please ask your administrator to modify the resource in the HostedCluster object."}]},"code":422} The networks "cluster" is invalid: : ValidatingAdmissionPolicy 'config' with binding 'config-binding' denied request: This resource cannot be created, updated, or deleted. Please ask your administrator to modify the resource in the HostedCluster object. ``` Signed-off-by: Patryk Diak <pdiak@redhat.com>
diff --git a/test/extended/networking/network_diagnostics.go b/test/extended/networking/network_diagnostics.go
@@ -16,6 +16,7 @@ import (
 	"k8s.io/kubernetes/test/e2e/framework"
 
 	exutil "github.com/openshift/origin/test/extended/util"
+	"k8s.io/kubernetes/test/e2e/framework/skipper"
 )
 
 const (
@@ -31,9 +32,16 @@ var _ = g.Describe("[sig-network][OCPFeatureGate:NetworkDiagnosticsConfig][Seria
 	oc := exutil.NewCLIWithoutNamespace("network-diagnostics")
 
 	g.BeforeAll(func(ctx context.Context) {
+		// Check if the test can write to cluster/network.config.openshift.io
+		hasAccess, err := hasNetworkConfigWriteAccess(oc)
+		o.Expect(err).NotTo(o.HaveOccurred())
+		if !hasAccess {
+			skipper.Skipf("The test is not permitted to modify the cluster/network.config.openshift.io resource")
+		}
+
 		// Reset and take ownership of the network diagnostics config
 		patch := []byte(`{"spec":{"networkDiagnostics":null}}`)
-		_, err := oc.AdminConfigClient().ConfigV1().Networks().Patch(ctx, clusterConfig, types.MergePatchType, patch, metav1.PatchOptions{FieldManager: fieldManager})
+		_, err = oc.AdminConfigClient().ConfigV1().Networks().Patch(ctx, clusterConfig, types.MergePatchType, patch, metav1.PatchOptions{FieldManager: fieldManager})
 		o.Expect(err).NotTo(o.HaveOccurred())
 	})
 
diff --git a/test/extended/networking/services.go b/test/extended/networking/services.go
@@ -15,6 +15,7 @@ import (
 	admissionapi "k8s.io/pod-security-admission/api"
 
 	exutil "github.com/openshift/origin/test/extended/util"
+	"k8s.io/kubernetes/test/e2e/framework/skipper"
 )
 
 var _ = Describe("[sig-network] services", func() {
@@ -89,6 +90,13 @@ var _ = Describe("[sig-network] services", func() {
 
 	InIPv4ClusterContext(oc, func() {
 		It("ensures external ip policy is configured correctly on the cluster [apigroup:config.openshift.io] [Serial]", func() {
+			// Check if the test can write to cluster/network.config.openshift.io
+			hasAccess, err := hasNetworkConfigWriteAccess(oc)
+			Expect(err).NotTo(HaveOccurred())
+			if !hasAccess {
+				skipper.Skipf("The test is not permitted to modify the cluster/network.config.openshift.io resource")
+			}
+
 			namespace := oc.Namespace()
 			adminConfigClient := oc.AdminConfigClient()
 			k8sClient := oc.KubeClient()
@@ -97,7 +105,7 @@ var _ = Describe("[sig-network] services", func() {
 			By("create service of type load balancer with default cluster networks config")
 			serviceName := names.SimpleNameGenerator.GenerateName("svc-without-ext-ip")
 			By("check load balance service creation fails")
-			err := createWebserverLBService(k8sClient, namespace, serviceName, "", []string{"192.168.132.10"}, nil)
+			err = createWebserverLBService(k8sClient, namespace, serviceName, "", []string{"192.168.132.10"}, nil)
 			Expect(kapierrs.IsForbidden(err)).Should(Equal(true))
 
 			// Test external ip policy configured with allowedCIDRs. Make sure service
@@ -166,6 +174,13 @@ var _ = Describe("[sig-network] services", func() {
 
 	InBareMetalIPv4ClusterContext(oc, func() {
 		It("ensures external auto assign cidr is configured correctly on the cluster [apigroup:config.openshift.io] [Serial]", func() {
+			// Check if the test can write to cluster/network.config.openshift.io
+			hasAccess, err := hasNetworkConfigWriteAccess(oc)
+			Expect(err).NotTo(HaveOccurred())
+			if !hasAccess {
+				skipper.Skipf("The test is not permitted to modify the cluster/network.config.openshift.io resource")
+			}
+
 			namespace := oc.Namespace()
 			adminConfigClient := oc.AdminConfigClient()
 			k8sClient := oc.KubeClient()
@@ -175,7 +190,7 @@ var _ = Describe("[sig-network] services", func() {
 			By("create service of type load balancer with default cluster networks config")
 			serviceName := names.SimpleNameGenerator.GenerateName("svc-without-ext-ip-3")
 			By("check load balance service creation fails")
-			err := createWebserverLBService(k8sClient, namespace, serviceName, "", []string{"192.168.132.10"}, nil)
+			err = createWebserverLBService(k8sClient, namespace, serviceName, "", []string{"192.168.132.10"}, nil)
 			Expect(kapierrs.IsForbidden(err)).Should(Equal(true))
 
 			// Test external ip policy configured with both policy and auto assign cidr. Make sure service
diff --git a/test/extended/networking/util.go b/test/extended/networking/util.go
@@ -29,6 +29,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/storage/names"
@@ -976,3 +977,21 @@ func getMachineConfigPoolByLabel(oc *exutil.CLI, mcSelectorLabel labels.Set) ([]
 	}
 	return pools, nil
 }
+
+// hasNetworkConfigWriteAccess determines if the admin client can patch the cluster/network.config.openshift.io object
+// by patching the resource in a dry-run mode(no changes are persisted).
+func hasNetworkConfigWriteAccess(oc *exutil.CLI) (bool, error) {
+	_, err := oc.AdminConfigClient().ConfigV1().Networks().Patch(context.TODO(),
+		clusterConfig,
+		types.MergePatchType,
+		[]byte(`{"spec":{"networkType": ""}}`),
+		metav1.PatchOptions{FieldManager: oc.Namespace(), DryRun: []string{metav1.DryRunAll}})
+
+	if err != nil {
+		if kapierrs.IsInvalid(err) || kapierrs.IsForbidden(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	return true, nil
+}
