diff --git a/docs/book/src/cronjob-tutorial/testdata/project/test/e2e/e2e_test.go b/docs/book/src/cronjob-tutorial/testdata/project/test/e2e/e2e_test.go
index edb8ef44a24..b620071b151 100644
--- a/docs/book/src/cronjob-tutorial/testdata/project/test/e2e/e2e_test.go
+++ b/docs/book/src/cronjob-tutorial/testdata/project/test/e2e/e2e_test.go
@@ -46,13 +46,20 @@ var _ = Describe("Manager", Ordered, func() {
 var controllerPodName string
 
 // Before running the tests, set up the environment by creating the namespace,
- // installing CRDs, and deploying the controller.
+ // enforce the restricted security policy to the namespace, installing CRDs,
+ // and deploying the controller.
 BeforeAll(func() {
 By("creating manager namespace")
 cmd := exec.Command("kubectl", "create", "ns", namespace)
 _, err := utils.Run(cmd)
 Expect(err).NotTo(HaveOccurred(), "Failed to create namespace")
 
+ By("labeling the namespace to enforce the restricted security policy")
+ cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace,
+ "pod-security.kubernetes.io/enforce=restricted")
+ _, err = utils.Run(cmd)
+ Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy")
+
 By("installing CRDs")
 cmd = exec.Command("make", "install")
 _, err = utils.Run(cmd)
@@ -210,6 +217,26 @@ var _ = Describe("Manager", Ordered, func() {
 cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never",
 "--namespace", namespace,
 "--image=curlimages/curl:7.78.0",
+ "--overrides",
+ fmt.Sprintf(`{
+ "spec": {
+ "containers": [{
+ "name": "curl",
+ "securityContext": {
+ "allowPrivilegeEscalation": false,
+ "capabilities": {
+ "drop": ["ALL"]
+ },
+ "runAsNonRoot": true,
+ "runAsUser": 1000,
+ "seccompProfile": {
+ "type": "RuntimeDefault"
+ }
+ }
+ }],
+ "serviceAccountName": "%s"
+ }
+ }`, serviceAccountName),
 "--", "/bin/sh", "-c", fmt.Sprintf(
 "curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics",
 token, metricsServiceName, namespace))
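Review bot: The added `"serviceAccountName": "%s"` line in the `@@ -210,6` hunk runs the throw-away curl pod under `serviceAccountName` (presumably the manager's service account) although the request on the following lines already authenticates with the explicitly passed bearer token, so the pod additionally gets that account's projected token automounted and inherits whatever RBAC the manager holds. Unless something here relies on that projected token, drop the `serviceAccountName` entry or add `"automountServiceAccountToken": false` beside it so the metrics probe carries only the credential it actually uses. The same override appears in every other e2e_test.go copy in this diff.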
diff --git a/docs/book/src/getting-started/testdata/project/test/e2e/e2e_test.go b/docs/book/src/getting-started/testdata/project/test/e2e/e2e_test.go
index 18d160e7477..0d1fd91039b 100644
--- a/docs/book/src/getting-started/testdata/project/test/e2e/e2e_test.go
+++ b/docs/book/src/getting-started/testdata/project/test/e2e/e2e_test.go
@@ -46,13 +46,20 @@ var _ = Describe("Manager", Ordered, func() {
 var controllerPodName string
 
 // Before running the tests, set up the environment by creating the namespace,
- // installing CRDs, and deploying the controller.
+ // enforce the restricted security policy to the namespace, installing CRDs,
+ // and deploying the controller.
 BeforeAll(func() {
 By("creating manager namespace")
 cmd := exec.Command("kubectl", "create", "ns", namespace)
 _, err := utils.Run(cmd)
 Expect(err).NotTo(HaveOccurred(), "Failed to create namespace")
 
+ By("labeling the namespace to enforce the restricted security policy")
+ cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace,
+ "pod-security.kubernetes.io/enforce=restricted")
+ _, err = utils.Run(cmd)
+ Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy")
+
 By("installing CRDs")
 cmd = exec.Command("make", "install")
 _, err = utils.Run(cmd)
@@ -210,6 +217,26 @@ var _ = Describe("Manager", Ordered, func() {
 cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never",
 "--namespace", namespace,
 "--image=curlimages/curl:7.78.0",
+ "--overrides",
+ fmt.Sprintf(`{
+ "spec": {
+ "containers": [{
+ "name": "curl",
+ "securityContext": {
+ "allowPrivilegeEscalation": false,
+ "capabilities": {
+ "drop": ["ALL"]
+ },
+ "runAsNonRoot": true,
+ "runAsUser": 1000,
+ "seccompProfile": {
+ "type": "RuntimeDefault"
+ }
+ }
+ }],
+ "serviceAccountName": "%s"
+ }
+ }`, serviceAccountName),
 "--", "/bin/sh", "-c", fmt.Sprintf(
 "curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics",
 token, metricsServiceName, namespace))
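Review bot: In the `@@ -210,6` hunk the override's only container entry is named `curl` and carries nothing but a `securityContext`, while `kubectl run curl-metrics` generates a container named `curl-metrics` that holds the image and the trailing `/bin/sh -c` arguments. As far as I know kubectl applies `--overrides` as a JSON merge patch, which replaces the `containers` list wholesale, so the resulting pod would have a `curl` container with no image or command; if it were strategically merged instead, a second container would be appended and the one actually running curl would lack the restricted securityContext. Either way the pod is unlikely to be admitted into the newly enforced namespace; repeating `"image": "curlimages/curl:7.78.0",`, `"command": ["/bin/sh", "-c"],` and the curl command line as `"args": [...]` inside the override (and dropping the trailing `--` arguments) puts the securityContext on the container that runs the probe. Worth confirming against the kubectl version CI uses.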
diff --git a/docs/book/src/multiversion-tutorial/testdata/project/test/e2e/e2e_test.go b/docs/book/src/multiversion-tutorial/testdata/project/test/e2e/e2e_test.go
index 3ffffed2ce8..3cbf8ef8457 100644
--- a/docs/book/src/multiversion-tutorial/testdata/project/test/e2e/e2e_test.go
+++ b/docs/book/src/multiversion-tutorial/testdata/project/test/e2e/e2e_test.go
@@ -46,13 +46,20 @@ var _ = Describe("Manager", Ordered, func() {
 var controllerPodName string
 
 // Before running the tests, set up the environment by creating the namespace,
- // installing CRDs, and deploying the controller.
+ // enforce the restricted security policy to the namespace, installing CRDs,
+ // and deploying the controller.
 BeforeAll(func() {
 By("creating manager namespace")
 cmd := exec.Command("kubectl", "create", "ns", namespace)
 _, err := utils.Run(cmd)
 Expect(err).NotTo(HaveOccurred(), "Failed to create namespace")
 
+ By("labeling the namespace to enforce the restricted security policy")
+ cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace,
+ "pod-security.kubernetes.io/enforce=restricted")
+ _, err = utils.Run(cmd)
+ Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy")
+
 By("installing CRDs")
 cmd = exec.Command("make", "install")
 _, err = utils.Run(cmd)
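Review bot: The new `kubectl label` call sets `pod-security.kubernetes.io/enforce=restricted` without a companion `pod-security.kubernetes.io/enforce-version` label, so the namespace is checked against whatever the cluster treats as `latest` and the test's verdict can drift between Kubernetes releases as the restricted profile evolves. Passing an explicit `"pod-security.kubernetes.io/enforce-version=<the minor CI targets>"` as an additional argument to the same call makes the profile version part of the test contract; if tracking the newest profile is the intent, say so in a comment. The comment above `BeforeAll` would also read more cleanly as `labeling the namespace to enforce the restricted Pod Security Standard, installing CRDs,` in place of `enforce the restricted security policy to the namespace, installing CRDs,`.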
@@ -210,6 +217,26 @@ var _ = Describe("Manager", Ordered, func() {
 cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never",
 "--namespace", namespace,
 "--image=curlimages/curl:7.78.0",
+ "--overrides",
+ fmt.Sprintf(`{
+ "spec": {
+ "containers": [{
+ "name": "curl",
+ "securityContext": {
+ "allowPrivilegeEscalation": false,
+ "capabilities": {
+ "drop": ["ALL"]
+ },
+ "runAsNonRoot": true,
+ "runAsUser": 1000,
+ "seccompProfile": {
+ "type": "RuntimeDefault"
+ }
+ }
+ }],
+ "serviceAccountName": "%s"
+ }
+ }`, serviceAccountName),
 "--", "/bin/sh", "-c", fmt.Sprintf(
 "curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics",
 token, metricsServiceName, namespace))
diff --git a/pkg/plugins/golang/v4/scaffolds/internal/templates/test/e2e/test.go b/pkg/plugins/golang/v4/scaffolds/internal/templates/test/e2e/test.go
index 5338ac4a3fe..498828b63b5 100644
--- a/pkg/plugins/golang/v4/scaffolds/internal/templates/test/e2e/test.go
+++ b/pkg/plugins/golang/v4/scaffolds/internal/templates/test/e2e/test.go
@@ -207,13 +207,20 @@ var _ = Describe("Manager", Ordered, func() {
 var controllerPodName string
 
 // Before running the tests, set up the environment by creating the namespace,
- // installing CRDs, and deploying the controller.
+ // enforce the restricted security policy to the namespace, installing CRDs,
+ // and deploying the controller.
 BeforeAll(func() {
 By("creating manager namespace")
 cmd := exec.Command("kubectl", "create", "ns", namespace)
 _, err := utils.Run(cmd)
 Expect(err).NotTo(HaveOccurred(), "Failed to create namespace")
 
+ By("labeling the namespace to enforce the restricted security policy")
+ cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace,
+ "pod-security.kubernetes.io/enforce=restricted")
+ _, err = utils.Run(cmd)
+ Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy")
+
 By("installing CRDs")
 cmd = exec.Command("make", "install")
 _, err = utils.Run(cmd)
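Review bot: In the `@@ -207,13` hunk of the scaffold template (pkg/plugins/.../templates/test/e2e/test.go) the new comment `enforce the restricted security policy to the namespace, installing CRDs,` breaks the parallel `creating … installing … deploying` list and misnames the mechanism; `labeling the namespace to enforce the restricted Pod Security Standard, installing CRDs,` keeps the list consistent. The docs and testdata copies of this hunk elsewhere in the diff look generated from this template, so wording or behavioural fixes belong here followed by a regeneration rather than per-copy edits. Consider also passing `pod-security.kubernetes.io/enforce-version` next to the enforce label so the profile version the scaffolded test is checked against is explicit instead of the cluster's `latest`.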
@@ -371,6 +378,26 @@ var _ = Describe("Manager", Ordered, func() {
 cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never",
 "--namespace", namespace,
 "--image=curlimages/curl:7.78.0",
+ "--overrides",
+ fmt.Sprintf(` + "`" + `{
+ "spec": {
+ "containers": [{
+ "name": "curl",
+ "securityContext": {
+ "allowPrivilegeEscalation": false,
+ "capabilities": {
+ "drop": ["ALL"]
+ },
+ "runAsNonRoot": true,
+ "runAsUser": 1000,
+ "seccompProfile": {
+ "type": "RuntimeDefault"
+ }
+ }
+ }],
+ "serviceAccountName": "%s"
+ }
+ }` + "`" + `, serviceAccountName),
 "--", "/bin/sh", "-c", fmt.Sprintf(
 "curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics",
 token, metricsServiceName, namespace))
diff --git a/test/e2e/deployimage/plugin_cluster_test.go b/test/e2e/deployimage/plugin_cluster_test.go
index 3597d4a1d91..e2b38327d24 100644
--- a/test/e2e/deployimage/plugin_cluster_test.go
+++ b/test/e2e/deployimage/plugin_cluster_test.go
@@ -93,7 +93,7 @@ func Run(kbc *utils.TestContext) {
 
 By("deploying the controller-manager")
 cmd := exec.Command("make", "deploy", "IMG="+kbc.ImageName)
- Expect(kbc.Run(cmd)).NotTo(ContainSubstring("Warning: would violate PodSecurity"))
+ Expect(kbc.Run(cmd)).To(Succeed())
 
 By("validating that the controller-manager pod is running as expected")
 verifyControllerUp := func(g Gomega) {
diff --git a/test/e2e/utils/test_context.go b/test/e2e/utils/test_context.go
index 5ce58f18a3d..4eb1e735b36 100644
--- a/test/e2e/utils/test_context.go
+++ b/test/e2e/utils/test_context.go
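Review bot: In the template's `@@ -371,6` hunk the override declares a single container named `curl` with only a `securityContext`, whereas `kubectl run curl-metrics` generates a container named `curl-metrics` carrying the image and the trailing `/bin/sh -c` arguments; as far as I know `--overrides` is applied as a JSON merge patch, which replaces the `containers` list outright, leaving a `curl` container with no image or command (a strategic merge would instead append a second container and leave the real one without the restricted securityContext). Either outcome means the probe pod is unlikely to be admitted into the enforced namespace, so the override should also carry `"image": "curlimages/curl:7.78.0",`, `"command": ["/bin/sh", "-c"],` and the curl line as `"args": [...]`, with the trailing `--` arguments removed; please verify against the kubectl in CI. Separately, `"serviceAccountName": "%s"` mounts the manager's projected token into a pod that already authenticates with the explicit bearer token, so either drop it or set `"automountServiceAccountToken": false`. Since this template produces the scaffolded tests, the fix here propagates to every generated copy.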
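Review bot: In the deployimage `@@ -93,7` hunk, swapping `NotTo(ContainSubstring("Warning: would violate PodSecurity"))` for `To(Succeed())` only preserves the PodSecurity check if the namespace this test deploys into actually carries the `enforce=restricted` label, and nothing in this hunk or in this file's diff applies it; if this `Run` does not call `kbc.LabelNamespacesToEnforceRestricted()` the way the v4 suite does, `make deploy` now passes on an unlabeled namespace and a manager that violates the restricted profile is no longer caught. `kbc.Run` also appears to return the command output alongside an error (the old matcher inspected that output), so handing both to `Succeed()` depends on Gomega's multi-value handling; `_, err := kbc.Run(cmd)` followed by `Expect(err).NotTo(HaveOccurred())` is unambiguous. The body of `Run` continues outside the hunk.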
@@ -252,18 +252,18 @@ func (t *TestContext) CreateManagerNamespace() error {
 return err
 }
 
-// LabelNamespacesToWarnAboutRestricted will label all namespaces so that we can verify
-// if a warning with `Warning: would violate PodSecurity` will be raised when the manifests are applied
-func (t *TestContext) LabelNamespacesToWarnAboutRestricted() error {
+// LabelNamespacesToEnforceRestricted will label specified namespaces so that we can verify
+// if the manifests can be applied in restricted environments with strict security policy enforced
+func (t *TestContext) LabelNamespacesToEnforceRestricted() error {
 _, err := t.Kubectl.Command("label", "--overwrite", "ns", t.Kubectl.Namespace,
- "pod-security.kubernetes.io/warn=restricted")
+ "pod-security.kubernetes.io/enforce=restricted")
 return err
 }
 
-// RemoveNamespaceLabelToWarnAboutRestricted will remove the `pod-security.kubernetes.io/warn` label
+// RemoveNamespaceLabelToEnforceRestricted will remove the `pod-security.kubernetes.io/warn` label
 // from the specified namespace
-func (t *TestContext) RemoveNamespaceLabelToWarnAboutRestricted() error {
- _, err := t.Kubectl.Command("label", "ns", t.Kubectl.Namespace, "pod-security.kubernetes.io/warn-")
+func (t *TestContext) RemoveNamespaceLabelToEnforceRestricted() error {
+ _, err := t.Kubectl.Command("label", "ns", t.Kubectl.Namespace, "pod-security.kubernetes.io/enforce-")
 return err
 }
 
diff --git a/test/e2e/v4/plugin_cluster_test.go b/test/e2e/v4/plugin_cluster_test.go
index 009ea15e0ba..f44fd1e52af 100644
--- a/test/e2e/v4/plugin_cluster_test.go
+++ b/test/e2e/v4/plugin_cluster_test.go
@@ -58,7 +58,7 @@ var _ = Describe("kubebuilder", func() {
 
 AfterEach(func() {
 By("By removing restricted namespace label")
- _ = kbc.RemoveNamespaceLabelToWarnAboutRestricted()
+ _ = kbc.RemoveNamespaceLabelToEnforceRestricted()
 
 By("clean up API objects created during the test")
 _ = kbc.Make("undeploy")
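Review bot: In the test_context.go hunk the renamed `RemoveNamespaceLabelToEnforceRestricted` keeps a doc comment saying it removes the `pod-security.kubernetes.io/warn` label, while the code now removes `pod-security.kubernetes.io/enforce-`; the first comment line should read `// RemoveNamespaceLabelToEnforceRestricted will remove the pod-security.kubernetes.io/enforce label`. The new comment on `LabelNamespacesToEnforceRestricted` says it labels `specified namespaces`, but the call only touches `t.Kubectl.Namespace`; `// LabelNamespacesToEnforceRestricted labels the test namespace so that we can verify the manifests are admitted with the restricted Pod Security Standard enforced` describes what it does. It is worth stating in that comment that, unlike the former `warn` label, `enforce` makes non-compliant pods fail admission, so callers should expect `make deploy` itself to fail rather than look for a warning in its output.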
@@ -114,8 +114,8 @@ func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller, isToUseHelmChart,
 err = kbc.CreateManagerNamespace()
 ExpectWithOffset(1, err).NotTo(HaveOccurred())
 
- By("labeling all namespaces to warn about restricted")
- err = kbc.LabelNamespacesToWarnAboutRestricted()
+ By("labeling the namespace to enforce the restricted security policy")
+ err = kbc.LabelNamespacesToEnforceRestricted()
 ExpectWithOffset(1, err).NotTo(HaveOccurred())
 
 By("updating the go.mod")
@@ -582,6 +582,26 @@ func cmdOptsToCreateCurlPod(kbc *utils.TestContext, token string) []string {
 "--restart=Never",
 "--namespace", kbc.Kubectl.Namespace,
 "--image=curlimages/curl:7.78.0",
+ "--overrides",
+ fmt.Sprintf(`{
+ "spec": {
+ "containers": [{
+ "name": "curl",
+ "securityContext": {
+ "allowPrivilegeEscalation": false,
+ "capabilities": {
+ "drop": ["ALL"]
+ },
+ "runAsNonRoot": true,
+ "runAsUser": 1000,
+ "seccompProfile": {
+ "type": "RuntimeDefault"
+ }
+ }
+ }],
+ "serviceAccountName": "%s"
+ }
+ }`, kbc.Kubectl.ServiceAccount),
 "--", "/bin/sh", "-c",
 fmt.Sprintf("curl -v -k -H 'Authorization: Bearer %s' https://e2e-%s-controller-manager-metrics-service.%s.svc.cluster.local:8443/metrics",
 token, kbc.TestSuffix, kbc.Kubectl.Namespace),
diff --git a/testdata/project-v4-multigroup/test/e2e/e2e_test.go b/testdata/project-v4-multigroup/test/e2e/e2e_test.go
index dbcdfbdcca3..63f26da3f20 100644
--- a/testdata/project-v4-multigroup/test/e2e/e2e_test.go
+++ b/testdata/project-v4-multigroup/test/e2e/e2e_test.go
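Review bot: In the `cmdOptsToCreateCurlPod` hunk, `"serviceAccountName": "%s"` with `kbc.Kubectl.ServiceAccount` runs the probe pod as the test's service account even though the `curl` line a few entries later already authenticates with the `token` argument, so the pod receives a second, automounted credential it never uses and inherits that account's RBAC. Drop the entry, or add `"automountServiceAccountToken": false` alongside it, unless something downstream depends on the projected token. The override also names its container `curl` while `kubectl run` names the generated one after the pod, and it carries no `image` or `command`; depending on how kubectl merges `--overrides`, the container that actually runs curl may end up without this securityContext, so repeating `image`, `command` and `args` inside the override is the safer form. `cmdOptsToCreateCurlPod` starts before and ends after this hunk.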
@@ -46,13 +46,20 @@ var _ = Describe("Manager", Ordered, func() {
 var controllerPodName string
 
 // Before running the tests, set up the environment by creating the namespace,
- // installing CRDs, and deploying the controller.
+ // enforce the restricted security policy to the namespace, installing CRDs,
+ // and deploying the controller.
 BeforeAll(func() {
 By("creating manager namespace")
 cmd := exec.Command("kubectl", "create", "ns", namespace)
 _, err := utils.Run(cmd)
 Expect(err).NotTo(HaveOccurred(), "Failed to create namespace")
 
+ By("labeling the namespace to enforce the restricted security policy")
+ cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace,
+ "pod-security.kubernetes.io/enforce=restricted")
+ _, err = utils.Run(cmd)
+ Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy")
+
 By("installing CRDs")
 cmd = exec.Command("make", "install")
 _, err = utils.Run(cmd)
@@ -210,6 +217,26 @@ var _ = Describe("Manager", Ordered, func() {
 cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never",
 "--namespace", namespace,
 "--image=curlimages/curl:7.78.0",
+ "--overrides",
+ fmt.Sprintf(`{
+ "spec": {
+ "containers": [{
+ "name": "curl",
+ "securityContext": {
+ "allowPrivilegeEscalation": false,
+ "capabilities": {
+ "drop": ["ALL"]
+ },
+ "runAsNonRoot": true,
+ "runAsUser": 1000,
+ "seccompProfile": {
+ "type": "RuntimeDefault"
+ }
+ }
+ }],
+ "serviceAccountName": "%s"
+ }
+ }`, serviceAccountName),
 "--", "/bin/sh", "-c", fmt.Sprintf(
 "curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics",
 token, metricsServiceName, namespace))
diff --git a/testdata/project-v4-with-plugins/test/e2e/e2e_test.go b/testdata/project-v4-with-plugins/test/e2e/e2e_test.go
index 0f2508e2f8a..55e75f850f4 100644
--- a/testdata/project-v4-with-plugins/test/e2e/e2e_test.go
+++ b/testdata/project-v4-with-plugins/test/e2e/e2e_test.go
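Review bot: In the multigroup `@@ -210,6` hunk the override container is named `curl` and has no `image` or `command`, while the pod generated by `kubectl run curl-metrics` names its container `curl-metrics` and holds both; with the JSON-merge semantics I believe `--overrides` uses, the `containers` list is replaced and the pod ends up with an imageless `curl` container, and with a strategic merge the real container would simply miss the securityContext. Either way the probe may not be admitted into the enforced namespace, so `"image": "curlimages/curl:7.78.0",`, `"command": ["/bin/sh", "-c"],` and an `"args": [...]` entry belong inside the override, with the trailing `--` arguments dropped. This file appears to be generated from the scaffold template, so the fix should be made there and regenerated.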
@@ -46,13 +46,20 @@ var _ = Describe("Manager", Ordered, func() {
 var controllerPodName string
 
 // Before running the tests, set up the environment by creating the namespace,
- // installing CRDs, and deploying the controller.
+ // enforce the restricted security policy to the namespace, installing CRDs,
+ // and deploying the controller.
 BeforeAll(func() {
 By("creating manager namespace")
 cmd := exec.Command("kubectl", "create", "ns", namespace)
 _, err := utils.Run(cmd)
 Expect(err).NotTo(HaveOccurred(), "Failed to create namespace")
 
+ By("labeling the namespace to enforce the restricted security policy")
+ cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace,
+ "pod-security.kubernetes.io/enforce=restricted")
+ _, err = utils.Run(cmd)
+ Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy")
+
 By("installing CRDs")
 cmd = exec.Command("make", "install")
 _, err = utils.Run(cmd)
@@ -210,6 +217,26 @@ var _ = Describe("Manager", Ordered, func() {
 cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never",
 "--namespace", namespace,
 "--image=curlimages/curl:7.78.0",
+ "--overrides",
+ fmt.Sprintf(`{
+ "spec": {
+ "containers": [{
+ "name": "curl",
+ "securityContext": {
+ "allowPrivilegeEscalation": false,
+ "capabilities": {
+ "drop": ["ALL"]
+ },
+ "runAsNonRoot": true,
+ "runAsUser": 1000,
+ "seccompProfile": {
+ "type": "RuntimeDefault"
+ }
+ }
+ }],
+ "serviceAccountName": "%s"
+ }
+ }`, serviceAccountName),
 "--", "/bin/sh", "-c", fmt.Sprintf(
 "curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics",
 token, metricsServiceName, namespace))
diff --git a/testdata/project-v4/test/e2e/e2e_test.go b/testdata/project-v4/test/e2e/e2e_test.go
index 5956c9fe687..984f73006bf 100644
--- a/testdata/project-v4/test/e2e/e2e_test.go
+++ b/testdata/project-v4/test/e2e/e2e_test.go
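Review bot: In the with-plugins `@@ -46,13` hunk the `enforce=restricted` label is applied without an `enforce-version`, so the profile the scaffolded manager is admitted against is whatever this cluster calls `latest`, which makes the result depend on the Kubernetes minor the kind cluster happens to run. Adding `"pod-security.kubernetes.io/enforce-version=<pinned minor>"` to the same `kubectl label` call, or a comment stating that tracking `latest` is deliberate, would make that choice explicit. The comment above `BeforeAll` would also read more naturally as `labeling the namespace to enforce the restricted Pod Security Standard, installing CRDs,`. As this file looks generated from the scaffold template, both changes belong in the template.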
@@ -46,13 +46,20 @@ var _ = Describe("Manager", Ordered, func() {
 var controllerPodName string
 
 // Before running the tests, set up the environment by creating the namespace,
- // installing CRDs, and deploying the controller.
+ // enforce the restricted security policy to the namespace, installing CRDs,
+ // and deploying the controller.
 BeforeAll(func() {
 By("creating manager namespace")
 cmd := exec.Command("kubectl", "create", "ns", namespace)
 _, err := utils.Run(cmd)
 Expect(err).NotTo(HaveOccurred(), "Failed to create namespace")
 
+ By("labeling the namespace to enforce the restricted security policy")
+ cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace,
+ "pod-security.kubernetes.io/enforce=restricted")
+ _, err = utils.Run(cmd)
+ Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy")
+
 By("installing CRDs")
 cmd = exec.Command("make", "install")
 _, err = utils.Run(cmd)
@@ -210,6 +217,26 @@ var _ = Describe("Manager", Ordered, func() {
 cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never",
 "--namespace", namespace,
 "--image=curlimages/curl:7.78.0",
+ "--overrides",
+ fmt.Sprintf(`{
+ "spec": {
+ "containers": [{
+ "name": "curl",
+ "securityContext": {
+ "allowPrivilegeEscalation": false,
+ "capabilities": {
+ "drop": ["ALL"]
+ },
+ "runAsNonRoot": true,
+ "runAsUser": 1000,
+ "seccompProfile": {
+ "type": "RuntimeDefault"
+ }
+ }
+ }],
+ "serviceAccountName": "%s"
+ }
+ }`, serviceAccountName),
 "--", "/bin/sh", "-c", fmt.Sprintf(
 "curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics",
 token, metricsServiceName, namespace))
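Review bot: In the project-v4 `@@ -210,6` hunk, `"serviceAccountName": "%s"` gives the one-shot curl pod the identity behind `serviceAccountName` (presumably the manager's account) even though the request already carries the explicit `Bearer %s` token, so the pod also receives that account's automounted projected token and, with it, the manager's RBAC. Remove the entry, or add `"automountServiceAccountToken": false` beside it, unless the projected token is actually needed. Note too that the override names its container `curl` and omits `image`/`command`; depending on how kubectl merges `--overrides`, the container that runs curl may not receive this securityContext, so repeating those fields inside the override is the robust form. This copy looks generated from the scaffold template, where the change should be made.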