🌱 : clean up and improve ci to test with Pod Standards restricted (in…

…crease the coverage)
kubernetes-sigs · Jun 16, 2022 · f0d128a · f0d128a
1 parent 0dbbf57
commit f0d128a
Show file tree

Hide file tree

Showing 2 changed files with 116 additions and 51 deletions.
diff --git a/test/e2e/v3/generate_test.go b/test/e2e/v3/generate_test.go
@@ -130,7 +130,7 @@ Count int `+"`"+`json:"count,omitempty"`+"`"+`
 }
 
 // GenerateV3 implements a go/v3(-alpha) plugin project defined by a TestContext.
-func GenerateV3(kbc *utils.TestContext, crdAndWebhookVersion string) {
+func GenerateV3(kbc *utils.TestContext, crdAndWebhookVersion string, restrictived bool) {
 	var err error
 
 	By("initializing a project")
@@ -182,56 +182,57 @@ Count int `+"`"+`json:"count,omitempty"`+"`"+`
 	ExpectWithOffset(1, err).NotTo(HaveOccurred())
 
 	By("uncomment kustomization.yaml to enable webhook and ca injection")
-	ExpectWithOffset(1, pluginutil.UncommentCode(
-		filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"),
-		"#- ../webhook", "#")).To(Succeed())
-	ExpectWithOffset(1, pluginutil.UncommentCode(
-		filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"),
-		"#- ../certmanager", "#")).To(Succeed())
-	ExpectWithOffset(1, pluginutil.UncommentCode(
-		filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"),
-		"#- ../prometheus", "#")).To(Succeed())
-	ExpectWithOffset(1, pluginutil.UncommentCode(
-		filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"),
-		"#- manager_webhook_patch.yaml", "#")).To(Succeed())
-	ExpectWithOffset(1, pluginutil.UncommentCode(
-		filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"),
-		"#- webhookcainjection_patch.yaml", "#")).To(Succeed())
-	ExpectWithOffset(1, pluginutil.UncommentCode(filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"),
-		`#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
-#  objref:
-#    kind: Certificate
-#    group: cert-manager.io
-#    version: v1
-#    name: serving-cert # this name should match the one in certificate.yaml
-#  fieldref:
-#    fieldpath: metadata.namespace
-#- name: CERTIFICATE_NAME
-#  objref:
-#    kind: Certificate
-#    group: cert-manager.io
-#    version: v1
-#    name: serving-cert # this name should match the one in certificate.yaml
-#- name: SERVICE_NAMESPACE # namespace of the service
-#  objref:
-#    kind: Service
-#    version: v1
-#    name: webhook-service
-#  fieldref:
-#    fieldpath: metadata.namespace
-#- name: SERVICE_NAME
-#  objref:
-#    kind: Service
-#    version: v1
-#    name: webhook-service`, "#")).To(Succeed())
+	unableKustomizeFeatures(kbc)
 
 	if crdAndWebhookVersion == "v1beta1" {
 		_ = pluginutil.RunCmd("Update dependencies", "go", "mod", "tidy")
 	}
+
+	if restrictived {
+		By("uncomment kustomize files to ensure that pods are restricted")
+		uncommentPodStandards(kbc)
+	}
+}
+
+func uncommentPodStandards(kbc *utils.TestContext) {
+	configManager := filepath.Join(kbc.Dir, "config", "manager", "manager.yaml")
+	managerAuth := filepath.Join(kbc.Dir, "config", "default", "manager_auth_proxy_patch.yaml")
+
+	//nolint:lll
+	if err := pluginutil.ReplaceInFile(configManager, `# TODO(user): uncomment for common cases that do not require escalating privileges
+        # capabilities:
+        #   drop:
+        #     - "ALL"`, `  capabilities:
+            drop:
+              - "ALL"`); err != nil {
+		ExpectWithOffset(1, err).NotTo(HaveOccurred())
+	}
+
+	//nolint:lll
+	if err := pluginutil.ReplaceInFile(managerAuth, `# TODO(user): uncomment for common cases that do not require escalating privileges
+        # capabilities:
+        #   drop:
+        #     - "ALL"`, `  capabilities:
+            drop:
+              - "ALL"`); err != nil {
+		ExpectWithOffset(1, err).NotTo(HaveOccurred())
+	}
+
+	//nolint:lll
+	if err := pluginutil.ReplaceInFile(configManager, `# TODO(user): For common cases that do not require escalating privileges
+        # it is recommended to ensure that all your Pods/Containers are restrictive.
+        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+        # Please uncomment the following code if your project does NOT have to work on old Kubernetes
+        # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
+        # seccompProfile:
+        #   type: RuntimeDefault`, `seccompProfile:
+          type: RuntimeDefault`); err == nil {
+		ExpectWithOffset(1, err).NotTo(HaveOccurred())
+	}
 }
 
 // GenerateV3 implements a go/v3(-alpha) plugin project defined by a TestContext.
-func GenerateV3WithKustomizeV2(kbc *utils.TestContext, crdAndWebhookVersion string) {
+func GenerateV3WithKustomizeV2(kbc *utils.TestContext, crdAndWebhookVersion string, restrictived bool) {
 	var err error
 
 	By("initializing a project")
@@ -283,6 +284,16 @@ Count int `+"`"+`json:"count,omitempty"`+"`"+`
 	ExpectWithOffset(1, err).NotTo(HaveOccurred())
 
