From 0f8e575f1c9913bcb68e450ef44663f8a9b1f709 Mon Sep 17 00:00:00 2001
From: Ondra Kupka
Date: Wed, 27 May 2026 10:51:42 +0200
Subject: [PATCH] Use generated names in oc adm policy SCC test

The SCC section of this test operates on a cluster-scoped ClusterRoleBinding with hardcoded subject names. Unlike namespaced resources, cluster-scoped resources are not cleaned up between test retries. When the first attempt fails partway through the removes, leftover subjects cause the retry's adds to be no-ops at the etcd level, preventing resourceVersion from advancing and disabling 409 conflict detection on subsequent writes. Use unique generated names so each attempt is independent.
---
 test/extended/cli/admin.go | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/test/extended/cli/admin.go b/test/extended/cli/admin.go
index 90db69ac05f9..be9c6eb434ce 100644
--- a/test/extended/cli/admin.go
+++ b/test/extended/cli/admin.go
@@ -212,38 +212,42 @@ var _ = g.Describe("[sig-cli] oc adm", func() {
 o.Expect(err).To(o.HaveOccurred())
 o.Expect(out).To(o.ContainSubstring("error: rolebinding custom found for role view, not other"))
- o.Expect(oc.Run("adm", "policy", "add-scc-to-user").Args("privileged", "fake-user").Execute()).To(o.Succeed())
- o.Expect(oc.Run("adm", "policy", "add-scc-to-user").Args("privileged", "-z", "fake-sa").Execute()).To(o.Succeed())
- o.Expect(oc.Run("adm", "policy", "add-scc-to-group").Args("privileged", "fake-group").Execute()).To(o.Succeed())
+ fakeUser := gen.GenerateName("fake-user-")
+ fakeSA := gen.GenerateName("fake-sa-")
+ fakeGroup := gen.GenerateName("fake-group-")
+
+ o.Expect(oc.Run("adm", "policy", "add-scc-to-user").Args("privileged", fakeUser).Execute()).To(o.Succeed())
+ o.Expect(oc.Run("adm", "policy", "add-scc-to-user").Args("privileged", "-z", fakeSA).Execute()).To(o.Succeed())
+ o.Expect(oc.Run("adm", "policy", "add-scc-to-group").Args("privileged", fakeGroup).Execute()).To(o.Succeed())
 out, err = oc.Run("get").Args("clusterrolebinding/system:openshift:scc:privileged", "-o", "yaml").Output()
 o.Expect(err).NotTo(o.HaveOccurred())
- o.Expect(out).To(o.ContainSubstring("fake-user"))
- o.Expect(out).To(o.ContainSubstring("fake-sa"))
- o.Expect(out).To(o.ContainSubstring("fake-group"))
+ o.Expect(out).To(o.ContainSubstring(fakeUser))
+ o.Expect(out).To(o.ContainSubstring(fakeSA))
+ o.Expect(out).To(o.ContainSubstring(fakeGroup))
- o.Expect(oc.Run("adm", "policy", "remove-scc-from-user").Args("privileged", "fake-user").Execute()).To(o.Succeed())
- o.Expect(oc.Run("adm", "policy", "remove-scc-from-user").Args("privileged", "-z", "fake-sa").Execute()).To(o.Succeed())
- o.Expect(oc.Run("adm", "policy", "remove-scc-from-group").Args("privileged", "fake-group").Execute()).To(o.Succeed())
+ o.Expect(oc.Run("adm", "policy", "remove-scc-from-user").Args("privileged", fakeUser).Execute()).To(o.Succeed())
+ o.Expect(oc.Run("adm", "policy", "remove-scc-from-user").Args("privileged", "-z", fakeSA).Execute()).To(o.Succeed())
+ o.Expect(oc.Run("adm", "policy", "remove-scc-from-group").Args("privileged", fakeGroup).Execute()).To(o.Succeed())
 out, err = oc.Run("get").Args("clusterrolebinding/system:openshift:scc:privileged", "-o", "yaml").Output()
 // there are two possible outcomes here:
 if err == nil {
 // 1. the binding exists, but it should not contain the removed entities
- o.Expect(out).NotTo(o.ContainSubstring("fake-user"))
- o.Expect(out).NotTo(o.ContainSubstring("fake-sa"))
- o.Expect(out).NotTo(o.ContainSubstring("fake-group"))
+ o.Expect(out).NotTo(o.ContainSubstring(fakeUser))
+ o.Expect(out).NotTo(o.ContainSubstring(fakeSA))
+ o.Expect(out).NotTo(o.ContainSubstring(fakeGroup))
 } else {
 // 2. the binding does not exists, if we removed all entities from the binding
 o.Expect(out).To(o.ContainSubstring(`clusterrolebindings.rbac.authorization.k8s.io "system:openshift:scc:privileged" not found`))
 }
 // check pruning
- o.Expect(oc.Run("adm", "policy", "add-scc-to-user").Args("privileged", "fake-user").Execute()).To(o.Succeed())
- out, err = oc.Run("adm", "prune", "auth").Args("users/fake-user").Output()
+ o.Expect(oc.Run("adm", "policy", "add-scc-to-user").Args("privileged", fakeUser).Execute()).To(o.Succeed())
+ out, err = oc.Run("adm", "prune", "auth").Args(fmt.Sprintf("users/%s", fakeUser)).Output()
 o.Expect(err).NotTo(o.HaveOccurred())
 o.Expect(out).To(o.ContainSubstring("clusterrolebinding.rbac.authorization.k8s.io/system:openshift:scc:privileged updated"))
- o.Expect(oc.Run("adm", "policy", "add-scc-to-group").Args("privileged", "fake-group").Execute()).To(o.Succeed())
- out, err = oc.Run("adm", "prune", "auth").Args("group/fake-group").Output()
+ o.Expect(oc.Run("adm", "policy", "add-scc-to-group").Args("privileged", fakeGroup).Execute()).To(o.Succeed())
+ out, err = oc.Run("adm", "prune", "auth").Args(fmt.Sprintf("group/%s", fakeGroup)).Output()
 o.Expect(err).NotTo(o.HaveOccurred())
 o.Expect(out).To(o.ContainSubstring("clusterrolebinding.rbac.authorization.k8s.io/system:openshift:scc:privileged updated"))
 })
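Review bot: Nothing removes the generated subjects from `system:openshift:scc:privileged` when an assertion fails between the `add-scc-to-*` calls and the matching removes or prunes. With unique names, every failed attempt therefore leaves a new user, service account and group entry bound to the privileged SCC on a cluster-scoped binding, where the hardcoded names previously left at most one stale set. Registering a best-effort deferred cleanup right after the three `gen.GenerateName` calls would keep stale privileged subjects from accumulating on long-lived or shared clusters. Errors can be ignored there, since on the success path the subjects are already gone. The enclosing test closure starts above the hunk, so the placement below assumes the `defer` runs when that closure returns or fails.

```go
fakeGroup := gen.GenerateName("fake-group-")

// Best-effort cleanup: the binding is cluster-scoped, so subjects left behind
// by a failed attempt would keep their privileged SCC grant until removed.
defer func() {
	_ = oc.Run("adm", "policy", "remove-scc-from-user").Args("privileged", fakeUser).Execute()
	_ = oc.Run("adm", "policy", "remove-scc-from-user").Args("privileged", "-z", fakeSA).Execute()
	_ = oc.Run("adm", "policy", "remove-scc-from-group").Args("privileged", fakeGroup).Execute()
}()
// … unchanged: add/get/remove assertions and pruning checks …
```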