kubernetes: Unable to run "PersistentVolumes-local" e2e tests due to SecurityContext and /rootfs permission denial
Is this a BUG REPORT or FEATURE REQUEST?: /kind bug
What happened: “PersistentVolumes-local” E2E tests fail to execute on the local cluster (local-up-cluster.sh) due to securityContext.privileged mode.
• Failure in Spec Setup (BeforeEach) [6.162 seconds]
[sig-storage] PersistentVolumes-local
/home/vagrant/go-workspace/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/test/e2e/storage/utils/framework.go:22
[Volume type: dir]
/home/vagrant/go-workspace/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/test/e2e/storage/persistent_volumes-local.go:222
Set fsGroup for local volume [BeforeEach]
/home/vagrant/go-workspace/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/test/e2e/storage/persistent_volumes-local.go:285
should set fsGroup for one pod
/home/vagrant/go-workspace/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/test/e2e/storage/persistent_volumes-local.go:292
Expected error:
<*errors.StatusError | 0xc42110b5f0>: {
ErrStatus: {
TypeMeta: {Kind: "", APIVersion: ""},
ListMeta: {SelfLink: "", ResourceVersion: "", Continue: ""},
Status: "Failure",
Message: "Pod \"hostexec-127.0.0.1\" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy",
Reason: "Invalid",
Details: {
Name: "hostexec-127.0.0.1",
Group: "",
Kind: "Pod",
UID: "",
Causes: [
{
Type: "FieldValueForbidden",
Message: "Forbidden: disallowed by cluster policy",
Field: "spec.containers[0].securityContext.privileged",
},
],
RetryAfterSeconds: 0,
},
Code: 422,
},
}
Pod "hostexec-127.0.0.1" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by cluster policy
not to have occurred
/home/vagrant/go-workspace/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/test/e2e/storage/persistent_volumes-local.go:953
If we disable the Pod’s privileged mode by setting the value to false, e2e test execution passes this check but fails further on while executing the kubectl command on containers.
• Failure in Spec Setup (BeforeEach) [8.661 seconds]
[sig-storage] PersistentVolumes-local
test/e2e/storage/utils/framework.go:22
[Volume type: dir]
test/e2e/storage/persistent_volumes-local.go:222
Set fsGroup for local volume [BeforeEach]
test/e2e/storage/persistent_volumes-local.go:285
should set fsGroup for one pod
test/e2e/storage/persistent_volumes-local.go:292
Expected error:
<exec.CodeExitError>: {
Err: {
s: "error running &{/home/vagrant/go/src/k8s.io/kubernetes/_output/bin/kubectl [kubectl --kubeconfig=/var/run/kubernetes/admin.kubeconfig exec --namespace=e2e-tests-persistent-local-volumes-test-j2ff6 hostexec-127.0.0.1 -- nsenter --mount=/rootfs/proc/1/ns/mnt -- sh -c mkdir -p /tmp/local-volume-test-b7f1f0b4-957a-11e8-bdd7-080027420e40; echo test-file-content > /tmp/local-volume-test-b7f1f0b4-957a-11e8-bdd7-080027420e40/test-file] [] <nil> nsenter: can't open '/rootfs/proc/1/ns/mnt': Permission denied\ncommand terminated with exit code 1\n [] <nil> 0xc4223ac660 exit status 1 <nil> <nil> true [0xc42252acb0 0xc42252acc8 0xc42252ace0] [0xc42252acb0 0xc42252acc8 0xc42252ace0] [0xc42252acc0 0xc42252acd8] [0x8fd420 0x8fd420] 0xc4220dfa40 <nil>}:\nCommand stdout:\n\nstderr:\nnsenter: can't open '/rootfs/proc/1/ns/mnt': Permission denied\ncommand terminated with exit code 1\n\nerror:\nexit status 1\n",
},
Code: 1,
}
error running &{/home/vagrant/go/src/k8s.io/kubernetes/_output/bin/kubectl [kubectl --kubeconfig=/var/run/kubernetes/admin.kubeconfig exec --namespace=e2e-tests-persistent-local-volumes-test-j2ff6 hostexec-127.0.0.1 -- nsenter --mount=/rootfs/proc/1/ns/mnt -- sh -c mkdir -p /tmp/local-volume-test-b7f1f0b4-957a-11e8-bdd7-080027420e40; echo test-file-content > /tmp/local-volume-test-b7f1f0b4-957a-11e8-bdd7-080027420e40/test-file] [] <nil> nsenter: can't open '/rootfs/proc/1/ns/mnt': Permission denied
command terminated with exit code 1
[] <nil> 0xc4223ac660 exit status 1 <nil> <nil> true [0xc42252acb0 0xc42252acc8 0xc42252ace0] [0xc42252acb0 0xc42252acc8 0xc42252ace0] [0xc42252acc0 0xc42252acd8] [0x8fd420 0x8fd420] 0xc4220dfa40 <nil>}:
Command stdout:
stderr:
nsenter: can't open '/rootfs/proc/1/ns/mnt': Permission denied
command terminated with exit code 1
error:
exit status 1
not to have occurred
test/e2e/storage/persistent_volumes-local.go:892
What you expected to happen: Should be able to run “PersistentVolumes-local” e2e tests locally or on any provider.
How to reproduce it (as minimally and precisely as possible):
- Bring up a k8s cluster from k8s source (master) and run
go run hack/e2e.go -- --provider=local --deployment=local --test --test_args="--ginkgo.focus=PersistentVolumes-local" --alsologtostderr --verbose-commands
or
./bazel-bin/test/e2e/e2e.test --provider local -ginkgo.focus="PersistentVolumes-local"
Anything else we need to know?:
Environment:
- Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"12+", GitVersion:"v1.12.0-alpha.0.2479+0e9b1dd20f8c20-dirty", GitCommit:"0e9b1dd20f8c202d5118b8712c4a9dcfe67dbf4a", GitTreeState:"dirty", BuildDate:"2018-07-31T14:48:22Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12+", GitVersion:"v1.12.0-alpha.0.2479+0e9b1dd20f8c20-dirty", GitCommit:"0e9b1dd20f8c202d5118b8712c4a9dcfe67dbf4a", GitTreeState:"dirty", BuildDate:"2018-07-31T14:48:22Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
- OS (e.g. from /etc/os-release): Ubuntu 16.04.2 LTS
- Kernel (e.g. uname -a): Linux minimal-xenial 4.4.0-62-generic
/help-wanted
About this issue
- State: closed
- Created 6 years ago
- Comments: 15 (14 by maintainers)
/close please re-open if this is incorrect, but AFAICT this is working as intended, the cluster should be configured to allow the test.
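The first failure in the issue is a server-side admission decision, not a test bug: a container requesting `securityContext.privileged: true` is refused when the API server does not allow privileged pods (assumed here to be controlled by the kube-apiserver `--allow-privileged` flag). The following is an added example, not code from Kubernetes or from the issue thread: a simplified Go model of that check which reproduces the `Type`, `Message` and `Field` seen in the log for a constructed manifest. `CheckPrivileged`, `Cause` and `samplePod` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Cause mirrors one entry of Details.Causes in the StatusError quoted in the issue.
type Cause struct{ Type, Message, Field string }

type container struct {
	SecurityContext *struct{ Privileged *bool `json:"privileged"` } `json:"securityContext"`
}

type pod struct {
	Spec struct {
		InitContainers []container `json:"initContainers"`
		Containers     []container `json:"containers"`
	} `json:"spec"`
}

// Constructed manifest: only the pod name and the privileged flag come from the issue.
const samplePod = `{"metadata":{"name":"hostexec-127.0.0.1"},"spec":{"containers":[
  {"name":"hostexec","securityContext":{"privileged":true}}]}}`

// CheckPrivileged is a simplified model (not Kubernetes source) of the server-side check.
func CheckPrivileged(manifest string, allowPrivileged bool) ([]Cause, error) {
	var p pod
	if err := json.Unmarshal([]byte(manifest), &p); err != nil {
		return nil, err
	}
	var causes []Cause
	scan := func(kind string, cs []container) {
		for i, c := range cs {
			if sc := c.SecurityContext; sc != nil && sc.Privileged != nil && *sc.Privileged && !allowPrivileged {
				causes = append(causes, Cause{"FieldValueForbidden", "Forbidden: disallowed by cluster policy",
					fmt.Sprintf("spec.%s[%d].securityContext.privileged", kind, i)})
			}
		}
	}
	scan("initContainers", p.Spec.InitContainers)
	scan("containers", p.Spec.Containers)
	return causes, nil
}

func main() {
	causes, err := CheckPrivileged(samplePod, false) // server started without privileged pods allowed
	fmt.Println(causes, err)
}
```

With `allowPrivileged` set to true the same manifest yields no causes, which corresponds to the cluster configuration the closing comment asks for.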