@@ -884,7 +884,45 @@ def generate_misc():
884884 # support SELinux and there are several subvariants of local volumes
885885 # that multiply nr. of tests.
886886 # - FeatureGate:SELinuxMount: the feature gate is alpha / disabled by default
887- # in v1.30.
887+ # in v1.32.
888+ # - FeatureGate:SELinuxChangePolicy: the feature gate is alpha / disabled by default
889+ # in v1.32.
890+ skip_regex = r"\[Feature:Volumes\]|\[Driver:.nfs\]|\[Driver:.local\]|\[FeatureGate:SELinuxMount\]|\[FeatureGate:SELinuxChangePolicy\]" ,
891+ # [Serial] and [Disruptive] are intentionally not skipped, therefore run
892+ # everything as serial.
893+ test_parallelism = 1 ,
894+ # Serial and Disruptive tests can be slow.
895+ test_timeout_minutes = 120 ,
896+ runs_per_day = 3 ),
897+
898+ # [sig-storage, @jsafrane] A one-off scenario testing SELinuxChangePolicy feature (alpha in v1.32).
899+ # and opt-in selinux-warning-controller.
900+ # This will need to merge with kops-aws-selinux when SELinuxMount gets enabled by default.
901+ build_test (name_override = "kops-aws-selinux-changepolicy" ,
902+ # RHEL8 VM image is enforcing SELinux by default.
903+ cloud = "aws" ,
904+ distro = "rhel8" ,
905+ networking = "cilium" ,
906+ k8s_version = "ci" ,
907+ kops_channel = "alpha" ,
908+ feature_flags = ['SELinuxMount' ],
909+ kubernetes_feature_gates = "SELinuxChangePolicy" ,
910+ extra_flags = [
911+ "--set=cluster.spec.containerd.selinuxEnabled=true" ,
912+ # Run all default controllers ("*") + selinux-warning-controller.
913+ "--set=cluster.spec.kubeControllerManager.controllers=*" ,
914+ "--set=cluster.spec.kubeControllerManager.controllers=selinux-warning-controller"
915+ ],
916+ focus_regex = r"\[Feature:SELinux\]" ,
917+ # Skip:
918+ # - Feature:Volumes: skips iSCSI and Ceph tests, they don't have client tools
919+ # installed on nodes.
920+ # - Driver: nfs: NFS does not have client tools installed on nodes.
921+ # - Driver: local: this is optimization only, the volume plugin does not
922+ # support SELinux and there are several subvariants of local volumes
923+ # that multiply nr. of tests.
924+ # - FeatureGate:SELinuxMount: the feature gate is alpha / disabled by default
925+ # in v1.32.
888926 skip_regex = r"\[Feature:Volumes\]|\[Driver:.nfs\]|\[Driver:.local\]|\[FeatureGate:SELinuxMount\]" ,
889927 # [Serial] and [Disruptive] are intentionally not skipped, therefore run
890928 # everything as serial.
@@ -893,7 +931,8 @@ def generate_misc():
893931 test_timeout_minutes = 120 ,
894932 runs_per_day = 3 ),
895933
896- # [sig-storage, @jsafrane] A one-off scenario testing SELinuxMount feature (alpha in v1.30).
934+ # [sig-storage, @jsafrane] A one-off scenario testing all SELinux related feature gates enabled
935+ # and opt-in selinux-warning-controller.
897936 # This will need to merge with kops-aws-selinux when SELinuxMount gets enabled by default.
898937 build_test (name_override = "kops-aws-selinux-alpha" ,
899938 # RHEL8 VM image is enforcing SELinux by default.
@@ -903,9 +942,12 @@ def generate_misc():
903942 k8s_version = "ci" ,
904943 kops_channel = "alpha" ,
905944 feature_flags = ['SELinuxMount' ],
906- kubernetes_feature_gates = "SELinuxMount" ,
945+ kubernetes_feature_gates = "SELinuxMount,SELinuxChangePolicy " ,
907946 extra_flags = [
908947 "--set=cluster.spec.containerd.selinuxEnabled=true" ,
948+ # Run all default controllers ("*") + selinux-warning-controller.
949+ "--set=cluster.spec.kubeControllerManager.controllers=*" ,
950+ "--set=cluster.spec.kubeControllerManager.controllers=selinux-warning-controller"
909951 ],
910952 focus_regex = r"\[Feature:SELinux\]" ,
911953 # Skip:
0 commit comments