fix(ROX-33305): add StackRox image pull secret to qa-image-scanning-test namespace #19182
tommartensen wants to merge 2 commits into
…est namespace
Image metadata from registry tests run in qa-image-scanning-test. The default service account in that namespace was never given image pull secrets; only per-deployment secrets (e.g. quay-image-scanning-test) were created for specific iterations. Call addStackroxImagePullSecret in ImageScanningTest.setupSpec() after ensuring the namespace exists so the default SA has quay and public-dockerhub secrets and can pull StackRox/Quay images when deployments do not set their own.
Partially generated by AI.

/test help

Skipping CI for Draft Pull Request.

/test gke-latest-qa-e2e-tests

Images are ready for the commit at f29555f. To use with deploy scripts, first

/test gke-latest-qa-e2e-tests

/test gke-latest-qa-e2e-tests

Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## master #19182 +/- ##
==========================================
+ Coverage 49.53% 49.56% +0.02%
==========================================
Files 2674 2675 +1
Lines 201755 201820 +65
==========================================
+ Hits 99945 100025 +80
+ Misses 94348 94337 -11
+ Partials 7462 7458 -4
@tommartensen: The following test failed, say

davdhacs left a comment
I think this is desired for new kubernetes with default security setting to only allow image pulls by pods that have access to pull the image from the remote registry.

With the help of 🤖 claude, I think these are still failing because the nodes are hitting garbage collection because of exceeding 85% disk usage. Maybe increase to a 100 GB disk by default?

I tested with a 120GB disk, but still hit the same failure. Then I tried removing the SHA from the test image pulls, and that appeared to fix the issue for many of the tests but I still saw one image pull failure (after 30 minutes of an image not being used, the kubelet deleted it. I'm guessing from garbage collection). So maybe we need more disk space, and to change/update the SHA in the tests or in the prefetched (so they match), and still to do something to prevent deletion. latest commit tests adding

@davdhacs please continue with your approach if you see good results!

ok, and I think we'll need this change also for when the image access requirement is enforced. I'll update here with my (re/pro)gress on the other PR before closing or code-review there.

PR needs rebase.