Conversation

@gangwgr gangwgr commented Oct 14, 2025

Test verifies:

  • Container securityContext.privileged is set to true
  • Init container securityContext.privileged is set to true
  • Covers openshift-kube-apiserver and openshift-apiserver namespaces

Addresses: OCP-32383
Related: bug 1793694

@openshift-ci openshift-ci bot requested review from deads2k and p0lyn0mial October 14, 2025 07:16
@gangwgr gangwgr changed the title Automate OCP-32383 Automate OCP-32383 in upstream Oct 14, 2025

openshift-trt bot commented Oct 14, 2025

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: cbb5903

Job Name: pull-ci-openshift-origin-main-e2e-aws-ovn-microshift
New Test Risk: High - "[sig-api-machinery] E2E QE API Server Init container setup should have the proper securityContext-[OCP-32383]-bug 1793694 [Suite:openshift/conformance/parallel]" is a new test that failed 1 time(s) against the current commit

New tests seen in this PR at sha: cbb5903

  • "[sig-api-machinery] E2E QE API Server Init container setup should have the proper securityContext-[OCP-32383]-bug 1793694 [Suite:openshift/conformance/parallel]" [Total: 5, Pass: 4, Fail: 1, Flake: 0]

@gangwgr gangwgr force-pushed the migrate-ocp32383-to-origin branch 3 times, most recently from 51a8e1b to 0e2b3c0 Compare October 14, 2025 12:01

openshift-trt bot commented Oct 14, 2025

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New tests seen in this PR at sha: 0e2b3c0

  • "[sig-api-machinery][E2E-QE-APIServer] Init container setup should have the proper securityContext-[OCP-32383]-bug 1793694 [Suite:openshift/conformance/parallel]" [Total: 6, Pass: 6, Fail: 0, Flake: 0]

gangwgr commented Oct 15, 2025

/retest-required

wangke19 commented Oct 15, 2025

  1. Create one Jira task of https://issues.redhat.com/browse/CNTRLPLANE-1660 to track.

  2. The current filename qe_apiserver.go is a bit generic.
     Suggestions:

     • security_context.go

     These names clearly indicate what the test is verifying.

  3. Refactor the test to use client-go instead of shelling out to oc. For this specific test, the goal is to verify a field within the pod's API object (securityContext.privileged), not the behavior of an oc command. Using client-go to fetch the pod object and inspect its spec directly is the standard practice in this repository for API-level validation. This approach is more robust against changes in CLI output formatting and avoids the overhead of shell commands. See test/extended/authorization/podsecurity_admission.go as a reference for the style of API interaction.

if isHyperShift {
g.Skip("HyperShift does not support this test")
}
checkItems := []struct {
Consider oauth-apiserver

wangke19 commented Oct 15, 2025

Checkpoints Advice

Simply checking for privileged: true is good, but for core platform components, you can add more specific and robust checkpoints to ensure they are configured correctly and securely.

  1. runAsUser: 0: For these pods, running as root is expected and required. You should explicitly check that securityContext.runAsUser is 0. This is a stronger assertion than just checking for
    privilege.

  2. Host Namespace Usage (hostNetwork, hostPID, hostIPC): These pods often require access to the host's network and process namespaces. Verifying hostNetwork: true is a very common and important
    check for static pods.

  3. Critical hostPath Mounts: The most robust check is to verify that the pod is mounting critical host directories. This proves it has the access it needs. For example, API servers always mount
    /etc/kubernetes/.

        // Example Checkpoint
        foundHostPath := false
        for _, volMount := range container.VolumeMounts {
            if volMount.MountPath == "/etc/kubernetes/" {
                foundHostPath = true
                break
            }
        }
        o.Expect(foundHostPath).To(o.BeTrue(), "expected to find /etc/kubernetes/ hostPath mount")
  4. SELinux Context: On SELinux-enabled systems, these pods run with a specific context. While more complex to check, verifying seLinuxOptions can be a powerful validation for security posture.
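The two review comments above (fetch the pod object and inspect its spec instead of parsing oc output, and check runAsUser, hostNetwork and the hostPath mount in addition to privileged) can be demonstrated together. The block below is an added example written for this page, not code from the PR or from openshift/origin. It assumes a small set of local structs that mirror only the core/v1 Pod fields the checks read (the real test would use *corev1.Pod from client-go, normally obtained through the origin CLI helper's AdminKubeClient()), and it runs on two constructed pod JSON documents rather than on a live cluster. It also generalizes the suggested hostPath check: instead of comparing the in-container mountPath to /etc/kubernetes/ (which differs between components, as the PR's own run shows with /etc/kubernetes/static-pod-resources), it resolves each volumeMount to its volume and checks the host path of a hostPath volume. Names such as CheckPod, mountsHostPath and underDir are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// Local mirror of the core/v1 Pod fields these checks read (assumption of this
// example: the real test would use *corev1.Pod from client-go instead).
type SecurityContext struct {
	Privileged *bool  // nil when the field is absent
	RunAsUser  *int64 // nil when the field is absent
}
type Container struct {
	Name            string
	SecurityContext SecurityContext
	VolumeMounts    []struct{ Name, MountPath string }
}
type Volume struct {
	Name     string
	HostPath *struct{ Path string } // nil for ConfigMap/Secret/emptyDir volumes
}
type PodSpec struct {
	HostNetwork     bool
	SecurityContext SecurityContext // pod level: only RunAsUser is meaningful here
	InitContainers  []Container
	Containers      []Container
	Volumes         []Volume
}
type Pod struct {
	Metadata struct{ Name, Namespace string }
	Spec     PodSpec
}

// ParsePod decodes a pod's JSON form (what a client-go Get returns, serialized).
func ParsePod(data []byte) (p Pod, err error) {
	err = json.Unmarshal(data, &p)
	return p, err
}

// underDir is true when p is dir itself or lies inside it; /etc/kubernetes-x is not under /etc/kubernetes.
func underDir(p, dir string) bool {
	p, dir = path.Clean(p), path.Clean(dir)
	return p == dir || strings.HasPrefix(p, dir+"/")
}

// mountsHostPath reports whether any container mounts a hostPath volume rooted under dir.
// Resolving through the volume name is sturdier than matching the in-container mountPath.
func mountsHostPath(vols []Volume, cs []Container, dir string) bool {
	for _, c := range cs {
		for _, m := range c.VolumeMounts {
			for _, v := range vols {
				if v.Name == m.Name && v.HostPath != nil && underDir(v.HostPath.Path, dir) {
					return true
				}
			}
		}
	}
	return false
}

// CheckPod applies the checkpoints to every init and main container and returns one
// finding per violation (empty means pass). hostDir "" skips the hostPath check, which
// is what a deployment-managed API server using ConfigMaps/Secrets needs.
func CheckPod(pod Pod, wantHostNetwork bool, hostDir string) (findings []string) {
	cs := append(append([]Container{}, pod.Spec.InitContainers...), pod.Spec.Containers...)
	for _, c := range cs {
		if p := c.SecurityContext.Privileged; p == nil || !*p {
			findings = append(findings, fmt.Sprintf("container %q: securityContext.privileged is not true", c.Name))
		}
		uid := pod.Spec.SecurityContext.RunAsUser // pod-level default ...
		if c.SecurityContext.RunAsUser != nil {
			uid = c.SecurityContext.RunAsUser // ... overridden by the container-level value
		}
		if uid != nil && *uid != 0 {
			findings = append(findings, fmt.Sprintf("container %q: runAsUser=%d, expected 0", c.Name, *uid))
		}
	}
	if wantHostNetwork && !pod.Spec.HostNetwork {
		findings = append(findings, "pod: hostNetwork is not true")
	}
	if hostDir != "" && !mountsHostPath(pod.Spec.Volumes, cs, hostDir) {
		findings = append(findings, "pod: no container mounts a hostPath volume under "+hostDir)
	}
	return findings
}

// Constructed sample pods (not captured from a cluster): one shaped like a
// kube-apiserver static pod, one that violates every checkpoint.
const KubeAPIServerPodJSON = `{"metadata":{"name":"kube-apiserver-master-0","namespace":"openshift-kube-apiserver"},"spec":{"hostNetwork":true,"volumes":[{"name":"resource-dir","hostPath":{"path":"/etc/kubernetes/static-pod-resources"}}],"initContainers":[{"name":"setup","securityContext":{"privileged":true}}],"containers":[{"name":"kube-apiserver","securityContext":{"privileged":true},"volumeMounts":[{"name":"resource-dir","mountPath":"/etc/kubernetes/static-pod-resources"}]}]}}`
const BrokenPodJSON = `{"metadata":{"name":"apiserver-bad","namespace":"constructed"},"spec":{"hostNetwork":false,"securityContext":{"runAsUser":1000},"volumes":[{"name":"config","configMap":{"name":"config"}}],"initContainers":[{"name":"fix-audit-permissions"}],"containers":[{"name":"apiserver","securityContext":{"privileged":true},"volumeMounts":[{"name":"config","mountPath":"/var/run/configmaps/config"}]}]}}`

func main() {
	pod, _ := ParsePod([]byte(BrokenPodJSON))
	fmt.Println(pod.Metadata.Name, CheckPod(pod, true, "/etc/kubernetes"))
}
```

In a Ginkgo test the same CheckPod call would sit inside a g.By() block per namespace, with hostNetwork and the hostPath directory required for the static kube-apiserver pod and skipped for the deployment-managed openshift-apiserver and oauth-apiserver pods; a non-empty findings slice is what o.Expect would fail on.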

oc := exutil.NewCLIWithPodSecurityLevel("e2e-qe-apiserver", admissionapi.LevelPrivileged)

// author: [email protected]
g.It("Init container setup should have the proper securityContext-[OCP-32383]-bug 1793694", func() {
@wangke19 wangke19 Oct 15, 2025

  • g.It (The Test Case Name):
    • Current: "Init container setup should have the proper securityContext-[OCP-32383]-bug 1793694"

    • Problem: It's too specific ("Init container"), contains internal bug trackers (OCP-32383), and is verbose.

    • Suggestion: The test case should state the expected outcome clearly and concisely.

      g.It("should run core API server pods with a privileged security context", func() {
      Reasoning:

      • This is a clear, readable statement of the test's purpose.
      • It removes all internal references, making it suitable for the public origin repository.
      • Specifics about which pods and containers are checked can be detailed inside the test using g.By() blocks.

make title clean, add one comment to describe CaseID and bug ID.

@gangwgr gangwgr force-pushed the migrate-ocp32383-to-origin branch 2 times, most recently from f6fe496 to f91646d Compare October 15, 2025 06:46
admissionapi "k8s.io/pod-security-admission/api"
)

var _ = g.Describe("[sig-api-machinery][E2E-QE-APIServer]", func() {
@wangke19 wangke19 Oct 15, 2025

The naming of your test blocks is critical for communicating intent to the open-source community. Internal references should be removed.

  • g.Describe (The Suite Name):
    • Current: [sig-api-machinery][E2E-QE-APIServer]

    • Problem: E2E-QE-APIServer is an internal-sounding name that doesn't describe the feature under test.

    • Suggestion: The suite should describe the broad feature area. Since this test verifies the security posture of core control plane components, a better name would be:

      var _ = g.Describe("[sig-auth][Feature:ControlPlaneSecurity]", func() {
      Reasoning:

      • [sig-auth] is appropriate because securityContext and privileged pods are a core security and authorization concern.
      • [Feature:ControlPlaneSecurity] clearly states that you are testing the security configuration of the control plane itself, not user workloads.

Your final Describe line would look like this:

var _ = g.Describe("[sig-auth][Feature:ControlPlaneSecurity][Suite:openshift/conformance/parallel]", func() {

@gangwgr gangwgr changed the title Automate OCP-32383 in upstream CNTRLPLANE-1662: Migrate OCP-32383 in upstream Oct 15, 2025
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Oct 15, 2025
openshift-ci-robot commented Oct 15, 2025

@gangwgr: This pull request references CNTRLPLANE-1662 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.21.0" version, but no target version was set.

In response to this:

Test verifies:

  • Container securityContext.privileged is set to true
  • Init container securityContext.privileged is set to true
  • Covers openshift-kube-apiserver and openshift-apiserver namespaces

Addresses: OCP-32383
Related: bug 1793694

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@gangwgr gangwgr changed the title CNTRLPLANE-1662: Migrate OCP-32383 in upstream CNTRLPLANE-1662: Migrate OCP-32383 to upstream Oct 15, 2025
@gangwgr gangwgr force-pushed the migrate-ocp32383-to-origin branch from f91646d to 0e4d7b0 Compare October 15, 2025 07:46
@gangwgr gangwgr force-pushed the migrate-ocp32383-to-origin branch from 0e4d7b0 to 8334eeb Compare October 15, 2025 08:48
gangwgr commented Oct 15, 2025

@wangke19 Updated feedback.
Test run:

 ./openshift-tests run-test "[sig-auth][Feature:ControlPlaneSecurity] should have privileged securityContext for control plane init and main containers [Suite:openshift/conformance/parallel]"
  I1015 14:17:37.232677   57929 i18n.go:139] Couldn't find translations for en_IN, using default
  I1015 14:17:37.232830   57929 i18n.go:157] Setting language to default
  I1015 14:17:37.363565   57929 binary.go:77] Found 8081 test specs
  I1015 14:17:37.364724   57929 binary.go:94] 1042 test specs remain, after filtering out k8s
openshift-tests v4.1.0-10137-g0e4d7b0
  I1015 14:17:45.586731   57929 test_setup.go:94] Extended test version v4.1.0-10137-g0e4d7b0
  I1015 14:17:45.586871   57929 test_context.go:558] Tolerating taints "node-role.kubernetes.io/control-plane" when considering if nodes are ready
  I1015 14:17:45.911454 57929 framework.go:2334] microshift-version configmap not found
  I1015 14:17:45.911624   57929 binary.go:111] Loaded test configuration: &framework.TestContextType{KubeConfig:"/Users/rgangwar/office-work/kubeconfig/kube.txt", KubeContext:"", KubeAPIContentType:"application/vnd.kubernetes.protobuf", KubeletRootDir:"/var/lib/kubelet", KubeletConfigDropinDir:"", CertDir:"", Host:"https://api.bgpyw-1015.qe.devcluster.openshift.com:6443", BearerToken:"cUCiijPtgs4qnv_o", RepoRoot:"../../", ListImages:false, listTests:false, listLabels:false, ListConformanceTests:false, Provider:"aws", Tooling:"", timeouts:framework.TimeoutContext{Poll:2000000000, PodStart:300000000000, PodStartShort:120000000000, PodStartSlow:900000000000, PodDelete:300000000000, ClaimProvision:300000000000, DataSourceProvision:300000000000, ClaimProvisionShort:60000000000, ClaimBound:180000000000, PVReclaim:180000000000, PVBound:180000000000, PVCreate:180000000000, PVDelete:300000000000, PVDeleteSlow:1200000000000, SnapshotCreate:300000000000, SnapshotDelete:300000000000, SnapshotControllerMetrics:300000000000, SystemPodsStartup:600000000000, NodeSchedulable:1800000000000, SystemDaemonsetStartup:300000000000, NodeNotReady:180000000000}, CloudConfig:framework.CloudConfig{APIEndpoint:"", ProjectID:"", Zone:"us-east-2a", Zones:[]string{"us-east-2a", "us-east-2b"}, Region:"us-east-2", MultiZone:true, MultiMaster:true, Cluster:"", MasterName:"", NodeInstanceGroup:"", NumNodes:3, ClusterIPRange:"", ClusterTag:"", Network:"", ConfigFile:"", NodeTag:"", MasterTag:"", Provider:(*aws.Provider)(0x10bb9ab08)}, KubectlPath:"kubectl", OutputDir:"/tmp", ReportDir:"", ReportPrefix:"", ReportCompleteGinkgo:false, ReportCompleteJUnit:false, Prefix:"e2e", MinStartupPods:-1, EtcdUpgradeStorage:"", EtcdUpgradeVersion:"", GCEUpgradeScript:"", ContainerRuntimeEndpoint:"unix:///run/containerd/containerd.sock", ContainerRuntimeProcessName:"containerd", ContainerRuntimePidFile:"/run/containerd/containerd.pid", SystemdServices:"containerd*", DumpSystemdJournal:false, ImageServiceEndpoint:"", 
MasterOSDistro:"custom", NodeOSDistro:"custom", NodeOSArch:"amd64", VerifyServiceAccount:true, DeleteNamespace:true, DeleteNamespaceOnFailure:true, AllowedNotReadyNodes:-1, CleanStart:false, GatherKubeSystemResourceUsageData:"false", GatherLogsSizes:false, GatherMetricsAfterTest:"false", GatherSuiteMetricsAfterTest:false, MaxNodesToGather:0, IncludeClusterAutoscalerMetrics:false, OutputPrintType:"json", CreateTestingNS:(framework.CreateTestingNSFn)(0x104044910), DumpLogsOnFailure:true, DisableLogDump:false, LogexporterGCSPath:"", NodeTestContextType:framework.NodeTestContextType{NodeE2E:false, NodeName:"", NodeConformance:false, PrepullImages:false, ImageDescription:"", RuntimeConfig:map[string]string(nil), SystemSpecName:"", RestartKubelet:false, ExtraEnvs:map[string]string(nil), StandaloneMode:false, CriProxyEnabled:false}, ClusterDNSDomain:"cluster.local", NodeKiller:framework.NodeKillerConfig{Enabled:false, FailureRatio:0.01, Interval:60000000000, JitterFactor:60, SimulatedDowntime:600000000000, NodeKillerStopCtx:context.Context(nil), NodeKillerStop:(func())(nil)}, IPFamily:"ipv4", NonblockingTaints:"node-role.kubernetes.io/control-plane", ProgressReportURL:"", SriovdpConfigMapFile:"", SpecSummaryOutput:"", DockerConfigFile:"", E2EDockerConfigFile:"", KubeTestRepoList:"", SnapshotControllerPodName:"", SnapshotControllerHTTPPort:0, RequireDevices:false, EnabledVolumeDrivers:[]string(nil)}
  Running Suite:  - /Users/rgangwar/Downloads/backupoffice/origin
  ===============================================================
  Random Seed: 1760518057 - will randomize all specs

  Will run 1 of 1 specs
  ------------------------------
  [sig-auth][Feature:ControlPlaneSecurity] should have privileged securityContext for control plane init and main containers
  github.com/openshift/origin/test/extended/apiserver/security_context.go:28
    STEP: Creating a kubernetes client @ 10/15/25 14:17:45.929
  I1015 14:17:45.930499   57929 discovery.go:214] Invalidating discovery information
  I1015 14:17:51.414191 57929 client.go:288] configPath is now "/var/folders/14/wkhr28xn4x10z1rxnvh42bdh0000gn/T/configfile2423195921"
  I1015 14:17:51.414277 57929 client.go:363] The user is now "e2e-test-control-plane-security-sx6b9-user"
  I1015 14:17:51.414290 57929 client.go:365] Creating project "e2e-test-control-plane-security-sx6b9"
  I1015 14:17:51.862888 57929 client.go:373] Waiting on permissions in project "e2e-test-control-plane-security-sx6b9" ...
  I1015 14:17:53.348204 57929 client.go:402] DeploymentConfig capability is enabled, adding 'deployer' SA to the list of default SAs
  I1015 14:17:53.702339 57929 client.go:417] Waiting for ServiceAccount "default" to be provisioned...
  I1015 14:17:54.543909 57929 client.go:417] Waiting for ServiceAccount "builder" to be provisioned...
  I1015 14:17:55.351112 57929 client.go:417] Waiting for ServiceAccount "deployer" to be provisioned...
  I1015 14:17:57.585544 57929 client.go:427] Waiting for RoleBinding "system:image-pullers" to be provisioned...
  I1015 14:17:58.277767 57929 client.go:427] Waiting for RoleBinding "system:image-builders" to be provisioned...
  I1015 14:17:59.048432 57929 client.go:427] Waiting for RoleBinding "system:deployers" to be provisioned...
  I1015 14:18:00.346496 57929 client.go:460] Project "e2e-test-control-plane-security-sx6b9" has been fully provisioned.
  I1015 14:18:00.688543 57929 framework.go:2334] microshift-version configmap not found
    STEP: Getting pods in openshift-kube-apiserver @ 10/15/25 14:18:01.041
  I1015 14:18:01.041799 57929 security_context.go:75] Checking namespace: openshift-kube-apiserver
  I1015 14:18:02.061189 57929 security_context.go:84] Found pod: kube-apiserver-ip-10-0-52-121.us-east-2.compute.internal in namespace openshift-kube-apiserver
    STEP: Verifying container securityContext.privileged for kube-apiserver @ 10/15/25 14:18:02.061
  I1015 14:18:02.061393 57929 security_context.go:106] Container kube-apiserver has securityContext.privileged=true
  I1015 14:18:02.061421 57929 security_context.go:125] Container kube-apiserver runs as root (privileged=true, runAsUser not explicitly set)
  I1015 14:18:02.061671 57929 security_context.go:129] Pod kube-apiserver-ip-10-0-52-121.us-east-2.compute.internal has hostNetwork=true
  I1015 14:18:02.061724 57929 security_context.go:138] ✓ Container kube-apiserver mounts /etc/kubernetes at /etc/kubernetes/static-pod-resources
    STEP: Verifying init container securityContext.privileged @ 10/15/25 14:18:02.061
  I1015 14:18:02.061876 57929 security_context.go:162] Init container setup has securityContext.privileged=true
    STEP: Getting pods in openshift-apiserver @ 10/15/25 14:18:02.061
  I1015 14:18:02.061920 57929 security_context.go:75] Checking namespace: openshift-apiserver
  I1015 14:18:02.509707 57929 security_context.go:84] Found pod: apiserver-65dd578cb5-jgp8f in namespace openshift-apiserver
    STEP: Verifying container securityContext.privileged for openshift-apiserver @ 10/15/25 14:18:02.509
  I1015 14:18:02.509876 57929 security_context.go:106] Container openshift-apiserver has securityContext.privileged=true
  I1015 14:18:02.509900 57929 security_context.go:111] Container openshift-apiserver has container-level runAsUser set
  I1015 14:18:02.509930 57929 security_context.go:122] Container openshift-apiserver has runAsUser=0 (root)
  I1015 14:18:02.509952 57929 security_context.go:129] Pod apiserver-65dd578cb5-jgp8f has hostNetwork=false
  I1015 14:18:02.509977 57929 security_context.go:145] Container openshift-apiserver is a deployment (uses ConfigMaps/Secrets, not hostPath)
    STEP: Verifying init container securityContext.privileged @ 10/15/25 14:18:02.51
  I1015 14:18:02.510118 57929 security_context.go:162] Init container fix-audit-permissions has securityContext.privileged=true
    STEP: Getting pods in openshift-oauth-apiserver @ 10/15/25 14:18:02.51
  I1015 14:18:02.510176 57929 security_context.go:75] Checking namespace: openshift-oauth-apiserver
  I1015 14:18:02.947669 57929 security_context.go:84] Found pod: apiserver-6d67568969-gn899 in namespace openshift-oauth-apiserver
    STEP: Verifying container securityContext.privileged for oauth-apiserver @ 10/15/25 14:18:02.947
  I1015 14:18:02.947857 57929 security_context.go:106] Container oauth-apiserver has securityContext.privileged=true
  I1015 14:18:02.947882 57929 security_context.go:111] Container oauth-apiserver has container-level runAsUser set
  I1015 14:18:02.947906 57929 security_context.go:122] Container oauth-apiserver has runAsUser=0 (root)
  I1015 14:18:02.947930 57929 security_context.go:129] Pod apiserver-6d67568969-gn899 has hostNetwork=false
  I1015 14:18:02.947952 57929 security_context.go:145] Container oauth-apiserver is a deployment (uses ConfigMaps/Secrets, not hostPath)
    STEP: Verifying init container securityContext.privileged @ 10/15/25 14:18:02.947
  I1015 14:18:02.948007 57929 security_context.go:162] Init container fix-audit-permissions has securityContext.privileged=true
  I1015 14:18:03.289135 57929 client.go:676] Deleted {user.openshift.io/v1, Resource=users  e2e-test-control-plane-security-sx6b9-user}, err: <nil>
  I1015 14:18:03.803890 57929 client.go:676] Deleted {oauth.openshift.io/v1, Resource=oauthclients  e2e-client-e2e-test-control-plane-security-sx6b9}, err: <nil>
  I1015 14:18:04.139532 57929 client.go:676] Deleted {oauth.openshift.io/v1, Resource=oauthaccesstokens  sha256~d1AubQiuEdV9L4Es-I8RIL5UrkjjCWLg_R0-h3013KY}, err: <nil>
    STEP: Destroying namespace "e2e-test-control-plane-security-sx6b9" for this suite. @ 10/15/25 14:18:04.14
  • [18.589 seconds]
  ------------------------------

  Ran 1 of 1 Specs in 18.589 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped
[
  {
    "name": "[sig-auth][Feature:ControlPlaneSecurity] should have privileged securityContext for control plane init and main containers [Suite:openshift/conformance/parallel]",
    "lifecycle": "blocking",
    "duration": 18589,
    "startTime": "2025-10-15 08:47:45.912384 UTC",
    "endTime": "2025-10-15 08:48:04.502332 UTC",
    "result": "passed",
    "output": "  STEP: Creating a kubernetes client @ 10/15/25 14:17:45.929\nI1015 14:17:51.414191 57929 client.go:288] configPath is now \"/var/folders/14/wkhr28xn4x10z1rxnvh42bdh0000gn/T/configfile2423195921\"\nI1015 14:17:51.414277 57929 client.go:363] The user is now \"e2e-test-control-plane-security-sx6b9-user\"\nI1015 14:17:51.414290 57929 client.go:365] Creating project \"e2e-test-control-plane-security-sx6b9\"\nI1015 14:17:51.862888 57929 client.go:373] Waiting on permissions in project \"e2e-test-control-plane-security-sx6b9\" ...\nI1015 14:17:53.348204 57929 client.go:402] DeploymentConfig capability is enabled, adding 'deployer' SA to the list of default SAs\nI1015 14:17:53.702339 57929 client.go:417] Waiting for ServiceAccount \"default\" to be provisioned...\nI1015 14:17:54.543909 57929 client.go:417] Waiting for ServiceAccount \"builder\" to be provisioned...\nI1015 14:17:55.351112 57929 client.go:417] Waiting for ServiceAccount \"deployer\" to be provisioned...\nI1015 14:17:57.585544 57929 client.go:427] Waiting for RoleBinding \"system:image-pullers\" to be provisioned...\nI1015 14:17:58.277767 57929 client.go:427] Waiting for RoleBinding \"system:image-builders\" to be provisioned...\nI1015 14:17:59.048432 57929 client.go:427] Waiting for RoleBinding \"system:deployers\" to be provisioned...\nI1015 14:18:00.346496 57929 client.go:460] Project \"e2e-test-control-plane-security-sx6b9\" has been fully provisioned.\nI1015 14:18:00.688543 57929 framework.go:2334] microshift-version configmap not found\n  STEP: Getting pods in openshift-kube-apiserver @ 10/15/25 14:18:01.041\nI1015 14:18:01.041799 57929 security_context.go:75] Checking namespace: openshift-kube-apiserver\nI1015 14:18:02.061189 57929 security_context.go:84] Found pod: kube-apiserver-ip-10-0-52-121.us-east-2.compute.internal in namespace openshift-kube-apiserver\n  STEP: Verifying container securityContext.privileged for kube-apiserver @ 10/15/25 14:18:02.061\nI1015 14:18:02.061393 57929 
security_context.go:106] Container kube-apiserver has securityContext.privileged=true\nI1015 14:18:02.061421 57929 security_context.go:125] Container kube-apiserver runs as root (privileged=true, runAsUser not explicitly set)\nI1015 14:18:02.061671 57929 security_context.go:129] Pod kube-apiserver-ip-10-0-52-121.us-east-2.compute.internal has hostNetwork=true\nI1015 14:18:02.061724 57929 security_context.go:138] ✓ Container kube-apiserver mounts /etc/kubernetes at /etc/kubernetes/static-pod-resources\n  STEP: Verifying init container securityContext.privileged @ 10/15/25 14:18:02.061\nI1015 14:18:02.061876 57929 security_context.go:162] Init container setup has securityContext.privileged=true\n  STEP: Getting pods in openshift-apiserver @ 10/15/25 14:18:02.061\nI1015 14:18:02.061920 57929 security_context.go:75] Checking namespace: openshift-apiserver\nI1015 14:18:02.509707 57929 security_context.go:84] Found pod: apiserver-65dd578cb5-jgp8f in namespace openshift-apiserver\n  STEP: Verifying container securityContext.privileged for openshift-apiserver @ 10/15/25 14:18:02.509\nI1015 14:18:02.509876 57929 security_context.go:106] Container openshift-apiserver has securityContext.privileged=true\nI1015 14:18:02.509900 57929 security_context.go:111] Container openshift-apiserver has container-level runAsUser set\nI1015 14:18:02.509930 57929 security_context.go:122] Container openshift-apiserver has runAsUser=0 (root)\nI1015 14:18:02.509952 57929 security_context.go:129] Pod apiserver-65dd578cb5-jgp8f has hostNetwork=false\nI1015 14:18:02.509977 57929 security_context.go:145] Container openshift-apiserver is a deployment (uses ConfigMaps/Secrets, not hostPath)\n  STEP: Verifying init container securityContext.privileged @ 10/15/25 14:18:02.51\nI1015 14:18:02.510118 57929 security_context.go:162] Init container fix-audit-permissions has securityContext.privileged=true\n  STEP: Getting pods in openshift-oauth-apiserver @ 10/15/25 14:18:02.51\nI1015 14:18:02.510176 57929 
security_context.go:75] Checking namespace: openshift-oauth-apiserver\nI1015 14:18:02.947669 57929 security_context.go:84] Found pod: apiserver-6d67568969-gn899 in namespace openshift-oauth-apiserver\n  STEP: Verifying container securityContext.privileged for oauth-apiserver @ 10/15/25 14:18:02.947\nI1015 14:18:02.947857 57929 security_context.go:106] Container oauth-apiserver has securityContext.privileged=true\nI1015 14:18:02.947882 57929 security_context.go:111] Container oauth-apiserver has container-level runAsUser set\nI1015 14:18:02.947906 57929 security_context.go:122] Container oauth-apiserver has runAsUser=0 (root)\nI1015 14:18:02.947930 57929 security_context.go:129] Pod apiserver-6d67568969-gn899 has hostNetwork=false\nI1015 14:18:02.947952 57929 security_context.go:145] Container oauth-apiserver is a deployment (uses ConfigMaps/Secrets, not hostPath)\n  STEP: Verifying init container securityContext.privileged @ 10/15/25 14:18:02.947\nI1015 14:18:02.948007 57929 security_context.go:162] Init container fix-audit-permissions has securityContext.privileged=true\nI1015 14:18:03.289135 57929 client.go:676] Deleted {user.openshift.io/v1, Resource=users  e2e-test-control-plane-security-sx6b9-user}, err: \u003cnil\u003e\nI1015 14:18:03.803890 57929 client.go:676] Deleted {oauth.openshift.io/v1, Resource=oauthclients  e2e-client-e2e-test-control-plane-security-sx6b9}, err: \u003cnil\u003e\nI1015 14:18:04.139532 57929 client.go:676] Deleted {oauth.openshift.io/v1, Resource=oauthaccesstokens  sha256~d1AubQiuEdV9L4Es-I8RIL5UrkjjCWLg_R0-h3013KY}, err: \u003cnil\u003e\n  STEP: Destroying namespace \"e2e-test-control-plane-security-sx6b9\" for this suite. @ 10/15/25 14:18:04.14\n"
  }
]

wangke19 commented Oct 15, 2025

We check test result from CI jobs, local test is for debugging. Waiting for CI jobs.

@wangke19

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 16, 2025
@stbenjam

/lgtm

openshift-ci bot commented Oct 16, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gangwgr, stbenjam, wangke19

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 16, 2025
@wangke19

/verified by e2e jobs

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Oct 17, 2025
@openshift-ci-robot

@wangke19: This PR has been marked as verified by e2e jobs.

In response to this:

/verified by e2e jobs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 43159a2 and 2 for PR HEAD 8334eeb in total

gangwgr commented Oct 17, 2025

/retest-required

1 similar comment
gangwgr commented Oct 17, 2025

/retest-required

openshift-trt bot commented Oct 17, 2025

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: 8334eeb

Job Name: pull-ci-openshift-origin-main-e2e-aws-ovn-fips
New Test Risk: High - "[sig-auth][Feature:ControlPlaneSecurity] should have privileged securityContext for control plane init and main containers [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.

Job Name: pull-ci-openshift-origin-main-e2e-gcp-ovn
New Test Risk: High - "[sig-auth][Feature:ControlPlaneSecurity] should have privileged securityContext for control plane init and main containers [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.

Job Name: pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6
New Test Risk: High - "[sig-auth][Feature:ControlPlaneSecurity] should have privileged securityContext for control plane init and main containers [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.

Job Name: pull-ci-openshift-origin-main-e2e-vsphere-ovn
New Test Risk: High - "[sig-auth][Feature:ControlPlaneSecurity] should have privileged securityContext for control plane init and main containers [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.

Job Name: pull-ci-openshift-origin-main-e2e-vsphere-ovn-upi
New Test Risk: High - "[sig-auth][Feature:ControlPlaneSecurity] should have privileged securityContext for control plane init and main containers [Suite:openshift/conformance/parallel]" is a new test that was not present in all runs against the current commit.

New tests seen in this PR at sha: 8334eeb

  • "[sig-auth][Feature:ControlPlaneSecurity] should have privileged securityContext for control plane init and main containers [Suite:openshift/conformance/parallel]" [Total: 16, Pass: 16, Fail: 0, Flake: 0]

gangwgr commented Oct 17, 2025

/test go-verify-deps

@petr-muller

/cc

@openshift-ci openshift-ci bot requested a review from petr-muller October 20, 2025 10:52
@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 2bc51b3 and 1 for PR HEAD 8334eeb in total

openshift-ci bot commented Oct 21, 2025

@gangwgr: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
