diff --git a/tools/deployment/podsecuritypolicy/000-install-packages.sh b/tools/deployment/podsecuritypolicy/000-install-packages.sh
new file mode 120000
index 000000000..d702c4899
--- /dev/null
+++ b/tools/deployment/podsecuritypolicy/000-install-packages.sh
@@ -0,0 +1 @@
+../common/000-install-packages.sh
\ No newline at end of file
diff --git a/tools/deployment/podsecuritypolicy/005-deploy-k8s.sh b/tools/deployment/podsecuritypolicy/005-deploy-k8s.sh
new file mode 120000
index 000000000..257a39f7a
--- /dev/null
+++ b/tools/deployment/podsecuritypolicy/005-deploy-k8s.sh
@@ -0,0 +1 @@
+../common/005-deploy-k8s.sh
\ No newline at end of file
diff --git a/tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh b/tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh
new file mode 100755
index 000000000..ed2ea7f59
--- /dev/null
+++ b/tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+# Copyright 2019, AT&T Intellectual Property
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -xe
+
+# This restarts minikube with podsecuritypolicy admission controller enabled
+sudo -E minikube stop
+sleep 10
+sudo -E minikube start \
+ --docker-env HTTP_PROXY="${HTTP_PROXY}" \
+ --docker-env HTTPS_PROXY="${HTTPS_PROXY}" \
+ --docker-env NO_PROXY="${NO_PROXY},10.96.0.0/12" \
+ --extra-config=kubelet.network-plugin=cni \
+ --extra-config=controller-manager.allocate-node-cidrs=true \
+ --extra-config=controller-manager.cluster-cidr=192.168.0.0/16 \
+ --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy
+
+# NOTE: Wait for node to be ready.
+kubectl wait --timeout=240s --for=condition=Ready nodes/minikube
+
+kubectl --namespace=kube-system wait \
+ --timeout=240s \
+ --for=condition=Ready \
+ pod -l app=helm,name=tiller
+
diff --git a/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh b/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh
new file mode 100755
index 000000000..1aed98a62
--- /dev/null
+++ b/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh
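Review bot: With `set -xe` in force, the expanded `--docker-env HTTP_PROXY="${HTTP_PROXY}"` and `HTTPS_PROXY` arguments to `sudo -E minikube start` are echoed verbatim into the gate log, so a proxy URL that embeds credentials (`http://user:pass@proxy:3128`) is disclosed to anyone who can read the job output. Either bracket that command with `set +x` / `set -x`, or state in the header comment that the proxy variables consumed here must never carry credentials. Separately, the script turns on the PodSecurityPolicy admission plugin while no policy or RBAC binding exists yet; the trailing `kubectl wait` on tiller presumably succeeds only because that pod object survives the minikube restart, so a comment such as `# No PSP exists until 007-podsecuritypolicy.sh runs: any pod (re)created before then is rejected by admission` would stop a later reordering of the gate scripts from failing in a confusing way. The `sleep 10` after `minikube stop` is an unexplained fixed delay and deserves a one-line comment saying what it waits for.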
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -xe
+
+#NOTE: Lint and package chart
+make podsecuritypolicy
+
+#NOTE: Create a privileged pod to test with
+tee /tmp/psp-test-pod.yaml << EOF
+apiVersion: v1
+kind: Pod
+metadata:
+ name: psp-test
+spec:
+ hostNetwork: true
+ containers:
+ - name: psp-test
+ image: na
+EOF
+
+#NOTE: Deploy with host networking off, and test for failure
+helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
+ --namespace=kube-system \
+ --set data.psp-default.hostNetwork=false \
+ ${OSH_INFRA_EXTRA_HELM_ARGS} \
+ ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh kube-system
+
+#NOTE: Display info
+helm status podsecuritypolicy
+
+# Test that host networking is disallowed
+if kubectl apply -f /tmp/psp-test-pod.yaml; then
+ echo "ERROR: podsecuritypolicy incorrectly admitted a privileged pod"
+ kubectl delete pod psp-test
+ exit 1
+fi
+
+#NOTE: Deploy with host networking on, and test for success
+helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
+ --namespace=kube-system \
+ --set data.psp-default.hostNetwork=true \
+ ${OSH_INFRA_EXTRA_HELM_ARGS} \
+ ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh kube-system
+
+#NOTE: Display info
+helm status podsecuritypolicy
+
+# Test that host networking is allowed
+kubectl apply -f /tmp/psp-test-pod.yaml
+
+kubectl delete pod psp-test
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index efb958d8e..e74c8542b 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -355,3 +355,20 @@
 run: playbooks/osh-infra-airship-divingbell-check.yaml
 required-projects:
 - openstack/airship-divingbell
+
+- job:
+ name: openstack-helm-infra-aio-podsecuritypolicy
+ parent: openstack-helm-infra-functional
+ timeout: 7200
+ pre-run:
+ - playbooks/osh-infra-upgrade-host.yaml
+ run: playbooks/osh-infra-gate-runner.yaml
+ post-run: playbooks/osh-infra-collect-logs.yaml
+ nodeset: openstack-helm-single-node
+ vars:
+ gate_scripts:
+ - ./tools/deployment/podsecuritypolicy/000-install-packages.sh
+ - ./tools/deployment/podsecuritypolicy/005-deploy-k8s.sh
+ - ./tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh
+ - ./tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh
+
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 669fb3cb6..576bd142d 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -29,6 +29,7 @@
 # override functionality
 - openstack-helm-infra-airship-divingbell:
 voting: false
+ - openstack-helm-infra-aio-podsecuritypolicy
 gate:
 jobs:
 - openstack-helm-lint
@@ -36,6 +37,7 @@
 - openstack-helm-infra-aio-monitoring
 - openstack-helm-infra-openstack-support
 - openstack-helm-infra-kubernetes-keystone-auth
+ - openstack-helm-infra-aio-podsecuritypolicy
 periodic:
 jobs:
 - openstack-helm-infra-tenant-ceph
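Review bot: The denial check `if kubectl apply -f /tmp/psp-test-pod.yaml; then ... fi` treats any failure of `kubectl apply` as a successful PodSecurityPolicy rejection, so an unreachable API server, an RBAC error or a malformed manifest would make the gate report the policy as enforced when admission was never exercised. Capture the error and require the admission reason: replace the `if` line with `if out=$(kubectl apply -f /tmp/psp-test-pod.yaml 2>&1); then` and add `grep -q 'unable to validate against any pod security policy' <<<"${out}"` after `fi` (that is the rejection text the PSP admission controller emits; confirm it against the Kubernetes version minikube deploys here). The manifest is also written with `tee` to the fixed path `/tmp/psp-test-pod.yaml`, which follows a pre-planted symlink on a shared host and is never removed; `psp_test_pod=$(mktemp)` plus a cleanup `trap` would address both. Finally, the message `incorrectly admitted a privileged pod` overstates what is tested, since the pod only requests `hostNetwork: true` and not `privileged: true`; `incorrectly admitted a hostNetwork pod` matches the check.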