From 9db5ded1e76c600af9c56b8b8b7edd1b780edbc7 Mon Sep 17 00:00:00 2001
From: Itzik Brown
Date: Wed, 15 Feb 2023 17:33:17 +0200
Subject: [PATCH] Setting security context for kuryr demo pod
Otherwise for k8s >= 1.26 it fails with: kuryr-pod-1568568478 is forbidden: violates PodSecurity
Change-Id: I5593c78b6809b945fa690c723525bc8b6473c58f
Depends-On: I7a51b3553a17c21160f76e527a61ef829610a888
---
 kuryr_tempest_plugin/config.py | 3 +++
 kuryr_tempest_plugin/tests/scenario/base.py | 26 ++++++++++++++++-----
 2 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/kuryr_tempest_plugin/config.py b/kuryr_tempest_plugin/config.py
index 05f5ec70..0bc6e2a7 100644
--- a/kuryr_tempest_plugin/config.py
+++ b/kuryr_tempest_plugin/config.py
@@ -118,5 +118,8 @@ kuryr_k8s_opts = [
 cfg.BoolOpt("annotation_project_driver", default=False,
 help="Whether or not annotation project tests will be "
 "running"),
+ cfg.BoolOpt("set_pod_security_context", default=False,
+ help="Whether or not to set security context for Kuryr demo "
+ "pods"),
 ]
diff --git a/kuryr_tempest_plugin/tests/scenario/base.py b/kuryr_tempest_plugin/tests/scenario/base.py
index cac1fec5..dbe687fc 100644
--- a/kuryr_tempest_plugin/tests/scenario/base.py
+++ b/kuryr_tempest_plugin/tests/scenario/base.py
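Review bot: The help string added for `set_pod_security_context` in config.py does not tell an operator when the option is needed, and with `default=False` a cluster that rejects the demo pod with `violates PodSecurity` (the case the commit message describes) keeps failing until someone discovers this option. Suggest stating the purpose in the help text, e.g. `help="Whether or not to set a restricted-profile security context for Kuryr demo pods; needed on clusters that enforce Pod Security admission"`. The option list `kuryr_k8s_opts` starts outside the hunk.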
@@ -167,17 +167,31 @@ class BaseKuryrScenarioTest(manager.NetworkScenarioTest):
 @classmethod
 def create_pod(cls, name=None, labels=None, image='quay.io/kuryr/demo',
 namespace="default", annotations=None, wait_for_status=True,
- affinity=None):
+ affinity=None, pod_security=True):
 if not name:
 name = data_utils.rand_name(prefix='kuryr-pod')
 pod = cls.k8s_client.V1Pod()
 pod.metadata = cls.k8s_client.V1ObjectMeta(name=name, labels=labels,
 annotations=annotations)
- container = kubernetes.client.V1Container(
- name=name, image=image, image_pull_policy='IfNotPresent')
+ security_context = None
+ security_context_container = None
- spec = cls.k8s_client.V1PodSpec(containers=[container])
+ if CONF.kuryr_kubernetes.set_pod_security_context and pod_security:
+ seccomp_profile = cls.k8s_client.V1SeccompProfile(
+ type='RuntimeDefault')
+ capabilities = cls.k8s_client.V1Capabilities(
+ drop=['ALL'], add=["NET_BIND_SERVICE"])
+ security_context_container = cls.k8s_client.V1SecurityContext(
+ allow_privilege_escalation=False, capabilities=capabilities)
+ security_context = cls.k8s_client.V1PodSecurityContext(
+ run_as_non_root=True, seccomp_profile=seccomp_profile)
+ container = kubernetes.client.V1Container(
+ name=name, image=image,
+ image_pull_policy='IfNotPresent',
+ security_context=security_context_container)
+ spec = cls.k8s_client.V1PodSpec(containers=[container],
+ security_context=security_context)
 pod.spec = spec
 pod.spec.affinity = affinity
@@ -785,7 +799,7 @@ class BaseKuryrScenarioTest(manager.NetworkScenarioTest):
 if protocol == "SCTP":
 pod_name, pod = cls.create_pod(
 labels={"app": label}, image='quay.io/kuryr/sctp-demo',
- namespace=namespace)
+ namespace=namespace, pod_security=False)
 else:
 pod_name, pod = cls.create_pod(
 labels={"app": label}, namespace=namespace)
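Review bot: `run_as_non_root=True` in the new V1PodSecurityContext is checked by the kubelet at container start, not by admission, so if the image does not declare a non-root USER the pod passes PodSecurity but then sits in CreateContainerConfigError; the hunk sets no `run_as_user`, so it presumably relies on quay.io/kuryr/demo being built to run unprivileged, which is worth confirming and stating. The restricted settings and the new `pod_security` parameter are undocumented; suggest a comment above the `if CONF.kuryr_kubernetes.set_pod_security_context and pod_security:` line such as `# Restricted PodSecurity profile: non-root, no privilege escalation, RuntimeDefault seccomp, all capabilities dropped except NET_BIND_SERVICE; needs an image with a non-root USER.` and a docstring line for `pod_security` saying it lets a caller opt a pod out of this context even when the option is set. Mixing `kubernetes.client.V1Container(` with the `cls.k8s_client.*` constructors used for every new object is inconsistent; `cls.k8s_client.V1Container(` would match. create_pod's body continues past the hunk.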
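Review bot: Passing `pod_security=False` for the sctp-demo pod here, and in the matching hunk at line 1465, re-creates the failure this change fixes: on a cluster enforcing the restricted PodSecurity level the SCTP pod is still created with no security context and is rejected with `violates PodSecurity`, so the SCTP tests fail precisely when `set_pod_security_context` is needed, unless their namespace carries a laxer enforcement label (not visible here). Nothing in the hunk says why the sctp-demo image is exempted (presumably it needs privileges the restricted context drops); suggest a comment on the SCTP branch, e.g. `# sctp-demo runs without the restricted security context (see create_pod); this only works in namespaces not enforcing the restricted PodSecurity level.` The enclosing function starts and ends outside the hunk.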
@@ -1465,7 +1479,7 @@ class BaseKuryrScenarioTest(manager.NetworkScenarioTest):
 if protocol == "SCTP":
 pod_name, _ = self.create_pod(
 labels=labels, image='quay.io/kuryr/sctp-demo',
- namespace=namespace)
+ namespace=namespace, pod_security=False)
 else:
 pod_name, _ = self.create_pod(
 namespace=namespace, labels=labels)