diff --git a/test/e2e/v3/generate_test.go b/test/e2e/v3/generate_test.go
index 02bcea9123d..4066fe8d182 100644
--- a/test/e2e/v3/generate_test.go
+++ b/test/e2e/v3/generate_test.go
@@ -130,7 +130,7 @@ Count int `+"`"+`json:"count,omitempty"`+"`"+`
 }
 // GenerateV3 implements a go/v3(-alpha) plugin project defined by a TestContext.
-func GenerateV3(kbc *utils.TestContext, crdAndWebhookVersion string) {
+func GenerateV3(kbc *utils.TestContext, crdAndWebhookVersion string, restrictive bool) {
 var err error
 By("initializing a project")
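Review bot: The new `restrictive` parameter of GenerateV3 is not described in the doc comment directly above the signature, and the same gap applies to GenerateV3WithKustomizeV2 later in this file. Suggest keeping the existing first line and adding `// When restrictive is true, the scaffolded manager manifests are edited so the manager Pod drops all capabilities and uses the RuntimeDefault seccomp profile.` so a reader of the test helper knows what the flag changes without reading uncommentPodStandards. The body of GenerateV3 continues outside the hunk.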
@@ -228,10 +228,52 @@ Count int `+"`"+`json:"count,omitempty"`+"`"+`
 if crdAndWebhookVersion == "v1beta1" {
 _ = pluginutil.RunCmd("Update dependencies", "go", "mod", "tidy")
 }
+
+ if restrictive {
+ By("uncomment kustomize files to ensure that pods are restricted")
+ uncommentPodStandards(kbc)
+ }
+}
+
+func uncommentPodStandards(kbc *utils.TestContext) {
+ configManager := filepath.Join(kbc.Dir, "config", "manager", "manager.yaml")
+ managerAuth := filepath.Join(kbc.Dir, "config", "default", "manager_auth_proxy_patch.yaml")
+
+ //nolint:lll
+ if err := pluginutil.ReplaceInFile(configManager, `# TODO(user): uncomment for common cases that do not require escalating privileges
+ # capabilities:
+ # drop:
+ # - "ALL"`, ` capabilities:
+ drop:
+ - "ALL"`); err != nil {
+ ExpectWithOffset(1, err).NotTo(HaveOccurred())
+ }
+
+ //nolint:lll
+ if err := pluginutil.ReplaceInFile(managerAuth, `# TODO(user): uncomment for common cases that do not require escalating privileges
+ # capabilities:
+ # drop:
+ # - "ALL"`, ` capabilities:
+ drop:
+ - "ALL"`); err != nil {
+ ExpectWithOffset(1, err).NotTo(HaveOccurred())
+ }
+
+ //nolint:lll
+ if err := pluginutil.ReplaceInFile(configManager, `# TODO(user): For common cases that do not require escalating privileges
+ # it is recommended to ensure that all your Pods/Containers are restrictive.
+ # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+ # Please uncomment the following code if your project does NOT have to work on old Kubernetes
+ # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
+ # seccompProfile:
+ # type: RuntimeDefault`, `seccompProfile:
+ type: RuntimeDefault`); err == nil {
+ ExpectWithOffset(1, err).NotTo(HaveOccurred())
+ }
 }
 // GenerateV3 implements a go/v3(-alpha) plugin project defined by a TestContext.
-func GenerateV3WithKustomizeV2(kbc *utils.TestContext, crdAndWebhookVersion string) {
+func GenerateV3WithKustomizeV2(kbc *utils.TestContext, crdAndWebhookVersion string, restrictive bool) {
 var err error
 By("initializing a project")
diff --git a/test/e2e/v3/plugin_cluster_test.go b/test/e2e/v3/plugin_cluster_test.go
index 2adb075ba30..f6aba1d1e6a 100644
--- a/test/e2e/v3/plugin_cluster_test.go
+++ b/test/e2e/v3/plugin_cluster_test.go
@@ -127,7 +127,7 @@ var _ = Describe("kubebuilder", func() {
 "and securityContext.seccompProfile", srvVer.GitVersion))
 }
- GenerateV3(kbc, "v1")
+ GenerateV3(kbc, "v1", false)
 Run(kbc)
 })
 It("should generate a runnable project with the golang base plugin v3 and kustomize v4-alpha", func() {
@@ -139,7 +139,7 @@ var _ = Describe("kubebuilder", func() {
 "and securityContext.seccompProfile", srvVer.GitVersion))
 }
- GenerateV3WithKustomizeV2(kbc, "v1")
+ GenerateV3WithKustomizeV2(kbc, "v1", false)
 Run(kbc)
 })
 It("should generate a runnable project with v1beta1 CRDs and Webhooks", func() {
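Review bot: The third `pluginutil.ReplaceInFile` call in `uncommentPodStandards` (the seccompProfile replacement) tests `err == nil` where the two calls above it test `err != nil`, so a failed replacement is silently dropped and the assertion only runs on a nil error, where it cannot fail. Since this function is the only thing that distinguishes the new restricted-pods e2e variants from the default ones, a template drift that breaks the match would leave those tests running against an unmodified manager.yaml and still passing, which defeats the assurance they are meant to give about the scaffold working under the restricted Pod Security Standard. The minimal fix is the last line of that call, `type: RuntimeDefault`); err != nil {`; more simply, all three wrappers can become `ExpectWithOffset(1, pluginutil.ReplaceInFile(...)).To(Succeed())`, which reports the failure without a conditional that can be inverted. The seccompProfile edit is applied only to config/manager/manager.yaml while the capabilities edit is also applied to manager_auth_proxy_patch.yaml; if that asymmetry is intentional, a one-line comment saying why would prevent a later "fix" that re-adds it.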
@@ -153,7 +153,47 @@ var _ = Describe("kubebuilder", func() {
 "and securityContext.seccompProfile", srvVer.GitVersion))
 }
- GenerateV3(kbc, "v1beta1")
+ GenerateV3(kbc, "v1beta1", false)
+ Run(kbc)
+ })
+
+ It("should generate a runnable project go/v3 with v1 CRDs and Webhooks with restricted pods", func() {
+ // Skip if cluster version < 1.16, when v1 CRDs and webhooks did not exist.
+ // Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19
+ // Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced
+ if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 19 {
+ Skip(fmt.Sprintf("cluster version %s does not support v1 CRDs or webhooks"+
+ "and securityContext.seccompProfile", srvVer.GitVersion))
+ }
+
+ GenerateV3(kbc, "v1", true)
+ Run(kbc)
+ })
+ It("should generate a runnable project with the golang base plugin v3 and kustomize v4-alpha"+
+ " with restricted pods", func() {
+ // Skip if cluster version < 1.16, when v1 CRDs and webhooks did not exist.
+ // Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19
+ // Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced
+ if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 19 {
+ Skip(fmt.Sprintf("cluster version %s does not support v1 CRDs or webhooks "+
+ "and securityContext.seccompProfile", srvVer.GitVersion))
+ }
+
+ GenerateV3WithKustomizeV2(kbc, "v1", true)
+ Run(kbc)
+ })
+ It("should generate a runnable project with v1beta1 CRDs and Webhooks with restricted pods", func() {
+ // Skip if cluster version < 1.15, when `.spec.preserveUnknownFields` was not a v1beta1 CRD field.
+ // Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19
+ // Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced
+ // Skip if cluster version >= 1.22 because pre v1 CRDs and webhooks no longer exist.
+ if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 19 ||
+ srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() >= 22 {
+ Skip(fmt.Sprintf("cluster version %s does not support project defaults "+
+ "and securityContext.seccompProfile", srvVer.GitVersion))
+ }
+
+ GenerateV3(kbc, "v1beta1", true)
 Run(kbc)
 })
 })
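Review bot: In the first new It block ("go/v3 with v1 CRDs and Webhooks with restricted pods") the Skip message is built from `"... v1 CRDs or webhooks"+` followed by `"and securityContext..."`, which renders as "webhooksand"; the sibling blocks in this hunk use `"webhooks "+`, so the first should read `Skip(fmt.Sprintf("cluster version %s does not support v1 CRDs or webhooks "+`. The version guard and its three comment lines are now repeated verbatim across the new blocks (and the existing ones above); pulling them into a small helper such as `skipIfSeccompUnsupported(kbc)` would keep the threshold in one place when it next changes. In the v1beta1 block the combined condition relies on `&&` binding tighter than `||`, which is correct but easier to read as `(srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 19) || (srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() >= 22)`. The enclosing Describe block starts outside the hunk.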