Open deads2k opened 1 month ago
@deads2k: This pull request explicitly references no jira issue.
Checking that skip now
/retest
/test e2e-gcp-ovn-techpreview
/retest
Job Failure Risk Analysis for sha: 9e430ae8c002146454cfc5d6ef8072a2014efa0a
Job Name | Failure Risk |
---|---|
pull-ci-openshift-origin-master-e2e-agnostic-ovn-cmd | IncompleteTests Tests for this run (26) are below the historical average (469): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems) |
: [sig-auth][Feature:ServiceAccountTokenNodeBinding][OCPFeatureGate:ValidatingAdmissionPolicy] per-node SA tokens can restrict access by-node [Suite:openshift/conformance/parallel]
passed on techpreview
fyi @cdoern @yuqi-zhang (for some of the items we need to address)
@deads2k any plans to make the extra info available on 4.17?
> @deads2k any plans to make the extra info available on 4.17?
I think that promotion will happen by default.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: deads2k
The full list of commands accepted by this bot can be found here.
The pull request process is described here
/test e2e-gcp-ovn-techpreview
Job Failure Risk Analysis for sha: 19700295bd747374026887ca4434b570c6b2e029
Job Name | Failure Risk |
---|---|
pull-ci-openshift-origin-master-e2e-aws-ovn-single-node | Low [sig-arch] events should not repeat pathologically for ns/openshift-etcd This test has passed 75.51% of 49 runs on jobs ['periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-ovn-single-node'] in the last 14 days. |
/test e2e-gcp-ovn-techpreview
@deads2k: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
Test name | Commit | Details | Required | Rerun command |
---|---|---|---|---|
ci/prow/verify | 826a620367cf5478eb1963cb37095371e10ed732 | link | true | /test verify |
ci/prow/e2e-aws-ovn-single-node-upgrade | 826a620367cf5478eb1963cb37095371e10ed732 | link | false | /test e2e-aws-ovn-single-node-upgrade |
ci/prow/e2e-aws-ovn-single-node | 826a620367cf5478eb1963cb37095371e10ed732 | link | false | /test e2e-aws-ovn-single-node |
ci/prow/e2e-gcp-ovn-builds | 826a620367cf5478eb1963cb37095371e10ed732 | link | true | /test e2e-gcp-ovn-builds |
ci/prow/e2e-gcp-ovn-rt-upgrade | 826a620367cf5478eb1963cb37095371e10ed732 | link | false | /test e2e-gcp-ovn-rt-upgrade |
ci/prow/e2e-metal-ipi-ovn-ipv6 | 826a620367cf5478eb1963cb37095371e10ed732 | link | true | /test e2e-metal-ipi-ovn-ipv6 |
ci/prow/e2e-aws-ovn-edge-zones | 826a620367cf5478eb1963cb37095371e10ed732 | link | true | /test e2e-aws-ovn-edge-zones |
Full PR test history. Your PR dashboard.
By using the serviceaccount node claim and validatingadmissionpolicy it is possible to restrict the ability of a serviceaccount to write particular resources to only those instances of resource/foo that have `name == node-name` or `.spec.nodeName == node-name` while allowing impeded access for other users. If it is using a serviceaccount token (most do), this requires no modification to the workload being restricted.
I can write up a more detailed enhancement/blog post if desired, but this demonstrates how it can be done with today's TechPreview technology (may require https://github.com/openshift/api/pull/1831).
Once https://github.com/openshift/origin/pull/28670 merges, this will automatically only run on TechPreview and be skipped on Default installations.
per request /cc @derekwaynecarr
likely interest /cc @mrunalp @knobunc
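A sketch of the kind of policy the description above outlines, added here as an illustration and not taken from the PR or its test. It assumes the node name from the token's node claim is exposed to admission in the `authentication.kubernetes.io/node-name` user-info extra key; the `example.com` `foos` resource, `example-ns` and `example-sa` are hypothetical names.

```yaml
# Added illustration, not the PR's manifest. The example.com "foos" resource,
# example-ns and example-sa are hypothetical names.
apiVersion: admissionregistration.k8s.io/v1  # v1beta1 where the GA API is not served
kind: ValidatingAdmissionPolicy
metadata:
  name: restrict-to-own-node
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: ["example.com"]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE", "DELETE"]
      resources: ["foos"]
  matchConditions:
  # Only the restricted service account is evaluated; other users skip the policy.
  - name: only-restricted-serviceaccount
    expression: 'request.userInfo.username == "system:serviceaccount:example-ns:example-sa"'
  variables:
  # Node name from the token's node claim, or "" when the claim is absent.
  - name: nodeName
    expression: >-
      (has(request.userInfo.extra) &&
      "authentication.kubernetes.io/node-name" in request.userInfo.extra)
      ? request.userInfo.extra["authentication.kubernetes.io/node-name"][0] : ""
  # DELETE requests carry no object, so fall back to oldObject.
  - name: target
    expression: 'request.operation == "DELETE" ? oldObject : object'
  validations:
  - expression: 'variables.nodeName != ""'
    message: service account token carries no node claim
  # For the other variant on the page, compare variables.target.spec.nodeName instead.
  - expression: 'variables.target.metadata.name == variables.nodeName'
    message: object name must equal the node the token is bound to
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: restrict-to-own-node
spec:
  policyName: restrict-to-own-node
  validationActions: ["Deny"]
```

A token without the node claim is denied rather than let through, so a workload that obtains a token not bound to a node cannot sidestep the restriction.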