Use k8s-admin user and disable root SSH for s390x VPC and VSI resources by sudharshanibm · Pull Request #71 · kubernetes-sigs/provider-ibmcloud-test-infra

sudharshanibm · 2026-02-24T12:53:40Z

Disable root SSH access on newly created VPC–VSI instances
Introduce and use a dedicated non-root user k8s-admin for all automation
Grant required privileges via sudo (wheel group), instead of direct root login
Remove any dependency on ansible_become_user: root

k8s-ci-robot · 2026-02-24T12:53:48Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sudharshanibm
Once this PR has been reviewed and has the lgtm label, please assign prajyot-parab for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot · 2026-02-24T12:53:49Z

Welcome @sudharshanibm!

It looks like this is your first PR to kubernetes-sigs/provider-ibmcloud-test-infra 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/provider-ibmcloud-test-infra has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

k8s-ci-robot · 2026-02-24T12:53:50Z

Hi @sudharshanibm. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

kishen-v · 2026-03-13T12:15:28Z

/ok-to-test

kishen-v · 2026-03-16T06:41:34Z

/test-pull-provider-ibmcloud-test-infra-kubernetes

kishen-v · 2026-03-24T02:45:36Z

/test pull-provider-ibmcloud-test-infra-kubernetes

kishen-v · 2026-03-24T04:10:02Z

/hold
/lgtm
/cc @Prajyot-Parab for a final review.

k8s-ci-robot · 2026-03-30T05:15:31Z

New changes are detected. LGTM label has been removed.

kishen-v · 2026-03-31T04:18:20Z

Please squash the commits.

sudharshanibm · 2026-04-01T07:19:39Z

Hi @kishen-v
Squashed the commits

kishen-v · 2026-04-01T09:41:52Z

+[workers:vars]
+ansible_user=k8s-admin
+ansible_become=true
+ansible_become_method=sudo


@sudharshanibm , just a thought. We're setting the same set of values under hosts.yml and the group_vars/all through deployer.go.

Based on the comment Extra-vars have the highest precedence in Ansible, so this overrides, setting them in group-vars alone should suffice?

https://github.com/kubernetes-sigs/provider-ibmcloud-test-infra/pull/71/changes#diff-fada1d1362e2ff82c6c7888d1d53ca5489fe572092a62f014d23a1be1b4ae38aR365-R369

thanks @kishen-v removed the redundant inventory template vars

mkumatag · 2026-04-06T06:43:56Z

+	// has disabled root SSH access for new VPC-VSI instances.
+	// Extra-vars have the highest precedence in Ansible, so this overrides
+	// the ansible_user: root in group_vars/all (shared with PowerVS).
+	if d.TargetProvider == "vpc" {


can we pass these variables while calling the tf command itself as an extra-vars argument..

thanks @mkumatag
removed this block and updated the job config in test-infra to pass these values directly via --extra-vars
here is the related PR for test-infra

kishen-v · 2026-04-06T11:36:40Z


 	// Add-in the extra-vars set to the final set.
 	maps.Insert(combinedAnsibleVars, maps.All(d.ExtraVars))
+


Please remove the new lines.

Prajyot-Parab · 2026-04-09T07:54:32Z

What are the implications of these changes on PowerVS? Why are they needed?

added it only to test whether returning an error instead of calling os.Exit(1) would work better with the periodic job wiring in kubernetes/test-infra#36659 but that did not fix the issue
reverting this so there is no unintended behavioral change for PowerVS from this PR

