Add podsecuritypolicy test
This adds a test for the podsecuritypolicy chart, as well as a script to reconfigure minikube with PodSecurityPolity enabled when appropriate. This change doesn't add the PSP chart to the existing tests, because the psp chart will have secure defaults in the future, which may interfere with other charts by default; and it doesn't enable the admission controller broadly, because turning the AC on without providing a podsecuritypolicy will break k8s functionality. Change-Id: I9fd14bb118189cd4ead177b79e39aadbc2096b4a
This commit is contained in:
parent
0f176e2455
commit
84333745e2
1
tools/deployment/podsecuritypolicy/000-install-packages.sh
Symbolic link
1
tools/deployment/podsecuritypolicy/000-install-packages.sh
Symbolic link
@ -0,0 +1 @@
|
|||||||
|
../common/000-install-packages.sh
|
1
tools/deployment/podsecuritypolicy/005-deploy-k8s.sh
Symbolic link
1
tools/deployment/podsecuritypolicy/005-deploy-k8s.sh
Symbolic link
@ -0,0 +1 @@
|
|||||||
|
../common/005-deploy-k8s.sh
|
39
tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh
Executable file
39
tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh
Executable file
@ -0,0 +1,39 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
# Copyright 2019, AT&T Intellectual Property
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
set -xe
|
||||||
|
|
||||||
|
# This restarts minikube with podsecuritypolicy admission controller enabled
|
||||||
|
sudo -E minikube stop
|
||||||
|
sleep 10
|
||||||
|
sudo -E minikube start \
|
||||||
|
--docker-env HTTP_PROXY="${HTTP_PROXY}" \
|
||||||
|
--docker-env HTTPS_PROXY="${HTTPS_PROXY}" \
|
||||||
|
--docker-env NO_PROXY="${NO_PROXY},10.96.0.0/12" \
|
||||||
|
--extra-config=kubelet.network-plugin=cni \
|
||||||
|
--extra-config=controller-manager.allocate-node-cidrs=true \
|
||||||
|
--extra-config=controller-manager.cluster-cidr=192.168.0.0/16 \
|
||||||
|
--extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy
|
||||||
|
|
||||||
|
# NOTE: Wait for node to be ready.
|
||||||
|
kubectl wait --timeout=240s --for=condition=Ready nodes/minikube
|
||||||
|
|
||||||
|
kubectl --namespace=kube-system wait \
|
||||||
|
--timeout=240s \
|
||||||
|
--for=condition=Ready \
|
||||||
|
pod -l app=helm,name=tiller
|
||||||
|
|
71
tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh
Executable file
71
tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh
Executable file
@ -0,0 +1,71 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
set -xe
|
||||||
|
|
||||||
|
#NOTE: Lint and package chart
|
||||||
|
make podsecuritypolicy
|
||||||
|
|
||||||
|
#NOTE: Create a privileged pod to test with
|
||||||
|
tee /tmp/psp-test-pod.yaml << EOF
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Pod
|
||||||
|
metadata:
|
||||||
|
name: psp-test
|
||||||
|
spec:
|
||||||
|
hostNetwork: true
|
||||||
|
containers:
|
||||||
|
- name: psp-test
|
||||||
|
image: na
|
||||||
|
EOF
|
||||||
|
|
||||||
|
#NOTE: Deploy with host networking off, and test for failure
|
||||||
|
helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
|
||||||
|
--namespace=kube-system \
|
||||||
|
--set data.psp-default.hostNetwork=false \
|
||||||
|
${OSH_INFRA_EXTRA_HELM_ARGS} \
|
||||||
|
${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
|
||||||
|
|
||||||
|
#NOTE: Wait for deploy
|
||||||
|
./tools/deployment/common/wait-for-pods.sh kube-system
|
||||||
|
|
||||||
|
#NOTE: Display info
|
||||||
|
helm status podsecuritypolicy
|
||||||
|
|
||||||
|
# Test that host networking is disallowed
|
||||||
|
if kubectl apply -f /tmp/psp-test-pod.yaml; then
|
||||||
|
echo "ERROR: podsecuritypolicy incorrectly admitted a privileged pod"
|
||||||
|
kubectl delete pod psp-test
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
#NOTE: Deploy with host networking on, and test for success
|
||||||
|
helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
|
||||||
|
--namespace=kube-system \
|
||||||
|
--set data.psp-default.hostNetwork=true \
|
||||||
|
${OSH_INFRA_EXTRA_HELM_ARGS} \
|
||||||
|
${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
|
||||||
|
|
||||||
|
#NOTE: Wait for deploy
|
||||||
|
./tools/deployment/common/wait-for-pods.sh kube-system
|
||||||
|
|
||||||
|
#NOTE: Display info
|
||||||
|
helm status podsecuritypolicy
|
||||||
|
|
||||||
|
# Test that host networking is allowed
|
||||||
|
kubectl apply -f /tmp/psp-test-pod.yaml
|
||||||
|
|
||||||
|
kubectl delete pod psp-test
|
@ -355,3 +355,20 @@
|
|||||||
run: playbooks/osh-infra-airship-divingbell-check.yaml
|
run: playbooks/osh-infra-airship-divingbell-check.yaml
|
||||||
required-projects:
|
required-projects:
|
||||||
- openstack/airship-divingbell
|
- openstack/airship-divingbell
|
||||||
|
|
||||||
|
- job:
|
||||||
|
name: openstack-helm-infra-aio-podsecuritypolicy
|
||||||
|
parent: openstack-helm-infra-functional
|
||||||
|
timeout: 7200
|
||||||
|
pre-run:
|
||||||
|
- playbooks/osh-infra-upgrade-host.yaml
|
||||||
|
run: playbooks/osh-infra-gate-runner.yaml
|
||||||
|
post-run: playbooks/osh-infra-collect-logs.yaml
|
||||||
|
nodeset: openstack-helm-single-node
|
||||||
|
vars:
|
||||||
|
gate_scripts:
|
||||||
|
- ./tools/deployment/podsecuritypolicy/000-install-packages.sh
|
||||||
|
- ./tools/deployment/podsecuritypolicy/005-deploy-k8s.sh
|
||||||
|
- ./tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh
|
||||||
|
- ./tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh
|
||||||
|
|
||||||
|
@ -29,6 +29,7 @@
|
|||||||
# override functionality
|
# override functionality
|
||||||
- openstack-helm-infra-airship-divingbell:
|
- openstack-helm-infra-airship-divingbell:
|
||||||
voting: false
|
voting: false
|
||||||
|
- openstack-helm-infra-aio-podsecuritypolicy
|
||||||
gate:
|
gate:
|
||||||
jobs:
|
jobs:
|
||||||
- openstack-helm-lint
|
- openstack-helm-lint
|
||||||
@ -36,6 +37,7 @@
|
|||||||
- openstack-helm-infra-aio-monitoring
|
- openstack-helm-infra-aio-monitoring
|
||||||
- openstack-helm-infra-openstack-support
|
- openstack-helm-infra-openstack-support
|
||||||
- openstack-helm-infra-kubernetes-keystone-auth
|
- openstack-helm-infra-kubernetes-keystone-auth
|
||||||
|
- openstack-helm-infra-aio-podsecuritypolicy
|
||||||
periodic:
|
periodic:
|
||||||
jobs:
|
jobs:
|
||||||
- openstack-helm-infra-tenant-ceph
|
- openstack-helm-infra-tenant-ceph
|
||||||
|
Loading…
Reference in New Issue
Block a user