Skip to content

Commit

Permalink
feat: enforce restricted Pod Security Context Compliance in testing
Browse files Browse the repository at this point in the history
  • Loading branch information
lunarwhite committed Dec 20, 2024
1 parent e54dabf commit 0c45cf3
Show file tree
Hide file tree
Showing 11 changed files with 261 additions and 51 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -46,13 +46,20 @@ var _ = Describe("Manager", Ordered, func() {
var controllerPodName string

// Before running the tests, set up the environment by creating the namespace,
// installing CRDs, and deploying the controller.
// enforce the restricted security policy to the namespace, installing CRDs,
// and deploying the controller.
BeforeAll(func() {
By("creating manager namespace")
cmd := exec.Command("kubectl", "create", "ns", namespace)
_, err := utils.Run(cmd)
Expect(err).NotTo(HaveOccurred(), "Failed to create namespace")

By("labeling the namespace to enforce the restricted security policy")
cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace,
"pod-security.kubernetes.io/enforce=restricted")
_, err = utils.Run(cmd)
Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy")

By("installing CRDs")
cmd = exec.Command("make", "install")
_, err = utils.Run(cmd)
Expand Down Expand Up @@ -209,10 +216,30 @@ var _ = Describe("Manager", Ordered, func() {
By("creating the curl-metrics pod to access the metrics endpoint")
cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never",
"--namespace", namespace,
"--image=curlimages/curl:7.78.0",
"--", "/bin/sh", "-c", fmt.Sprintf(
"curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics",
token, metricsServiceName, namespace))
"--image=curlimages/curl:latest",
"--overrides",
fmt.Sprintf(`{
"spec": {
"containers": [{
"name": "curl",
"image": "curlimages/curl:latest",
"command": ["/bin/sh", "-c"],
"args": ["curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics"],
"securityContext": {
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": ["ALL"]
},
"runAsNonRoot": true,
"runAsUser": 1000,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
}],
"serviceAccount": "%s"
}
}`, token, metricsServiceName, namespace, serviceAccountName))
_, err = utils.Run(cmd)
Expect(err).NotTo(HaveOccurred(), "Failed to create curl-metrics pod")

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -46,13 +46,20 @@ var _ = Describe("Manager", Ordered, func() {
var controllerPodName string

// Before running the tests, set up the environment by creating the namespace,
// installing CRDs, and deploying the controller.
// enforce the restricted security policy to the namespace, installing CRDs,
// and deploying the controller.
BeforeAll(func() {
By("creating manager namespace")
cmd := exec.Command("kubectl", "create", "ns", namespace)
_, err := utils.Run(cmd)
Expect(err).NotTo(HaveOccurred(), "Failed to create namespace")

By("labeling the namespace to enforce the restricted security policy")
cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace,
"pod-security.kubernetes.io/enforce=restricted")
_, err = utils.Run(cmd)
Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy")

By("installing CRDs")
cmd = exec.Command("make", "install")
_, err = utils.Run(cmd)
Expand Down Expand Up @@ -209,10 +216,30 @@ var _ = Describe("Manager", Ordered, func() {
By("creating the curl-metrics pod to access the metrics endpoint")
cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never",
"--namespace", namespace,
"--image=curlimages/curl:7.78.0",
"--", "/bin/sh", "-c", fmt.Sprintf(
"curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics",
token, metricsServiceName, namespace))
"--image=curlimages/curl:latest",
"--overrides",
fmt.Sprintf(`{
"spec": {
"containers": [{
"name": "curl",
"image": "curlimages/curl:latest",
"command": ["/bin/sh", "-c"],
"args": ["curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics"],
"securityContext": {
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": ["ALL"]
},
"runAsNonRoot": true,
"runAsUser": 1000,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
}],
"serviceAccount": "%s"
}
}`, token, metricsServiceName, namespace, serviceAccountName))
_, err = utils.Run(cmd)
Expect(err).NotTo(HaveOccurred(), "Failed to create curl-metrics pod")

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -46,13 +46,20 @@ var _ = Describe("Manager", Ordered, func() {
var controllerPodName string

// Before running the tests, set up the environment by creating the namespace,
// installing CRDs, and deploying the controller.
// enforce the restricted security policy to the namespace, installing CRDs,
// and deploying the controller.
BeforeAll(func() {
By("creating manager namespace")
cmd := exec.Command("kubectl", "create", "ns", namespace)
_, err := utils.Run(cmd)
Expect(err).NotTo(HaveOccurred(), "Failed to create namespace")

By("labeling the namespace to enforce the restricted security policy")
cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace,
"pod-security.kubernetes.io/enforce=restricted")
_, err = utils.Run(cmd)
Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy")

