Ensure Security Context Compliance in Tests and User-Scaffolded Tests for Restricted Environments

[camilamacedo86]

What do you want to happen?

Background

To ensure compliance with restricted environments, all Pods in our tests and test scaffolds must use a Security Context. This ensures that even when namespaces enforce strict security policies, the tests will pass, and the scaffolds users rely on will remain functional.

Currently:

• The manager is configured by default to work in such environments.
• However, in tests and test scaffolds, the curl Pod (used to verify metrics logs) lacks the necessary SecurityContext configuration.

Tasks

1. Namespace Labeling for Security Policy Enforcement

• Update the e2e test namespace to be labeled for restricted environments. See that in our e2e tests we are just warning : https://github.com/kubernetes-sigs/kubebuilder/blob/master/test/e2e/v4/plugin_cluster_test.go#L60-L62 we need change it to enforce can also use the same in the scaffolds produced for end-users
• Modify testdata/project-v4/test/e2e/e2e_test.go#L51-L55 to scaffold the command that applies the required labels to the namespace.

2. Secure curl Pod Configuration

• Change the curl Pod creation command in testdata/project-v4/test/e2e/e2e_test.go#L209-L217 to include a proper SecurityContext. For example:

  cmd = exec.Command("kubectl", "run", curlPod,
      "--image=curlimages/curl:7.87.0", "-n", namespace,
      "--restart=Never",
      "--overrides", `{
          "spec": {
              "containers": [{
                  "name": "curl",
                  "image": "curlimages/curl:7.87.0",
                  "command": ["sh", "-c", "sleep 3600"],
                  "securityContext": {
                      "allowPrivilegeEscalation": false,
                      "capabilities": {
                          "drop": ["ALL"]
                      },
                      "runAsNonRoot": true,
                      "runAsUser": 1000,
                      "seccompProfile": {
                          "type": "RuntimeDefault"
                      }
                  }
              }],
              "serviceAccountName": "<project>-controller-manager"
          }
      }`)

3. Update e2e Test Framework

• Modify e2e tests in test/e2e to ensure that all created Pods include a SecurityContext and are compatible with namespaces enforcing restricted security policies.

Expected Outcome

• All e2e tests will pass in restricted environments with strict security contexts enforced.
• User-scaffolded tests will include the necessary configurations to operate in restricted environments without requiring manual adjustments.

Additional Notes

• To change the scaffolds, we change the sample. In this case, we need to change: https://github.com/kubernetes-sigs/kubebuilder/blob/master/pkg/plugins/golang/v4/scaffolds/internal/templates/test/e2e/test.go
• Then, we run make generate to ensure that all samples under docs and testdata are properly updated.
• If you need to check what is Pod Security Standards see: https://kubernetes.io/docs/concepts/security/pod-security-standards/

Extra Labels

No response

[lunarwhite]

I'd like to take this one.

/assign

[lunarwhite]

PR #4435 is ready for review