Enforce baseline Pod Security Standard

It allows running both security and ims testcases vs clusters
where PodSecurityConfiguration enforces "restricted" [1].

[1] https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/

Change-Id: I9eb420cbb695ec8fb002f25cfd3c96ab50118fcc
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>

diff --git a/functest_kubernetes/ims/ims.py b/functest_kubernetes/ims/ims.py
index 9a7c648..85b412f 100644 (file)
--- a/functest_kubernetes/ims/ims.py
+++ b/functest_kubernetes/ims/ims.py
@@ -68,7 +68,8 @@ class Vims(testcase.TestCase):  # pylint: disable=too-many-instance-attributes
         """
         api_response = self.corev1.create_namespace(
             client.V1Namespace(metadata=client.V1ObjectMeta(
-                generate_name=self.ns_generate_name)))
+                generate_name=self.ns_generate_name,
+                labels={"pod-security.kubernetes.io/enforce": "baseline"})))
         self.namespace = api_response.metadata.name
         self.__logger.debug("create_namespace: %s", api_response)
         self.zone = f'{self.namespace}.svc.cluster.local'

diff --git a/functest_kubernetes/security/security.py b/functest_kubernetes/security/security.py
index f03845a..997a0b7 100644 (file)
--- a/functest_kubernetes/security/security.py
+++ b/functest_kubernetes/security/security.py
@@ -61,7 +61,8 @@ class SecurityTesting(testcase.TestCase):
         assert self.job_name
         api_response = self.corev1.create_namespace(
             client.V1Namespace(metadata=client.V1ObjectMeta(
-                generate_name=self.ns_generate_name)))
+                generate_name=self.ns_generate_name,
+                labels={"pod-security.kubernetes.io/enforce": "baseline"})))
         self.namespace = api_response.metadata.name
         self.__logger.debug("create_namespace: %s", api_response)
         with open(pkg_resources.resource_filename(