Add podsecuritypolicy test

This adds a test for the podsecuritypolicy chart, as well as a script
to reconfigure minikube with PodSecurityPolicy admission enabled when appropriate.

This change doesn't add the PSP chart to the existing tests, because
the psp chart will have secure defaults in the future, which may
interfere with other charts by default; and it doesn't enable the
admission controller broadly, because turning the AC on without
providing a podsecuritypolicy will break k8s functionality.

Change-Id: I9fd14bb118189cd4ead177b79e39aadbc2096b4a
Matt McEuen 2019-02-19 20:10:00 -06:00
parent 0f176e2455
commit 84333745e2
6 changed files with 131 additions and 0 deletions


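--- /dev/null
+++ b/tools/deployment/podsecuritypolicy/000-install-packages.sh
@@ -0,0 +1 @@
+../common/000-install-packages.sh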


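--- /dev/null
+++ b/tools/deployment/podsecuritypolicy/005-deploy-k8s.sh
@@ -0,0 +1 @@
+../common/005-deploy-k8s.sh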


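--- /dev/null
+++ b/tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+# Copyright 2017 The Openstack-Helm Authors.
+# Copyright 2019, AT&T Intellectual Property
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+set -xe
+# This restarts minikube with podsecuritypolicy admission controller enabled
+sudo -E minikube stop
+sleep 10
+sudo -E minikube start \
+--docker-env HTTP_PROXY="${HTTP_PROXY}" \
+--docker-env HTTPS_PROXY="${HTTPS_PROXY}" \
+--docker-env NO_PROXY="${NO_PROXY},10.96.0.0/12" \
+--extra-config=kubelet.network-plugin=cni \
+--extra-config=controller-manager.allocate-node-cidrs=true \
+--extra-config=controller-manager.cluster-cidr=192.168.0.0/16 \
+--extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy
+# NOTE: Wait for node to be ready.
+kubectl wait --timeout=240s --for=condition=Ready nodes/minikube
+kubectl --namespace=kube-system wait \
+--timeout=240s \
+--for=condition=Ready \
+pod -l app=helm,name=tiller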
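Review bot: The restart enables the PodSecurityPolicy admission plugin before any PodSecurityPolicy object exists, so from this point until the chart in the next gate step creates one, no new pod can be admitted — the two `kubectl wait` calls only succeed because the node and the tiller pod already exist, and the script does not say so. A comment would make that ordering dependency explicit: `# NOTE: No PSP exists yet, so no new pod will be admitted until 007-podsecuritypolicy.sh installs the chart; only pre-existing objects (node, tiller) are waited on here.` The other `--extra-config` and `--docker-env` flags presumably mirror the initial `minikube start` in `../common/005-deploy-k8s.sh`, which is not shown; if so, `# Keep these flags in sync with ../common/005-deploy-k8s.sh` would help the next person who changes one and not the other. The hard-coded `sleep 10` after `minikube stop` could be replaced by polling `minikube status`, but that is minor.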


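--- /dev/null
+++ b/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+set -xe
+#NOTE: Lint and package chart
+make podsecuritypolicy
+#NOTE: Create a privileged pod to test with
+tee /tmp/psp-test-pod.yaml << EOF
+apiVersion: v1
+kind: Pod
+metadata:
+name: psp-test
+spec:
+hostNetwork: true
+containers:
+- name: psp-test
+image: na
+EOF
+#NOTE: Deploy with host networking off, and test for failure
+helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
+--namespace=kube-system \
+--set data.psp-default.hostNetwork=false \
+${OSH_INFRA_EXTRA_HELM_ARGS} \
+${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh kube-system
+#NOTE: Display info
+helm status podsecuritypolicy
+# Test that host networking is disallowed
+if kubectl apply -f /tmp/psp-test-pod.yaml; then
+echo "ERROR: podsecuritypolicy incorrectly admitted a privileged pod"
+kubectl delete pod psp-test
+exit 1
+fi
+#NOTE: Deploy with host networking on, and test for success
+helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
+--namespace=kube-system \
+--set data.psp-default.hostNetwork=true \
+${OSH_INFRA_EXTRA_HELM_ARGS} \
+${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh kube-system
+#NOTE: Display info
+helm status podsecuritypolicy
+# Test that host networking is allowed
+kubectl apply -f /tmp/psp-test-pod.yaml
+kubectl delete pod psp-test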
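Review bot: The negative test `if kubectl apply -f /tmp/psp-test-pod.yaml; then … exit 1; fi` passes whenever the apply fails for any reason — an unreachable API server, a malformed manifest, a typo in the path — so a broken PSP admission controller would still be reported as "host networking correctly denied". Because `set -e` does not apply inside an `if` condition, nothing else catches such a failure either. The check should capture the apply output and additionally assert that the rejection came from PSP admission (the server's Forbidden message contains "pod security policy"; the exact wording should be confirmed against the gate's Kubernetes version). The positive test at the end also silently relies on the identity `kubectl` runs as having `use` on the chart's PSP, which holds for minikube's admin credentials but not for an arbitrary ServiceAccount — worth a one-line comment. `/tmp/psp-test-pod.yaml` is a predictable temp path; `mktemp` would be the usual choice, though on a single-use gate node this is minor.
```shell
# … unchanged: chart deploy with hostNetwork=false, wait-for-pods, helm status …
# Test that host networking is disallowed, and that the rejection really came
# from the PSP admission controller rather than from an unrelated failure.
set +e
apply_out=$(kubectl apply -f /tmp/psp-test-pod.yaml 2>&1)
apply_rc=$?
set -e
if [ "${apply_rc}" -eq 0 ]; then
  echo "ERROR: podsecuritypolicy incorrectly admitted a privileged pod"
  kubectl delete pod psp-test
  exit 1
fi
# Denial text as emitted by the PSP admission plugin; confirm against the
# gate's kubernetes version if this ever starts failing.
if ! printf '%s\n' "${apply_out}" | grep -qi 'pod security policy'; then
  echo "ERROR: kubectl apply failed for a reason other than PSP denial:"
  printf '%s\n' "${apply_out}"
  exit 1
fi
# … unchanged: redeploy with hostNetwork=true and positive test …
```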


@ -355,3 +355,20 @@
run: playbooks/osh-infra-airship-divingbell-check.yaml run: playbooks/osh-infra-airship-divingbell-check.yaml
required-projects: required-projects:
- openstack/airship-divingbell - openstack/airship-divingbell
- job:
name: openstack-helm-infra-aio-podsecuritypolicy
parent: openstack-helm-infra-functional
timeout: 7200
pre-run:
- playbooks/osh-infra-upgrade-host.yaml
run: playbooks/osh-infra-gate-runner.yaml
post-run: playbooks/osh-infra-collect-logs.yaml
nodeset: openstack-helm-single-node
vars:
gate_scripts:
- ./tools/deployment/podsecuritypolicy/000-install-packages.sh
- ./tools/deployment/podsecuritypolicy/005-deploy-k8s.sh
- ./tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh
- ./tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh


@ -29,6 +29,7 @@
# override functionality # override functionality
- openstack-helm-infra-airship-divingbell: - openstack-helm-infra-airship-divingbell:
voting: false voting: false
- openstack-helm-infra-aio-podsecuritypolicy
gate: gate:
jobs: jobs:
- openstack-helm-lint - openstack-helm-lint
@ -36,6 +37,7 @@
- openstack-helm-infra-aio-monitoring - openstack-helm-infra-aio-monitoring
- openstack-helm-infra-openstack-support - openstack-helm-infra-openstack-support
- openstack-helm-infra-kubernetes-keystone-auth - openstack-helm-infra-kubernetes-keystone-auth
- openstack-helm-infra-aio-podsecuritypolicy
periodic: periodic:
jobs: jobs:
- openstack-helm-infra-tenant-ceph - openstack-helm-infra-tenant-ceph
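Review bot: The new `openstack-helm-infra-aio-podsecuritypolicy` job is added to both the check and the gate pipelines as voting in the same change that introduces it, even though it restarts minikube mid-run and has never been exercised in CI. The neighbouring `openstack-helm-infra-airship-divingbell` entry shows the project's pattern for this: list it in check with `voting: false` first and leave it out of gate until it has proven stable, e.g. `- openstack-helm-infra-aio-podsecuritypolicy:` / `voting: false`. Whether the other gate jobs went through that staging is not visible here, so this is a suggestion rather than a blocker.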