By("installing CRDs")
cmd = exec.Command("make", "install")
_, err = utils.Run(cmd)
Expand Down Expand Up @@ -209,10 +216,30 @@ var _ = Describe("Manager", Ordered, func() {
By("creating the curl-metrics pod to access the metrics endpoint")
cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never",
"--namespace", namespace,
"--image=curlimages/curl:7.78.0",
"--", "/bin/sh", "-c", fmt.Sprintf(
"curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics",
token, metricsServiceName, namespace))
"--image=curlimages/curl:latest",
"--overrides",
fmt.Sprintf(`{
"spec": {
"containers": [{
"name": "curl",
"image": "curlimages/curl:latest",
"command": ["/bin/sh", "-c"],
"args": ["curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics"],
"securityContext": {
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": ["ALL"]
},
"runAsNonRoot": true,
"runAsUser": 1000,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
}],
"serviceAccount": "%s"
}
}`, token, metricsServiceName, namespace, serviceAccountName))
_, err = utils.Run(cmd)
Expect(err).NotTo(HaveOccurred(), "Failed to create curl-metrics pod")

Expand Down
2 changes: 1 addition & 1 deletion docs/book/src/reference/metrics.md
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@ spec:
serviceAccountName: controller-manager
containers:
- name: metrics-consumer
image: curlimages/curl:7.78.0
image: curlimages/curl:latest
command: ["/bin/sh"]
args:
- "-c"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -207,13 +207,20 @@ var _ = Describe("Manager", Ordered, func() {
var controllerPodName string
// Before running the tests, set up the environment by creating the namespace,
// installing CRDs, and deploying the controller.
// enforce the restricted security policy to the namespace, installing CRDs,
// and deploying the controller.
BeforeAll(func() {
By("creating manager namespace")
cmd := exec.Command("kubectl", "create", "ns", namespace)
_, err := utils.Run(cmd)
Expect(err).NotTo(HaveOccurred(), "Failed to create namespace")
By("labeling the namespace to enforce the restricted security policy")
cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace,
"pod-security.kubernetes.io/enforce=restricted")
_, err = utils.Run(cmd)
Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy")
By("installing CRDs")
cmd = exec.Command("make", "install")
_, err = utils.Run(cmd)
Expand Down Expand Up @@ -370,10 +377,30 @@ var _ = Describe("Manager", Ordered, func() {
By("creating the curl-metrics pod to access the metrics endpoint")
cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never",
"--namespace", namespace,
"--image=curlimages/curl:7.78.0",
"--", "/bin/sh", "-c", fmt.Sprintf(
"curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics",
token, metricsServiceName, namespace))
"--image=curlimages/curl:latest",
"--overrides",
fmt.Sprintf(` + "`" + `{
"spec": {
"containers": [{
"name": "curl",
"image": "curlimages/curl:latest",
"command": ["/bin/sh", "-c"],
"args": ["curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics"],
"securityContext": {
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": ["ALL"]
},
"runAsNonRoot": true,
"runAsUser": 1000,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
}],
"serviceAccount": "%s"
}
}` + "`" + `, token, metricsServiceName, namespace, serviceAccountName))
_, err = utils.Run(cmd)
Expect(err).NotTo(HaveOccurred(), "Failed to create curl-metrics pod")
Expand Down
3 changes: 2 additions & 1 deletion test/e2e/deployimage/plugin_cluster_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,8 @@ func Run(kbc *utils.TestContext) {

By("deploying the controller-manager")
cmd := exec.Command("make", "deploy", "IMG="+kbc.ImageName)
Expect(kbc.Run(cmd)).NotTo(ContainSubstring("Warning: would violate PodSecurity"))
out, _ := kbc.Run(cmd)
Expect(string(out)).NotTo(ContainSubstring("Warning: would violate PodSecurity"))

By("validating that the controller-manager pod is running as expected")
verifyControllerUp := func(g Gomega) {
Expand Down
14 changes: 7 additions & 7 deletions test/e2e/utils/test_context.go
Original file line number Diff line number Diff line change
Expand Up @@ -252,18 +252,18 @@ func (t *TestContext) CreateManagerNamespace() error {
return err
}

// LabelNamespacesToWarnAboutRestricted will label all namespaces so that we can verify
// if a warning with `Warning: would violate PodSecurity` will be raised when the manifests are applied
func (t *TestContext) LabelNamespacesToWarnAboutRestricted() error {
// LabelNamespacesToEnforceRestricted will label specified namespaces so that we can verify
// if the manifests can be applied in restricted environments with strict security policy enforced
func (t *TestContext) LabelNamespacesToEnforceRestricted() error {
_, err := t.Kubectl.Command("label", "--overwrite", "ns", t.Kubectl.Namespace,
"pod-security.kubernetes.io/warn=restricted")
"pod-security.kubernetes.io/enforce=restricted")
return err
}

