kubernetes · BenTheElder · Dec 14, 2017 · Dec 14, 2017
diff --git a/prow/config.yaml b/prow/config.yaml
@@ -3032,223 +3032,15 @@ presubmits:
       - hostPath:
           path: /mnt/disks/ssd0
         name: cache-ssd
-  - name: pull-security-kubernetes-e2e-gce
-    agent: kubernetes
-    context: pull-security-kubernetes-e2e-gce
-    rerun_command: "/test pull-security-kubernetes-e2e-gce"
-    trigger: "(?m)^/test (all|pull-security-kubernetes-e2e-gce),?(\\s+|$)"
-    always_run: true
-    # TODO(bentheelder): enforce this pattern (skip all releases) or implement
-    # something better like https://github.com/kubernetes/test-infra/pull/4918
-    skip_branches:
-    - release-1.6 # per-release image
-    - release-1.7 # per-release image
-    - release-1.8 # per-release image
-    spec:
-      containers:
-      - args:
-        - --root=/go/src
-        - --repo=github.com/kubernetes-security/kubernetes=$(PULL_REFS)
-        - --repo=k8s.io/release
-        - --upload=gs://kubernetes-security-jenkins/pr-logs
-        - --git-cache=/root/.cache/git
-        - --clean
-        - --timeout=90
-         # the release-1.6 version of this job uses Jenkins, so here we override
-        # some args for jobs on Prow
-        - --
-        - --build=bazel
-        - --mode=local
-        # this only works for 1.7+
-        - --runtime-config=batch/v2alpha1=true,admissionregistration.k8s.io/v1alpha1=true
-        # Bazel needs privileged mode in order to sandbox builds.
-        securityContext:
-          privileged: true
-        env:
-        - name: GOOGLE_APPLICATION_CREDENTIALS
-          value: /etc/service-account/service-account.json
-        - name: USER
-          value: prow
-        - name: JENKINS_GCE_SSH_PRIVATE_KEY_FILE
-          value: /etc/ssh-key-secret/ssh-private
-        - name: JENKINS_GCE_SSH_PUBLIC_KEY_FILE
-          value: /etc/ssh-key-secret/ssh-public
-        # Make Bazel use shared cache for its root
-        # https://docs.bazel.build/versions/master/output_directories.html#documentation-of-the-current-bazel-output-directory-layout
-        - name: TEST_TMPDIR
-          value: /root/.cache/bazel
-        image: gcr.io/k8s-testimages/kubekins-e2e:v20171212-9b2876568-master
-        volumeMounts:
-        - mountPath: /etc/service-account
-          name: service
-          readOnly: true
-        - mountPath: /etc/ssh-key-secret
-          name: ssh
-          readOnly: true
-        - mountPath: /root/.cache
-          name: cache-ssd
-        ports:
-        - containerPort: 9999
-          hostPort: 9999
-        resources:
-          requests:
-            memory: "6Gi"
-      volumes:
-      - name: service
-        secret:
-          secretName: service-account
-      - name: ssh
-        secret:
-          defaultMode: 256
-          secretName: ssh-key-secret
-      - hostPath:
-          path: /mnt/disks/ssd0
-        name: cache-ssd
-  - name: pull-security-kubernetes-e2e-gce
-    agent: kubernetes
-    context: pull-security-kubernetes-e2e-gce
-    rerun_command: "/test pull-security-kubernetes-e2e-gce"
-    trigger: "(?m)^/test (all|pull-security-kubernetes-e2e-gce),?(\\s+|$)"
-    always_run: true
-    branches:
-    - release-1.8
-    spec:
-      containers:
-      - args:
-        - --root=/go/src
-        - --repo=github.com/kubernetes-security/kubernetes=$(PULL_REFS)
-        - --repo=k8s.io/release
-        - --upload=gs://kubernetes-security-jenkins/pr-logs
-        - --git-cache=/root/.cache/git
-        - --clean
-        - --timeout=90
-        # the release-1.6 version of this job uses Jenkins, so here we override
-        # some args for jobs on Prow
-        - --
-        - --build=bazel
-        - --mode=local
-        # this only works for 1.7+
-        - --runtime-config=batch/v2alpha1=true,admissionregistration.k8s.io/v1alpha1=true
-        # Bazel needs privileged mode in order to sandbox builds.
-        securityContext:
-          privileged: true
-        env:
-        - name: GOOGLE_APPLICATION_CREDENTIALS
-          value: /etc/service-account/service-account.json
-        - name: USER
-          value: prow
-        - name: JENKINS_GCE_SSH_PRIVATE_KEY_FILE
-          value: /etc/ssh-key-secret/ssh-private
-        - name: JENKINS_GCE_SSH_PUBLIC_KEY_FILE
-          value: /etc/ssh-key-secret/ssh-public
-        # Make Bazel use shared cache for its root
-        # https://docs.bazel.build/versions/master/output_directories.html#documentation-of-the-current-bazel-output-directory-layout
-        - name: TEST_TMPDIR
