Skip to content

e2e: verify spire-agent runs as root with namespace GID range#142

Draft
sayak-redhat wants to merge 1 commit into
openshift:mainfrom
sayak-redhat:test-verified
Draft

e2e: verify spire-agent runs as root with namespace GID range#142
sayak-redhat wants to merge 1 commit into
openshift:mainfrom
sayak-redhat:test-verified

Conversation

@sayak-redhat

@sayak-redhat sayak-redhat commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Summary by CodeRabbit

  • Tests
    • Added an end-to-end test validating the SPIRE Agent runs with effective UID 0 and that at least one supplemental GID falls within the OpenShift SCC supplemental-groups range for the operator namespace.
  • Tests
    • Enhanced end-to-end test utilities with parsing helpers to extract UID/GIDs from /proc/*/status content and parse start/size supplemental group annotation values.
  • Chores
    • Added a named constant for the SPIRE Agent container name.

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

A new e2e test checks SPIRE Agent pod identity in OpenShift by reading process status inside the container, asserting UID 0, and verifying a supplemental GID falls within the namespace range. Shared helpers and a container-name constant support the test.

Changes

SPIRE Agent OpenShift Security Test

Layer / File(s) Summary
Parsing helpers and container constant
test/e2e/utils/constants.go, test/e2e/utils/utils.go
Adds SpireAgentContainerName and helpers for parsing proc-status content and supplemental-group range annotations.
Process status collection
test/e2e/e2e_test.go
Adds a Ginkgo e2e test that selects a ready SPIRE Agent pod, retries container execs to read /proc/1/status, and parses UID/GID values.
UID and range assertions
test/e2e/e2e_test.go
Asserts UID 0, reads the namespace supplemental-groups annotation, parses the range, and checks that a supplemental GID falls within it.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Microshift Test Compatibility ⚠️ Warning The new e2e test sits in an unguarded Describe whose BeforeAll calls config.openshift.io DNSes(), which MicroShift does not serve. Tag the enclosing Describe/It with [apigroup:config.openshift.io] or add an exutil.IsMicroShiftCluster() g.Skip() guard before the shared setup.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: an e2e check that spire-agent runs as root and has a GID in the namespace range.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The added Ginkgo title is a fixed string with no dynamic values; no changed Describe/Context/When names include generated data.
Test Structure And Quality ✅ Passed The new e2e test is focused on one security-context behavior, uses a BeforeEach timeout context, includes bounded Eventually calls, and provides diagnostic assertion messages.
Single Node Openshift (Sno) Test Compatibility ✅ Passed New e2e test inspects a single ready spire-agent pod and namespace annotation only; no multi-node, HA, or node-spread assumptions found.
Topology-Aware Scheduling Compatibility ✅ Passed Touched files are e2e tests and parsing helpers only; no deployment manifests, controllers, or pod scheduling constraints were added.
Ote Binary Stdout Contract ✅ Passed No new stdout writes were added in main/init/TestMain/RunSpecs setup; the new code only uses GinkgoWriter and in-test helpers.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed New e2e test only execs into a pod and parses /proc/1/status plus a namespace annotation; no IPv4 literals or external/public connectivity found.
No-Weak-Crypto ✅ Passed Touched files only add UID/GID parsing and e2e checks; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or custom crypto found.
Container-Privileges ✅ Passed Only e2e tests/helpers changed; no manifests or securityContext/privileged/host* settings were added, and searches found none in the modified files.
No-Sensitive-Data-In-Logs ✅ Passed New logs only print pod/namespace names and exec errors; no passwords, tokens, PII, or customer data are logged.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from TrilokGeer and swghosh June 23, 2026 12:47
@openshift-ci

openshift-ci Bot commented Jun 23, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sayak-redhat
Once this PR has been reviewed and has the lgtm label, please assign swghosh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/utils/utils.go`:
- Around line 283-293: The strconv.Atoi function accepts negative numbers, but
supplemental group ranges with negative values like -1/100 are invalid and can
cause incorrect GID namespace handling. After parsing the start value from
parts[0] and the size value from parts[1] in the current error handling blocks,
add validation checks to ensure both start and size are non-negative (greater
than or equal to 0), and return an error with a descriptive message if either
value is negative.
- Around line 231-267: The parsing logic in this function has a vulnerability
where the uid variable defaults to 0, so if the id command output is malformed
and lacks a uid= token, the function will still return uid as 0, potentially
causing incorrect assertions in tests. Add boolean flags to track whether the
uid and groups fields were actually found during parsing of the output. After
the loop completes, check these flags and return an error if the uid field was
not found in the parsed output, ensuring that malformed id command output is
properly rejected rather than defaulting to values that might satisfy root
assertions.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 21fce4db-fc5d-45be-b13f-7f6d01881c16

📥 Commits

Reviewing files that changed from the base of the PR and between 6a7cb74 and 489de11.

