
Add run_as_group to container security contexts attributes #414

Merged

Conversation

pdecat
Contributor

@pdecat pdecat commented Apr 25, 2019

@pdecat pdecat force-pushed the f-add-security-context-run_as_group branch from 66805d8 to e2c43cd Compare April 25, 2019 14:55
@ghost ghost added size/S and removed size/L labels Apr 25, 2019
@pdecat pdecat marked this pull request as ready for review April 25, 2019 14:56
@pdecat
Contributor Author

pdecat commented Apr 25, 2019

Rebased on master.

@pdecat
Contributor Author

pdecat commented Apr 25, 2019

As already noted in #249, acceptance tests for this one are failing against Kubernetes clusters where the feature is not available and enabled, such as GKE 1.12:

# make testacc TEST=./kubernetes TESTARGS='-run=TestAccKubernetes\(Pod\|ReplicationController\|Deployment\).* -count=1'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./kubernetes -v -run=TestAccKubernetes\(Pod\|ReplicationController\|Deployment\).* -count=1 -timeout 120m
=== RUN   TestAccKubernetesDeployment_basic
--- PASS: TestAccKubernetesDeployment_basic (31.05s)
=== RUN   TestAccKubernetesDeployment_initContainer
--- PASS: TestAccKubernetesDeployment_initContainer (40.67s)
=== RUN   TestAccKubernetesDeployment_importBasic
--- PASS: TestAccKubernetesDeployment_importBasic (40.51s)
=== RUN   TestAccKubernetesDeployment_generatedName
--- PASS: TestAccKubernetesDeployment_generatedName (7.87s)
=== RUN   TestAccKubernetesDeployment_importGeneratedName
--- PASS: TestAccKubernetesDeployment_importGeneratedName (12.05s)
=== RUN   TestAccKubernetesDeployment_with_security_context
--- FAIL: TestAccKubernetesDeployment_with_security_context (10.74s)
    testing.go:568: Step 0 error: Check failed: 1 error occurred:
                * Check 3/7 error: kubernetes_deployment.test: Attribute 'spec.0.template.0.spec.0.security_context.0.run_as_group' expected "100", got "0"


=== RUN   TestAccKubernetesDeployment_with_container_liveness_probe_using_exec
--- PASS: TestAccKubernetesDeployment_with_container_liveness_probe_using_exec (5.70s)
=== RUN   TestAccKubernetesDeployment_with_container_liveness_probe_using_http_get
--- PASS: TestAccKubernetesDeployment_with_container_liveness_probe_using_http_get (5.68s)
=== RUN   TestAccKubernetesDeployment_with_container_liveness_probe_using_tcp
--- PASS: TestAccKubernetesDeployment_with_container_liveness_probe_using_tcp (5.62s)
=== RUN   TestAccKubernetesDeployment_with_container_lifecycle
--- PASS: TestAccKubernetesDeployment_with_container_lifecycle (5.59s)
=== RUN   TestAccKubernetesDeployment_with_container_security_context
--- FAIL: TestAccKubernetesDeployment_with_container_security_context (10.74s)
    testing.go:568: Step 0 error: Check failed: 1 error occurred:
                * Check 17/21 error: kubernetes_deployment.test: Attribute 'spec.0.template.0.spec.0.container.1.security_context.0.run_as_group' expected "200", got "0"


=== RUN   TestAccKubernetesDeployment_with_volume_mount
--- PASS: TestAccKubernetesDeployment_with_volume_mount (6.52s)
=== RUN   TestAccKubernetesDeployment_with_resource_requirements
--- PASS: TestAccKubernetesDeployment_with_resource_requirements (5.62s)
=== RUN   TestAccKubernetesDeployment_with_empty_dir_volume
--- PASS: TestAccKubernetesDeployment_with_empty_dir_volume (11.88s)
=== RUN   TestAccKubernetesDeploymentUpdate_basic
--- PASS: TestAccKubernetesDeploymentUpdate_basic (39.43s)
=== RUN   TestAccKubernetesDeployment_with_deployment_strategy_rollingupdate
--- PASS: TestAccKubernetesDeployment_with_deployment_strategy_rollingupdate (7.87s)
=== RUN   TestAccKubernetesDeployment_with_deployment_strategy_rollingupdate_max_surge_30perc_max_unavailable_40perc
--- PASS: TestAccKubernetesDeployment_with_deployment_strategy_rollingupdate_max_surge_30perc_max_unavailable_40perc (5.64s)
=== RUN   TestAccKubernetesDeployment_with_deployment_strategy_rollingupdate_max_surge_1_max_unavailable_2
--- PASS: TestAccKubernetesDeployment_with_deployment_strategy_rollingupdate_max_surge_1_max_unavailable_2 (5.60s)
=== RUN   TestAccKubernetesDeployment_with_deployment_strategy_recreate
--- PASS: TestAccKubernetesDeployment_with_deployment_strategy_recreate (5.54s)
=== RUN   TestAccKubernetesDeployment_with_host_aliases
--- PASS: TestAccKubernetesDeployment_with_host_aliases (5.81s)
=== RUN   TestAccKubernetesPod_basic
--- PASS: TestAccKubernetesPod_basic (23.40s)
=== RUN   TestAccKubernetesPod_initContainer_updateForcesNew
--- PASS: TestAccKubernetesPod_initContainer_updateForcesNew (42.46s)
=== RUN   TestAccKubernetesPod_updateArgsForceNew
--- PASS: TestAccKubernetesPod_updateArgsForceNew (93.93s)
=== RUN   TestAccKubernetesPod_updateEnvForceNew
--- PASS: TestAccKubernetesPod_updateEnvForceNew (33.56s)
=== RUN   TestAccKubernetesPod_importBasic
--- FAIL: TestAccKubernetesPod_importBasic (5.10s)
    testing.go:568: Step 0 error: After applying this step, the plan was not empty:

        DIFF:

        UPDATE: kubernetes_pod.test
          id:                                               "default/tf-acc-test-vlrxpqwh0y" => "default/tf-acc-test-vlrxpqwh0y"
          metadata.#:                                       "1" => "1"
          metadata.0.generate_name:                         "" => ""
          metadata.0.generation:                            "0" => "0"
          metadata.0.labels.app:                            "pod_label" => "pod_label"
          metadata.0.name:                                  "tf-acc-test-vlrxpqwh0y" => "tf-acc-test-vlrxpqwh0y"
          metadata.0.namespace:                             "default" => "default"
          metadata.0.resource_version:                      "80990" => "80990"
          metadata.0.self_link:                             "/api/v1/namespaces/default/pods/tf-acc-test-vlrxpqwh0y" => "/api/v1/namespaces/default/pods/tf-acc-test-vlrxpqwh0y"
          metadata.0.uid:                                   "a5063830-676b-11e9-acf8-42010a8e0fe3" => "a5063830-676b-11e9-acf8-42010a8e0fe3"
          spec.#:                                           "1" => "1"
          spec.0.active_deadline_seconds:                   "0" => "0"
          spec.0.container.#:                               "1" => "1"
          spec.0.container.0.env.#:                         "0" => "0"
          spec.0.container.0.env_from.#:                    "0" => "0"
          spec.0.container.0.image:                         "nginx:1.7.9" => "nginx:1.7.9"
          spec.0.container.0.image_pull_policy:             "IfNotPresent" => "IfNotPresent"
          spec.0.container.0.lifecycle.#:                   "0" => "0"
          spec.0.container.0.liveness_probe.#:              "0" => "0"
          spec.0.container.0.name:                          "containername" => "containername"
          spec.0.container.0.port.#:                        "0" => "0"
          spec.0.container.0.readiness_probe.#:             "0" => "0"
          spec.0.container.0.resources.#:                   "1" => "1"
          spec.0.container.0.resources.0.limits.#:          "0" => "0"
          spec.0.container.0.resources.0.requests.#:        "1" => "1"
          spec.0.container.0.resources.0.requests.0.cpu:    "100m" => "100m"
          spec.0.container.0.resources.0.requests.0.memory: "" => ""
          spec.0.container.0.security_context.#:            "0" => "0"
          spec.0.container.0.stdin:                         "false" => "false"
          spec.0.container.0.stdin_once:                    "false" => "false"
          spec.0.container.0.termination_message_path:      "/dev/termination-log" => "/dev/termination-log"
          spec.0.container.0.tty:                           "false" => "false"
          spec.0.container.0.volume_mount.#:                "0" => "0"
          spec.0.container.0.working_dir:                   "" => ""
          spec.0.dns_config.#:                              "0" => "0"
          spec.0.dns_policy:                                "ClusterFirst" => "ClusterFirst"
          spec.0.host_aliases.#:                            "0" => "0"
          spec.0.host_ipc:                                  "false" => "false"
          spec.0.host_network:                              "false" => "false"
          spec.0.host_pid:                                  "false" => "false"
          spec.0.hostname:                                  "" => ""
          spec.0.image_pull_secrets.#:                      "0" => "0"
          spec.0.init_container.#:                          "0" => "0"
          spec.0.node_name:                                 "gke-tf-acc-test-2d0d814e-default-pool-a44fdd1d-hsvr" => "gke-tf-acc-test-2d0d814e-default-pool-a44fdd1d-hsvr"
          spec.0.restart_policy:                            "Always" => "Always"
          spec.0.security_context.#:                        "1" => "1"
          spec.0.security_context.0.fs_group:               "100" => "100"
          spec.0.security_context.0.run_as_group:           "0" => "100"
          spec.0.security_context.0.run_as_non_root:        "true" => "true"
          spec.0.security_context.0.run_as_user:            "101" => "101"
          spec.0.security_context.0.se_linux_options.#:     "0" => "0"
          spec.0.security_context.0.supplemental_groups.#:  "1" => "1"
          spec.0.security_context.0.supplemental_groups.0:  "101" => "101"
          spec.0.service_account_name:                      "default" => "default"
          spec.0.subdomain:                                 "" => ""
          spec.0.termination_grace_period_seconds:          "30" => "30"
          spec.0.volume.#:                                  "0" => "0"



        STATE:

        kubernetes_pod.test:
          ID = default/tf-acc-test-vlrxpqwh0y
          provider = provider.kubernetes
          metadata.# = 1
          metadata.0.generate_name =
          metadata.0.generation = 0
          metadata.0.labels.app = pod_label
          metadata.0.name = tf-acc-test-vlrxpqwh0y
          metadata.0.namespace = default
          metadata.0.resource_version = 80990
          metadata.0.self_link = /api/v1/namespaces/default/pods/tf-acc-test-vlrxpqwh0y
          metadata.0.uid = a5063830-676b-11e9-acf8-42010a8e0fe3
          spec.# = 1
          spec.0.active_deadline_seconds = 0
          spec.0.container.# = 1
          spec.0.container.0.image = nginx:1.7.9
          spec.0.container.0.image_pull_policy = IfNotPresent
          spec.0.container.0.name = containername
          spec.0.container.0.resources.# = 1
          spec.0.container.0.resources.0.requests.# = 1
          spec.0.container.0.resources.0.requests.0.cpu = 100m
          spec.0.container.0.resources.0.requests.0.memory =
          spec.0.container.0.stdin = false
          spec.0.container.0.stdin_once = false
          spec.0.container.0.termination_message_path = /dev/termination-log
          spec.0.container.0.tty = false
          spec.0.container.0.working_dir =
          spec.0.dns_policy = ClusterFirst
          spec.0.host_ipc = false
          spec.0.host_network = false
          spec.0.host_pid = false
          spec.0.hostname =
          spec.0.node_name = gke-tf-acc-test-2d0d814e-default-pool-a44fdd1d-hsvr
          spec.0.restart_policy = Always
          spec.0.security_context.# = 1
          spec.0.security_context.0.fs_group = 100
          spec.0.security_context.0.run_as_group = 0
          spec.0.security_context.0.run_as_non_root = true
          spec.0.security_context.0.run_as_user = 101
          spec.0.security_context.0.supplemental_groups.# = 1
          spec.0.security_context.0.supplemental_groups.0 = 101
          spec.0.service_account_name = default
          spec.0.subdomain =
          spec.0.termination_grace_period_seconds = 30
=== RUN   TestAccKubernetesPod_with_pod_security_context
--- FAIL: TestAccKubernetesPod_with_pod_security_context (19.55s)
    testing.go:568: Step 0 error: Check failed: 1 error occurred:
                * Check 3/7 error: kubernetes_pod.test: Attribute 'spec.0.security_context.0.run_as_group' expected "100", got "0"


=== RUN   TestAccKubernetesPod_with_container_liveness_probe_using_exec
--- PASS: TestAccKubernetesPod_with_container_liveness_probe_using_exec (50.49s)
=== RUN   TestAccKubernetesPod_with_container_liveness_probe_using_http_get
--- PASS: TestAccKubernetesPod_with_container_liveness_probe_using_http_get (6.92s)
=== RUN   TestAccKubernetesPod_with_container_liveness_probe_using_tcp
--- PASS: TestAccKubernetesPod_with_container_liveness_probe_using_tcp (11.94s)
=== RUN   TestAccKubernetesPod_with_container_lifecycle
--- PASS: TestAccKubernetesPod_with_container_lifecycle (20.08s)
=== RUN   TestAccKubernetesPod_with_container_security_context
--- PASS: TestAccKubernetesPod_with_container_security_context (7.85s)
=== RUN   TestAccKubernetesPod_with_volume_mount
--- PASS: TestAccKubernetesPod_with_volume_mount (7.76s)
=== RUN   TestAccKubernetesPod_with_cfg_map_volume_mount
--- PASS: TestAccKubernetesPod_with_cfg_map_volume_mount (12.89s)
=== RUN   TestAccKubernetesPod_with_resource_requirements
--- PASS: TestAccKubernetesPod_with_resource_requirements (7.80s)
=== RUN   TestAccKubernetesPod_with_empty_dir_volume
--- PASS: TestAccKubernetesPod_with_empty_dir_volume (11.96s)
=== RUN   TestAccKubernetesPod_with_secret_vol_items
--- PASS: TestAccKubernetesPod_with_secret_vol_items (20.91s)
=== RUN   TestAccKubernetesPod_gke_with_nodeSelector
--- PASS: TestAccKubernetesPod_gke_with_nodeSelector (7.15s)
=== RUN   TestAccKubernetesReplicationController_deprecated_basic
--- PASS: TestAccKubernetesReplicationController_deprecated_basic (122.34s)
=== RUN   TestAccKubernetesReplicationController_deprecated_initContainer
--- PASS: TestAccKubernetesReplicationController_deprecated_initContainer (118.70s)
=== RUN   TestAccKubernetesReplicationController_deprecated_importBasic
--- PASS: TestAccKubernetesReplicationController_deprecated_importBasic (118.19s)
=== RUN   TestAccKubernetesReplicationController_deprecated_generatedName
--- PASS: TestAccKubernetesReplicationController_deprecated_generatedName (5.19s)
=== RUN   TestAccKubernetesReplicationController_deprecated_importGeneratedName
--- PASS: TestAccKubernetesReplicationController_deprecated_importGeneratedName (5.21s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_security_context
--- PASS: TestAccKubernetesReplicationController_deprecated_with_security_context (5.57s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_container_liveness_probe_using_exec
--- PASS: TestAccKubernetesReplicationController_deprecated_with_container_liveness_probe_using_exec (5.47s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_container_liveness_probe_using_http_get
--- PASS: TestAccKubernetesReplicationController_deprecated_with_container_liveness_probe_using_http_get (5.43s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_container_liveness_probe_using_tcp
--- PASS: TestAccKubernetesReplicationController_deprecated_with_container_liveness_probe_using_tcp (5.51s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_container_lifecycle
--- PASS: TestAccKubernetesReplicationController_deprecated_with_container_lifecycle (5.52s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_container_security_context
--- PASS: TestAccKubernetesReplicationController_deprecated_with_container_security_context (6.71s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_volume_mount
--- PASS: TestAccKubernetesReplicationController_deprecated_with_volume_mount (6.25s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_resource_requirements
--- PASS: TestAccKubernetesReplicationController_deprecated_with_resource_requirements (5.34s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_empty_dir_volume
--- PASS: TestAccKubernetesReplicationController_deprecated_with_empty_dir_volume (5.29s)
=== RUN   TestAccKubernetesReplicationController_basic
--- PASS: TestAccKubernetesReplicationController_basic (123.08s)
=== RUN   TestAccKubernetesReplicationController_initContainer
--- PASS: TestAccKubernetesReplicationController_initContainer (119.06s)
=== RUN   TestAccKubernetesReplicationController_importBasic
--- PASS: TestAccKubernetesReplicationController_importBasic (118.57s)
=== RUN   TestAccKubernetesReplicationController_generatedName
--- PASS: TestAccKubernetesReplicationController_generatedName (5.14s)
=== RUN   TestAccKubernetesReplicationController_importGeneratedName
--- PASS: TestAccKubernetesReplicationController_importGeneratedName (5.24s)
=== RUN   TestAccKubernetesReplicationController_with_security_context
--- FAIL: TestAccKubernetesReplicationController_with_security_context (3.70s)
    testing.go:568: Step 0 error: Check failed: 1 error occurred:
                * Check 3/7 error: kubernetes_replication_controller.test: Attribute 'spec.0.template.0.spec.0.security_context.0.run_as_group' expected "100", got "0"


=== RUN   TestAccKubernetesReplicationController_with_container_liveness_probe_using_exec
--- PASS: TestAccKubernetesReplicationController_with_container_liveness_probe_using_exec (5.12s)
=== RUN   TestAccKubernetesReplicationController_with_container_liveness_probe_using_http_get
--- PASS: TestAccKubernetesReplicationController_with_container_liveness_probe_using_http_get (5.21s)
=== RUN   TestAccKubernetesReplicationController_with_container_liveness_probe_using_tcp
--- PASS: TestAccKubernetesReplicationController_with_container_liveness_probe_using_tcp (5.12s)
=== RUN   TestAccKubernetesReplicationController_with_container_lifecycle
--- PASS: TestAccKubernetesReplicationController_with_container_lifecycle (5.15s)
=== RUN   TestAccKubernetesReplicationController_with_container_security_context
--- PASS: TestAccKubernetesReplicationController_with_container_security_context (5.12s)
=== RUN   TestAccKubernetesReplicationController_with_volume_mount
--- PASS: TestAccKubernetesReplicationController_with_volume_mount (5.99s)
=== RUN   TestAccKubernetesReplicationController_with_resource_requirements
--- PASS: TestAccKubernetesReplicationController_with_resource_requirements (5.11s)
=== RUN   TestAccKubernetesReplicationController_with_empty_dir_volume
--- PASS: TestAccKubernetesReplicationController_with_empty_dir_volume (5.16s)
FAIL
FAIL    github.com/terraform-providers/terraform-provider-kubernetes/kubernetes 1491.510s
make: *** [GNUmakefile:17: testacc] Error 1

@pdecat
Contributor Author

pdecat commented Apr 25, 2019

They do pass on minikube with Kubernetes 1.14.1:

# make testacc TEST=./kubernetes TESTARGS='-run=TestAccKubernetes\(Pod\|ReplicationController\|Deployment\|DaemonSet\|StatefulSet\).* -count=1'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./kubernetes -v -run=TestAccKubernetes\(Pod\|ReplicationController\|Deployment\|DaemonSet\|StatefulSet\).* -count=1 -timeout 120m
=== RUN   TestAccKubernetesDaemonSet_minimal
--- PASS: TestAccKubernetesDaemonSet_minimal (3.33s)
=== RUN   TestAccKubernetesDaemonSet_basic
--- PASS: TestAccKubernetesDaemonSet_basic (5.54s)
=== RUN   TestAccKubernetesDaemonSet_importBasic
--- PASS: TestAccKubernetesDaemonSet_importBasic (2.82s)
=== RUN   TestAccKubernetesDaemonSet_with_template_metadata
--- PASS: TestAccKubernetesDaemonSet_with_template_metadata (5.20s)
=== RUN   TestAccKubernetesDaemonSet_initContainer
--- PASS: TestAccKubernetesDaemonSet_initContainer (2.84s)
=== RUN   TestAccKubernetesDaemonSet_noTopLevelLabels
--- PASS: TestAccKubernetesDaemonSet_noTopLevelLabels (2.73s)
=== RUN   TestAccKubernetesDeployment_basic
--- PASS: TestAccKubernetesDeployment_basic (2.90s)
=== RUN   TestAccKubernetesDeployment_initContainer
--- PASS: TestAccKubernetesDeployment_initContainer (2.96s)
=== RUN   TestAccKubernetesDeployment_importBasic
--- PASS: TestAccKubernetesDeployment_importBasic (3.06s)
=== RUN   TestAccKubernetesDeployment_generatedName
--- PASS: TestAccKubernetesDeployment_generatedName (2.71s)
=== RUN   TestAccKubernetesDeployment_importGeneratedName
--- PASS: TestAccKubernetesDeployment_importGeneratedName (2.74s)
=== RUN   TestAccKubernetesDeployment_with_security_context
--- PASS: TestAccKubernetesDeployment_with_security_context (2.88s)
=== RUN   TestAccKubernetesDeployment_with_container_liveness_probe_using_exec
--- PASS: TestAccKubernetesDeployment_with_container_liveness_probe_using_exec (2.80s)
=== RUN   TestAccKubernetesDeployment_with_container_liveness_probe_using_http_get
--- PASS: TestAccKubernetesDeployment_with_container_liveness_probe_using_http_get (2.83s)
=== RUN   TestAccKubernetesDeployment_with_container_liveness_probe_using_tcp
--- PASS: TestAccKubernetesDeployment_with_container_liveness_probe_using_tcp (2.92s)
=== RUN   TestAccKubernetesDeployment_with_container_lifecycle
--- PASS: TestAccKubernetesDeployment_with_container_lifecycle (2.85s)
=== RUN   TestAccKubernetesDeployment_with_container_security_context
--- PASS: TestAccKubernetesDeployment_with_container_security_context (2.75s)
=== RUN   TestAccKubernetesDeployment_with_volume_mount
--- PASS: TestAccKubernetesDeployment_with_volume_mount (2.74s)
=== RUN   TestAccKubernetesDeployment_with_resource_requirements
--- PASS: TestAccKubernetesDeployment_with_resource_requirements (2.57s)
=== RUN   TestAccKubernetesDeployment_with_empty_dir_volume
--- PASS: TestAccKubernetesDeployment_with_empty_dir_volume (2.66s)
=== RUN   TestAccKubernetesDeploymentUpdate_basic
--- PASS: TestAccKubernetesDeploymentUpdate_basic (4.85s)
=== RUN   TestAccKubernetesDeployment_with_deployment_strategy_rollingupdate
--- PASS: TestAccKubernetesDeployment_with_deployment_strategy_rollingupdate (2.61s)
=== RUN   TestAccKubernetesDeployment_with_deployment_strategy_rollingupdate_max_surge_30perc_max_unavailable_40perc
--- PASS: TestAccKubernetesDeployment_with_deployment_strategy_rollingupdate_max_surge_30perc_max_unavailable_40perc (2.61s)
=== RUN   TestAccKubernetesDeployment_with_deployment_strategy_rollingupdate_max_surge_1_max_unavailable_2
--- PASS: TestAccKubernetesDeployment_with_deployment_strategy_rollingupdate_max_surge_1_max_unavailable_2 (2.59s)
=== RUN   TestAccKubernetesDeployment_with_deployment_strategy_recreate
--- PASS: TestAccKubernetesDeployment_with_deployment_strategy_recreate (2.70s)
=== RUN   TestAccKubernetesDeployment_with_host_aliases
--- PASS: TestAccKubernetesDeployment_with_host_aliases (2.77s)
=== RUN   TestAccKubernetesPod_basic
--- PASS: TestAccKubernetesPod_basic (160.16s)
=== RUN   TestAccKubernetesPod_initContainer_updateForcesNew
--- PASS: TestAccKubernetesPod_initContainer_updateForcesNew (78.22s)
=== RUN   TestAccKubernetesPod_updateArgsForceNew
--- PASS: TestAccKubernetesPod_updateArgsForceNew (92.19s)
=== RUN   TestAccKubernetesPod_updateEnvForceNew
--- PASS: TestAccKubernetesPod_updateEnvForceNew (14.91s)
=== RUN   TestAccKubernetesPod_importBasic
--- PASS: TestAccKubernetesPod_importBasic (19.59s)
=== RUN   TestAccKubernetesPod_with_pod_security_context
--- PASS: TestAccKubernetesPod_with_pod_security_context (19.49s)
=== RUN   TestAccKubernetesPod_with_container_liveness_probe_using_exec
--- PASS: TestAccKubernetesPod_with_container_liveness_probe_using_exec (39.51s)
=== RUN   TestAccKubernetesPod_with_container_liveness_probe_using_http_get
--- PASS: TestAccKubernetesPod_with_container_liveness_probe_using_http_get (19.46s)
=== RUN   TestAccKubernetesPod_with_container_liveness_probe_using_tcp
--- PASS: TestAccKubernetesPod_with_container_liveness_probe_using_tcp (19.49s)
=== RUN   TestAccKubernetesPod_with_container_lifecycle
--- PASS: TestAccKubernetesPod_with_container_lifecycle (7.47s)
=== RUN   TestAccKubernetesPod_with_container_security_context
--- PASS: TestAccKubernetesPod_with_container_security_context (19.49s)
=== RUN   TestAccKubernetesPod_with_volume_mount
--- PASS: TestAccKubernetesPod_with_volume_mount (9.98s)
=== RUN   TestAccKubernetesPod_with_cfg_map_volume_mount
--- PASS: TestAccKubernetesPod_with_cfg_map_volume_mount (11.61s)
=== RUN   TestAccKubernetesPod_with_resource_requirements
--- PASS: TestAccKubernetesPod_with_resource_requirements (19.50s)
=== RUN   TestAccKubernetesPod_with_empty_dir_volume
--- PASS: TestAccKubernetesPod_with_empty_dir_volume (5.93s)
=== RUN   TestAccKubernetesPod_with_secret_vol_items
--- PASS: TestAccKubernetesPod_with_secret_vol_items (7.57s)
=== RUN   TestAccKubernetesPod_gke_with_nodeSelector
--- SKIP: TestAccKubernetesPod_gke_with_nodeSelector (0.01s)
    provider_test.go:223: The Kubernetes endpoint must come from GKE for this test to run - skipping
=== RUN   TestAccKubernetesReplicationController_deprecated_basic
--- PASS: TestAccKubernetesReplicationController_deprecated_basic (118.48s)
=== RUN   TestAccKubernetesReplicationController_deprecated_initContainer
--- PASS: TestAccKubernetesReplicationController_deprecated_initContainer (114.94s)
=== RUN   TestAccKubernetesReplicationController_deprecated_importBasic
--- PASS: TestAccKubernetesReplicationController_deprecated_importBasic (114.86s)
=== RUN   TestAccKubernetesReplicationController_deprecated_generatedName
--- PASS: TestAccKubernetesReplicationController_deprecated_generatedName (4.63s)
=== RUN   TestAccKubernetesReplicationController_deprecated_importGeneratedName
--- PASS: TestAccKubernetesReplicationController_deprecated_importGeneratedName (4.57s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_security_context
--- PASS: TestAccKubernetesReplicationController_deprecated_with_security_context (4.59s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_container_liveness_probe_using_exec
--- PASS: TestAccKubernetesReplicationController_deprecated_with_container_liveness_probe_using_exec (4.63s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_container_liveness_probe_using_http_get
--- PASS: TestAccKubernetesReplicationController_deprecated_with_container_liveness_probe_using_http_get (4.58s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_container_liveness_probe_using_tcp
--- PASS: TestAccKubernetesReplicationController_deprecated_with_container_liveness_probe_using_tcp (4.63s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_container_lifecycle
--- PASS: TestAccKubernetesReplicationController_deprecated_with_container_lifecycle (4.66s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_container_security_context
--- PASS: TestAccKubernetesReplicationController_deprecated_with_container_security_context (4.58s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_volume_mount
--- PASS: TestAccKubernetesReplicationController_deprecated_with_volume_mount (4.65s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_resource_requirements
--- PASS: TestAccKubernetesReplicationController_deprecated_with_resource_requirements (4.71s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_empty_dir_volume
--- PASS: TestAccKubernetesReplicationController_deprecated_with_empty_dir_volume (4.66s)
=== RUN   TestAccKubernetesReplicationController_basic
--- PASS: TestAccKubernetesReplicationController_basic (118.55s)
=== RUN   TestAccKubernetesReplicationController_initContainer
--- PASS: TestAccKubernetesReplicationController_initContainer (114.96s)
=== RUN   TestAccKubernetesReplicationController_importBasic
--- PASS: TestAccKubernetesReplicationController_importBasic (116.13s)
=== RUN   TestAccKubernetesReplicationController_generatedName
--- PASS: TestAccKubernetesReplicationController_generatedName (4.65s)
=== RUN   TestAccKubernetesReplicationController_importGeneratedName
--- PASS: TestAccKubernetesReplicationController_importGeneratedName (4.65s)
=== RUN   TestAccKubernetesReplicationController_with_security_context
--- PASS: TestAccKubernetesReplicationController_with_security_context (4.68s)
=== RUN   TestAccKubernetesReplicationController_with_container_liveness_probe_using_exec
--- PASS: TestAccKubernetesReplicationController_with_container_liveness_probe_using_exec (4.73s)
=== RUN   TestAccKubernetesReplicationController_with_container_liveness_probe_using_http_get
--- PASS: TestAccKubernetesReplicationController_with_container_liveness_probe_using_http_get (4.64s)
=== RUN   TestAccKubernetesReplicationController_with_container_liveness_probe_using_tcp
--- PASS: TestAccKubernetesReplicationController_with_container_liveness_probe_using_tcp (4.66s)
=== RUN   TestAccKubernetesReplicationController_with_container_lifecycle
--- PASS: TestAccKubernetesReplicationController_with_container_lifecycle (4.70s)
=== RUN   TestAccKubernetesReplicationController_with_container_security_context
--- PASS: TestAccKubernetesReplicationController_with_container_security_context (4.68s)
=== RUN   TestAccKubernetesReplicationController_with_volume_mount
--- PASS: TestAccKubernetesReplicationController_with_volume_mount (4.79s)
=== RUN   TestAccKubernetesReplicationController_with_resource_requirements
--- PASS: TestAccKubernetesReplicationController_with_resource_requirements (4.74s)
=== RUN   TestAccKubernetesReplicationController_with_empty_dir_volume
--- PASS: TestAccKubernetesReplicationController_with_empty_dir_volume (4.76s)
=== RUN   TestAccKubernetesStatefulSet_basic
--- PASS: TestAccKubernetesStatefulSet_basic (2.68s)
=== RUN   TestAccKubernetesStatefulSet_basic_idempotency
--- PASS: TestAccKubernetesStatefulSet_basic_idempotency (3.98s)
=== RUN   TestAccKubernetesStatefulSet_update_image
--- PASS: TestAccKubernetesStatefulSet_update_image (4.97s)
=== RUN   TestAccKubernetesStatefulSet_update_template_selector_labels
--- PASS: TestAccKubernetesStatefulSet_update_template_selector_labels (5.27s)
=== RUN   TestAccKubernetesStatefulSet_update_replicas
--- PASS: TestAccKubernetesStatefulSet_update_replicas (4.92s)
=== RUN   TestAccKubernetesStatefulSet_update_rolling_update_partition
--- PASS: TestAccKubernetesStatefulSet_update_rolling_update_partition (5.04s)
=== RUN   TestAccKubernetesStatefulSet_update_update_strategy_on_delete
--- PASS: TestAccKubernetesStatefulSet_update_update_strategy_on_delete (4.98s)
=== RUN   TestAccKubernetesStatefulSet_update_update_strategy_rolling_update
--- PASS: TestAccKubernetesStatefulSet_update_update_strategy_rolling_update (4.96s)
=== RUN   TestAccKubernetesStatefulSet_update_pod_template
--- PASS: TestAccKubernetesStatefulSet_update_pod_template (4.99s)
PASS
ok      github.com/terraform-providers/terraform-provider-kubernetes/kubernetes 1466.897s

Not sure how to move this forward, maybe with a DiffSuppressFunc taking the availability of the feature and/or version of the cluster into account.

@jhoblitt
Contributor

I know that gke "alpha clusters" with more feature gates enabled can be created with gcloud -- it looks like the google provider has this functionality but I've never personally used it:

https://www.terraform.io/docs/providers/google/r/container_cluster.html#enable_kubernetes_alpha

@jhoblitt
Contributor

I don't know if it is possible to directly inspect feature gates via the API. The only way I know of to check them is via kubectl cluster-info dump and looking at the kubelet flags.

@pdecat
Contributor Author

pdecat commented Apr 25, 2019

If kubectl cluster-info dump can do it, it's exposed by the API server, so this could be an option to detect the feature availability.

@alexsomesan did you have something similar in mind when you created #378?

@jhoblitt
Contributor

@pdecat yes but it's just a string with the cli command.

@pdecat
Contributor Author

pdecat commented Apr 25, 2019

Indeed:

# kubectl get pod -n kube-system kube-proxy-gke-tf-acc-test-2d0d814e-default-pool-99f381e6-jz8s -o yaml | grep feature-gates
      --feature-gates=DynamicKubeletConfig=false,RotateKubeletServerCertificate=true,ExperimentalCriticalPodAnnotation=true

It may be acceptable to rely on that just for the acceptance tests.

For real world setups, it could be left up to the user to know the limitations of its target cluster.

Member

@alexsomesan alexsomesan left a comment


This looks great!
However, since most of our CI environments are not at 1.14 yet, it's mostly going to be showing red.
To avoid that, I think we need some logic in the tests to skip if not running against a cluster that supports it.
Can you have a look at how difficult would that be to add?

@pdecat
Contributor Author

pdecat commented Apr 26, 2019

@alexsomesan yeah, that's what we were discussing above.

Checking the kubernetes cluster version in acceptance tests could be enough, and is certainly the easiest, as I don't believe the provider targets non standard configurations with alpha features.

@pdecat
Contributor Author

pdecat commented Apr 26, 2019

And what about implementing a CustomizeDiff or a DiffSuppressFunc for the run_as_group field like what's done for persistent volumes?

Note: the only other place where server version is checked is for services updates.

Edit: on second thought, this is probably more troubling to the user as it will think the configuration was accepted by the api server while it was actually silently discarded.

@ghost ghost added size/XL and removed size/S labels Apr 26, 2019
@pdecat
Contributor Author

pdecat commented Apr 26, 2019

I've implemented the acceptance tests skipping option.

With minikube 1.0.0 and kubernetes 1.14.1:

# make testacc TEST=./kubernetes TESTARGS='-run=TestAccKubernetes.*security_context.* -count=1'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./kubernetes -v -run=TestAccKubernetes.*security_context.* -count=1 -timeout 120m
=== RUN   TestAccKubernetesDeployment_with_security_context
--- PASS: TestAccKubernetesDeployment_with_security_context (3.19s)
=== RUN   TestAccKubernetesDeployment_with_security_context_run_as_group
--- PASS: TestAccKubernetesDeployment_with_security_context_run_as_group (2.94s)
=== RUN   TestAccKubernetesDeployment_with_container_security_context
--- PASS: TestAccKubernetesDeployment_with_container_security_context (2.91s)
=== RUN   TestAccKubernetesDeployment_with_container_security_context_run_as_group
--- PASS: TestAccKubernetesDeployment_with_container_security_context_run_as_group (2.90s)
=== RUN   TestAccKubernetesPod_with_pod_security_context
--- PASS: TestAccKubernetesPod_with_pod_security_context (5.84s)
=== RUN   TestAccKubernetesPod_with_pod_security_context_run_as_group
--- PASS: TestAccKubernetesPod_with_pod_security_context_run_as_group (3.90s)
=== RUN   TestAccKubernetesPod_with_container_security_context
--- PASS: TestAccKubernetesPod_with_container_security_context (3.85s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_security_context
--- PASS: TestAccKubernetesReplicationController_deprecated_with_security_context (4.79s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_container_security_context
--- PASS: TestAccKubernetesReplicationController_deprecated_with_container_security_context (4.79s)                                                                                     
=== RUN   TestAccKubernetesReplicationController_with_security_context
--- PASS: TestAccKubernetesReplicationController_with_security_context (4.96s)
=== RUN   TestAccKubernetesReplicationController_with_security_context_run_as_group
--- PASS: TestAccKubernetesReplicationController_with_security_context_run_as_group (4.93s)
=== RUN   TestAccKubernetesReplicationController_with_container_security_context
--- PASS: TestAccKubernetesReplicationController_with_container_security_context (4.84s)
PASS
ok      github.com/terraform-providers/terraform-provider-kubernetes/kubernetes 49.884s

With GKE 1.12.7-gke.7:

# make testacc TEST=./kubernetes TESTARGS='-run=TestAccKubernetes.*security_context.* -count=1'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./kubernetes -v -run=TestAccKubernetes.*security_context.* -count=1 -timeout 120m
=== RUN   TestAccKubernetesDeployment_with_security_context
--- PASS: TestAccKubernetesDeployment_with_security_context (6.44s)
=== RUN   TestAccKubernetesDeployment_with_security_context_run_as_group
--- SKIP: TestAccKubernetesDeployment_with_security_context_run_as_group (0.11s)
    provider_test.go:246: The Kubernetes version must be 1.14.0 or newer for this test to run - skipping                                                                                
=== RUN   TestAccKubernetesDeployment_with_container_security_context
--- PASS: TestAccKubernetesDeployment_with_container_security_context (5.89s)
=== RUN   TestAccKubernetesDeployment_with_container_security_context_run_as_group
--- SKIP: TestAccKubernetesDeployment_with_container_security_context_run_as_group (0.11s)
    provider_test.go:246: The Kubernetes version must be 1.14.0 or newer for this test to run - skipping                                                                                
=== RUN   TestAccKubernetesPod_with_pod_security_context
--- PASS: TestAccKubernetesPod_with_pod_security_context (11.88s)
=== RUN   TestAccKubernetesPod_with_pod_security_context_run_as_group
--- SKIP: TestAccKubernetesPod_with_pod_security_context_run_as_group (0.11s)
    provider_test.go:246: The Kubernetes version must be 1.14.0 or newer for this test to run - skipping                                                                                
=== RUN   TestAccKubernetesPod_with_container_security_context
--- PASS: TestAccKubernetesPod_with_container_security_context (6.90s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_security_context
--- PASS: TestAccKubernetesReplicationController_deprecated_with_security_context (5.31s)
=== RUN   TestAccKubernetesReplicationController_deprecated_with_container_security_context
--- PASS: TestAccKubernetesReplicationController_deprecated_with_container_security_context (5.24s)                                                                                     
=== RUN   TestAccKubernetesReplicationController_with_security_context
--- PASS: TestAccKubernetesReplicationController_with_security_context (5.21s)
=== RUN   TestAccKubernetesReplicationController_with_security_context_run_as_group
--- SKIP: TestAccKubernetesReplicationController_with_security_context_run_as_group (0.12s)
    provider_test.go:246: The Kubernetes version must be 1.14.0 or newer for this test to run - skipping                                                                                
=== RUN   TestAccKubernetesReplicationController_with_container_security_context
--- PASS: TestAccKubernetesReplicationController_with_container_security_context (5.26s)
PASS
ok      github.com/terraform-providers/terraform-provider-kubernetes/kubernetes 52.638s
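The version gate discussed in the earlier comment (checking the cluster version in acceptance tests) and reported as implemented above, written out as an added, self-contained example; this is not the provider's own helper from provider_test.go, which the thread does not show. It assumes the input is the server's GitVersion string as returned by the API server's /version endpoint (for example "v1.14.1" or "v1.12.7-gke.7"), and treats 1.14.0 as the minimum, as the skip message in the test output states. The sample inputs in main are constructed to mirror the two clusters used in the thread.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed Kubernetes server version (major.minor.patch).
type Version struct {
	Major, Minor, Patch int
}

// minRunAsGroupVersion is the oldest server version on which the
// run_as_group acceptance tests are allowed to run (1.14.0, as in the thread).
var minRunAsGroupVersion = Version{Major: 1, Minor: 14, Patch: 0}

// ParseKubernetesVersion parses GitVersion strings such as "v1.14.1" or
// "v1.12.7-gke.7". A leading "v" is dropped and anything after the first
// '-' or '+' (vendor suffix, pre-release tag, build metadata) is ignored, so a
// pre-release such as "v1.14.0-alpha.1" compares equal to 1.14.0. This is a
// deliberate simplification for a test gate, not full semver ordering.
func ParseKubernetesVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return Version{}, fmt.Errorf("unrecognised Kubernetes version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return Version{}, fmt.Errorf("invalid component %q in version %q", p, s)
		}
		nums[i] = n
	}
	return Version{Major: nums[0], Minor: nums[1], Patch: nums[2]}, nil
}

// Less reports whether v is strictly older than other.
func (v Version) Less(other Version) bool {
	if v.Major != other.Major {
		return v.Major < other.Major
	}
	if v.Minor != other.Minor {
		return v.Minor < other.Minor
	}
	return v.Patch < other.Patch
}

func (v Version) String() string {
	return fmt.Sprintf("%d.%d.%d", v.Major, v.Minor, v.Patch)
}

// ShouldSkipForRunAsGroup decides whether an acceptance test that sets
// run_as_group must be skipped. It returns skip=true with a human-readable
// reason when the server is older than 1.14.0, and an error when the version
// string cannot be parsed: an unparseable version should fail the run loudly
// rather than silently run or silently skip the test.
func ShouldSkipForRunAsGroup(serverGitVersion string) (skip bool, reason string, err error) {
	v, err := ParseKubernetesVersion(serverGitVersion)
	if err != nil {
		return false, "", err
	}
	if v.Less(minRunAsGroupVersion) {
		return true, fmt.Sprintf("The Kubernetes version must be %s or newer for this test to run - skipping (server is %s)",
			minRunAsGroupVersion, v), nil
	}
	return false, "", nil
}

func main() {
	// Constructed sample inputs: the minikube and GKE versions from the thread,
	// plus a pre-release string to show how the suffix is handled.
	for _, gv := range []string{"v1.14.1", "v1.12.7-gke.7", "v1.14.0-alpha.1", "not-a-version"} {
		skip, reason, err := ShouldSkipForRunAsGroup(gv)
		switch {
		case err != nil:
			fmt.Printf("%-16s error: %v\n", gv, err)
		case skip:
			fmt.Printf("%-16s SKIP: %s\n", gv, reason)
		default:
			fmt.Printf("%-16s run\n", gv)
		}
	}
}
```

The gate is only a test-time convenience: it keeps CI green on clusters that predate the feature, and says nothing about whether a given cluster has the gate enabled or disabled, which is the limitation jhoblitt raises about clusters running pure defaults. It does not replace a read-back of the created object; if an older API server drops runAsGroup, the value returned by the API will not match what was sent, and that mismatch is the signal a user needs rather than a suppressed diff.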

@jhoblitt
Contributor

This is a much better approach! I've discovered that some clusters don't use --feature-gates at all (pure defaults), so the only way to determine features sets in a lot of cases would be a version lookup table.

Member

@alexsomesan alexsomesan left a comment


LGTM. CI is green.

Regarding the CustomizeDiff question, I think we should be good without. Unless I misunderstood something, if we actually get values back from the API in the RunAsGroup attribute, it means the feature is supported so we should be good to process. Do you mean to filter out user-provided values of run_as_group when the server doesn't support it?

@pdecat
Contributor Author

pdecat commented Apr 30, 2019

Do you mean to filter out user-provided values of run_as_group when the server doesn't support it?

Yeah, that's what it would have resulted in. Bad idea IMO.

@alexsomesan
Member

yeah, I think we're safer like this, given that we don't have a deterministic way of telling whether the feature is on or not.
I'll merge this and let's see how it behaves with users.

@alexsomesan alexsomesan merged commit 50ba01a into hashicorp:master Apr 30, 2019
@pdecat pdecat deleted the f-add-security-context-run_as_group branch April 30, 2019 21:08
alexsomesan pushed a commit to chanzuckerberg/terraform-provider-kubernetes that referenced this pull request May 10, 2019
…#414)

Add run_as_group property to container and pod security contexts, update documentation and acceptance tests
@ghost ghost locked and limited conversation to collaborators Apr 21, 2020