-          value: /root/.cache/bazel
-        image: gcr.io/k8s-testimages/kubekins-e2e:v20171212-9b2876568-1.8
-        volumeMounts:
-        - mountPath: /etc/service-account
-          name: service
-          readOnly: true
-        - mountPath: /etc/ssh-key-secret
-          name: ssh
-          readOnly: true
-        - mountPath: /root/.cache
-          name: cache-ssd
-        ports:
-        - containerPort: 9999
-          hostPort: 9999
-        resources:
-          requests:
-            memory: "6Gi"
-      volumes:
-      - name: service
-        secret:
-          secretName: service-account
-      - name: ssh
-        secret:
-          defaultMode: 256
-          secretName: ssh-key-secret
-      - hostPath:
-          path: /mnt/disks/ssd0
-        name: cache-ssd
-  - name: pull-security-kubernetes-e2e-gce
-    agent: kubernetes
-    context: pull-security-kubernetes-e2e-gce
-    rerun_command: "/test pull-security-kubernetes-e2e-gce"
-    trigger: "(?m)^/test (all|pull-security-kubernetes-e2e-gce),?(\\s+|$)"
-    always_run: true
-    branches:
-    - release-1.7
-    spec:
-      containers:
-      - args:
-        - --root=/go/src
-        - --repo=github.com/kubernetes-security/kubernetes=$(PULL_REFS)
-        - --repo=k8s.io/release
-        - --upload=gs://kubernetes-security-jenkins/pr-logs
-        - --git-cache=/root/.cache/git
-        - --clean
-        - --timeout=90
-        # the release-1.6 version of this job uses Jenkins, so here we override
-        # some args for jobs on Prow
-        - --
-        - --build=bazel
-        - --mode=local
-        # this only works for 1.7+
-        - --runtime-config=batch/v2alpha1=true,admissionregistration.k8s.io/v1alpha1=true
-        # Bazel needs privileged mode in order to sandbox builds.
-        securityContext:
-          privileged: true
-        env:
-        - name: GOOGLE_APPLICATION_CREDENTIALS
-          value: /etc/service-account/service-account.json
-        - name: USER
-          value: prow
-        - name: JENKINS_GCE_SSH_PRIVATE_KEY_FILE
-          value: /etc/ssh-key-secret/ssh-private
-        - name: JENKINS_GCE_SSH_PUBLIC_KEY_FILE
-          value: /etc/ssh-key-secret/ssh-public
-        # Make Bazel use shared cache for its root
-        # https://docs.bazel.build/versions/master/output_directories.html#documentation-of-the-current-bazel-output-directory-layout
-        - name: TEST_TMPDIR
-          value: /root/.cache/bazel
-        image: gcr.io/k8s-testimages/kubekins-e2e:v20171212-9b2876568-1.7
-        volumeMounts:
-        - mountPath: /etc/service-account
-          name: service
-          readOnly: true
-        - mountPath: /etc/ssh-key-secret
-          name: ssh
-          readOnly: true
-        - mountPath: /root/.cache
-          name: cache-ssd
-        ports:
-        - containerPort: 9999
-          hostPort: 9999
-        resources:
-          requests:
-            memory: "6Gi"
-      volumes:
-      - name: service
-        secret:
-          secretName: service-account
-      - name: ssh
-        secret:
-          defaultMode: 256
-          secretName: ssh-key-secret
-      - hostPath:
-          path: /mnt/disks/ssd0
-        name: cache-ssd
-  # bazel build works for 1.6 but not bazel-release :-(
+
+  # TODO(BenTheElder): move security jobs back to Prow once we have
+  # https://github.com/kubernetes/test-infra/issues/5848
   - name: pull-security-kubernetes-e2e-gce
     agent: jenkins
     context: pull-security-kubernetes-e2e-gce
     rerun_command: "/test pull-security-kubernetes-e2e-gce"
     trigger: "(?m)^/test (all|pull-security-kubernetes-e2e-gce),?(\\s+|$)"
     always_run: true
-    branches:
-    - release-1.6
   - name: pull-security-kubernetes-e2e-gce-device-plugin-gpu
     agent: kubernetes
     skip_branches:

diff --git a/prow/config/config_test.go b/prow/config/config_test.go
@@ -22,7 +22,6 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
-	"reflect"
 	"regexp"
 	"strings"
 	"testing"
@@ -167,6 +166,9 @@ func TestRequiredRetestContextsMatch(t *testing.T) {
 	}
 }
 
+// TODO(BenTheElder): this needs to be disabled after:
+// https://github.com/kubernetes/test-infra/issues/5848
+/*
 func TestConfigSecurityJobsMatch(t *testing.T) {
 	conf, err := Load("../config.yaml")
 	if err != nil {
@@ -187,6 +189,7 @@ func TestConfigSecurityJobsMatch(t *testing.T) {
 		}
 	}
 }
+*/
 
 // checkDockerSocketVolumes returns an error if any volume uses a hostpath
 // to the docker socket. we do not want to allow this