Merge pull request #2732 from camilamacedo86/test-improvements

🌱 : e2e test: do tests with restricted pods
kubernetes-sigs · Jun 20, 2022 · dcc5bb4 · dcc5bb4
2 parents 8ec681a + 793161d
commit dcc5bb4
Show file tree

Hide file tree

Showing 2 changed files with 82 additions and 7 deletions.
diff --git a/test/e2e/v3/generate_test.go b/test/e2e/v3/generate_test.go
@@ -130,7 +130,7 @@ Count int `+"`"+`json:"count,omitempty"`+"`"+`
 }
 
 // GenerateV3 implements a go/v3(-alpha) plugin project defined by a TestContext.
-func GenerateV3(kbc *utils.TestContext, crdAndWebhookVersion string) {
+func GenerateV3(kbc *utils.TestContext, crdAndWebhookVersion string, restrictive bool) {
 	var err error
 
 	By("initializing a project")
@@ -228,10 +228,52 @@ Count int `+"`"+`json:"count,omitempty"`+"`"+`
 	if crdAndWebhookVersion == "v1beta1" {
 		_ = pluginutil.RunCmd("Update dependencies", "go", "mod", "tidy")
 	}
+
+	if restrictive {
+		By("uncomment kustomize files to ensure that pods are restricted")
+		uncommentPodStandards(kbc)
+	}
+}
+
+func uncommentPodStandards(kbc *utils.TestContext) {
+	configManager := filepath.Join(kbc.Dir, "config", "manager", "manager.yaml")
+	managerAuth := filepath.Join(kbc.Dir, "config", "default", "manager_auth_proxy_patch.yaml")
+
+	//nolint:lll
+	if err := pluginutil.ReplaceInFile(configManager, `# TODO(user): uncomment for common cases that do not require escalating privileges
+        # capabilities:
+        #   drop:
+        #     - "ALL"`, `  capabilities:
+            drop:
+              - "ALL"`); err != nil {
+		ExpectWithOffset(1, err).NotTo(HaveOccurred())
+	}
+
+	//nolint:lll
+	if err := pluginutil.ReplaceInFile(managerAuth, `# TODO(user): uncomment for common cases that do not require escalating privileges
+        # capabilities:
+        #   drop:
+        #     - "ALL"`, `  capabilities:
+            drop:
+              - "ALL"`); err != nil {
+		ExpectWithOffset(1, err).NotTo(HaveOccurred())
+	}
+
+	//nolint:lll
+	if err := pluginutil.ReplaceInFile(configManager, `# TODO(user): For common cases that do not require escalating privileges
+        # it is recommended to ensure that all your Pods/Containers are restrictive.
+        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+        # Please uncomment the following code if your project does NOT have to work on old Kubernetes
+        # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
+        # seccompProfile:
+        #   type: RuntimeDefault`, `seccompProfile:
+          type: RuntimeDefault`); err == nil {
+		ExpectWithOffset(1, err).NotTo(HaveOccurred())
+	}
 }
 
 // GenerateV3 implements a go/v3(-alpha) plugin project defined by a TestContext.
-func GenerateV3WithKustomizeV2(kbc *utils.TestContext, crdAndWebhookVersion string) {
+func GenerateV3WithKustomizeV2(kbc *utils.TestContext, crdAndWebhookVersion string, restrictive bool) {
 	var err error
 
 	By("initializing a project")

diff --git a/test/e2e/v3/plugin_cluster_test.go b/test/e2e/v3/plugin_cluster_test.go
@@ -119,6 +119,38 @@ var _ = Describe("kubebuilder", func() {
 			})
 
 			It("should generate a runnable project go/v3 with v1 CRDs and Webhooks", func() {
+				// Skip if cluster version < 1.16, when v1 CRDs and webhooks did not exist.
+				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 16 {
+					Skip(fmt.Sprintf("cluster version %s does not support v1 CRDs or webhooks",
+						srvVer.GitVersion))
+				}
+
+				GenerateV3(kbc, "v1", false)
+				Run(kbc)
+			})
+			It("should generate a runnable project with the golang base plugin v3 and kustomize v4-alpha", func() {
+				// Skip if cluster version < 1.16, when v1 CRDs and webhooks did not exist.
+				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 16 {
+					Skip(fmt.Sprintf("cluster version %s does not support v1 CRDs or webhooks",
+						srvVer.GitVersion))
+				}
+				GenerateV3WithKustomizeV2(kbc, "v1", false)
+				Run(kbc)
+			})
+			It("should generate a runnable project with v1beta1 CRDs and Webhooks", func() {
+				// Skip if cluster version < 1.15, when `.spec.preserveUnknownFields` was not a v1beta1 CRD field.
+				// Skip if cluster version >= 1.22 because pre v1 CRDs and webhooks no longer exist.
+				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 15 ||
+					srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() >= 22 {
+					Skip(fmt.Sprintf("cluster version %s does not support project defaults ",
+						srvVer.GitVersion))
+				}
+
+				GenerateV3(kbc, "v1beta1", false)
+				Run(kbc)
+			})
+
+			It("should generate a runnable project go/v3 with v1 CRDs and Webhooks with restricted pods", func() {
 				// Skip if cluster version < 1.16, when v1 CRDs and webhooks did not exist.
 				// Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19
 				// Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced
@@ -127,10 +159,11 @@ var _ = Describe("kubebuilder", func() {
 						"and securityContext.seccompProfile", srvVer.GitVersion))
 				}
 
-				GenerateV3(kbc, "v1")
+				GenerateV3(kbc, "v1", true)
 				Run(kbc)
 			})
-			It("should generate a runnable project with the golang base plugin v3 and kustomize v4-alpha", func() {
+			It("should generate a runnable project with the golang base plugin v3 and kustomize v4-alpha"+
+				" with restricted pods", func() {
 				// Skip if cluster version < 1.16, when v1 CRDs and webhooks did not exist.
 				// Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19
 				// Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced
@@ -139,10 +172,10 @@ var _ = Describe("kubebuilder", func() {
 						"and securityContext.seccompProfile", srvVer.GitVersion))
 				}
 
-				GenerateV3WithKustomizeV2(kbc, "v1")
+				GenerateV3WithKustomizeV2(kbc, "v1", true)
 				Run(kbc)
 			})
-			It("should generate a runnable project with v1beta1 CRDs and Webhooks", func() {
+			It("should generate a runnable project with v1beta1 CRDs and Webhooks with restricted pods", func() {
 				// Skip if cluster version < 1.15, when `.spec.preserveUnknownFields` was not a v1beta1 CRD field.
 				// Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19
 				// Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced
@@ -153,7 +186,7 @@ var _ = Describe("kubebuilder", func() {
 						"and securityContext.seccompProfile", srvVer.GitVersion))
 				}
 
-				GenerateV3(kbc, "v1beta1")
+				GenerateV3(kbc, "v1beta1", true)
 				Run(kbc)
 			})
 		})