Migrate OCP-56266: verify kubelet/crio deletes netns when pod deleted

BhargaviGudi · BhargaviGudi · commit 033cec1c8096 · 2026-06-01T12:47:10.000+05:30
diff --git a/test/extended/node/README.md b/test/extended/node/README.md
@@ -9,6 +9,7 @@ This directory contains OpenShift end-to-end tests for node-related features.
 - **kubeletconfig_features.go** - Tests applying KubeletConfig to custom machine config pools, requires node reboots
 - **kubelet_secret_pulled_images.go** - Tests kubelet credential verification for image pulls (`KubeletEnsureSecretPulledImages` feature gate). Covers multi-tenancy isolation, credential rotation, ImagePullPolicy behavior, credential verification policy (NeverVerify/AlwaysVerify), and registry availability scenarios. Requires `TechPreviewNoUpgrade` or `CustomNoUpgrade` FeatureSet.
 - **node_e2e/image_registry_config.go** - Container registry config change (OCP-44820) - Verifies search registry update triggers MCO rollout and lands on nodes [Disruptive]
+- **node_e2e/netns_cleanup.go** - Network namespace cleanup (OCP-56266) - Verifies kubelet/CRI-O properly deletes network namespace when a pod is deleted [OTP]
 
 ### Suite: openshift/usernamespace
 
diff --git a/test/extended/node/node_e2e/netns_cleanup.go b/test/extended/node/node_e2e/netns_cleanup.go
@@ -0,0 +1,117 @@
+package node
+
+import (
+	"context"
+	"strings"
+	"time"
+
+	g "github.com/onsi/ginkgo/v2"
+	o "github.com/onsi/gomega"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
+	e2e "k8s.io/kubernetes/test/e2e/framework"
+	"k8s.io/utils/ptr"
+
+	nodeutils "github.com/openshift/origin/test/extended/node"
+	exutil "github.com/openshift/origin/test/extended/util"
+)
+
+var _ = g.Describe("[sig-node] [Jira:Node/Kubelet] Network namespace cleanup", func() {
+	var (
+		oc = exutil.NewCLIWithoutNamespace("netns-cleanup")
+	)
+
+	//author: minmli@redhat.com
+	g.It("[OTP] kubelet/crio will delete netns when a pod is deleted [OCP-56266]", func() {
+		ctx := context.Background()
+		oc.SetupProject()
+		namespace := oc.Namespace()
+		podName := "pod-56266"
+
+		g.By("Create a test pod")
+		pod := &corev1.Pod{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      podName,
+				Namespace: namespace,
+				Labels: map[string]string{
+					"name": "hello-openshift",
+				},
+			},
+			Spec: corev1.PodSpec{
+				SecurityContext: &corev1.PodSecurityContext{
+					RunAsNonRoot: ptr.To(true),
+					SeccompProfile: &corev1.SeccompProfile{
+						Type: corev1.SeccompProfileTypeRuntimeDefault,
+					},
+				},
+				Containers: []corev1.Container{
+					{
+						Name:    "hello-openshift",
+						Image:   "quay.io/openshifttest/hello-openshift@sha256:4200f438cf2e9446f6bcff9d67ceea1f69ed07a2f83363b7fb52529f7ddd8a83",
+						Command: []string{"sleep", "infinity"},
+						SecurityContext: &corev1.SecurityContext{
+							AllowPrivilegeEscalation: ptr.To(false),
+							Capabilities: &corev1.Capabilities{
+								Drop: []corev1.Capability{"ALL"},
+							},
+						},
+					},
+				},
+			},
+		}
+		_, err := oc.KubeClient().CoreV1().Pods(namespace).Create(ctx, pod, metav1.CreateOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred(), "failed to create pod")
+
+		g.By("Wait for pod to be ready")
+		err = wait.PollUntilContextTimeout(ctx, 3*time.Second, 2*time.Minute, true, func(ctx context.Context) (bool, error) {
+			pod, pollErr := oc.KubeClient().CoreV1().Pods(namespace).Get(ctx, podName, metav1.GetOptions{})
+			if pollErr != nil {
+				e2e.Logf("Error getting pod: %v", pollErr)
+				return false, nil
+			}
+			for _, cond := range pod.Status.Conditions {
+				if cond.Type == corev1.PodReady && cond.Status == corev1.ConditionTrue {
+					e2e.Logf("Pod is ready")
+					return true, nil
+				}
+			}
+			e2e.Logf("Waiting for pod to be ready")
+			return false, nil
+		})
+		o.Expect(err).NotTo(o.HaveOccurred(), "pod did not become ready")
+
+		g.By("Get pod's node name")
+		podObj, err := oc.KubeClient().CoreV1().Pods(namespace).Get(ctx, podName, metav1.GetOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred(), "failed to get pod")
+		nodeName := podObj.Spec.NodeName
+		o.Expect(nodeName).NotTo(o.BeEmpty(), "pod node name is empty")
+		e2e.Logf("Pod is running on node: %s", nodeName)
+
+		g.By("Get pod's network namespace path from CRI-O journal logs")
+		netNsPath, err := nodeutils.GetPodNetNs(oc, nodeName, podName)
+		o.Expect(err).NotTo(o.HaveOccurred(), "failed to get pod NetNS")
+		e2e.Logf("Pod NetNS path: %s", netNsPath)
+
+		g.By("Delete the pod")
+		err = oc.KubeClient().CoreV1().Pods(namespace).Delete(ctx, podName, metav1.DeleteOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred(), "failed to delete pod")
+
+		g.By("Wait for pod to be fully deleted")
+		err = wait.PollUntilContextTimeout(ctx, 2*time.Second, 1*time.Minute, true, func(ctx context.Context) (bool, error) {
+			_, pollErr := oc.KubeClient().CoreV1().Pods(namespace).Get(ctx, podName, metav1.GetOptions{})
+			if pollErr != nil && strings.Contains(pollErr.Error(), "not found") {
+				e2e.Logf("Pod deleted successfully")
+				return true, nil
+			}
+			e2e.Logf("Waiting for pod to be deleted")
+			return false, nil
+		})
+		o.Expect(err).NotTo(o.HaveOccurred(), "pod was not deleted")
+
+		g.By("Verify that the NetNS file has been cleaned up on the node")
+		err = nodeutils.CheckNetNsCleaned(oc, nodeName, netNsPath)
+		o.Expect(err).NotTo(o.HaveOccurred(), "NetNS file was not cleaned up")
+	})
+})
diff --git a/test/extended/node/node_utils.go b/test/extended/node/node_utils.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"math/rand"
 	"os"
+	"regexp"
 	"strings"
 	"time"
 
