Bug 1861526 - FSGroup e2e test added in 1.19 fails consistently on openshift
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.6.0
Assignee: Seth Jennings
QA Contact: Weinan Liu
Reported: 2020-07-28 20:53 UTC by Maru Newby
Modified: 2020-10-27 16:21 UTC (History)
Last Closed: 2020-10-27 16:21:16 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift origin pull 25414 | 0 | None | closed | Bug 1861526: test: extended: reenable service account test disabled during rebase | 2020-09-07 02:26:41 UTC
Red Hat Product Errata | RHBA-2020:4196 | 0 | None | None | None | 2020-10-27 16:21:40 UTC

Description Maru Newby 2020-07-28 20:53:36 UTC
The following test added upstream in 1.19 fails consistently against openshift:

[sig-auth] ServiceAccounts should set ownership and permission when RunAsUser or FsGroup is present [LinuxOnly] [NodeFeature:FSGroup] [Feature:TokenRequestProjection] [Suite:openshift/conformance/parallel] [Suite:k8s]

Added in: https://github.com/kubernetes/kubernetes/pull/89193
Example of failure: https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/25314/pull-ci-openshift-origin-master-e2e-aws-fips/1288149961694777344

This test is skipped in origin's rule.go until a fix is available.

Comment 1 Maru Newby 2020-07-28 20:54:44 UTC
Failure mode: Test passes but AfterSuite fails due to the container it uses exiting non-zero.

Comment 2 Seth Jennings 2020-08-13 16:56:32 UTC
Failure context:

Output of node "ip-10-0-153-213.ec2.internal" pod "test-pod-5c0eadb2-cadc-4bfe-83af-f1f4bd460e5c" container "test-container":
perms of file "/test-volume/token": -rw-------
owner UID of "/test-volume/token": 0
owner GID of "/test-volume/token": 0
error reading file content for "/test-volume/token": open /test-volume/token: permission denied

Expected (hard to tell since the individual test cases don't have names, but I think it is the first one):

https://github.com/kubernetes/kubernetes/blob/master/test/e2e/auth/service_accounts.go#L497-L502

perms of file "/test-volume/token": -rw-------
owner UID of "/test-volume/token": 1000
owner GID of "/test-volume/token": 0
content of file "/test-volume/token": <token>

Seems the issue is that the UID of the token volume is not set as expected (0 instead of 1000).

For this test case, pod.Spec.SecurityContext.RunAsUser is set to 1000 and pod.Spec.SecurityContext.FSGroup is not set.
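
Added example, not part of the comment above or of the upstream e2e test: it parses the ownership lines quoted in comment 2 and applies the POSIX owner/group/other check to show why a 0600 token owned by UID 0 is unreadable by UID 1000, while the same mode owned by UID 1000 is readable. The names FileInfo, ParseReport and CanRead are hypothetical, and the process is assumed to run as UID 1000 with GID 0 and no other groups.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// FileInfo is what the test container reports about the projected token file.
type FileInfo struct {
	Mode     string // 10-character ls-style string, e.g. "-rw-------"
	UID, GID int
}

// Report lines as quoted in comment 2; %d is the owner UID (0 observed, 1000 expected).
const reportFmt = `perms of file "/test-volume/token": -rw-------
owner UID of "/test-volume/token": %d
owner GID of "/test-volume/token": 0`
var reportRe = regexp.MustCompile(`(?s)perms of file "[^"]+": (\S{10}).*owner UID of "[^"]+": (\d+).*owner GID of "[^"]+": (\d+)`)

// ParseReport extracts the mode string, owner UID and owner GID from the output.
func ParseReport(out string) (FileInfo, error) {
	m := reportRe.FindStringSubmatch(out)
	if m == nil {
		return FileInfo{}, fmt.Errorf("incomplete ownership report")
	}
	uid, _ := strconv.Atoi(m[2]) // \d+ already matched; Atoi can only fail on overflow
	gid, _ := strconv.Atoi(m[3])
	return FileInfo{Mode: m[1], UID: uid, GID: gid}, nil
}

// CanRead applies the POSIX owner/group/other class check for a non-root process.
func CanRead(f FileInfo, uid int, gids []int) bool {
	if f.UID == uid {
		return f.Mode[1] == 'r' // owner class decides, even if group bits are wider
	}
	for _, g := range gids {
		if g == f.GID {
			return f.Mode[4] == 'r'
		}
	}
	return f.Mode[7] == 'r'
}

func main() {
	for _, owner := range []int{0, 1000} {
		f, _ := ParseReport(fmt.Sprintf(reportFmt, owner))
		// Assumption: the container process is UID 1000 with GID 0 only.
		fmt.Printf("%+v readable by UID 1000: %v\n", f, CanRead(f, 1000, []int{0}))
	}
}
```
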

Comment 3 Seth Jennings 2020-08-13 17:01:09 UTC
Just ran against my own 4.6 cluster and the test passes. Possibly a transient skew issue during the rebase. Re-enabling the test.

Comment 6 Weinan Liu 2020-09-07 07:07:27 UTC
Issue got fixed based on comment #3

Comment 8 errata-xmlrpc 2020-10-27 16:21:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

