Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix functional test that checks if tenant PVC cannot access unlabeled infra PVCs #125

Merged
merged 1 commit into from
Jan 28, 2025
Merged

Fix functional test that checks if tenant PVC cannot access unlabeled infra PVCs #125

merged 1 commit into from
Jan 28, 2025

Conversation

awels
Copy link
Member

@awels awels commented Jan 16, 2025

What this PR does / why we need it:
This test creates a PVC in the infra cluster manually and then tries to access it from a tenant cluster by crafting a special PVC that references the infra PVC.

Since the labels will not match the PVC should not be accessible. After wards one will not be able to delete the tenant PV because there is no matching PVC in the infra cluster.

This removes the check that the tenant PV can be deleted.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Release note:

NONE

@kubevirt-bot kubevirt-bot added the release-note-none Denotes a PR that doesn't merit a release note. label Jan 16, 2025
@kubevirt-bot kubevirt-bot requested a review from aglitke January 16, 2025 15:05
@kubevirt-bot kubevirt-bot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label Jan 16, 2025
@kubevirt-bot kubevirt-bot requested a review from mhenriks January 16, 2025 15:05
@awels
Fix functional test that checks if tenant PVC cannot access unlabeled…
9eb053a 
… infra PVCs

This test creates a PVC in the infra cluster manually
and then tries to access it from a tenant cluster by
crafting a special PVC that references the infra PVC.

Since the labels will not match the PVC should not be
accessible. After wards one will not be able to delete
the tenant PV because there is no matching PVC in the
infra cluster.

This removes the check that the tenant PV can be deleted.

Signed-off-by: Alexander Wels <[email protected]>
@awels awels force-pushed the fix_functional_test branch from d9e6cc9 to 9eb053a Compare January 16, 2025 20:09
@akalenyu
Copy link
Contributor

Since the labels will not match the PVC should not be accessible

This was the key part for me.
That CVE test is negative, so the pod that mounts this volume is going to fail (and that is asserted).

What still feels off to me is that I don't understand why this started failing just now.
Unless, some of the commits went in without CI? CSI Sidecar bumps that contain changes in behavior?
Maybe this commit? 906c86e

Sorry for being a pain I am hesitant to give out an lgtm here without having rock solid understanding of what it is that made it start failing now when it should have in fact failed when the test was introduced

@awels
Copy link
Member Author

awels commented Jan 21, 2025

Yeah I honestly don't know either, that commit did add the code so it is likely that is culprit. But it passed CI without issues.

@akalenyu
Copy link
Contributor

akalenyu commented Jan 21, 2025
edited
Loading

Yeah I honestly don't know either, that commit did add the code so it is likely that is culprit. But it passed CI without issues.

How come the PV is even around if we're using PersistentVolumeReclaimDelete?

csi-driver/e2e/create-pvc_test.go

Line 572 in 35836e0

PersistentVolumeReclaimPolicy: k8sv1.PersistentVolumeReclaimDelete,
https://kubernetes.io/docs/concepts/storage/persistent-volumes/#delete

@akalenyu
Copy link
Contributor

Can https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/2644-honor-pv-reclaim-policy be related somehow? It went beta in 1.31.

@awels
Copy link
Member Author

awels commented Jan 23, 2025

I don't think so, the problem is that when we delete the PV in the tenant cluster, it can't find (correctly) the matching PV in the infra cluster, and returns an error. This causes the PV to not get deleted.

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 28, 2025
@awels
Copy link
Member Author

awels commented Jan 28, 2025

/approve

@kubevirt-bot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: awels

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 28, 2025
@kubevirt-bot kubevirt-bot merged commit a783e55 into kubevirt:main Jan 28, 2025
8 checks passed
@awels awels mentioned this pull request Jan 30, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@akalenyu akalenyu akalenyu approved these changes

@aglitke aglitke Awaiting requested review from aglitke

@mhenriks mhenriks Awaiting requested review from mhenriks

Assignees

@akalenyu akalenyu

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. lgtm Indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. size/S
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@awels @akalenyu @kubevirt-bot