@@ -764,3 +765,53 @@ func GetFirstReadyWorkerNode(oc *exutil.CLI) string {
 	o.Expect(false).To(o.BeTrue(), "no Ready worker node found among %v", workers)
 	return "" // unreachable; satisfies compiler
 }
+
+// GetPodNetNs retrieves the network namespace path for a pod from the CRI-O journal logs.
+// It searches the journal logs for the pod name and extracts the NetNS path.
+// Returns the NetNS path and an error if not found.
+func GetPodNetNs(oc *exutil.CLI, nodeName, podName string) (string, error) {
+	cmd := fmt.Sprintf("journalctl -u crio --since=\"5 minutes ago\" | grep %s | grep NetNS", podName)
+	netNsStr, err := ExecOnNodeWithChroot(oc, nodeName, "/bin/bash", "-c", cmd)
+	if err != nil {
+		framework.Logf("Failed to get NetNS from journal: %v", err)
+		return "", fmt.Errorf("failed to get NetNS from journal: %w", err)
+	}
+	framework.Logf("NetNs journal output: %v", netNsStr)
+
+	// Extract NetNS path using regex
+	re := regexp.MustCompile(`NetNS:[^\s]*`)
+	found := re.FindAllString(netNsStr, -1)
+	if len(found) == 0 {
+		framework.Logf("NetNS not found in journal logs for pod %s", podName)
+		return "", fmt.Errorf("NetNS not found in journal logs for pod %s", podName)
+	}
+	framework.Logf("Found NetNS: %v", found[0])
+
+	// Split "NetNS:/path/to/netns" to get the path
+	parts := strings.Split(found[0], ":")
+	if len(parts) < 2 {
+		framework.Logf("Invalid NetNS format: %s", found[0])
+		return "", fmt.Errorf("invalid NetNS format: %s", found[0])
+	}
+	netNsPath := parts[1]
+	framework.Logf("NetNs path: %v", netNsPath)
+	return netNsPath, nil
+}
+
+// CheckNetNsCleaned verifies that the network namespace file has been cleaned up.
+// It checks if the NetNS path no longer exists on the node.
+// Returns nil if the file is cleaned, error if it still exists.
+func CheckNetNsCleaned(oc *exutil.CLI, nodeName, netNsPath string) error {
+	result, err := ExecOnNodeWithChroot(oc, nodeName, "ls", "-l", netNsPath)
+	if err != nil {
+		framework.Logf("Error checking NetNS file: %v", err)
+	}
+	framework.Logf("NetNS check result: %v", result)
+
+	if strings.Contains(result, "No such file or directory") {
+		framework.Logf("NetNS file cleaned successfully")
+		return nil
+	}
+	framework.Logf("NetNS file still exists at %s", netNsPath)
+	return fmt.Errorf("NetNS file still exists at %s", netNsPath)
+}