 	By("uncomment kustomization.yaml to enable webhook and ca injection")
+	unableKustomizeFeatures(kbc)
+
+	if restrictived {
+		By("uncomment kustomize files to ensure that pods are restricted")
+		uncommentPodStandards(kbc)
+	}
+
+}
+
+func unableKustomizeFeatures(kbc *utils.TestContext) {
 	ExpectWithOffset(1, pluginutil.UncommentCode(
 		filepath.Join(kbc.Dir, "config", "default", "kustomization.yaml"),
 		"#- ../webhook", "#")).To(Succeed())
@@ -396,5 +407,4 @@ Count int `+"`"+`json:"count,omitempty"`+"`"+`
 #          delimiter: '.'
 #          index: 1
 #          create: true`, "#")).To(Succeed())
-
 }
diff --git a/test/e2e/v3/plugin_cluster_test.go b/test/e2e/v3/plugin_cluster_test.go
@@ -109,7 +109,7 @@ var _ = Describe("kubebuilder", func() {
 				kbc.UninstallCertManager(false)
 			})
 
-			It("should generate a runnable project go/v3 with v1 CRDs and Webhooks", func() {
+			It("should generate a runnable project go/v3 with v1 CRDs and Webhooks with restricted pods", func() {
 				// Skip if cluster version < 1.16, when v1 CRDs and webhooks did not exist.
 				// Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19
 				// Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced
@@ -118,7 +118,7 @@ var _ = Describe("kubebuilder", func() {
 						"and securityContext.seccompProfile", srvVer.GitVersion))
 				}
 
-				GenerateV3(kbc, "v1")
+				GenerateV3(kbc, "v1", true)
 
 				// only if running on Kubernetes >= 1.24 do we need to generate the ServiceAccount token Secret
 				// TODO: Remove this once a better implementation using something like the TokenRequest API
@@ -129,7 +129,7 @@ var _ = Describe("kubebuilder", func() {
 
 				Run(kbc, sat)
 			})
-			It("should generate a runnable project with the golang base plugin v3 and kustomize v4-alpha", func() {
+			It("should generate a runnable project with the golang base plugin v3 and kustomize v4-alpha with restricted pods", func() {
 				// Skip if cluster version < 1.16, when v1 CRDs and webhooks did not exist.
 				// Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19
 				// Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced
@@ -138,7 +138,7 @@ var _ = Describe("kubebuilder", func() {
 						"and securityContext.seccompProfile", srvVer.GitVersion))
 				}
 
-				GenerateV3WithKustomizeV2(kbc, "v1")
+				GenerateV3WithKustomizeV2(kbc, "v1", true)
 
 				// only if running on Kubernetes >= 1.24 do we need to generate the ServiceAccount token Secret
 				// TODO: Remove this once a better implementation using something like the TokenRequest API
@@ -149,7 +149,7 @@ var _ = Describe("kubebuilder", func() {
 
 				Run(kbc, sat)
 			})
-			It("should generate a runnable project with v1beta1 CRDs and Webhooks", func() {
+			It("should generate a runnable project with v1beta1 CRDs and Webhooks with restricted pods", func() {
 				// Skip if cluster version < 1.15, when `.spec.preserveUnknownFields` was not a v1beta1 CRD field.
 				// Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19
 				// Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced
@@ -160,7 +160,62 @@ var _ = Describe("kubebuilder", func() {
 						"and securityContext.seccompProfile", srvVer.GitVersion))
 				}
 
-				GenerateV3(kbc, "v1beta1")
+				GenerateV3(kbc, "v1beta1", true)
+				Run(kbc, sat)
+			})
+
+			It("should generate a runnable project go/v3 with v1 CRDs and Webhooks with restricted pods", func() {
+				// Skip if cluster version < 1.16, when v1 CRDs and webhooks did not exist.
+				// Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19
+				// Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced
+				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 19 {
+					Skip(fmt.Sprintf("cluster version %s does not support v1 CRDs or webhooks"+
+						"and securityContext.seccompProfile", srvVer.GitVersion))
+				}
+
+				GenerateV3(kbc, "v1", true)
+
+				// only if running on Kubernetes >= 1.24 do we need to generate the ServiceAccount token Secret
+				// TODO: Remove this once a better implementation using something like the TokenRequest API
+				// is used in the e2e tests
+				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() == 1 && srvVer.GetMinorInt() >= 24 {
+					sat = true
+				}
+
+				Run(kbc, sat)
+			})
+			It("should generate a runnable project with the golang base plugin v3 and kustomize v4-alpha with restricted pods", func() {
+				// Skip if cluster version < 1.16, when v1 CRDs and webhooks did not exist.
+				// Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19
+				// Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced
+				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 19 {
+					Skip(fmt.Sprintf("cluster version %s does not support v1 CRDs or webhooks "+
+						"and securityContext.seccompProfile", srvVer.GitVersion))
+				}
+
+				GenerateV3WithKustomizeV2(kbc, "v1", true)
+
+				// only if running on Kubernetes >= 1.24 do we need to generate the ServiceAccount token Secret
+				// TODO: Remove this once a better implementation using something like the TokenRequest API
+				// is used in the e2e tests
+				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() == 1 && srvVer.GetMinorInt() >= 24 {
+					sat = true
+				}
+
+				Run(kbc, sat)
+			})
+			It("should generate a runnable project with v1beta1 CRDs and Webhooks with restricted pods", func() {
+				// Skip if cluster version < 1.15, when `.spec.preserveUnknownFields` was not a v1beta1 CRD field.
+				// Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19
+				// Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced
+				// Skip if cluster version >= 1.22 because pre v1 CRDs and webhooks no longer exist.
+				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 19 ||
+					srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() >= 22 {
+					Skip(fmt.Sprintf("cluster version %s does not support project defaults "+
+						"and securityContext.seccompProfile", srvVer.GitVersion))
+				}
+
+				GenerateV3(kbc, "v1beta1", true)
 				Run(kbc, sat)
 			})
 		})