Setting security context for kuryr demo pod

Otherwise, on k8s >= 1.26 pod creation fails with:
kuryr-pod-1568568478 is forbidden: violates PodSecurity

Change-Id: I5593c78b6809b945fa690c723525bc8b6473c58f
Depends-On: I7a51b3553a17c21160f76e527a61ef829610a888
Itzik Brown 2023-02-15 17:33:17 +02:00
parent 3acaa0062a
commit 9db5ded1e7
2 changed files with 23 additions and 6 deletions


@ -118,5 +118,8 @@ kuryr_k8s_opts = [
cfg.BoolOpt("annotation_project_driver", default=False, cfg.BoolOpt("annotation_project_driver", default=False,
help="Whether or not annotation project tests will be " help="Whether or not annotation project tests will be "
"running"), "running"),
cfg.BoolOpt("set_pod_security_context", default=False,
help="Whether or not to set security context for Kuryr demo "
"pods"),
] ]
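Review bot: The help text of the new `set_pod_security_context` option says neither what context is applied nor why a deployer would need it, so an operator cannot tell from the config reference when to enable it. Judging from the companion change on this page, enabling it sets runAsNonRoot, a RuntimeDefault seccomp profile, allowPrivilegeEscalation=False and drops all capabilities except NET_BIND_SERVICE, which looks like the PodSecurity "restricted" profile that is enforced by default on k8s >= 1.26. Suggest `help="Whether or not to set a restricted security context (runAsNonRoot, RuntimeDefault seccomp, no privilege escalation, all capabilities dropped) on Kuryr demo pods; needed where PodSecurity admission is enforced (k8s >= 1.26)"`. Note that with `default=False` the tests keep creating unhardened pods unless a deployer opts in, which is worth stating explicitly in the help string.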


@ -167,17 +167,31 @@ class BaseKuryrScenarioTest(manager.NetworkScenarioTest):
@classmethod @classmethod
def create_pod(cls, name=None, labels=None, image='quay.io/kuryr/demo', def create_pod(cls, name=None, labels=None, image='quay.io/kuryr/demo',
namespace="default", annotations=None, wait_for_status=True, namespace="default", annotations=None, wait_for_status=True,
affinity=None): affinity=None, pod_security=True):
if not name: if not name:
name = data_utils.rand_name(prefix='kuryr-pod') name = data_utils.rand_name(prefix='kuryr-pod')
pod = cls.k8s_client.V1Pod() pod = cls.k8s_client.V1Pod()
pod.metadata = cls.k8s_client.V1ObjectMeta(name=name, labels=labels, pod.metadata = cls.k8s_client.V1ObjectMeta(name=name, labels=labels,
annotations=annotations) annotations=annotations)
container = kubernetes.client.V1Container( security_context = None
name=name, image=image, image_pull_policy='IfNotPresent') security_context_container = None
spec = cls.k8s_client.V1PodSpec(containers=[container]) if CONF.kuryr_kubernetes.set_pod_security_context and pod_security:
seccomp_profile = cls.k8s_client.V1SeccompProfile(
type='RuntimeDefault')
capabilities = cls.k8s_client.V1Capabilities(
drop=['ALL'], add=["NET_BIND_SERVICE"])
security_context_container = cls.k8s_client.V1SecurityContext(
allow_privilege_escalation=False, capabilities=capabilities)
security_context = cls.k8s_client.V1PodSecurityContext(
run_as_non_root=True, seccomp_profile=seccomp_profile)
container = kubernetes.client.V1Container(
name=name, image=image,
image_pull_policy='IfNotPresent',
security_context=security_context_container)
spec = cls.k8s_client.V1PodSpec(containers=[container],
security_context=security_context)
pod.spec = spec pod.spec = spec
pod.spec.affinity = affinity pod.spec.affinity = affinity
@ -785,7 +799,7 @@ class BaseKuryrScenarioTest(manager.NetworkScenarioTest):
if protocol == "SCTP": if protocol == "SCTP":
pod_name, pod = cls.create_pod( pod_name, pod = cls.create_pod(
labels={"app": label}, image='quay.io/kuryr/sctp-demo', labels={"app": label}, image='quay.io/kuryr/sctp-demo',
namespace=namespace) namespace=namespace, pod_security=False)
else: else:
pod_name, pod = cls.create_pod( pod_name, pod = cls.create_pod(
labels={"app": label}, namespace=namespace) labels={"app": label}, namespace=namespace)
@ -1465,7 +1479,7 @@ class BaseKuryrScenarioTest(manager.NetworkScenarioTest):
if protocol == "SCTP": if protocol == "SCTP":
pod_name, _ = self.create_pod( pod_name, _ = self.create_pod(
labels=labels, image='quay.io/kuryr/sctp-demo', labels=labels, image='quay.io/kuryr/sctp-demo',
namespace=namespace) namespace=namespace, pod_security=False)
else: else:
pod_name, _ = self.create_pod( pod_name, _ = self.create_pod(
namespace=namespace, labels=labels) namespace=namespace, labels=labels)
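Review bot: Passing `pod_security=False` at both SCTP call sites means the `quay.io/kuryr/sctp-demo` pods get no security context at all, so on a k8s >= 1.26 cluster with PodSecurity enforced they should still be rejected with the same "violates PodSecurity" error this commit sets out to fix; the change neither explains why the SCTP image is exempted nor skips the SCTP tests when `set_pod_security_context` is enabled. If that image cannot run under the restricted context, a comment such as `# sctp-demo cannot satisfy PodSecurity restricted; skipped under enforcement` next to the call plus a skip guard on the config flag would make the gap explicit instead of silent. Separately, in the create_pod hunk `run_as_non_root=True` is set without `run_as_user`, so the kubelet is expected to refuse to start the container if the `quay.io/kuryr/demo` image does not declare a non-root USER — presumably guaranteed by the Depends-On change, but worth a one-line comment where the pod security context is built. The body of create_pod continues past the end of that hunk.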