diff --git a/acceptance/framework/connhelper/connect_helper.go b/acceptance/framework/connhelper/connect_helper.go
index dc0bf9d402..b673ab7e86 100644
--- a/acceptance/framework/connhelper/connect_helper.go
+++ b/acceptance/framework/connhelper/connect_helper.go
@@ -141,11 +141,11 @@ func (c *ConnectHelper) DeployClientAndServer(t *testing.T) {
 			k8s.DeployKustomize(t, opts, c.Cfg.NoCleanupOnFailure, c.Cfg.DebugDirectory, "../fixtures/cases/static-client-openshift-inject")
 		}
 	} else {
-		k8s.DeployKustomize(t, c.Ctx.KubectlOptions(t), c.Cfg.NoCleanupOnFailure, c.Cfg.DebugDirectory, "../fixtures/cases/static-server-inject")
+		k8s.DeployKustomize(t, opts, c.Cfg.NoCleanupOnFailure, c.Cfg.DebugDirectory, "../fixtures/cases/static-server-inject")
 		if c.Cfg.EnableTransparentProxy {
-			k8s.DeployKustomize(t, c.Ctx.KubectlOptions(t), c.Cfg.NoCleanupOnFailure, c.Cfg.DebugDirectory, "../fixtures/cases/static-client-tproxy")
+			k8s.DeployKustomize(t, opts, c.Cfg.NoCleanupOnFailure, c.Cfg.DebugDirectory, "../fixtures/cases/static-client-tproxy")
 		} else {
-			k8s.DeployKustomize(t, c.Ctx.KubectlOptions(t), c.Cfg.NoCleanupOnFailure, c.Cfg.DebugDirectory, "../fixtures/cases/static-client-inject")
+			k8s.DeployKustomize(t, opts, c.Cfg.NoCleanupOnFailure, c.Cfg.DebugDirectory, "../fixtures/cases/static-client-inject")
 		}
 	}
 	// Check that both static-server and static-client have been injected and
diff --git a/acceptance/framework/consul/helm_cluster.go b/acceptance/framework/consul/helm_cluster.go
index 3f4d31173d..cbd5e44fb8 100644
--- a/acceptance/framework/consul/helm_cluster.go
+++ b/acceptance/framework/consul/helm_cluster.go
@@ -54,6 +54,10 @@ func NewHelmCluster(
 	cfg *config.TestConfig,
 	releaseName string,
 ) *HelmCluster {
+	if cfg.EnableRestrictedPSAEnforcement {
+		configureNamespace(t, ctx.KubernetesClient(t), cfg, ctx.KubectlOptions(t).Namespace)
+	}
+
 	if cfg.EnablePodSecurityPolicies {
 		configurePodSecurityPolicies(t, ctx.KubernetesClient(t), cfg, ctx.KubectlOptions(t).Namespace)
 	}
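Review bot: The three deployments in the non-OpenShift branch now target the namespace carried by `opts` instead of `c.Ctx.KubectlOptions(t)`, but the injection check announced by the last context line (`// Check that both static-server and static-client have been injected and`) lies outside the hunk and is not updated here. If that check still queries `c.Ctx.KubectlOptions(t)`, it will look for the pods in the Consul namespace rather than the one they were deployed into, which presumably differs when `-apps` namespaces are in use; worth confirming it reads the same `opts`. Note that `opts` is built before the hunk starts, so DeployClientAndServer extends beyond this hunk on both sides.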
@@ -467,6 +471,35 @@ func createOrUpdateLicenseSecret(t *testing.T, client kubernetes.Interface, cfg
 	CreateK8sSecret(t, client, cfg, namespace, config.LicenseSecretName, config.LicenseSecretKey, cfg.EnterpriseLicense)
 }
 
+func configureNamespace(t *testing.T, client kubernetes.Interface, cfg *config.TestConfig, namespace string) {
+	ctx := context.Background()
+
+	ns := &corev1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   namespace,
+			Labels: map[string]string{},
+		},
+	}
+	if cfg.EnableRestrictedPSAEnforcement {
+		ns.ObjectMeta.Labels["pod-security.kubernetes.io/enforce"] = "restricted"
+		ns.ObjectMeta.Labels["pod-security.kubernetes.io/enforce-version"] = "latest"
+	}
+
+	_, createErr := client.CoreV1().Namespaces().Create(ctx, ns, metav1.CreateOptions{})
+	if createErr == nil {
+		logger.Logf(t, "Created namespace %s", namespace)
+		return
+	}
+
+	_, updateErr := client.CoreV1().Namespaces().Update(ctx, ns, metav1.UpdateOptions{})
+	if updateErr == nil {
+		logger.Logf(t, "Updated namespace %s", namespace)
+		return
+	}
+
+	require.Failf(t, "Failed to create or update namespace", "Namespace=%s, CreateError=%s, UpdateError=%s", namespace, createErr, updateErr)
+}
+
 // configureSCCs creates RoleBindings that bind the default service account to cluster roles
 // allowing access to the anyuid and privileged Security Context Constraints on OpenShift.
 func configureSCCs(t *testing.T, client kubernetes.Interface, cfg *config.TestConfig, namespace string) {
diff --git a/acceptance/framework/flags/flags.go b/acceptance/framework/flags/flags.go
index 3e9b733047..1cca528e05 100644
--- a/acceptance/framework/flags/flags.go
+++ b/acceptance/framework/flags/flags.go
@@ -107,13 +107,13 @@ func (t *TestFlags) init() {
 	flag.BoolVar(&t.flagEnableCNI, "enable-cni", false,
 		"If true, the test suite will run tests with consul-cni plugin enabled. "+
 			"In general, this will only run against tests that are mesh related (connect, mesh-gateway, peering, etc")
+
 	flag.BoolVar(&t.flagEnableRestrictedPSAEnforcement, "enable-restricted-psa-enforcement", false,
-		"If true, this indicates that Consul is being run in a namespace with restricted PSA enforcement enabled. "+
-			"The tests do not configure Consul's namespace with PSA enforcement enabled. This must configured before tests are run. "+
-			"The CNI and test applications need more privilege than is allowed in a restricted namespace. "+
-			"When set, the CNI will be deployed into the kube-system namespace, and in supported test cases, applications "+
-			"are deployed, by default, into a namespace named '-apps' instead of being deployed into the "+
-			"Consul namespace.")
+		"If true, deploy Consul into a namespace with restricted PSA enforcement enabled. "+
+			"The Consul namespaces (-kube-namespaces) will be configured with restricted PSA enforcement. "+
+			"The CNI and test applications are deployed in different namespaces because they need more privilege than is allowed in a restricted namespace. "+
+			"The CNI will be deployed into the kube-system namespace, which is a privileged namespace that should always exist. "+
+			"Test applications are deployed, by default, into a namespace named '-apps' instead of the Consul namespace.")
 
 	flag.BoolVar(&t.flagEnableTransparentProxy, "enable-transparent-proxy", false,
 		"If true, the test suite will run tests with transparent proxy enabled. "+