CAP_NET_RAW should be NET_RAW#95613
Conversation
Format of Capability adds CAP_ prefix automatically. Add commentary as test progress output. Clear up some existing comments.
k8s-ci-robot
added
release-note-none
k8s-ci-robot
added
area/test
sig/node
|
/sig node |
|
Creator of code segment |
|
@MHBauer: GitHub didn't allow me to request PR reviews from the following users: harche. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
It had worked fine on CRIO, but I can test it again on Monday. |
|
Alright, so, the documentation for kube seems to inherit the behavior of docker. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities Right above this link Docker, where the first support comes from |
| SecurityContext: &v1.SecurityContext{ | ||
| Capabilities: &v1.Capabilities{ | ||
| Add: []v1.Capability{"CAP_NET_RAW"}, | ||
| Add: []v1.Capability{"NET_RAW"}, |
There was a problem hiding this comment.
This is the main change.
|
/cc @dims |
|
@MHBauer This looks good to me (CRI-O maintainer). |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
As part of a NodeConformance test, I'm concerned about the original change assuming our defaults are lacking CAP_NET_DEFAULT. Reading deeper into the link:
|
|
Reversing my feelings on this, there may be a bunch of tests where we're assuming docker permissions, and it would be good to have them all explicitly set as requirements for the test to run. |
^ depends what you are testing the defaults, or that you can run tests in spite of default deltas... The problem is if you fix the test cases, customers will break if they don't change their specs like we did for our tests. Suggestions: 1) test if a container runs with all necessary caps explicitly set 2) test that a container runs as it did in prior releases using defaults (e.g. on docker shim when migrating to CRI runtimes) 3) test that a container fails to run as it failed in prior releases without additional caps set due to docker default 4) and if we are going to change the k8s expected defaults, or accept different defaults for particular runtimes, document and test the differences |
|
I'll make some long term issues to follow up on setting Capabilities in tests and updating the documentation beyond "when using docker, we use docker defaults." Seems implied that "when using a specific runtime we use the specific runtime defaults". Other things is obviously that the defaults can be configured for each runtime on each node, so consistency is probably needed on a cluster basis. It makes me wonder if there is already some explicit setting of Capabilities in kubelet and whether that can be configured to ensure that Capabilities are set consistently over a cluster without needing to explicitly set them on each node. Calling some other containerd people from https://github.com/containerd/project/blob/master/MAINTAINERS |
|
@dims still broke here.. should be an easy merge to bring us back on-line |
|
/triage accepted |
k8s-ci-robot
added
triage/accepted
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: MHBauer, mrunalp The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/test pull-kubernetes-node-crio-e2e |
|
Please let this |
|
/test pull-kubernetes-node-crio-e2e |
|
But here, it's failing even before starting any tests. |
|
I just started that test job on this PR, #96716, let's see how does that go. |
|
@MHBauer after checking out your PR locally and rebasing to master, the job is passing fine. make test-e2e-node REMOTE=true RUNTIME=remote IMAGE_CONFIG_FILE="/home/harshal/Downloads/image-config-cgrpv1.yaml" INSTANCE_PREFIX="harpatil" CLEANUP=false CONTAINER_RUNTIME_ENDPOINT="unix:///var/run/crio/crio.sock" FOCUS="\[NodeConformance\]|\[NodeFeature:.+\]" SKIP="\[Flaky\]|\[Slow\]|\[Serial\]" TEST_ARGS='--kubelet-flags="--cgroup-driver=systemd --cgroups-per-qos=true --cgroup-root=/ --runtime-cgroups=/system.slice/crio.service --non-masquerade-cidr=0.0.0.0/0" --extra-log="{\"name\": \"crio.log\", \"journalctl\": [\"-u\", \"crio\"]}"'Ran 196 of 336 Specs in 727.346 seconds
SUCCESS! -- 196 Passed | 0 Failed | 0 Pending | 140 SkippedI am guessing rebasing will help it pass here too. |
It passed there. |
|
/retest Review the full test history for this PR. Silence the bot with an |
1 similar comment
|
/retest Review the full test history for this PR. Silence the bot with an |
|
Can I put it into the milestone or do I need a release manager? /milestone v1.20 |
|
@MHBauer: You must be a member of the kubernetes/milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your and have them propose you as an additional delegate for this responsibility. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Phew, good. |
|
need this revert pr on 1.20 as well can we get a cherry pick? |
9 participants
Format of Capability adds CAP_ prefix automatically.
Add commentary as test progress output.
Clear up some existing comments.
What type of PR is this?
/kind bug
/kind failing-test
What this PR does / why we need it:
Test currently fails 100% of the time with
Error: failed to create containerd task: OCI runtime create failed: container_linux.go:370: starting container process caused: unknown capability "CAP_CAP_NET_RAW": unknownWhich issue(s) this PR fixes:
Fixes #95612
Special notes for your reviewer:
I have no idea where this behavior is documented, I'm reversing my understanding of the test output.
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: