Apply PR " Enforce baseline Pod Security Standard with namespace labels" 68/74468/1
authorCédric Ollivier <cedric.ollivier@orange.com>
Fri, 12 Jan 2024 21:19:36 +0000 (22:19 +0100)
committerCédric Ollivier <cedric.ollivier@orange.com>
Fri, 12 Jan 2024 21:21:28 +0000 (22:21 +0100)
It is needed for any cluster where PodSecurityConfiguration enforces "restricted" [1].

[1] https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/

Change-Id: I9df12654d09390353a898030314a3fda9074b0d5
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
docker/core/Dockerfile
docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch [new file with mode: 0644]

index 83aecb3..388892d 100644 (file)
@@ -6,6 +6,7 @@ ARG OPNFV_TAG=master
 
 COPY Try-a-quick-fix-vs-asynchronuous-issues.patch /tmp/Try-a-quick-fix-vs-asynchronuous-issues.patch
 COPY Switch-to-threading.Thread-for-Rally-tasks.patch /tmp/Switch-to-threading.Thread-for-Rally-tasks.patch
+COPY Enforce-baseline-Pod-Security-Standard-with-namespac.patch /tmp/Enforce-baseline-Pod-Security-Standard-with-namespac.patch
 RUN apk -U upgrade && \
     apk --no-cache add --update python3 py3-pip py3-wheel bash git grep libffi openssl mailcap \
         libxml2 libxslt gcompat && \
@@ -35,14 +36,16 @@ RUN apk -U upgrade && \
         /src/functest-kubernetes && \
     (cd /src/rally && patch -p1 < /tmp/Switch-to-threading.Thread-for-Rally-tasks.patch) && \
     (cd /usr/lib/python3.10/site-packages/xrally_kubernetes/ && \
-        patch -p2 < /tmp/Try-a-quick-fix-vs-asynchronuous-issues.patch) && \
+        patch -p2 < /tmp/Try-a-quick-fix-vs-asynchronuous-issues.patch && \
+        patch -p2 < /tmp/Enforce-baseline-Pod-Security-Standard-with-namespac.patch) && \
     rm -rf /src/functest-kubernetes /tmp/Switch-to-threading.Thread-for-Rally-tasks.patch && \
     bash -c "mkdir -p /var/lib/xtesting /home/opnfv" && \
     ln -s /var/lib/xtesting /home/opnfv/functest && \
     mkdir -p /etc/rally && \
     printf "[database]\nconnection = 'sqlite:////var/lib/rally/database/rally.sqlite'" > /etc/rally/rally.conf && \
     mkdir -p /var/lib/rally/database && rally db create && \
-    rm -r /src/requirements/.git /tmp/Try-a-quick-fix-vs-asynchronuous-issues.patch && \
+    rm -r /src/requirements/.git /tmp/Try-a-quick-fix-vs-asynchronuous-issues.patch \
+        /tmp/Enforce-baseline-Pod-Security-Standard-with-namespac.patch && \
     addgroup -g 1000 xtesting && adduser -u 1000 -G xtesting -D xtesting && \
     mkdir -p /etc/xtesting && chown -R xtesting: /etc/xtesting /etc/rally && \
     mkdir -p /var/lib/xtesting/results && chown -R xtesting: /var/lib/xtesting /var/lib/rally && \
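Review bot: The `rm` extended at L38-L39 cannot reclaim the space taken by the new patch file, because the `COPY` at L20 already placed it in its own image layer; the removal only hides it in the final filesystem. The two pre-existing patches are handled the same way, so this is consistent with the file rather than a regression, but a short comment above the COPY lines would save the next reader from assuming the cleanup is effective, e.g. `# Patches land in their own COPY layer; the rm in the RUN below only hides them, it does not shrink the image`. If the build is known to run under BuildKit, a `RUN --mount=type=bind,...` of the patch directory would keep the files out of every layer, but nothing in the Dockerfile tells me whether BuildKit can be assumed. Applying both patches inside one subshell with `&&` (L27-L30) correctly aborts the build if either hunk fails to apply.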
diff --git a/docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch b/docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch
new file mode 100644 (file)
index 0000000..1a4cc1d
--- /dev/null
@@ -0,0 +1,39 @@
+From cf7998dc92bd9d0bcc99ee2c9a21b6c41d1b2750 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Ollivier?= <cedric.ollivier@orange.com>
+Date: Fri, 12 Jan 2024 21:16:54 +0100
+Subject: [PATCH] Enforce baseline Pod Security Standard with namespace labels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It allows running the xrally_kubernetes testcases vs clusters where
+PodSecurityConfiguration enforces "restricted" [1].
+
+Please note that Kubernetes.create_and_delete_pod_with_hostpath_volume
+even requests for privileged [2].
+
+[1] https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/
+[2] https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
+
+Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
+---
+ xrally_kubernetes/service.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xrally_kubernetes/service.py b/xrally_kubernetes/service.py
+index d38f84b..4f97550 100644
+--- a/xrally_kubernetes/service.py
++++ b/xrally_kubernetes/service.py
+@@ -238,7 +238,8 @@ class Kubernetes(service.Service):
+             "metadata": {
+                 "name": name,
+                 "labels": {
+-                    "role": name
++                    "role": name,
++                    "pod-security.kubernetes.io/enforce": "baseline"
+                 }
+             }
+         }
+-- 
+2.43.0
+
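Review bot: The label added at L80 sets `pod-security.kubernetes.io/enforce` without a companion `pod-security.kubernetes.io/enforce-version`, so the admission controller evaluates the namespace against the `latest` policy version and the accepted field set can shift when the cluster is upgraded; consider adding `"pod-security.kubernetes.io/enforce-version": "<tested-kubernetes-minor>"` next to it, or a comment stating that tracking `latest` is intentional. The baseline profile forbids hostPath volumes and privileged containers, so `create_and_delete_pod_with_hostpath_volume` (mentioned at L59-L60) will still be rejected in namespaces labelled this way — the description says it requests privileged, but could state explicitly that this testcase is expected to fail under the new label. The dict literal at L75-L83 is the tail of a method that starts outside the hunk (only the `class Kubernetes(service.Service)` context is visible), so I cannot tell from here whether every namespace the service creates receives this label or only those created by one caller.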