// RemoveNamespaceLabelToWarnAboutRestricted will remove the `pod-security.kubernetes.io/warn` label
// RemoveNamespaceLabelToEnforceRestricted will remove the `pod-security.kubernetes.io/enforce` label
// from the specified namespace
func (t *TestContext) RemoveNamespaceLabelToWarnAboutRestricted() error {
_, err := t.Kubectl.Command("label", "ns", t.Kubectl.Namespace, "pod-security.kubernetes.io/warn-")
func (t *TestContext) RemoveNamespaceLabelToEnforceRestricted() error {
_, err := t.Kubectl.Command("label", "ns", t.Kubectl.Namespace, "pod-security.kubernetes.io/enforce-")
return err
}

Expand Down
34 changes: 27 additions & 7 deletions test/e2e/v4/plugin_cluster_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ var _ = Describe("kubebuilder", func() {

AfterEach(func() {
By("By removing restricted namespace label")
_ = kbc.RemoveNamespaceLabelToWarnAboutRestricted()
_ = kbc.RemoveNamespaceLabelToEnforceRestricted()

By("clean up API objects created during the test")
_ = kbc.Make("undeploy")
Expand Down Expand Up @@ -114,8 +114,8 @@ func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller, isToUseHelmChart,
err = kbc.CreateManagerNamespace()
ExpectWithOffset(1, err).NotTo(HaveOccurred())

By("labeling all namespaces to warn about restricted")
err = kbc.LabelNamespacesToWarnAboutRestricted()
By("labeling the namespace to enforce the restricted security policy")
err = kbc.LabelNamespacesToEnforceRestricted()
ExpectWithOffset(1, err).NotTo(HaveOccurred())

By("updating the go.mod")
Expand Down Expand Up @@ -581,10 +581,30 @@ func cmdOptsToCreateCurlPod(kbc *utils.TestContext, token string) []string {
"run", "curl",
"--restart=Never",
"--namespace", kbc.Kubectl.Namespace,
"--image=curlimages/curl:7.78.0",
"--",
"/bin/sh", "-c", fmt.Sprintf("curl -v -k -H 'Authorization: Bearer %s' https://e2e-%s-controller-manager-metrics-service.%s.svc.cluster.local:8443/metrics",
token, kbc.TestSuffix, kbc.Kubectl.Namespace),
"--image=curlimages/curl:latest",
"--overrides",
fmt.Sprintf(`{
"spec": {
"containers": [{
"name": "curl",
"image": "curlimages/curl:latest",
"command": ["/bin/sh", "-c"],
"args": ["curl -v -k -H 'Authorization: Bearer %s' https://e2e-%s-controller-manager-metrics-service.%s.svc.cluster.local:8443/metrics"],
"securityContext": {
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": ["ALL"]
},
"runAsNonRoot": true,
"runAsUser": 1000,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
}],
"serviceAccount": "%s"
}
}`, token, kbc.TestSuffix, kbc.Kubectl.Namespace, kbc.Kubectl.ServiceAccount),
}
return cmdOpts
}
Expand Down
37 changes: 32 additions & 5 deletions testdata/project-v4-multigroup/test/e2e/e2e_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -46,13 +46,20 @@ var _ = Describe("Manager", Ordered, func() {
var controllerPodName string

// Before running the tests, set up the environment by creating the namespace,
// installing CRDs, and deploying the controller.
// enforce the restricted security policy to the namespace, installing CRDs,
// and deploying the controller.
BeforeAll(func() {
By("creating manager namespace")
cmd := exec.Command("kubectl", "create", "ns", namespace)
_, err := utils.Run(cmd)
Expect(err).NotTo(HaveOccurred(), "Failed to create namespace")

By("labeling the namespace to enforce the restricted security policy")
cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace,
"pod-security.kubernetes.io/enforce=restricted")
_, err = utils.Run(cmd)
Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy")

By("installing CRDs")
cmd = exec.Command("make", "install")
_, err = utils.Run(cmd)
Expand Down Expand Up @@ -209,10 +216,30 @@ var _ = Describe("Manager", Ordered, func() {
By("creating the curl-metrics pod to access the metrics endpoint")
cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never",
"--namespace", namespace,
"--image=curlimages/curl:7.78.0",
"--", "/bin/sh", "-c", fmt.Sprintf(
"curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics",
token, metricsServiceName, namespace))
"--image=curlimages/curl:latest",
"--overrides",
fmt.Sprintf(`{
"spec": {
"containers": [{
"name": "curl",
"image": "curlimages/curl:latest",
"command": ["/bin/sh", "-c"],
"args": ["curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics"],
"securityContext": {
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": ["ALL"]
},
"runAsNonRoot": true,
"runAsUser": 1000,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
}],
"serviceAccount": "%s"
}
}`, token, metricsServiceName, namespace, serviceAccountName))
_, err = utils.Run(cmd)
Expect(err).NotTo(HaveOccurred(), "Failed to create curl-metrics pod")

Expand Down
Loading

0 comments on commit 0c45cf3

Please sign in to comment.