📒 Files selected for processing (3)
  • test/e2e/e2e_test.go
  • test/e2e/utils/constants.go
  • test/e2e/utils/utils.go

Comment thread test/e2e/utils/utils.go Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
test/e2e/e2e_test.go (1)

321-322: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Fix the stale assertion message.

The failure text still says "id" output, but this test now parses /proc/self/status. Keeping the old wording will send the next failure in the wrong direction.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/e2e_test.go` around lines 321 - 322, The assertion message in the
e2e test is stale and still references "id" output even though the logic now
reads from /proc/self/status. Update the failure text in the relevant
Expect(inRange).To(BeTrue()) call so it matches the current source of the
supplemental GID data, using the same test block in e2e_test.go to keep the
message aligned with the parsing logic.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/e2e_test.go`:
- Around line 283-287: The test is inspecting the exec helper process instead of
the SPIRE agent process, so update the status read in the e2e test to target the
agent’s actual PID rather than /proc/self/status. In the block that uses
utils.ExecInPod and utils.ParseProcStatusUIDGIDs, change the command to read the
running agent’s status (for example /proc/1/status if the agent is PID 1 in the
container, or resolve the agent PID first) so the assertion reflects the real
agent credentials.

---

Outside diff comments:
In `@test/e2e/e2e_test.go`:
- Around line 321-322: The assertion message in the e2e test is stale and still
references "id" output even though the logic now reads from /proc/self/status.
Update the failure text in the relevant Expect(inRange).To(BeTrue()) call so it
matches the current source of the supplemental GID data, using the same test
block in e2e_test.go to keep the message aligned with the parsing logic.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5216c478-a415-4796-9c20-b628ad0af586

📥 Commits

Reviewing files that changed from the base of the PR and between ca3f25d and d046606.

📒 Files selected for processing (2)
  • test/e2e/e2e_test.go
  • test/e2e/utils/utils.go

Comment thread test/e2e/e2e_test.go Outdated
@sayak-redhat

Copy link
Copy Markdown
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/e2e_test.go`:
- Around line 283-318: The `/proc/1/status` read in the command list under the
agent PID inspection block uses a shell-specific `$(<...)` form that is not
POSIX-portable. Update the commands used by `utils.ExecInPod` to rely on POSIX
`sh` syntax for reading the file so it works in BusyBox/dash-based images, while
keeping the existing fallback loop, error aggregation, and
`ParseProcStatusUIDGIDs` flow unchanged.

In `@test/e2e/utils/utils.go`:
- Around line 297-313: The supplemental range parsing in the annotation parser
currently validates start and size separately, but still allows an overflow when
the end is derived later. Update the range parsing helper that returns start and
size to also validate the combined end using the parsed values before returning,
rejecting cases where start + size would overflow int or wrap negative. Keep the
existing start/size checks, and make the error path explicit in the parser used
by the e2e supplemental group membership check.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 77301dd2-34b4-43c5-b573-f358d36a78d7

📥 Commits

Reviewing files that changed from the base of the PR and between 0ed5eed and f5302ee.

📒 Files selected for processing (3)
  • test/e2e/e2e_test.go
  • test/e2e/utils/constants.go
  • test/e2e/utils/utils.go
✅ Files skipped from review due to trivial changes (1)
  • test/e2e/utils/constants.go

Comment thread test/e2e/e2e_test.go Outdated
Comment thread test/e2e/utils/utils.go
Replace the buggy pod-spec-based supplemental GID test with a runtime
verification test that execs into the spire-agent container and reads
/proc/self/status to verify:
- Process runs as root (UID 0)
- Process has root group (GID 0) in Groups
- Process has supplemental GID within OpenShift namespace range
The test is placed after all operand installations to ensure stable
verification when the system is fully deployed.
Changes:
- Add GetReadySpireAgentPod() utility to find a ready spire-agent pod
- Add GetProcStatusFromPod() utility to exec and parse /proc/self/status
- Replace buggy test with runtime verification test
- Move test after ZeroTrustWorkloadIdentityManager aggregation check
@openshift-ci

openshift-ci Bot commented Jun 25, 2026

Copy link
Copy Markdown

@sayak-redhat: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-operator 02fb21d link true /test e2e-operator

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@sayak-redhat sayak-redhat marked this pull request as draft July 3, 2026 05:23
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant