-
Bug
-
Resolution: Unresolved
-
Normal
-
None
-
4.20, 4.21
-
Quality / Stability / Reliability
-
False
Low
Description of problem:
The EnsureReadOnlyRootFilesystem e2e test is supposed to check that the pods have the SecurityContext.ReadOnlyRootFilesystem of the containers set to true. It also maintains a list of exceptions which, according to the code comment, are allowed to have the readOnlyRootFilesystem set to false. However, the code doesn't do that and instead enforces the readOnlyRootFilesystem to be set to false (fails if not). This complicates hardening of the containers, since flipping the setting would fail the hypershift e2e CI test.
Version-Release number of selected component (if applicable):
4.20 and newer
How reproducible:
Steps to Reproduce:
1. Try to change the SecurityContext setting of some of the pods listed as exceptions
2. Create a PR (https://github.com/openshift/csi-operator/pull/419)
Actual results:
The CI test fails (https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_csi-operator/419/pull-ci-openshift-csi-operator-main-hypershift-aws-e2e-external/1978063621854334976)
Expected results:
I think the ReadOnlyRootFilesystem setting should be ignored for the pods with exceptions as the code comment suggests.
Additional info:
https://github.com/openshift/hypershift/blob/main/test/e2e/util/util.go#L1656-L1699
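
The difference between the two exception semantics described in this report, as an added illustration that is not the hypershift test code. The `Container` type, the function names, the sample pods and keying the exception list by pod name are all assumptions made for the example.

```go
package main

import "fmt"

// Container is a simplified stand-in for a container spec; nil means the field is unset.
type Container struct {
	Pod, Name      string
	ReadOnlyRootFS *bool
}

func isTrue(b *bool) bool { return b != nil && *b }

// checkEnforcing: pods on the exception list MUST have the setting false (reported behaviour).
func checkEnforcing(cs []Container, exceptions map[string]bool) []string {
	var failures []string
	for _, c := range cs {
		if isTrue(c.ReadOnlyRootFS) == exceptions[c.Pod] { // excepted pods must be false, others true
			failures = append(failures, fmt.Sprintf("%s/%s: want %t", c.Pod, c.Name, !exceptions[c.Pod]))
		}
	}
	return failures
}

// checkTolerant: pods on the exception list are skipped (behaviour the report expects).
func checkTolerant(cs []Container, exceptions map[string]bool) []string {
	var failures []string
	for _, c := range cs {
		if !exceptions[c.Pod] && !isTrue(c.ReadOnlyRootFS) {
			failures = append(failures, fmt.Sprintf("%s/%s: want true", c.Pod, c.Name))
		}
	}
	return failures
}

// sample returns constructed data: two excepted pods (one already hardened) and two regular pods.
func sample() ([]Container, map[string]bool) {
	t, f := true, false
	return []Container{
		{"pod-a", "driver", &t},     // excepted, hardened to read-only
		{"pod-b", "agent", &f},      // excepted, still writable
		{"pod-c", "controller", &t}, // compliant
		{"pod-d", "sidecar", nil},   // unset and not excepted: a real violation
	}, map[string]bool{"pod-a": true, "pod-b": true}
}

func main() {
	cs, ex := sample()
	fmt.Println("enforcing:", checkEnforcing(cs, ex), "tolerant:", checkTolerant(cs, ex))
}
```

With the enforcing check, the hardened `pod-a` is reported alongside the real violation in `pod-d`; with the tolerant check only `pod-d` is reported.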