Add podsecuritypolicy test

This adds a test for the podsecuritypolicy chart, as well as a script
to reconfigure minikube with PodSecurityPolity enabled when appropriate.

This change doesn't add the PSP chart to the existing tests, because
the psp chart will have secure defaults in the future, which may
interfere with other charts by default; and it doesn't enable the
admission controller broadly, because turning the AC on without
providing a podsecuritypolicy will break k8s functionality.

Change-Id: I9fd14bb118189cd4ead177b79e39aadbc2096b4a

tools/deployment/podsecuritypolicy/000-install-packages.sh

@@ -0,0 +1 @@
+../common/000-install-packages.sh

tools/deployment/podsecuritypolicy/005-deploy-k8s.sh

@@ -0,0 +1 @@
+../common/005-deploy-k8s.sh

tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+# Copyright 2019, AT&T Intellectual Property
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+
+# This restarts minikube with podsecuritypolicy admission controller enabled
+sudo -E minikube stop
+sleep 10
+sudo -E minikube start \
+  --docker-env HTTP_PROXY="${HTTP_PROXY}" \
+  --docker-env HTTPS_PROXY="${HTTPS_PROXY}" \
+  --docker-env NO_PROXY="${NO_PROXY},10.96.0.0/12" \
+  --extra-config=kubelet.network-plugin=cni \
+  --extra-config=controller-manager.allocate-node-cidrs=true \
+  --extra-config=controller-manager.cluster-cidr=192.168.0.0/16 \
+  --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy
+
+# NOTE: Wait for node to be ready.
+kubectl wait --timeout=240s --for=condition=Ready nodes/minikube
+
+kubectl --namespace=kube-system wait \
+  --timeout=240s \
+  --for=condition=Ready \
+  pod -l app=helm,name=tiller
+

tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+
+#NOTE: Lint and package chart
+make podsecuritypolicy
+
+#NOTE: Create a privileged pod to test with
+tee /tmp/psp-test-pod.yaml << EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: psp-test
+spec:
+  hostNetwork: true
+  containers:
+  - name: psp-test
+    image: na
+EOF
+
+#NOTE: Deploy with host networking off, and test for failure
+helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
+  --namespace=kube-system \
+  --set data.psp-default.hostNetwork=false \
+  ${OSH_INFRA_EXTRA_HELM_ARGS} \
+  ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh kube-system
+
+#NOTE: Display info
+helm status podsecuritypolicy
+
+# Test that host networking is disallowed
+if kubectl apply -f /tmp/psp-test-pod.yaml; then
+  echo "ERROR: podsecuritypolicy incorrectly admitted a privileged pod"
+  kubectl delete pod psp-test
+  exit 1
+fi
+
+#NOTE: Deploy with host networking on, and test for success
+helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
+  --namespace=kube-system \
+  --set data.psp-default.hostNetwork=true \
+  ${OSH_INFRA_EXTRA_HELM_ARGS} \
+  ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh kube-system
+
+#NOTE: Display info
+helm status podsecuritypolicy
+
+# Test that host networking is allowed
+kubectl apply -f /tmp/psp-test-pod.yaml
+
+kubectl delete pod psp-test

zuul.d/jobs.yaml

@@ -355,3 +355,20 @@
     run: playbooks/osh-infra-airship-divingbell-check.yaml
     required-projects:
       - openstack/airship-divingbell
+
+- job:
+    name: openstack-helm-infra-aio-podsecuritypolicy
+    parent: openstack-helm-infra-functional
+    timeout: 7200
+    pre-run:
+      - playbooks/osh-infra-upgrade-host.yaml
+    run: playbooks/osh-infra-gate-runner.yaml
+    post-run: playbooks/osh-infra-collect-logs.yaml
+    nodeset: openstack-helm-single-node
+    vars:
+      gate_scripts:
+        - ./tools/deployment/podsecuritypolicy/000-install-packages.sh
+        - ./tools/deployment/podsecuritypolicy/005-deploy-k8s.sh
+        - ./tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh
+        - ./tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh
+

zuul.d/project.yaml

@@ -29,6 +29,7 @@
         # override functionality
         - openstack-helm-infra-airship-divingbell:
             voting: false
+        - openstack-helm-infra-aio-podsecuritypolicy
     gate:
       jobs:
         - openstack-helm-lint
@@ -36,6 +37,7 @@
         - openstack-helm-infra-aio-monitoring
         - openstack-helm-infra-openstack-support
         - openstack-helm-infra-kubernetes-keystone-auth
+        - openstack-helm-infra-aio-podsecuritypolicy
     periodic:
       jobs:
         - openstack-helm-infra-tenant-ceph