Task
Resolution: Done
Major
Quality / Stability / Reliability
OpenShift SPLAT - Sprint 271, OpenShift SPLAT - Sprint 272
User Story:
As an OpenShift Engineer I want to update the kube test framework to make the NLB e2e work on OCP by fixing security issues, so we can enhance confidence in and coverage of the NLB+SG feature.
Description:
The kube test framework currently provides helper functions to quickly create services in a standard way, which the CCM projects can use to validate their provider-specific implementations.
One service is named "Jig"[1], and it is used by e2e on CCM-AWS[2].
Currently the CCM tests are crashing on OpenShift, as it deploys pods exposing low ports (80) without security tuning, which is not recommended. The service does not provide an interface that can be extended at the CCM level, leaving the default in place and a permanent failure on OpenShift.
Considering this would be a security best practice, I would like to propose an upstream update to allow users to change the service and pod port, so CCM implementations can write more secure and flexible e2e tests according to each kube distribution.
I believe this change can be done regardless of the approach we are designing for the CCM+SG feature, as this would enhance/fix CCM-AWS e2e tests on OCP.
This change would also not block SPLAT-2137, as we can implement the knobs in the CCM-AWS e2e too; having them in the test framework is nice to have.
Example of a working e2e test hacking the lib of the e2e service framework: https://github.com/openshift/cloud-provider-aws/pull/107/files#diff-c6730a0abfdbcc519cd5a359124d0687c43f43610bb9370be95e2cf3760ac1f3
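Added illustration, not taken from this ticket, the kube e2e framework or CCM-AWS: a manifest showing the port split the description asks for, where the Service keeps port 80 on the load balancer while the pod listens on an unprivileged port with a locked-down security context. The resource names, labels, port 8080 and the image tag are assumptions/placeholders.

```yaml
# Added example. Names, labels and the image tag are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: lb-e2e-backend            # hypothetical name
spec:
  replicas: 1
  selector:
    matchLabels: {app: lb-e2e-backend}
  template:
    metadata:
      labels: {app: lb-e2e-backend}
    spec:
      securityContext:
        runAsNonRoot: true
        seccompProfile: {type: RuntimeDefault}
      containers:
      - name: netexec
        image: registry.k8s.io/e2e-test-images/agnhost:<tag>   # placeholder tag
        args: ["netexec", "--http-port=8080"]   # unprivileged port instead of 80
        ports:
        - name: http
          containerPort: 8080
        securityContext:
          allowPrivilegeEscalation: false
          capabilities: {drop: ["ALL"]}   # NET_BIND_SERVICE not needed above port 1023
---
apiVersion: v1
kind: Service
metadata:
  name: lb-e2e                    # hypothetical name
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
spec:
  type: LoadBalancer
  selector: {app: lb-e2e-backend}
  ports:
  - name: http
    protocol: TCP
    port: 80          # port clients reach on the load balancer
    targetPort: http  # resolves to containerPort 8080 in the pod
```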
Acceptance Criteria:
- Review whether a similar e2e is implemented in origin
- Review feasible change in kube e2e framework
- Ask the cloud-infra team for feedback on this change, and whether it is OK to:
  - submit the change to the e2e test framework,
  - once merged, submit the changes to CCM-AWS
- update the
Other Information:
[1] https://github.com/kubernetes/kubernetes/blob/master/test/e2e/framework/service/jig.go
[2] https://github.com/kubernetes/cloud-provider-aws/blob/master/tests/e2e/loadbalancer.go#L51-L88
[3] Ref e2e hacking on NLB+SG e2e feature for OCP https://github.com/openshift/cloud-provider-aws/pull/107/files#diff-c6730a0abfdbcc519cd5a359124d0687c43f43610bb9370be95e2cf3760ac1f3
$ /path/to/hacked/OCPSTRAT-1553/cloud-provider-aws/e2e.test --ginkgo.focus='.*NLB*' --ginkgo.dry-run
W0519 16:22:47.148547 893518 test_context.go:478] Unable to find in-cluster config, using default host : https://127.0.0.1:6443
May 19 16:22:47.148: INFO: The --provider flag is not set. Continuing as if --provider=skeleton had been used.
Running Suite: AWS Cloud Provider End-to-End Tests - /path/to/cloud-provider-aws
=========================================================================================
Random Seed: 1747682567 - will randomize all specs
Will run 2 of 5 specs
SSS
------------------------------
[cloud-provider-aws-e2e] loadbalancer should configure the loadbalancer type NLB with security groups
/path/to/cloud-provider-aws/tests/e2e/loadbalancer.go:135
• [0.000 seconds]
------------------------------
[cloud-provider-aws-e2e] loadbalancer should configure the loadbalancer type NLB with security groups on workers
/path/to/cloud-provider-aws/tests/e2e/loadbalancer.go:135
• [0.000 seconds]
------------------------------
Ran 2 of 5 Specs in 0.000 seconds
SUCCESS! -- 2 Passed | 0 Failed | 0 Pending | 3 Skipped
PASS

$ /path/to/cloud-provider-aws/e2e.test --ginkgo.focus='.*NLB*'
...
• [233.014 seconds]
------------------------------
S
Ran 2 of 5 Specs in 564.376 seconds
SUCCESS! -- 2 Passed | 0 Failed | 0 Pending | 3 Skipped
PASS
- relates to
  - SPLAT-2220 [AWS Service NLB SG]: CCM Test - e2e test service load balancer NLB with support of Security Group (Backlog)