From 84333745e2de4b946d6c33361ad6ac4bae5cbfdc Mon Sep 17 00:00:00 2001 From: Matt McEuen Date: Tue, 19 Feb 2019 20:10:00 -0600 Subject: [PATCH] Add podsecuritypolicy test This adds a test for the podsecuritypolicy chart, as well as a script to reconfigure minikube with PodSecurityPolity enabled when appropriate. This change doesn't add the PSP chart to the existing tests, because the psp chart will have secure defaults in the future, which may interfere with other charts by default; and it doesn't enable the admission controller broadly, because turning the AC on without providing a podsecuritypolicy will break k8s functionality. Change-Id: I9fd14bb118189cd4ead177b79e39aadbc2096b4a --- .../podsecuritypolicy/000-install-packages.sh | 1 + .../podsecuritypolicy/005-deploy-k8s.sh | 1 + .../podsecuritypolicy/006-config-k8s-psp.sh | 39 ++++++++++ .../007-podsecuritypolicy.sh | 71 +++++++++++++++++++ zuul.d/jobs.yaml | 17 +++++ zuul.d/project.yaml | 2 + 6 files changed, 131 insertions(+) create mode 120000 tools/deployment/podsecuritypolicy/000-install-packages.sh create mode 120000 tools/deployment/podsecuritypolicy/005-deploy-k8s.sh create mode 100755 tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh create mode 100755 tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh diff --git a/tools/deployment/podsecuritypolicy/000-install-packages.sh b/tools/deployment/podsecuritypolicy/000-install-packages.sh new file mode 120000 index 000000000..d702c4899 --- /dev/null +++ b/tools/deployment/podsecuritypolicy/000-install-packages.sh @@ -0,0 +1 @@ +../common/000-install-packages.sh \ No newline at end of file diff --git a/tools/deployment/podsecuritypolicy/005-deploy-k8s.sh b/tools/deployment/podsecuritypolicy/005-deploy-k8s.sh new file mode 120000 index 000000000..257a39f7a --- /dev/null +++ b/tools/deployment/podsecuritypolicy/005-deploy-k8s.sh @@ -0,0 +1 @@ +../common/005-deploy-k8s.sh \ No newline at end of file 
diff --git a/tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh b/tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh
new file mode 100755
index 000000000..ed2ea7f59
--- /dev/null
+++ b/tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+# Copyright 2019, AT&T Intellectual Property
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -xe
+
+# This restarts minikube with podsecuritypolicy admission controller enabled
+sudo -E minikube stop
+sleep 10
+sudo -E minikube start \
+ --docker-env HTTP_PROXY="${HTTP_PROXY}" \
+ --docker-env HTTPS_PROXY="${HTTPS_PROXY}" \
+ --docker-env NO_PROXY="${NO_PROXY},10.96.0.0/12" \
+ --extra-config=kubelet.network-plugin=cni \
+ --extra-config=controller-manager.allocate-node-cidrs=true \
+ --extra-config=controller-manager.cluster-cidr=192.168.0.0/16 \
+ --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy
+
+# NOTE: Wait for node to be ready.
+kubectl wait --timeout=240s --for=condition=Ready nodes/minikube
+
+kubectl --namespace=kube-system wait \
+ --timeout=240s \
+ --for=condition=Ready \
+ pod -l app=helm,name=tiller
+
diff --git a/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh b/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh
new file mode 100755
index 000000000..1aed98a62
--- /dev/null
+++ b/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh
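Review bot: The `--extra-config` values given to `minikube start` (cni network plugin, allocate-node-cidrs, cluster-cidr) presumably re-state what `../common/005-deploy-k8s.sh` used when the cluster was first created, but nothing in this hunk ties the two together, so a later change to the common script would leave this restart bringing the cluster back with a different network configuration and the PSP test failing for an unrelated reason. Suggest `# NOTE: keep these --extra-config values in sync with tools/deployment/common/005-deploy-k8s.sh` above the `sudo -E minikube start \` line. Separately, `set -xe` traces every expanded argument, so the `HTTP_PROXY`/`HTTPS_PROXY` values are written into the gate log; if those URLs can carry credentials in any target environment, bracket the `minikube start` invocation with `set +x` / `set -x`.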
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -xe
+
+#NOTE: Lint and package chart
+make podsecuritypolicy
+
+#NOTE: Create a privileged pod to test with
+tee /tmp/psp-test-pod.yaml << EOF
+apiVersion: v1
+kind: Pod
+metadata:
+ name: psp-test
+spec:
+ hostNetwork: true
+ containers:
+ - name: psp-test
+ image: na
+EOF
+
+#NOTE: Deploy with host networking off, and test for failure
+helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
+ --namespace=kube-system \
+ --set data.psp-default.hostNetwork=false \
+ ${OSH_INFRA_EXTRA_HELM_ARGS} \
+ ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh kube-system
+
+#NOTE: Display info
+helm status podsecuritypolicy
+
+# Test that host networking is disallowed
+if kubectl apply -f /tmp/psp-test-pod.yaml; then
+ echo "ERROR: podsecuritypolicy incorrectly admitted a privileged pod"
+ kubectl delete pod psp-test
+ exit 1
+fi
+
+#NOTE: Deploy with host networking on, and test for success
+helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
+ --namespace=kube-system \
+ --set data.psp-default.hostNetwork=true \
+ ${OSH_INFRA_EXTRA_HELM_ARGS} \
+ ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh kube-system
+
+#NOTE: Display info
+helm status podsecuritypolicy
+
+# Test that host networking is allowed
+kubectl apply -f /tmp/psp-test-pod.yaml
+
+kubectl delete pod psp-test
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index efb958d8e..e74c8542b 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -355,3 +355,20 @@
 run: playbooks/osh-infra-airship-divingbell-check.yaml
 required-projects:
 - openstack/airship-divingbell
+
+- job:
+ name: openstack-helm-infra-aio-podsecuritypolicy
+ parent: openstack-helm-infra-functional
+ timeout: 7200
+ pre-run:
+ - playbooks/osh-infra-upgrade-host.yaml
+ run: playbooks/osh-infra-gate-runner.yaml
+ post-run: playbooks/osh-infra-collect-logs.yaml
+ nodeset: openstack-helm-single-node
+ vars:
+ gate_scripts:
+ - ./tools/deployment/podsecuritypolicy/000-install-packages.sh
+ - ./tools/deployment/podsecuritypolicy/005-deploy-k8s.sh
+ - ./tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh
+ - ./tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh
+
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 669fb3cb6..576bd142d 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -29,6 +29,7 @@
 # override functionality
 - openstack-helm-infra-airship-divingbell:
 voting: false
+ - openstack-helm-infra-aio-podsecuritypolicy
 gate:
 jobs:
 - openstack-helm-lint
@@ -36,6 +37,7 @@
 - openstack-helm-infra-aio-monitoring
 - openstack-helm-infra-openstack-support
 - openstack-helm-infra-kubernetes-keystone-auth
+ - openstack-helm-infra-aio-podsecuritypolicy
 periodic:
 jobs:
 - openstack-helm-infra-tenant-ceph
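Review bot: The negative check at `if kubectl apply -f /tmp/psp-test-pod.yaml; then` treats any non-zero exit from `kubectl apply` as proof that the policy denied the pod, so a malformed manifest, an unreachable apiserver or a `psp-default` that was never created would all let the "disallowed" case pass without the admission controller having rejected anything. Capture the command's output and require that the failure is a PodSecurityPolicy rejection (the apiserver's wording is along the lines of `unable to validate against any pod security policy`), failing the script on any other error. The comment `#NOTE: Create a privileged pod to test with` also overstates the manifest, which only sets `hostNetwork: true`; `#NOTE: Create a hostNetwork pod to test with` is more accurate. Writing the manifest to a fixed `/tmp/psp-test-pod.yaml` is acceptable on a single-use gate node, but `mktemp` would avoid clobbering if the script is ever run by hand.
```shell
# Test that host networking is disallowed
if out=$(kubectl apply -f /tmp/psp-test-pod.yaml 2>&1); then
  echo "ERROR: podsecuritypolicy incorrectly admitted a privileged pod"
  kubectl delete pod psp-test
  exit 1
fi
# A failure for any reason other than PSP denial must not count as a pass
if ! grep -q "pod security policy" <<<"$out"; then
  echo "ERROR: kubectl apply failed for a reason other than PSP denial: ${out}"
  exit 1
fi
# … unchanged: second deploy with hostNetwork=true and the positive test …
```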
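Review bot: The new `- openstack-helm-infra-aio-podsecuritypolicy` entry is voting in check from its first landing, and the `@@ -36,6 +37,7 @@` hunk also adds it to gate, whereas the neighbouring `openstack-helm-infra-airship-divingbell` entry in this hunk's context is explicitly `voting: false`. This job restarts minikube with a newly enabled admission plugin (006-config-k8s-psp.sh in the same change), so an environment flake there would block every merge in the repository. Consider landing it as `- openstack-helm-infra-aio-podsecuritypolicy:` / `voting: false` in check and leaving it out of gate until it has run stably for a while.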