test_db_scc - webhook "scc-validation.managed.openshift.io" denied #11075

DanielOsypenko opened this issue Dec 22, 2024 · 1 comment

@DanielOsypenko

I tried to fix the issue with a non-default storage namespace, where openshift-storage was a part of NOOBAA_DB_SERVICE_ACCOUNT. It was failing the tests with this output:

[2024-11-25T21:25:03.352Z]         log.info(f"Verifying {service_account} was added to the anyuid scc")
[2024-11-25T21:25:03.352Z] >       assert helpers.validate_scc_policy(
[2024-11-25T21:25:03.352Z]             sa_name=scc_name,
[2024-11-25T21:25:03.352Z]             namespace=config.ENV_DATA["cluster_namespace"],
[2024-11-25T21:25:03.352Z]             scc_name=constants.ANYUID,
[2024-11-25T21:25:03.352Z]         ), "SA name is not present in anyuid scc"
[2024-11-25T21:25:03.352Z] E       AssertionError: SA name is not present in anyuid scc
[2024-11-25T21:25:03.352Z] E       assert False
[2024-11-25T21:25:03.352Z] E        +  where False = <function validate_scc_policy at 0x7fb730d11670>(sa_name='noobaa-db', namespace='odf-storage', scc_name='anyuid')
[2024-11-25T21:25:03.352Z] E        +    where <function validate_scc_policy at 0x7fb730d11670> = helpers.validate_scc_policy
[2024-11-25T21:25:03.352Z] E        +    and   'anyuid' = constants.ANYUID
[2024-11-25T21:25:03.352Z]
[2024-11-25T21:25:03.352Z] tests/functional/object/mcg/test_mcg_resources_disruptions.py:275: AssertionError
[2024-11-25T21:25:03.352Z] 

Now we are failing with this output.
Requires investigation from Red squad.

2024-12-22 15:38:14  tests/functional/object/mcg/test_mcg_resources_disruptions.py::TestMCGResourcesDisruptions::test_db_scc 
2024-12-22 15:38:14  -------------------------------- live log setup --------------------------------
2024-12-22 15:38:14  08:38:12 - MainThread - ocs_ci.utility.utils - INFO  - testrun_name: dosypenk-OCS4-17-Downstream-OCP4-17-ROSA_HCP-MANAGED_CP-1AZ-RHCOS-0M-3W
2024-12-22 15:38:14  08:38:12 - MainThread - ocs_ci.utility.utils - INFO  - testrun_name: dosypenk-OCS4-17-Downstream-OCP4-17-ROSA_HCP-MANAGED_CP-1AZ-RHCOS-0M-3W
2024-12-22 15:38:14  08:38:12 - MainThread - ocs_ci.utility.utils - INFO  - Retrieving the authentication config dictionary
2024-12-22 15:38:14  08:38:12 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc -n odf-storage get pods -o name
2024-12-22 15:38:14  08:38:13 - MainThread - ocs_ci.ocs.utils - INFO  - pod name match found appending rook-ceph-tools-66586d894d-xhsw4
2024-12-22 15:38:14  08:38:13 - MainThread - ocs_ci.ocs.utils - INFO  - Ceph toolbox already exists, skipping
2024-12-22 15:38:14  08:38:13 - MainThread - ocs_ci.utility.reporting - INFO  - Setting live must gather image to: registry.redhat.io/odf4/odf-must-gather-rhel9:v4.17
2024-12-22 15:38:14  08:38:13 - MainThread - tests.conftest - INFO  - All logs located at /home/jenkins/current-cluster-dir/logs/ocs-ci-logs-1734874672
2024-12-22 15:38:14  08:38:13 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: /home/jenkins/bin/oc version --client -o json
2024-12-22 15:38:14  08:38:14 - MainThread - ocs_ci.utility.utils - INFO  - OpenShift Client version: None
2024-12-22 15:38:14  08:38:14 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get csv  -n odf-storage -o yaml
2024-12-22 15:38:16  08:38:16 - MainThread - ocs_ci.ocs.version - INFO  - collecting ocp version
2024-12-22 15:38:16  08:38:16 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig get clusterversion version -o yaml
2024-12-22 15:38:16  08:38:16 - MainThread - ocs_ci.ocs.version - INFO  - collecting ocs version
2024-12-22 15:38:16  08:38:16 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig get namespace  -o yaml
2024-12-22 15:38:17  08:38:17 - MainThread - ocs_ci.ocs.version - INFO  - found storage namespaces ['openshift-cluster-storage-operator', 'openshift-kube-storage-version-migrator', 'openshift-kube-storage-version-migrator-operator']
2024-12-22 15:38:17  08:38:17 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n openshift-cluster-storage-operator get pod  -n openshift-cluster-storage-operator -o yaml
2024-12-22 15:38:18  08:38:18 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n openshift-kube-storage-version-migrator get pod  -n openshift-kube-storage-version-migrator -o yaml
2024-12-22 15:38:19  08:38:18 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n openshift-kube-storage-version-migrator-operator get pod  -n openshift-kube-storage-version-migrator-operator -o yaml
2024-12-22 15:38:19  08:38:19 - MainThread - ocs_ci.ocs.version - INFO  - ClusterVersion .spec.channel: stable-4.17
2024-12-22 15:38:19  08:38:19 - MainThread - ocs_ci.ocs.version - INFO  - ClusterVersion .status.desired.version: 4.17.4
2024-12-22 15:38:19  08:38:19 - MainThread - ocs_ci.ocs.version - INFO  - ClusterVersion .status.desired.image: quay.io/openshift-release-dev/ocp-release@sha256:e6487ca1e630152977392bbcf0ad1318217d539d2b641ad4ece92d6ba25444a3
2024-12-22 15:38:19  08:38:19 - MainThread - ocs_ci.ocs.version - INFO  - storage namespace openshift-cluster-storage-operator
2024-12-22 15:38:19  08:38:19 - MainThread - ocs_ci.ocs.version - INFO  - storage namespace openshift-kube-storage-version-migrator
2024-12-22 15:38:19  08:38:19 - MainThread - ocs_ci.ocs.version - INFO  - image quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:37c05ad22692544d394b81b751280f0ccbe127df2da98e6e3953a40f433f65bb {'quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:37c05ad22692544d394b81b751280f0ccbe127df2da98e6e3953a40f433f65bb'}
2024-12-22 15:38:19  08:38:19 - MainThread - ocs_ci.ocs.version - INFO  - storage namespace openshift-kube-storage-version-migrator-operator
2024-12-22 15:38:19  08:38:19 - MainThread - ocs_ci.ocs.version - INFO  - image quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:52a3be9228abc0a629eab80aefc30045b756aa44e95a7885f98ecb1dccd9b9e3 {'quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:52a3be9228abc0a629eab80aefc30045b756aa44e95a7885f98ecb1dccd9b9e3'}
2024-12-22 15:38:19  08:38:19 - MainThread - tests.conftest - INFO  - human readable ocs version info written into /home/jenkins/current-cluster-dir/openshift-cluster-dir/ocs_version.2024-12-22T08:38:19.415199
2024-12-22 15:38:19  08:38:19 - MainThread - tests.conftest - INFO  - PagerDuty service is not created because platform from ['openshiftdedicated', 'rosa', 'fusion_aas'] is not used
2024-12-22 15:38:19  08:38:19 - MainThread - ocs_ci.utility.utils - INFO  - testrun_name: dosypenk-OCS4-17-Downstream-OCP4-17-ROSA_HCP-MANAGED_CP-1AZ-RHCOS-0M-3W
2024-12-22 15:38:19  08:38:19 - MainThread - ocs_ci.utility.utils - INFO  - testrun_name: dosypenk-OCS4-17-Downstream-OCP4-17-ROSA_HCP-MANAGED_CP-1AZ-RHCOS-0M-3W
2024-12-22 15:38:19  08:38:19 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get csv  -n odf-storage -o yaml
2024-12-22 15:38:22  08:38:21 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get CephCluster  -n odf-storage -o yaml
2024-12-22 15:38:22  08:38:22 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get CephFilesystem  -n odf-storage -o yaml
2024-12-22 15:38:22  08:38:22 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get CephBlockPool  -n odf-storage -o yaml
2024-12-22 15:38:23  08:38:23 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage -o yaml
2024-12-22 15:38:26  08:38:26 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage --selector=app=rook-ceph-mon -o yaml
2024-12-22 15:38:27  08:38:27 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod rook-ceph-mon-a-888c65c89-dbl6r -n odf-storage
2024-12-22 15:38:28  08:38:28 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage -o yaml
2024-12-22 15:38:32  08:38:31 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod rook-ceph-mon-b-87795866f-x7pdv -n odf-storage
2024-12-22 15:38:32  08:38:32 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage -o yaml
2024-12-22 15:38:36  08:38:36 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod rook-ceph-mon-c-85dd98c697-qwqbx -n odf-storage
2024-12-22 15:38:36  08:38:36 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage -o yaml
2024-12-22 15:38:40  08:38:40 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage --selector=app=rook-ceph-mds -o yaml
2024-12-22 15:38:41  08:38:41 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage --selector=app=rook-ceph-mgr -o yaml
2024-12-22 15:38:42  08:38:42 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage --selector=app=rook-ceph-osd -o yaml
2024-12-22 15:38:43  08:38:43 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage --selector=app=noobaa -o yaml
2024-12-22 15:38:44  08:38:43 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage --selector=app=rook-ceph-rgw -o yaml
2024-12-22 15:38:44  08:38:44 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage --selector=app=rook-ceph-tools -o yaml
2024-12-22 15:38:45  08:38:44 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage --selector=app=rook-ceph-tools -o yaml
2024-12-22 15:38:45  08:38:45 - MainThread - ocs_ci.ocs.resources.pod - INFO  - These are the ceph tool box pods: ['rook-ceph-tools-66586d894d-xhsw4']
2024-12-22 15:38:45  08:38:45 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod rook-ceph-tools-66586d894d-xhsw4 -n odf-storage
2024-12-22 15:38:45  08:38:45 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage -o yaml
2024-12-22 15:38:50  08:38:49 - MainThread - ocs_ci.ocs.resources.pod - INFO  - Pod name: rook-ceph-tools-66586d894d-xhsw4
2024-12-22 15:38:50  08:38:49 - MainThread - ocs_ci.ocs.resources.pod - INFO  - Pod status: Running
2024-12-22 15:38:50  08:38:49 - MainThread - ocs_ci.ocs.cluster - INFO  - port=3300
2024-12-22 15:38:50  08:38:49 - MainThread - ocs_ci.ocs.cluster - INFO  - port=3300
2024-12-22 15:38:50  08:38:49 - MainThread - ocs_ci.ocs.cluster - INFO  - port=3300
2024-12-22 15:38:50  08:38:49 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get CephCluster ocs-storagecluster-cephcluster -n odf-storage -o yaml
2024-12-22 15:38:50  08:38:49 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get CephFilesystem ocs-storagecluster-cephfilesystem -n odf-storage -o yaml
2024-12-22 15:38:50  08:38:50 - MainThread - ocs_ci.ocs.cluster - INFO  - Number of mons = 3
2024-12-22 15:38:50  08:38:50 - MainThread - ocs_ci.ocs.cluster - INFO  - Number of mds = 2
2024-12-22 15:38:50  08:38:50 - MainThread - tests.conftest - INFO  - Checking for Ceph Health OK 
2024-12-22 15:38:50  08:38:50 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage --selector=app=rook-ceph-tools -o yaml
2024-12-22 15:38:50  08:38:50 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage --selector=app=rook-ceph-tools -o yaml
2024-12-22 15:38:51  08:38:51 - MainThread - ocs_ci.ocs.resources.pod - INFO  - These are the ceph tool box pods: ['rook-ceph-tools-66586d894d-xhsw4']
2024-12-22 15:38:51  08:38:51 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod rook-ceph-tools-66586d894d-xhsw4 -n odf-storage
2024-12-22 15:38:51  08:38:51 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage -o yaml
2024-12-22 15:38:55  08:38:55 - MainThread - ocs_ci.ocs.resources.pod - INFO  - Pod name: rook-ceph-tools-66586d894d-xhsw4
2024-12-22 15:38:55  08:38:55 - MainThread - ocs_ci.ocs.resources.pod - INFO  - Pod status: Running
2024-12-22 15:38:55  08:38:55 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc -n odf-storage rsh rook-ceph-tools-66586d894d-xhsw4 ceph health
2024-12-22 15:38:57  08:38:57 - MainThread - ocs_ci.utility.utils - INFO  - Ceph cluster health is HEALTH_OK.
2024-12-22 15:38:57  08:38:57 - MainThread - tests.conftest - INFO  - Ceph health check passed at setup
2024-12-22 15:38:57  08:38:57 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: ['oc', 'login', '-u', 'cluster-admin', '-p', '*****']
2024-12-22 15:39:00  08:39:00 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n openshift-monitoring whoami --show-token
2024-12-22 15:39:00  08:39:00 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n openshift-monitoring get Route prometheus-k8s -n openshift-monitoring -o yaml
2024-12-22 15:39:01  08:39:01 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get storagecluster  -n odf-storage -o yaml
2024-12-22 15:39:02  08:39:01 - MainThread - tests.conftest - INFO  - Changing minimum Noobaa endpoints to 2
2024-12-22 15:39:02  08:39:01 - MainThread - ocs_ci.ocs.ocp - INFO  - Command: patch storagecluster ocs-storagecluster -n odf-storage -p '{"spec":{"multiCloudGateway":{"endpoints":{"minCount":2}}}}' --type merge
2024-12-22 15:39:02  08:39:01 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc -n odf-storage patch storagecluster ocs-storagecluster -n odf-storage -p '{"spec":{"multiCloudGateway":{"endpoints":{"minCount":2}}}}' --type merge
2024-12-22 15:39:02  08:39:02 - MainThread - tests.conftest - INFO  - Changing maximum Noobaa endpoints to 2
2024-12-22 15:39:02  08:39:02 - MainThread - ocs_ci.ocs.ocp - INFO  - Command: patch storagecluster ocs-storagecluster -n odf-storage -p '{"spec":{"multiCloudGateway":{"endpoints":{"maxCount":2}}}}' --type merge
2024-12-22 15:39:02  08:39:02 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc -n odf-storage patch storagecluster ocs-storagecluster -n odf-storage -p '{"spec":{"multiCloudGateway":{"endpoints":{"maxCount":2}}}}' --type merge
2024-12-22 15:39:03  08:39:03 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage --selector=noobaa-s3=noobaa -o yaml
2024-12-22 15:39:04  08:39:03 - MainThread - tests.conftest - INFO  - Waiting for the NooBaa endpoints to stabilize. Current ready count: 1
2024-12-22 15:39:04  08:39:03 - MainThread - ocs_ci.utility.utils - INFO  - Going to sleep for 30 seconds before next iteration
2024-12-22 15:39:36  08:39:33 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage --selector=noobaa-s3=noobaa -o yaml
2024-12-22 15:39:36  08:39:34 - MainThread - tests.conftest - INFO  - NooBaa endpoints stabilized. Ready endpoints: 2
2024-12-22 15:39:36  08:39:34 - MainThread - ocs_ci.framework.pytest_customization.reports - INFO  - duration reported by tests/functional/object/mcg/test_mcg_resources_disruptions.py::TestMCGResourcesDisruptions::test_db_scc immediately after test execution: 81.71
2024-12-22 15:39:36  -------------------------------- live log call ---------------------------------
2024-12-22 15:39:36  08:39:34 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod  -n odf-storage --selector=noobaa-db=postgres -o yaml
2024-12-22 15:39:36  08:39:35 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get Pod noobaa-db-pg-0 -n odf-storage -o yaml
2024-12-22 15:39:36  08:39:35 - MainThread - mcg.test_mcg_resources_disruptions - INFO  - Verifying current SCC is noobaa-db in db pod
2024-12-22 15:39:36  08:39:35 - MainThread - mcg.test_mcg_resources_disruptions - INFO  - Verifying the SA is not present in noobaa scc
2024-12-22 15:39:36  08:39:35 - MainThread - ocs_ci.helpers.helpers - INFO  - system:serviceaccount:odf-storage:noobaa-db
2024-12-22 15:39:36  08:39:35 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc --kubeconfig /home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig -n odf-storage get SecurityContextConstraints noobaa-db -n odf-storage -o yaml
2024-12-22 15:39:36  08:39:36 - MainThread - mcg.test_mcg_resources_disruptions - INFO  - Adding the noobaa-db system sa user to anyuid scc
2024-12-22 15:39:36  08:39:36 - MainThread - ocs_ci.ocs.ocp - INFO  - Command: patch SecurityContextConstraints anyuid -n odf-storage -p '[{"op": "add", "path": "/users/0", "value": "system:serviceaccount:odf-storage:noobaa-db"}]' --type json
2024-12-22 15:39:36  08:39:36 - MainThread - ocs_ci.utility.utils - INFO  - Executing command: oc -n odf-storage patch SecurityContextConstraints anyuid -n odf-storage -p '[{"op": "add", "path": "/users/0", "value": "system:serviceaccount:odf-storage:noobaa-db"}]' --type json
2024-12-22 15:39:37  08:39:36 - MainThread - ocs_ci.utility.utils - WARNING  - Command stderr: Error from server (Modifying default SCCs [anyuid hostaccess hostmount-anyuid hostnetwork hostnetwork-v2 node-exporter nonroot nonroot-v2 privileged restricted restricted-v2] is not allowed): admission webhook "scc-validation.managed.openshift.io" denied the request: Modifying default SCCs [anyuid hostaccess hostmount-anyuid hostnetwork hostnetwork-v2 node-exporter nonroot nonroot-v2 privileged restricted restricted-v2] is not allowed
2024-12-22 15:39:37  
2024-12-22 15:39:37  08:39:37 - MainThread - ocs_ci.framework.pytest_customization.reports - INFO  - duration reported by tests/functional/object/mcg/test_mcg_resources_disruptions.py::TestMCGResourcesDisruptions::test_db_scc immediately after test execution: 2.24
2024-12-22 15:39:37  FAILED
2024-12-22 15:39:37  ___________________ TestMCGResourcesDisruptions.test_db_scc ____________________
2024-12-22 15:39:37  
2024-12-22 15:39:37  self = <mcg.test_mcg_resources_disruptions.TestMCGResourcesDisruptions object at 0x7fed9160a520>
2024-12-22 15:39:37  teardown = None
2024-12-22 15:39:37  
2024-12-22 15:39:37      @tier3
2024-12-22 15:39:37      @pytest.mark.polarion_id("OCS-2513")
2024-12-22 15:39:37      @marks.bugzilla("1903573")
2024-12-22 15:39:37      @skipif_managed_service
2024-12-22 15:39:37      @skipif_ocs_version("<4.7")
2024-12-22 15:39:37      def test_db_scc(self, teardown):
2024-12-22 15:39:37          """
2024-12-22 15:39:37          Test noobaa db is assigned with scc(anyuid) after changing the default noobaa SCC
2024-12-22 15:39:37      
2024-12-22 15:39:37          """
2024-12-22 15:39:37          scc_name = constants.NOOBAA_DB_SERVICE_ACCOUNT_NAME
2024-12-22 15:39:37          service_account = constants.NOOBAA_DB_SERVICE_ACCOUNT.replace(
2024-12-22 15:39:37              "openshift-storage", config.ENV_DATA["cluster_namespace"]
2024-12-22 15:39:37          )
2024-12-22 15:39:37          pod_obj = pod.Pod(
2024-12-22 15:39:37              **pod.get_pods_having_label(
2024-12-22 15:39:37                  label=self.labels_map["noobaa_db"],
2024-12-22 15:39:37                  namespace=config.ENV_DATA["cluster_namespace"],
2024-12-22 15:39:37              )[0]
2024-12-22 15:39:37          )
2024-12-22 15:39:37          ocp_scc = ocp.OCP(
2024-12-22 15:39:37              kind=constants.SCC, namespace=config.ENV_DATA["cluster_namespace"]
2024-12-22 15:39:37          )
2024-12-22 15:39:37          pod_data = pod_obj.get()
2024-12-22 15:39:37      
2024-12-22 15:39:37          log.info(f"Verifying current SCC is {scc_name} in db pod")
2024-12-22 15:39:37          assert (
2024-12-22 15:39:37              pod_data.get("metadata").get("annotations").get("openshift.io/scc")
2024-12-22 15:39:37              == scc_name
2024-12-22 15:39:37          ), "Invalid default scc"
2024-12-22 15:39:37      
2024-12-22 15:39:37          log.info("Verifying the SA is not present in noobaa scc")
2024-12-22 15:39:37          assert not helpers.validate_scc_policy(
2024-12-22 15:39:37              sa_name=scc_name,
2024-12-22 15:39:37              namespace=config.ENV_DATA["cluster_namespace"],
2024-12-22 15:39:37              scc_name=scc_name,
2024-12-22 15:39:37          ), "SA name is present in noobaa scc"
2024-12-22 15:39:37      
2024-12-22 15:39:37          log.info("Adding the noobaa-db system sa user to anyuid scc")
2024-12-22 15:39:37  >       ocp_scc.patch(
2024-12-22 15:39:37              resource_name=constants.ANYUID,
2024-12-22 15:39:37              params='[{"op": "add", "path": "/users/0", '
2024-12-22 15:39:37              f'"value": "{service_account}"}}]',
2024-12-22 15:39:37              format_type="json",
2024-12-22 15:39:37          )
2024-12-22 15:39:37  
2024-12-22 15:39:37  tests/functional/object/mcg/test_mcg_resources_disruptions.py:271: 
2024-12-22 15:39:37  _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
2024-12-22 15:39:37  ocs_ci/ocs/ocp.py:519: in patch
2024-12-22 15:39:37      result = self.exec_oc_cmd(command)
2024-12-22 15:39:37  ocs_ci/ocs/ocp.py:212: in exec_oc_cmd
2024-12-22 15:39:37      out = run_cmd(
2024-12-22 15:39:37  ocs_ci/utility/utils.py:488: in run_cmd
2024-12-22 15:39:37      completed_process = exec_cmd(
2024-12-22 15:39:37  _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
2024-12-22 15:39:37  
2024-12-22 15:39:37  cmd = ['oc', '--kubeconfig', '/home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig', '-n', 'odf-storage', 'patch', ...]
2024-12-22 15:39:37  secrets = None, timeout = 600, ignore_error = False, threading_lock = None
2024-12-22 15:39:37  silent = False, use_shell = False
2024-12-22 15:39:37  cluster_config = <ocs_ci.framework.MultiClusterConfig object at 0x7fedb86063a0>
2024-12-22 15:39:37  lock_timeout = 7200, kwargs = {}
2024-12-22 15:39:37  masked_cmd = 'oc -n odf-storage patch SecurityContextConstraints anyuid -n odf-storage -p \'[{"op": "add", "path": "/users/0", "value": "system:serviceaccount:odf-storage:noobaa-db"}]\' --type json'
2024-12-22 15:39:37  kubepath = '/home/jenkins/current-cluster-dir/openshift-cluster-dir/auth/kubeconfig'
2024-12-22 15:39:37  kube_index = 1, plugin_list = 'oc plugin list'
2024-12-22 15:39:37  cp = CompletedProcess(args=['oc', 'plugin', 'list'], returncode=1, stdout=b'', stderr=b'Unable to read directory "/home/jen.../jenkins/.local/bin: no such file or directory. Skipping...\nerror: unable to find any kubectl plugins in your PATH\n')
2024-12-22 15:39:37  subcmd = '_n'
2024-12-22 15:39:37  
2024-12-22 15:39:37      def exec_cmd(
2024-12-22 15:39:37          cmd,
2024-12-22 15:39:37          secrets=None,
2024-12-22 15:39:37          timeout=600,
2024-12-22 15:39:37          ignore_error=False,
2024-12-22 15:39:37          threading_lock=None,
2024-12-22 15:39:37          silent=False,
2024-12-22 15:39:37          use_shell=False,
2024-12-22 15:39:37          cluster_config=None,
2024-12-22 15:39:37          lock_timeout=7200,
2024-12-22 15:39:37          **kwargs,
2024-12-22 15:39:37      ):
2024-12-22 15:39:37          """
2024-12-22 15:39:37          Run an arbitrary command locally
2024-12-22 15:39:37      
2024-12-22 15:39:37          If the command is grep and matching pattern is not found, then this function
2024-12-22 15:39:37          returns "command terminated with exit code 1" in stderr.
2024-12-22 15:39:37      
2024-12-22 15:39:37          Args:
2024-12-22 15:39:37              cmd (str): command to run
2024-12-22 15:39:37              secrets (list): A list of secrets to be masked with asterisks
2024-12-22 15:39:37                  This kwarg is popped in order to not interfere with
2024-12-22 15:39:37                  subprocess.run(``**kwargs``)
2024-12-22 15:39:37              timeout (int): Timeout for the command, defaults to 600 seconds.
2024-12-22 15:39:37              ignore_error (bool): True if ignore non zero return code and do not
2024-12-22 15:39:37                  raise the exception.
2024-12-22 15:39:37              threading_lock (threading.RLock): threading.RLock object that is used
2024-12-22 15:39:37                  for handling concurrent oc commands
2024-12-22 15:39:37              silent (bool): If True will silent errors from the server, default false
2024-12-22 15:39:37              use_shell (bool): If True will pass the cmd without splitting
2024-12-22 15:39:37              cluster_config (MultiClusterConfig): In case of multicluster environment this object
2024-12-22 15:39:37                      will be non-null
2024-12-22 15:39:37              lock_timeout (int): maximum timeout to wait for lock to prevent deadlocks (default 2 hours)
2024-12-22 15:39:37      
2024-12-22 15:39:37          Raises:
2024-12-22 15:39:37              CommandFailed: In case the command execution fails
2024-12-22 15:39:37      
2024-12-22 15:39:37          Returns:
2024-12-22 15:39:37              (CompletedProcess) A CompletedProcess object of the command that was executed
2024-12-22 15:39:37              CompletedProcess attributes:
2024-12-22 15:39:37              args: The list or str args passed to run().
2024-12-22 15:39:37              returncode (str): The exit code of the process, negative for signals.
2024-12-22 15:39:37              stdout     (str): The standard output (None if not captured).
2024-12-22 15:39:37              stderr     (str): The standard error (None if not captured).
2024-12-22 15:39:37      
2024-12-22 15:39:37          """
2024-12-22 15:39:37          masked_cmd = mask_secrets(cmd, secrets)
2024-12-22 15:39:37          log.info(f"Executing command: {masked_cmd}")
2024-12-22 15:39:37          if isinstance(cmd, str) and not kwargs.get("shell"):
2024-12-22 15:39:37              cmd = shlex.split(cmd)
2024-12-22 15:39:37          if config.RUN.get("custom_kubeconfig_location") and cmd[0] == "oc":
2024-12-22 15:39:37              if "--kubeconfig" in cmd:
2024-12-22 15:39:37                  cmd.pop(2)
2024-12-22 15:39:37                  cmd.pop(1)
2024-12-22 15:39:37              cmd = list_insert_at_position(cmd, 1, ["--kubeconfig"])
2024-12-22 15:39:37              cmd = list_insert_at_position(
2024-12-22 15:39:37                  cmd, 2, [config.RUN["custom_kubeconfig_location"]]
2024-12-22 15:39:37              )
2024-12-22 15:39:37          if cluster_config and cmd[0] == "oc" and "--kubeconfig" not in cmd:
2024-12-22 15:39:37              kubepath = cluster_config.RUN["kubeconfig"]
2024-12-22 15:39:37              kube_index = 1
2024-12-22 15:39:37              # check if we have an oc plugin in the command
2024-12-22 15:39:37              plugin_list = "oc plugin list"
2024-12-22 15:39:37              cp = subprocess.run(
2024-12-22 15:39:37                  shlex.split(plugin_list),
2024-12-22 15:39:37                  stdout=subprocess.PIPE,
2024-12-22 15:39:37                  stderr=subprocess.PIPE,
2024-12-22 15:39:37              )
2024-12-22 15:39:37              subcmd = cmd[1].split("-")
2024-12-22 15:39:37              if len(subcmd) > 1:
2024-12-22 15:39:37                  subcmd = "_".join(subcmd)
2024-12-22 15:39:37              if not isinstance(subcmd, str) and isinstance(subcmd, list):
2024-12-22 15:39:37                  subcmd = str(subcmd[0])
2024-12-22 15:39:37      
2024-12-22 15:39:37              for l in cp.stdout.decode().splitlines():
2024-12-22 15:39:37                  if subcmd in l:
2024-12-22 15:39:37                      # If oc cmdline has plugin name then we need to push the
2024-12-22 15:39:37                      # --kubeconfig to next index
2024-12-22 15:39:37                      kube_index = 2
2024-12-22 15:39:37                      log.info(f"Found oc plugin {subcmd}")
2024-12-22 15:39:37              cmd = list_insert_at_position(cmd, kube_index, ["--kubeconfig"])
2024-12-22 15:39:37              cmd = list_insert_at_position(cmd, kube_index + 1, [kubepath])
2024-12-22 15:39:37          try:
2024-12-22 15:39:37              if threading_lock and cmd[0] == "oc":
2024-12-22 15:39:37                  threading_lock.acquire(timeout=lock_timeout)
2024-12-22 15:39:37              completed_process = subprocess.run(
2024-12-22 15:39:37                  cmd,
2024-12-22 15:39:37                  stdout=subprocess.PIPE,
2024-12-22 15:39:37                  stderr=subprocess.PIPE,
2024-12-22 15:39:37                  stdin=subprocess.PIPE,
2024-12-22 15:39:37                  timeout=timeout,
2024-12-22 15:39:37                  **kwargs,
2024-12-22 15:39:37              )
2024-12-22 15:39:37          finally:
2024-12-22 15:39:37              if threading_lock and cmd[0] == "oc":
2024-12-22 15:39:37                  threading_lock.release()
2024-12-22 15:39:37          masked_stdout = mask_secrets(completed_process.stdout.decode(), secrets)
2024-12-22 15:39:37          if len(completed_process.stdout) > 0:
2024-12-22 15:39:37              log.debug(f"Command stdout: {masked_stdout}")
2024-12-22 15:39:37          else:
2024-12-22 15:39:37              log.debug("Command stdout is empty")
2024-12-22 15:39:37      
2024-12-22 15:39:37          masked_stderr = mask_secrets(completed_process.stderr.decode(), secrets)
2024-12-22 15:39:37          if len(completed_process.stderr) > 0:
2024-12-22 15:39:37              if not silent:
2024-12-22 15:39:37                  log.warning(f"Command stderr: {masked_stderr}")
2024-12-22 15:39:37          else:
2024-12-22 15:39:37              log.debug("Command stderr is empty")
2024-12-22 15:39:37          log.debug(f"Command return code: {completed_process.returncode}")
2024-12-22 15:39:37          if completed_process.returncode and not ignore_error:
2024-12-22 15:39:37              masked_stderr = bin_xml_escape(filter_out_emojis(masked_stderr))
2024-12-22 15:39:37              if (
2024-12-22 15:39:37                  "grep" in masked_cmd
2024-12-22 15:39:37                  and b"command terminated with exit code 1" in completed_process.stderr
2024-12-22 15:39:37              ):
2024-12-22 15:39:37                  log.info(f"No results found for grep command: {masked_cmd}")
2024-12-22 15:39:37              else:
2024-12-22 15:39:37  >               raise CommandFailed(
2024-12-22 15:39:37                      f"Error during execution of command: {masked_cmd}."
2024-12-22 15:39:37                      f"\nError is {masked_stderr}"
2024-12-22 15:39:37                  )
2024-12-22 15:39:37  E               ocs_ci.ocs.exceptions.CommandFailed: Error during execution of command: oc -n odf-storage patch SecurityContextConstraints anyuid -n odf-storage -p '[{"op": "add", "path": "/users/0", "value": "system:serviceaccount:odf-storage:noobaa-db"}]' --type json.
2024-12-22 15:39:37  E               Error is Error from server (Modifying default SCCs [anyuid hostaccess hostmount-anyuid hostnetwork hostnetwork-v2 node-exporter nonroot nonroot-v2 privileged restricted restricted-v2] is not allowed): admission webhook "scc-validation.managed.openshift.io" denied the request: Modifying default SCCs [anyuid hostaccess hostmount-anyuid hostnetwork hostnetwork-v2 node-exporter nonroot nonroot-v2 privileged restricted restricted-v2] is not allowed
2024-12-22 15:39:37  
2024-12-22 15:39:37  ocs_ci/utility/utils.py:710: CommandFailed
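
An added example, not part of the original issue or the ocs-ci code base: a small classifier that separates the admission-webhook denial shown in the log above from an ordinary command failure, so a harness can report a platform policy block on default SCCs rather than a product bug. The names `parse_webhook_denial` and `classify_scc_patch_failure` are hypothetical, and the sample stderr is copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the stderr text reported in the log above, embedded so the
# example runs offline.
SAMPLE_STDERR = (
    'Error from server (Modifying default SCCs [anyuid hostaccess '
    'hostmount-anyuid hostnetwork hostnetwork-v2 node-exporter nonroot '
    'nonroot-v2 privileged restricted restricted-v2] is not allowed): '
    'admission webhook "scc-validation.managed.openshift.io" denied the '
    'request: Modifying default SCCs [anyuid hostaccess hostmount-anyuid '
    'hostnetwork hostnetwork-v2 node-exporter nonroot nonroot-v2 privileged '
    'restricted restricted-v2] is not allowed'
)

# 'admission webhook "<name>" denied the request: <reason>'
_WEBHOOK_RE = re.compile(
    r'admission webhook "([^"]+)" denied the request: (.*)', re.S
)
# The reason string lists the protected SCC names, space separated.
_SCC_LIST_RE = re.compile(r"Modifying default SCCs \[([^\]]*)\] is not allowed")


@dataclass
class WebhookDenial:
    webhook: str               # name of the denying admission webhook
    reason: str                # text after "denied the request:"
    protected_sccs: List[str]  # SCC names listed in the reason, if any


def parse_webhook_denial(stderr: str) -> Optional[WebhookDenial]:
    """Return the denial details, or None if stderr is not a webhook denial."""
    match = _WEBHOOK_RE.search(stderr)
    if match is None:
        return None
    reason = match.group(2).strip()
    scc_list = _SCC_LIST_RE.search(reason)
    protected = scc_list.group(1).split() if scc_list else []
    return WebhookDenial(match.group(1), reason, protected)


def classify_scc_patch_failure(scc_name: str, stderr: str) -> str:
    """Classify a failed SCC patch by what stopped it.

    Returns one of:
      "policy-denied-default-scc": a webhook protects the SCC that was patched
      "policy-denied-other":       a webhook denied the request for another reason
      "command-failure":           no webhook denial found in stderr
    """
    denial = parse_webhook_denial(stderr)
    if denial is None:
        return "command-failure"
    if scc_name in denial.protected_sccs:
        return "policy-denied-default-scc"
    return "policy-denied-other"


if __name__ == "__main__":
    denial = parse_webhook_denial(SAMPLE_STDERR)
    print(denial.webhook, denial.protected_sccs)
    print(classify_scc_patch_failure("anyuid", SAMPLE_STDERR))
```
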
@DanielOsypenko

linking initial PR - fix:
#11074