Create a non-root k8s-admin account on instances and update Terraform/Ansible to use it. Signed-off-by: Sudharshan Muralidharan <sudharshan.muralidharan1@ibm.com>

k8s-ci-robot requested review from Rajalakshmi-Girish and mkumatag February 24, 2026 12:53

k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Feb 24, 2026

k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 24, 2026

k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 13, 2026

sudharshanibm force-pushed the test-user branch from 43e3e69 to e5e2d0e Compare March 14, 2026 23:49

k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 24, 2026

k8s-ci-robot assigned kishen-v Mar 24, 2026

k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Mar 24, 2026

sudharshanibm force-pushed the test-user branch 3 times, most recently from 012ea44 to ce623e8 Compare March 30, 2026 15:50

k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 30, 2026

sudharshanibm force-pushed the test-user branch 4 times, most recently from ac40e59 to 97e3ce5 Compare March 30, 2026 17:57

sudharshanibm force-pushed the test-user branch from 97e3ce5 to e5e2d0e Compare March 31, 2026 05:30

sudharshanibm force-pushed the test-user branch from 4fed1c8 to 92433af Compare April 1, 2026 07:18

sudharshanibm force-pushed the test-user branch from 92433af to 94920ca Compare April 1, 2026 07:20

kishen-v reviewed Apr 1, 2026

View reviewed changes

sudharshanibm force-pushed the test-user branch 3 times, most recently from 0b647b4 to e2fdabe Compare April 6, 2026 06:19

mkumatag requested changes Apr 6, 2026

View reviewed changes

sudharshanibm force-pushed the test-user branch from 7a7bc4d to cd36d4c Compare April 6, 2026 08:25

kishen-v reviewed Apr 6, 2026

View reviewed changes

sudharshanibm force-pushed the test-user branch 2 times, most recently from 877f0f8 to b6f0918 Compare April 6, 2026 12:36

sudharshanibm mentioned this pull request Apr 6, 2026

Umbrella issue: Addition of prow jobs to run on s390x arch kubernetes/test-infra#36767

Open

2 tasks

Prajyot-Parab reviewed Apr 9, 2026

View reviewed changes

sudharshanibm force-pushed the test-user branch 4 times, most recently from 92bfcc8 to 620f61a Compare April 9, 2026 17:45

Add k8s-admin user

8b9d609

Create a non-root k8s-admin account on instances and update Terraform/Ansible to use it. Signed-off-by: Sudharshan Muralidharan <sudharshan.muralidharan1@ibm.com>

sudharshanibm force-pushed the test-user branch from 620f61a to 8b9d609 Compare April 9, 2026 21:00

Rajalakshmi-Girish mentioned this pull request Apr 13, 2026

Update typo error, ssh key and ansible vars kubernetes/test-infra#36778

Open

sudharshanibm mentioned this pull request Apr 17, 2026

REQUEST: New membership for sudharshanibm kubernetes/org#6298

Open

11 tasks


		// Add-in the extra-vars set to the final set.
		maps.Insert(combinedAnsibleVars, maps.All(d.ExtraVars))

Conversation

sudharshanibm commented Feb 24, 2026

Uh oh!

k8s-ci-robot commented Feb 24, 2026

Uh oh!

k8s-ci-robot commented Feb 24, 2026

Uh oh!

k8s-ci-robot commented Feb 24, 2026

Uh oh!

kishen-v commented Mar 13, 2026

Uh oh!

kishen-v commented Mar 16, 2026

Uh oh!

kishen-v commented Mar 24, 2026

Uh oh!

kishen-v commented Mar 24, 2026

Uh oh!

k8s-ci-robot commented Mar 30, 2026

Uh oh!

kishen-v commented Mar 31, 2026

Uh oh!

sudharshanibm commented Apr 1, 2026

Uh oh!

kishen-v Apr 1, 2026

Choose a reason for hiding this comment

Uh oh!

sudharshanibm Apr 1, 2026

Choose a reason for hiding this comment

Uh oh!

mkumatag Apr 6, 2026

Choose a reason for hiding this comment

Uh oh!

sudharshanibm Apr 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

kishen-v Apr 6, 2026

Choose a reason for hiding this comment

Uh oh!

Prajyot-Parab Apr 9, 2026

Choose a reason for hiding this comment

Uh oh!

sudharshanibm Apr 9, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

sudharshanibm Apr 6, 2026 •

edited

Loading