154f1700b1
Provide support to add annotations to the podsecuritypolicy. This will allow to add annotations related to seccomp and apparmor in psp. Change-Id: I78718ae1f60e8ebee8ac8ba86145bb9ae26491d5
74 lines
2.0 KiB
Bash
Executable File
74 lines
2.0 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Copyright 2017 The Openstack-Helm Authors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
set -xe
|
|
|
|
#NOTE: Lint and package chart
|
|
make podsecuritypolicy
|
|
|
|
#NOTE: Create a privileged pod to test with
|
|
tee /tmp/psp-test-pod.yaml << EOF
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: psp-test
|
|
spec:
|
|
hostNetwork: true
|
|
containers:
|
|
- name: psp-test
|
|
image: na
|
|
EOF
|
|
|
|
#NOTE: Deploy with host networking off, and test for failure
|
|
helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
|
|
--namespace=kube-system \
|
|
--set data.psp-default.spec.hostNetwork=false \
|
|
${OSH_INFRA_EXTRA_HELM_ARGS} \
|
|
${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
|
|
|
|
#NOTE: Wait for deploy
|
|
./tools/deployment/common/wait-for-pods.sh kube-system
|
|
|
|
#NOTE: Display info
|
|
helm status podsecuritypolicy
|
|
|
|
# Test that host networking is disallowed
|
|
if kubectl apply -f /tmp/psp-test-pod.yaml; then
|
|
echo "ERROR: podsecuritypolicy incorrectly admitted a privileged pod"
|
|
kubectl delete pod psp-test
|
|
exit 1
|
|
else
|
|
echo "Failure above is expected. Continuing."
|
|
fi
|
|
|
|
#NOTE: Deploy with host networking on, and test for success
|
|
helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
|
|
--namespace=kube-system \
|
|
--set data.psp-default.spec.hostNetwork=true \
|
|
${OSH_INFRA_EXTRA_HELM_ARGS} \
|
|
${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
|
|
|
|
#NOTE: Wait for deploy
|
|
./tools/deployment/common/wait-for-pods.sh kube-system
|
|
|
|
#NOTE: Display info
|
|
helm status podsecuritypolicy
|
|
|
|
# Test that host networking is allowed
|
|
kubectl apply -f /tmp/psp-test-pod.yaml
|
|
|
|
kubectl delete pod psp-test
|