Some tests are setting HostNetwork=true, even if it is not required
for them to pass.
This patch will set the HostNetwork to false for those tests, allowing
them to be run on Windows nodes as well.

Many TestJig methods made the caller pass a serviceName argument, even
though the jig already has a name, and every caller was passing the
same name to each function as they had passed to NewTestJig().
Likewise, many methods made the caller pass a namespace argument, but
only a single test used more than one namespace, and it can easily be
rewritten to use two test jigs as well.

e2e Windows tests can be run against Windows-only clusters, which
currently will cause the GMSA test to fail, as it needs to be able to
deploy pods to at least one Linux node, for the GMSA webhook; this patch
leverages the new `--tolerate-master` flag that was added to the GMSA
webhook deploy
script in https://github.com/kubernetes-sigs/windows-gmsa/pull/18.
Signed-off-by: Jean Rouge <rougej+github@gmail.com>

The previously existing e2e GMSA test really only tests a small part of the
whole GMSA setup process, namely that once the API has inlined the GMSA
contents in the pod's spec, and sent that to a worker's kubelet, then the
kubelet passes that down to the runtime.
This new test, in contrast, really tests the whole thing, i.e. deploying the
admission webhook, then deploying a GMSA custom resource, and using that
resource within a pod.
The downside of this test though, is that it does need to make a lot of
assumptions about the cluster it runs against, notably that it runs on a worker
node that's already been joined to a working Active Directory domain (there are
other assumptions, all documented at the beginning of the test file); for that
reason, it is only intended to ever be run against an AKS cluster with the
custom AKS extension from
https://github.com/kubernetes-sigs/windows-testing/pull/98.
Note that this test doesn't aim at testing every edge-case, such as
a pod trying to use a GMSA it doesn't have access to; the webhook has
its own tests for these. This test's goal is to ensure the happy path
doesn't break.
Signed-off-by: Jean Rouge <rougej+github@gmail.com>

Currently, Kubernetes supports running as a different user (RunAsUser),
but it only supports UIDs, which does not work on Windows.
This is why the field SecurityContext.WindowsOptions.RunAsUserName
was introduced, to allow us to run the container entrypoints with
a different user than its default one.
This commit adds E2E tests which will validate this behaviour. The
tests are Windows only, and they will be skipped if --node-os-distro
is not "windows".

As in https://github.com/kubernetes/kubernetes/pull/78478, we can also use
ExpectNoError() instead of Expect(err).ToNot(HaveOccurred()).
This makes the test code check strict to cover the above case and
replaces the remaining ones in test/e2e/common/expansion.go