Posted to commits@camel.apache.org by pc...@apache.org on 2023/10/04 10:13:47 UTC
[camel-k] branch main updated: fix(e2e): Add installation with helm,kustomize,olm securityContext restricted validation
This is an automated email from the ASF dual-hosted git repository.
pcongiusti pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git
The following commit(s) were added to refs/heads/main by this push:
new dc25083a4 fix(e2e): Add installation with helm,kustomize,olm securityContext restricted validation
dc25083a4 is described below
commit dc25083a4e1431074950d716bfff5e8bb16648ca
Author: Gaelle Fournier <ga...@gmail.com>
AuthorDate: Tue Oct 3 11:04:49 2023 +0200
fix(e2e): Add installation with helm,kustomize,olm securityContext restricted validation
---
e2e/install/cli/install_test.go | 15 ++++++---------
e2e/install/helm/setup_test.go | 8 ++++++++
e2e/install/kustomize/operator_test.go | 9 +++++++++
e2e/install/olm/olm_install_test.go | 8 ++++++++
e2e/support/test_support.go | 10 ++++++++++
5 files changed, 41 insertions(+), 9 deletions(-)
diff --git a/e2e/install/cli/install_test.go b/e2e/install/cli/install_test.go
index 01a4d4636..5d58a6575 100644
--- a/e2e/install/cli/install_test.go
+++ b/e2e/install/cli/install_test.go
@@ -55,15 +55,12 @@ func TestBasicInstallation(t *testing.T) {
Eventually(PlatformConditionStatus(ns, v1.IntegrationPlatformConditionTypeCreated), TestTimeoutShort).
Should(Equal(corev1.ConditionTrue))
- // Check if default security context has been applyed
- Eventually(OperatorPodHas(ns, func(pod *corev1.Pod) bool {
- if pod.Spec.Containers == nil || len(pod.Spec.Containers) == 0 {
- return false
- }
- // exclude user for openshift
- pod.Spec.Containers[0].SecurityContext.RunAsUser = nil
- return reflect.DeepEqual(pod.Spec.Containers[0].SecurityContext, kubernetes.DefaultOperatorSecurityContext())
- }), TestTimeoutShort).Should(BeTrue())
+ // Check if restricted security context has been applyed
+ operatorPod := OperatorPod(ns)()
+ Expect(operatorPod.Spec.Containers[0].SecurityContext.RunAsNonRoot).To(Equal(kubernetes.DefaultOperatorSecurityContext().RunAsNonRoot))
+ Expect(operatorPod.Spec.Containers[0].SecurityContext.Capabilities).To(Equal(kubernetes.DefaultOperatorSecurityContext().Capabilities))
+ Expect(operatorPod.Spec.Containers[0].SecurityContext.SeccompProfile).To(Equal(kubernetes.DefaultOperatorSecurityContext().SeccompProfile))
+ Expect(operatorPod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation).To(Equal(kubernetes.DefaultOperatorSecurityContext().AllowPrivilegeEscalation))
t.Run("run yaml", func(t *testing.T) {
Expect(KamelRunWithID(operatorID, ns, "files/yaml.yaml").Execute()).To(Succeed())
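Review bot: The new check dereferences `operatorPod.Spec.Containers[0].SecurityContext` from a single `OperatorPod(ns)()` call, so a pod that is not listed yet, has no containers, or carries a nil SecurityContext panics the test instead of failing an assertion; the removed block at least checked for an empty container list and retried under `Eventually`. The same five lines are repeated in the helm, kustomize and OLM hunks below. Polling through the helper this commit adds would cover it: `Eventually(OperatorPodSecurityContext(ns), TestTimeoutShort).ShouldNot(BeNil())`, then `sc := OperatorPodSecurityContext(ns)()` and the four `Expect(sc.…)` comparisons. Comparing only RunAsNonRoot, Capabilities, SeccompProfile and AllowPrivilegeEscalation also no longer notices an install method that sets `Privileged` or another field outside the restricted profile, which the old DeepEqual did; an explicit assertion on `Privileged` would keep that coverage. TestBasicInstallation continues outside the hunk.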
diff --git a/e2e/install/helm/setup_test.go b/e2e/install/helm/setup_test.go
index d4441578a..82de1395a 100644
--- a/e2e/install/helm/setup_test.go
+++ b/e2e/install/helm/setup_test.go
@@ -32,6 +32,7 @@ import (
. "github.com/apache/camel-k/v2/e2e/support"
"github.com/apache/camel-k/v2/pkg/util/defaults"
+ "github.com/apache/camel-k/v2/pkg/util/kubernetes"
. "github.com/onsi/gomega"
)
@@ -63,6 +64,13 @@ func TestHelmInstallRunUninstall(t *testing.T) {
Eventually(OperatorPod(ns)).ShouldNot(BeNil())
+ // Check if restricted security context has been applyed
+ operatorPod := OperatorPod(ns)()
+ Expect(operatorPod.Spec.Containers[0].SecurityContext.RunAsNonRoot).To(Equal(kubernetes.DefaultOperatorSecurityContext().RunAsNonRoot))
+ Expect(operatorPod.Spec.Containers[0].SecurityContext.Capabilities).To(Equal(kubernetes.DefaultOperatorSecurityContext().Capabilities))
+ Expect(operatorPod.Spec.Containers[0].SecurityContext.SeccompProfile).To(Equal(kubernetes.DefaultOperatorSecurityContext().SeccompProfile))
+ Expect(operatorPod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation).To(Equal(kubernetes.DefaultOperatorSecurityContext().AllowPrivilegeEscalation))
+
//Test a simple route
t.Run("simple route", func(t *testing.T) {
name := "yaml"
diff --git a/e2e/install/kustomize/operator_test.go b/e2e/install/kustomize/operator_test.go
index 4002604b2..51cc782ea 100644
--- a/e2e/install/kustomize/operator_test.go
+++ b/e2e/install/kustomize/operator_test.go
@@ -31,6 +31,7 @@ import (
. "github.com/apache/camel-k/v2/e2e/support"
testutil "github.com/apache/camel-k/v2/e2e/support/util"
+ "github.com/apache/camel-k/v2/pkg/util/kubernetes"
. "github.com/onsi/gomega"
)
@@ -59,6 +60,14 @@ func TestOperatorBasic(t *testing.T) {
Eventually(OperatorPod(ns)).ShouldNot(BeNil())
Eventually(OperatorPodPhase(ns), TestTimeoutMedium).Should(Equal(corev1.PodRunning))
+
+ // Check if restricted security context has been applyed
+ operatorPod := OperatorPod(ns)()
+ Expect(operatorPod.Spec.Containers[0].SecurityContext.RunAsNonRoot).To(Equal(kubernetes.DefaultOperatorSecurityContext().RunAsNonRoot))
+ Expect(operatorPod.Spec.Containers[0].SecurityContext.Capabilities).To(Equal(kubernetes.DefaultOperatorSecurityContext().Capabilities))
+ Expect(operatorPod.Spec.Containers[0].SecurityContext.SeccompProfile).To(Equal(kubernetes.DefaultOperatorSecurityContext().SeccompProfile))
+ Expect(operatorPod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation).To(Equal(kubernetes.DefaultOperatorSecurityContext().AllowPrivilegeEscalation))
+
Eventually(Platform(ns)).ShouldNot(BeNil())
})
}
diff --git a/e2e/install/olm/olm_install_test.go b/e2e/install/olm/olm_install_test.go
index cdadbdded..ac8fe9e2f 100644
--- a/e2e/install/olm/olm_install_test.go
+++ b/e2e/install/olm/olm_install_test.go
@@ -36,6 +36,7 @@ import (
olm "github.com/operator-framework/api/pkg/operators/v1alpha1"
"github.com/apache/camel-k/v2/pkg/util/defaults"
+ "github.com/apache/camel-k/v2/pkg/util/kubernetes"
"github.com/apache/camel-k/v2/pkg/util/openshift"
)
@@ -96,6 +97,13 @@ func TestOLMInstallation(t *testing.T) {
// Check the IntegrationPlatform has been reconciled
Eventually(PlatformVersion(ns)).Should(ContainSubstring(ipVersionPrefix))
+ // Check if restricted security context has been applyed
+ operatorPod := OperatorPod(ns)()
+ Expect(operatorPod.Spec.Containers[0].SecurityContext.RunAsNonRoot).To(Equal(kubernetes.DefaultOperatorSecurityContext().RunAsNonRoot))
+ Expect(operatorPod.Spec.Containers[0].SecurityContext.Capabilities).To(Equal(kubernetes.DefaultOperatorSecurityContext().Capabilities))
+ Expect(operatorPod.Spec.Containers[0].SecurityContext.SeccompProfile).To(Equal(kubernetes.DefaultOperatorSecurityContext().SeccompProfile))
+ Expect(operatorPod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation).To(Equal(kubernetes.DefaultOperatorSecurityContext().AllowPrivilegeEscalation))
+
// Clean up
Expect(Kamel("delete", "--all", "-n", ns).Execute()).To(Succeed())
Expect(Kamel("uninstall", "-n", ns).Execute()).To(Succeed())
diff --git a/e2e/support/test_support.go b/e2e/support/test_support.go
index 9933e0d4f..171ba2014 100644
--- a/e2e/support/test_support.go
+++ b/e2e/support/test_support.go
@@ -1344,6 +1344,16 @@ func OperatorImage(ns string) func() string {
}
}
+func OperatorPodSecurityContext(ns string) func() *corev1.SecurityContext {
+ return func() *corev1.SecurityContext {
+ pod := OperatorPod(ns)()
+ if pod == nil || pod.Spec.Containers == nil || len(pod.Spec.Containers) == 0 {
+ return nil
+ }
+ return pod.Spec.Containers[0].SecurityContext
+ }
+}
+
func OperatorPodHas(ns string, predicate func(pod *corev1.Pod) bool) func() bool {
return func() bool {
pod := OperatorPod(ns)()
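Review bot: `OperatorPodSecurityContext` is exported without a doc comment, and none of the visible hunks in this commit call it; the four install tests read the pod directly instead. A comment such as `// OperatorPodSecurityContext returns a getter for the SecurityContext of the operator pod's first container, or nil while the pod or its containers are missing.` would state the nil contract callers rely on when wrapping it in `Eventually`. The `pod.Spec.Containers == nil ||` term is redundant, since `len` of a nil slice is 0.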