Merge "Add podsecuritypolicy test"

tools/deployment/podsecuritypolicy/000-install-packages.sh

@@ -0,0 +1 @@
+../common/000-install-packages.sh

tools/deployment/podsecuritypolicy/005-deploy-k8s.sh

@@ -0,0 +1 @@
+../common/005-deploy-k8s.sh

tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+# Copyright 2019, AT&T Intellectual Property
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+
+# This restarts minikube with podsecuritypolicy admission controller enabled
+sudo -E minikube stop
+sleep 10
+sudo -E minikube start \
+  --docker-env HTTP_PROXY="${HTTP_PROXY}" \
+  --docker-env HTTPS_PROXY="${HTTPS_PROXY}" \
+  --docker-env NO_PROXY="${NO_PROXY},10.96.0.0/12" \
+  --extra-config=kubelet.network-plugin=cni \
+  --extra-config=controller-manager.allocate-node-cidrs=true \
+  --extra-config=controller-manager.cluster-cidr=192.168.0.0/16 \
+  --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy
+
+# NOTE: Wait for node to be ready.
+kubectl wait --timeout=240s --for=condition=Ready nodes/minikube
+
+kubectl --namespace=kube-system wait \
+  --timeout=240s \
+  --for=condition=Ready \
+  pod -l app=helm,name=tiller
+

tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+
+#NOTE: Lint and package chart
+make podsecuritypolicy
+
+#NOTE: Create a privileged pod to test with
+tee /tmp/psp-test-pod.yaml << EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: psp-test
+spec:
+  hostNetwork: true
+  containers:
+  - name: psp-test
+    image: na
+EOF
+
+#NOTE: Deploy with host networking off, and test for failure
+helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
+  --namespace=kube-system \
+  --set data.psp-default.hostNetwork=false \
+  ${OSH_INFRA_EXTRA_HELM_ARGS} \
+  ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh kube-system
+
+#NOTE: Display info
+helm status podsecuritypolicy
+
+# Test that host networking is disallowed
+if kubectl apply -f /tmp/psp-test-pod.yaml; then
+  echo "ERROR: podsecuritypolicy incorrectly admitted a privileged pod"
+  kubectl delete pod psp-test
+  exit 1
+fi
+
+#NOTE: Deploy with host networking on, and test for success
+helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
+  --namespace=kube-system \
+  --set data.psp-default.hostNetwork=true \
+  ${OSH_INFRA_EXTRA_HELM_ARGS} \
+  ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh kube-system
+
+#NOTE: Display info
+helm status podsecuritypolicy
+
+# Test that host networking is allowed
+kubectl apply -f /tmp/psp-test-pod.yaml
+
+kubectl delete pod psp-test

zuul.d/jobs.yaml

@@ -355,3 +355,20 @@
     run: playbooks/osh-infra-airship-divingbell-check.yaml
     required-projects:
       - openstack/airship-divingbell
+
+- job:
+    name: openstack-helm-infra-aio-podsecuritypolicy
+    parent: openstack-helm-infra-functional
+    timeout: 7200
+    pre-run:
+      - playbooks/osh-infra-upgrade-host.yaml
+    run: playbooks/osh-infra-gate-runner.yaml
+    post-run: playbooks/osh-infra-collect-logs.yaml
+    nodeset: openstack-helm-single-node
+    vars:
+      gate_scripts:
+        - ./tools/deployment/podsecuritypolicy/000-install-packages.sh
+        - ./tools/deployment/podsecuritypolicy/005-deploy-k8s.sh
+        - ./tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh
+        - ./tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh
+

zuul.d/project.yaml

@@ -29,6 +29,7 @@
         # override functionality
         - openstack-helm-infra-airship-divingbell:
             voting: false
+        - openstack-helm-infra-aio-podsecuritypolicy
     gate:
       jobs:
         - openstack-helm-lint
@@ -36,6 +37,7 @@
         - openstack-helm-infra-aio-monitoring
         - openstack-helm-infra-openstack-support
         - openstack-helm-infra-kubernetes-keystone-auth
+        - openstack-helm-infra-aio-podsecuritypolicy
     periodic:
       jobs:
         - openstack-helm-infra-tenant-ceph