diff --git a/go.mod b/go.mod
index aebe124b011d..9ab88cc420ff 100644
--- a/go.mod
+++ b/go.mod
@@ -72,6 +72,7 @@ require (
 k8s.io/kubelet v0.23.0
 k8s.io/kubernetes v1.23.0
 k8s.io/legacy-cloud-providers v0.23.0
+ k8s.io/pod-security-admission v0.23.0
 k8s.io/utils v0.0.0-20211208161948-7d6a63dca704
 sigs.k8s.io/kustomize/kyaml v0.13.0
 sigs.k8s.io/yaml v1.2.0
diff --git a/test/extended/util/client.go b/test/extended/util/client.go
index 95c47dc49211..93b22100ed06 100644
--- a/test/extended/util/client.go
+++ b/test/extended/util/client.go
@@ -8,6 +8,7 @@ import (
 "fmt"
 "io"
 "io/ioutil"
+ "k8s.io/client-go/util/retry"
 "net"
 "net/http"
 "os"
@@ -62,6 +63,7 @@ import (
 watchtools "k8s.io/client-go/tools/watch"
 "k8s.io/client-go/util/flowcontrol"
 "k8s.io/kubernetes/test/e2e/framework"
+ admissionapi "k8s.io/pod-security-admission/api"
 )
 
 // CLI provides function to call the OpenShift CLI and Kubernetes and OpenShift
@@ -105,8 +107,17 @@ func NewCLIWithFramework(kubeFramework *framework.Framework) *CLI {
 return cli
 }
 
+// NewCLIWithPodSecurityLevel initializes the CLI the same way as `NewCLI()`
+// but the given pod security level is applied to the created e2e test namespace.
+func NewCLIWithPodSecurityLevel(project string, level admissionapi.Level) *CLI {
+ cli := NewCLI(project)
+ cli.kubeFramework.NamespacePodSecurityEnforceLevel = level
+ return cli
+}
+
 // NewCLI initializes the CLI and Kube framework helpers with the provided
 // namespace. Should be called outside of a Ginkgo .It() function.
+// This will apply the `restricted` pod security level to the given underlying namespace.
 func NewCLI(project string) *CLI {
 cli := NewCLIWithoutNamespace(project)
 cli.withoutNamespace = false
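Review bot: The comment added above `func NewCLI` states that the namespace gets the `restricted` pod security level, but the SetupProject hunk in this same commit replaces any non-empty NamespacePodSecurityEnforceLevel with `admissionapi.LevelPrivileged` (the `TODO(sur)` block), so test namespaces currently end up privileged, and the same happens to the level passed to NewCLIWithPodSecurityLevel. Documenting a stricter level than the one actually labelled is risky: a test author reading it would assume restricted-policy coverage that does not exist. Until that TODO is resolved, word both comments to match the code, e.g. `// Currently every e2e namespace is labelled with the privileged pod security level (see the TODO in SetupProject); restricted is the intended default.` on NewCLI, and note on NewCLIWithPodSecurityLevel that the given level is not yet honoured. NewCLI's body continues past the end of the hunk.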
@@ -288,6 +299,31 @@ func (c *CLI) SetupProject() string {
 })
 o.Expect(err).NotTo(o.HaveOccurred())
 
+ err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
+ // once permissions are settled the underlying namespace must have been created.
+ ns, err := c.AdminKubeClient().CoreV1().Namespaces().Get(context.Background(), newNamespace, metav1.GetOptions{})
+ if err != nil {
+ return err
+ }
+
+ if c.kubeFramework.NamespacePodSecurityEnforceLevel != "" {
+ // TODO(sur): set to restricted in a separate PR and fix failing tests
+ c.kubeFramework.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
+ }
+ if ns.Labels == nil {
+ ns.Labels = make(map[string]string)
+ }
+ ns.Labels[admissionapi.EnforceLevelLabel] = string(c.kubeFramework.NamespacePodSecurityEnforceLevel)
+ // In contrast to upstream, OpenShift sets a global default on warn and audit pod security levels.
+ // Since this would cause unwanted audit log and warning entries, we are setting the same level as for enforcement.
+ ns.Labels[admissionapi.WarnLevelLabel] = string(c.kubeFramework.NamespacePodSecurityEnforceLevel)
+ ns.Labels[admissionapi.AuditLevelLabel] = string(c.kubeFramework.NamespacePodSecurityEnforceLevel)
+
+ _, err = c.AdminKubeClient().CoreV1().Namespaces().Update(context.Background(), ns, metav1.UpdateOptions{})
+ return err
+ })
+ o.Expect(err).NotTo(o.HaveOccurred())
+
 // Wait for SAs and default dockercfg Secret to be injected
 // TODO: it would be nice to have a shared list but it is defined in at least 3 place,
 // TODO: some of them not even using the constants
diff --git a/vendor/modules.txt b/vendor/modules.txt
index cfb68e956c0e..c1027bc4c761 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
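Review bot: The `if c.kubeFramework.NamespacePodSecurityEnforceLevel != ""` block overrides every explicitly chosen level with `admissionapi.LevelPrivileged`, so a level passed through NewCLIWithPodSecurityLevel can never take effect, while an empty level is left alone and then written as `""` into the enforce, warn and audit labels, which is not a valid pod-security level name. If the downgrade is meant as a blanket interim measure, drop the condition and say so in the TODO; if explicit callers are meant to win, invert it to `== ""`. In both cases guard the label writes with a non-empty level, e.g. `if lvl := c.kubeFramework.NamespacePodSecurityEnforceLevel; lvl == "" { return fmt.Errorf("no pod security level configured for namespace %q", newNamespace) }` before the Labels block. Mutating c.kubeFramework inside the RetryOnConflict closure also repeats on every retry; hoisting the level into a local before the retry keeps the closure a plain read-modify-write of the namespace. SetupProject starts and ends outside the hunk.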
@@ -3103,7 +3103,8 @@ k8s.io/metrics/pkg/client/custom_metrics/scheme
 k8s.io/metrics/pkg/client/external_metrics
 # k8s.io/mount-utils v0.0.0 => github.com/openshift/kubernetes/staging/src/k8s.io/mount-utils v0.0.0-20220405131139-37c5e75b4e1e
 k8s.io/mount-utils
-# k8s.io/pod-security-admission v0.0.0 => github.com/openshift/kubernetes/staging/src/k8s.io/pod-security-admission v0.0.0-20220405131139-37c5e75b4e1e
+# k8s.io/pod-security-admission v0.23.0 => github.com/openshift/kubernetes/staging/src/k8s.io/pod-security-admission v0.0.0-20220405131139-37c5e75b4e1e
+## explicit
 k8s.io/pod-security-admission/admission
 k8s.io/pod-security-admission/admission/api
 k8s.io/pod-security-admission/admission/api/load