Evaluating the conformance test
After running it standalone, the question for me as an end user would be: where can I view and evaluate my result?
view
from the logs
-
document
evaluate
what does this tell me:
kl.mueller@ocpbastionp001 [0] : ~/develop/konformitaetstest
$ oc whoami -c
igbvc-conformance-test/api-capc-muenchen-de:6443/kl.mueller
kl.mueller@ocpbastionp001 [0] : ~/develop/konformitaetstest
$ oc logs igbvc-conformance-test-7p4kg | tail
HTTP response headers: HTTPHeaderDict({'Audit-Id': 'dc60dd31-f847-42b9-8e01-1dae74dd6c64', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Kubernetes-Pf-Flowschema-Uid': '557d371f-ad3e-454f-bc0d-94c9fa5b4549', 'X-Kubernetes-Pf-Prioritylevel-Uid': 'a23a252d-3ec5-48a4-bd2f-746bde97fa01', 'Date': 'Tue, 19 Oct 2021 12:20:26 GMT', 'Content-Length': '997'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"privileged-container\" is forbidden: unable to validate against any security context constraint: [provider \"anyuid\": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, provider \"nonroot\": Forbidden: not usable by user or serviceaccount, provider \"hostmount-anyuid\": Forbidden: not usable by user or serviceaccount, provider \"machine-api-termination-handler\": Forbidden: not usable by user or serviceaccount, provider \"hostnetwork\": Forbidden: not usable by user or serviceaccount, provider \"hostaccess\": Forbidden: not usable by user or serviceaccount, provider \"node-exporter\": Forbidden: not usable by user or serviceaccount, provider \"privileged\": Forbidden: not usable by user or serviceaccount]","reason":"Forbidden","details":{"name":"privileged-container","kind":"pods"},"code":403}
----------------------------------------------------------------------
Ran 1 test in 0.059s
FAILED (errors=1)
kl.mueller@ocpbastionp001 [0] : ~/develop/konformitaetstest
full log
kl.mueller@ocpbastionp001 [1] : ~/develop/konformitaetstest
$ oc logs igbvc-conformance-test-7p4kg
Tests run 1
Errors:
[(<__main__.TestClusterPolicies testMethod=test_creation_of_privileged_container>,
'Traceback (most recent call last):\n'
' File "/usr/src/app/./conformance-test.py", line 31, in '
'test_creation_of_privileged_container\n'
' response, status_400 = '
'self.try_to_create_misconfigured_container(privileged_container_manifest)\n'
' File "/usr/src/app/./conformance-test.py", line 54, in '
'try_to_create_misconfigured_container\n'
' raise api_exception\n'
' File "/usr/src/app/./conformance-test.py", line 46, in '
'try_to_create_misconfigured_container\n'
' pod = create_pod_as_declared(test_case)\n'
' File "/usr/src/app/./conformance-test.py", line 89, in '
'create_pod_as_declared\n'
' return v1.create_namespaced_pod(body=manifest, '
'namespace=own_in_cluster_namespace)\n'
' File '
'"/usr/local/lib/python3.9/site-packages/kubernetes/client/api/core_v1_api.py", '
'line 7320, in create_namespaced_pod\n'
' return self.create_namespaced_pod_with_http_info(namespace, body, '
'**kwargs) # noqa: E501\n'
' File '
'"/usr/local/lib/python3.9/site-packages/kubernetes/client/api/core_v1_api.py", '
'line 7415, in create_namespaced_pod_with_http_info\n'
' return self.api_client.call_api(\n'
' File '
'"/usr/local/lib/python3.9/site-packages/kubernetes/client/api_client.py", '
'line 348, in call_api\n'
' return self.__call_api(resource_path, method,\n'
' File '
'"/usr/local/lib/python3.9/site-packages/kubernetes/client/api_client.py", '
'line 180, in __call_api\n'
' response_data = self.request(\n'
' File '
'"/usr/local/lib/python3.9/site-packages/kubernetes/client/api_client.py", '
'line 391, in request\n'
' return self.rest_client.POST(url,\n'
' File "/usr/local/lib/python3.9/site-packages/kubernetes/client/rest.py", '
'line 274, in POST\n'
' return self.request("POST", url,\n'
' File "/usr/local/lib/python3.9/site-packages/kubernetes/client/rest.py", '
'line 233, in request\n'
' raise ApiException(http_resp=r)\n'
'kubernetes.client.exceptions.ApiException: (403)\n'
'Reason: Forbidden\n'
"HTTP response headers: HTTPHeaderDict({'Audit-Id': "
"'dc60dd31-f847-42b9-8e01-1dae74dd6c64', 'Cache-Control': 'no-cache, "
"private', 'Content-Type': 'application/json', "
"'X-Kubernetes-Pf-Flowschema-Uid': '557d371f-ad3e-454f-bc0d-94c9fa5b4549', "
"'X-Kubernetes-Pf-Prioritylevel-Uid': "
"'a23a252d-3ec5-48a4-bd2f-746bde97fa01', 'Date': 'Tue, 19 Oct 2021 12:20:26 "
"GMT', 'Content-Length': '997'})\n"
'HTTP response body: '
'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods '
'\\"privileged-container\\" is forbidden: unable to validate against any '
'security context constraint: [provider \\"anyuid\\": Forbidden: not usable '
'by user or serviceaccount, spec.containers[0].securityContext.privileged: '
'Invalid value: true: Privileged containers are not allowed, provider '
'\\"nonroot\\": Forbidden: not usable by user or serviceaccount, provider '
'\\"hostmount-anyuid\\": Forbidden: not usable by user or serviceaccount, '
'provider \\"machine-api-termination-handler\\": Forbidden: not usable by '
'user or serviceaccount, provider \\"hostnetwork\\": Forbidden: not usable '
'by user or serviceaccount, provider \\"hostaccess\\": Forbidden: not usable '
'by user or serviceaccount, provider \\"node-exporter\\": Forbidden: not '
'usable by user or serviceaccount, provider \\"privileged\\": Forbidden: not '
'usable by user or '
'serviceaccount]","reason":"Forbidden","details":{"name":"privileged-container","kind":"pods"},"code":403}\n'
'\n'
'\n')]
Failures:
[]
Test output:
E
======================================================================
ERROR: test_creation_of_privileged_container (__main__.TestClusterPolicies)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/usr/src/app/./conformance-test.py", line 31, in test_creation_of_privileged_container
response, status_400 = self.try_to_create_misconfigured_container(privileged_container_manifest)
File "/usr/src/app/./conformance-test.py", line 54, in try_to_create_misconfigured_container
raise api_exception
File "/usr/src/app/./conformance-test.py", line 46, in try_to_create_misconfigured_container
pod = create_pod_as_declared(test_case)
File "/usr/src/app/./conformance-test.py", line 89, in create_pod_as_declared
return v1.create_namespaced_pod(body=manifest, namespace=own_in_cluster_namespace)
File "/usr/local/lib/python3.9/site-packages/kubernetes/client/api/core_v1_api.py", line 7320, in create_namespaced_pod
return self.create_namespaced_pod_with_http_info(namespace, body, **kwargs) # noqa: E501
File "/usr/local/lib/python3.9/site-packages/kubernetes/client/api/core_v1_api.py", line 7415, in create_namespaced_pod_with_http_info
return self.api_client.call_api(
File "/usr/local/lib/python3.9/site-packages/kubernetes/client/api_client.py", line 348, in call_api
return self.__call_api(resource_path, method,
File "/usr/local/lib/python3.9/site-packages/kubernetes/client/api_client.py", line 180, in __call_api
response_data = self.request(
File "/usr/local/lib/python3.9/site-packages/kubernetes/client/api_client.py", line 391, in request
return self.rest_client.POST(url,
File "/usr/local/lib/python3.9/site-packages/kubernetes/client/rest.py", line 274, in POST
return self.request("POST", url,
File "/usr/local/lib/python3.9/site-packages/kubernetes/client/rest.py", line 233, in request
raise ApiException(http_resp=r)
kubernetes.client.exceptions.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': 'dc60dd31-f847-42b9-8e01-1dae74dd6c64', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Kubernetes-Pf-Flowschema-Uid': '557d371f-ad3e-454f-bc0d-94c9fa5b4549', 'X-Kubernetes-Pf-Prioritylevel-Uid': 'a23a252d-3ec5-48a4-bd2f-746bde97fa01', 'Date': 'Tue, 19 Oct 2021 12:20:26 GMT', 'Content-Length': '997'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"privileged-container\" is forbidden: unable to validate against any security context constraint: [provider \"anyuid\": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, provider \"nonroot\": Forbidden: not usable by user or serviceaccount, provider \"hostmount-anyuid\": Forbidden: not usable by user or serviceaccount, provider \"machine-api-termination-handler\": Forbidden: not usable by user or serviceaccount, provider \"hostnetwork\": Forbidden: not usable by user or serviceaccount, provider \"hostaccess\": Forbidden: not usable by user or serviceaccount, provider \"node-exporter\": Forbidden: not usable by user or serviceaccount, provider \"privileged\": Forbidden: not usable by user or serviceaccount]","reason":"Forbidden","details":{"name":"privileged-container","kind":"pods"},"code":403}
----------------------------------------------------------------------
Ran 1 test in 0.059s
FAILED (errors=1)
Edited by Klaus Mueller
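One way to turn the `HTTP response body` line of such a log into a short, documentable result, as an added example that is not part of the original issue or of the conformance-test code. The function name `summarize_denial` is hypothetical, and the sample input is constructed from the log above with the provider list shortened to two entries.

```python
import json
import re

# Constructed sample: two lines in the shape of the pod log above, with the
# SCC provider list shortened to two entries.
SAMPLE_LOG = r'''Reason: Forbidden
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"privileged-container\" is forbidden: unable to validate against any security context constraint: [provider \"anyuid\": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, provider \"privileged\": Forbidden: not usable by user or serviceaccount]","reason":"Forbidden","details":{"name":"privileged-container","kind":"pods"},"code":403}
'''

BODY_PREFIX = "HTTP response body: "
PROVIDER_RE = re.compile(r'provider "([^"]+)": Forbidden: (.*)')


def summarize_denial(log_text):
    """Summarize the first Kubernetes Status body found in log_text, or return None."""
    for line in log_text.splitlines():
        if not line.startswith(BODY_PREFIX):
            continue
        try:
            status = json.loads(line[len(BODY_PREFIX):])
        except json.JSONDecodeError:
            continue  # no complete JSON body on this line
        message = status.get("message", "")
        summary = {
            "code": status.get("code"),
            "reason": status.get("reason"),
            "object": status.get("details", {}).get("name"),
            "scc_denial": "security context constraint" in message,
            "unusable_sccs": [],      # SCCs the requesting account may not use
            "field_violations": {},   # manifest field -> reason it was rejected
        }
        # The per-SCC results sit between the first "[" and the last "]".
        bracketed = re.search(r"\[(.*)\]", message)
        for entry in (bracketed.group(1).split(", ") if bracketed else []):
            provider = PROVIDER_RE.fullmatch(entry)
            if provider:
                summary["unusable_sccs"].append(provider.group(1))
            else:
                field, _, detail = entry.partition(": ")
                summary["field_violations"][field] = detail
        return summary
    return None


if __name__ == "__main__":
    print(json.dumps(summarize_denial(SAMPLE_LOG), indent=2))
```

In the log above, `Failures: []` together with `FAILED (errors=1)` means unittest recorded an uncaught exception rather than a failed assertion; the summary shows that the exception was the API server's 403 for the `privileged: true` field.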