Posted to commits@camel.apache.org by pc...@apache.org on 2023/10/04 10:13:47 UTC

[camel-k] branch main updated: fix(e2e): Add installation with helm,kustomize,olm securityContext restricted validation

This is an automated email from the ASF dual-hosted git repository.

pcongiusti pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git


The following commit(s) were added to refs/heads/main by this push:
     new dc25083a4 fix(e2e): Add installation with helm,kustomize,olm securityContext restricted validation
dc25083a4 is described below

commit dc25083a4e1431074950d716bfff5e8bb16648ca
Author: Gaelle Fournier <ga...@gmail.com>
AuthorDate: Tue Oct 3 11:04:49 2023 +0200

    fix(e2e): Add installation with helm,kustomize,olm securityContext restricted validation
---
 e2e/install/cli/install_test.go        | 15 ++++++---------
 e2e/install/helm/setup_test.go         |  8 ++++++++
 e2e/install/kustomize/operator_test.go |  9 +++++++++
 e2e/install/olm/olm_install_test.go    |  8 ++++++++
 e2e/support/test_support.go            | 10 ++++++++++
 5 files changed, 41 insertions(+), 9 deletions(-)

diff --git a/e2e/install/cli/install_test.go b/e2e/install/cli/install_test.go
index 01a4d4636..5d58a6575 100644
--- a/e2e/install/cli/install_test.go
+++ b/e2e/install/cli/install_test.go
@@ -55,15 +55,12 @@ func TestBasicInstallation(t *testing.T) {
 		Eventually(PlatformConditionStatus(ns, v1.IntegrationPlatformConditionTypeCreated), TestTimeoutShort).
 			Should(Equal(corev1.ConditionTrue))
 
-			// Check if default security context has been applyed
-		Eventually(OperatorPodHas(ns, func(pod *corev1.Pod) bool {
-			if pod.Spec.Containers == nil || len(pod.Spec.Containers) == 0 {
-				return false
-			}
-			// exclude user for openshift
-			pod.Spec.Containers[0].SecurityContext.RunAsUser = nil
-			return reflect.DeepEqual(pod.Spec.Containers[0].SecurityContext, kubernetes.DefaultOperatorSecurityContext())
-		}), TestTimeoutShort).Should(BeTrue())
+		// Check if restricted security context has been applyed
+		operatorPod := OperatorPod(ns)()
+		Expect(operatorPod.Spec.Containers[0].SecurityContext.RunAsNonRoot).To(Equal(kubernetes.DefaultOperatorSecurityContext().RunAsNonRoot))
+		Expect(operatorPod.Spec.Containers[0].SecurityContext.Capabilities).To(Equal(kubernetes.DefaultOperatorSecurityContext().Capabilities))
+		Expect(operatorPod.Spec.Containers[0].SecurityContext.SeccompProfile).To(Equal(kubernetes.DefaultOperatorSecurityContext().SeccompProfile))
+		Expect(operatorPod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation).To(Equal(kubernetes.DefaultOperatorSecurityContext().AllowPrivilegeEscalation))
 
 		t.Run("run yaml", func(t *testing.T) {
 			Expect(KamelRunWithID(operatorID, ns, "files/yaml.yaml").Execute()).To(Succeed())
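Review bot: The added block dereferences `operatorPod.Spec.Containers[0].SecurityContext` after a single `OperatorPod(ns)()` call, so a pod that is not listed yet, or a container with no securityContext at all (the case this check exists to catch), makes the test panic on a nil dereference instead of reporting a failed assertion. The removed code polled with `Eventually`; the new code can keep that by using the helper this commit adds: `Eventually(OperatorPodSecurityContext(ns), TestTimeoutShort).ShouldNot(BeNil())`, then `sc := OperatorPodSecurityContext(ns)()` and the four `Expect(sc.…)` comparisons. The same four lines are repeated in the helm, kustomize and OLM hunks with the same issue, which also argues for one shared assertion helper in `e2e/support`. If `reflect` was imported only for the removed `DeepEqual` call, that import has to be dropped as well; the import block and the start and end of TestBasicInstallation are outside this hunk.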
diff --git a/e2e/install/helm/setup_test.go b/e2e/install/helm/setup_test.go
index d4441578a..82de1395a 100644
--- a/e2e/install/helm/setup_test.go
+++ b/e2e/install/helm/setup_test.go
@@ -32,6 +32,7 @@ import (
 
 	. "github.com/apache/camel-k/v2/e2e/support"
 	"github.com/apache/camel-k/v2/pkg/util/defaults"
+	"github.com/apache/camel-k/v2/pkg/util/kubernetes"
 	. "github.com/onsi/gomega"
 )
 
@@ -63,6 +64,13 @@ func TestHelmInstallRunUninstall(t *testing.T) {
 
 		Eventually(OperatorPod(ns)).ShouldNot(BeNil())
 
+		// Check if restricted security context has been applyed
+		operatorPod := OperatorPod(ns)()
+		Expect(operatorPod.Spec.Containers[0].SecurityContext.RunAsNonRoot).To(Equal(kubernetes.DefaultOperatorSecurityContext().RunAsNonRoot))
+		Expect(operatorPod.Spec.Containers[0].SecurityContext.Capabilities).To(Equal(kubernetes.DefaultOperatorSecurityContext().Capabilities))
+		Expect(operatorPod.Spec.Containers[0].SecurityContext.SeccompProfile).To(Equal(kubernetes.DefaultOperatorSecurityContext().SeccompProfile))
+		Expect(operatorPod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation).To(Equal(kubernetes.DefaultOperatorSecurityContext().AllowPrivilegeEscalation))
+
 		//Test a simple route
 		t.Run("simple route", func(t *testing.T) {
 			name := "yaml"
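Review bot: The four `Expect` lines only prove that the deployed pod matches whatever `kubernetes.DefaultOperatorSecurityContext()` currently returns, so a later weakening of that default would not fail this test even though the commit title promises validation of the restricted profile. Pinning the expected values in the test would close that gap, for example `Expect(*operatorPod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation).To(BeFalse())` and `Expect(*operatorPod.Spec.Containers[0].SecurityContext.RunAsNonRoot).To(BeTrue())`, with matching literal checks for dropped capabilities and the seccomp profile. `DefaultOperatorSecurityContext` is defined outside this diff, so its actual values cannot be confirmed from here. The same applies to the identical blocks in the cli, kustomize and OLM hunks; TestHelmInstallRunUninstall continues outside this hunk.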
diff --git a/e2e/install/kustomize/operator_test.go b/e2e/install/kustomize/operator_test.go
index 4002604b2..51cc782ea 100644
--- a/e2e/install/kustomize/operator_test.go
+++ b/e2e/install/kustomize/operator_test.go
@@ -31,6 +31,7 @@ import (
 
 	. "github.com/apache/camel-k/v2/e2e/support"
 	testutil "github.com/apache/camel-k/v2/e2e/support/util"
+	"github.com/apache/camel-k/v2/pkg/util/kubernetes"
 
 	. "github.com/onsi/gomega"
 )
@@ -59,6 +60,14 @@ func TestOperatorBasic(t *testing.T) {
 
 		Eventually(OperatorPod(ns)).ShouldNot(BeNil())
 		Eventually(OperatorPodPhase(ns), TestTimeoutMedium).Should(Equal(corev1.PodRunning))
+
+		// Check if restricted security context has been applyed
+		operatorPod := OperatorPod(ns)()
+		Expect(operatorPod.Spec.Containers[0].SecurityContext.RunAsNonRoot).To(Equal(kubernetes.DefaultOperatorSecurityContext().RunAsNonRoot))
+		Expect(operatorPod.Spec.Containers[0].SecurityContext.Capabilities).To(Equal(kubernetes.DefaultOperatorSecurityContext().Capabilities))
+		Expect(operatorPod.Spec.Containers[0].SecurityContext.SeccompProfile).To(Equal(kubernetes.DefaultOperatorSecurityContext().SeccompProfile))
+		Expect(operatorPod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation).To(Equal(kubernetes.DefaultOperatorSecurityContext().AllowPrivilegeEscalation))
+
 		Eventually(Platform(ns)).ShouldNot(BeNil())
 	})
 }
diff --git a/e2e/install/olm/olm_install_test.go b/e2e/install/olm/olm_install_test.go
index cdadbdded..ac8fe9e2f 100644
--- a/e2e/install/olm/olm_install_test.go
+++ b/e2e/install/olm/olm_install_test.go
@@ -36,6 +36,7 @@ import (
 	olm "github.com/operator-framework/api/pkg/operators/v1alpha1"
 
 	"github.com/apache/camel-k/v2/pkg/util/defaults"
+	"github.com/apache/camel-k/v2/pkg/util/kubernetes"
 	"github.com/apache/camel-k/v2/pkg/util/openshift"
 )
 
@@ -96,6 +97,13 @@ func TestOLMInstallation(t *testing.T) {
 		// Check the IntegrationPlatform has been reconciled
 		Eventually(PlatformVersion(ns)).Should(ContainSubstring(ipVersionPrefix))
 
+		// Check if restricted security context has been applyed
+		operatorPod := OperatorPod(ns)()
+		Expect(operatorPod.Spec.Containers[0].SecurityContext.RunAsNonRoot).To(Equal(kubernetes.DefaultOperatorSecurityContext().RunAsNonRoot))
+		Expect(operatorPod.Spec.Containers[0].SecurityContext.Capabilities).To(Equal(kubernetes.DefaultOperatorSecurityContext().Capabilities))
+		Expect(operatorPod.Spec.Containers[0].SecurityContext.SeccompProfile).To(Equal(kubernetes.DefaultOperatorSecurityContext().SeccompProfile))
+		Expect(operatorPod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation).To(Equal(kubernetes.DefaultOperatorSecurityContext().AllowPrivilegeEscalation))
+
 		// Clean up
 		Expect(Kamel("delete", "--all", "-n", ns).Execute()).To(Succeed())
 		Expect(Kamel("uninstall", "-n", ns).Execute()).To(Succeed())
diff --git a/e2e/support/test_support.go b/e2e/support/test_support.go
index 9933e0d4f..171ba2014 100644
--- a/e2e/support/test_support.go
+++ b/e2e/support/test_support.go
@@ -1344,6 +1344,16 @@ func OperatorImage(ns string) func() string {
 	}
 }
 
+func OperatorPodSecurityContext(ns string) func() *corev1.SecurityContext {
+	return func() *corev1.SecurityContext {
+		pod := OperatorPod(ns)()
+		if pod == nil || pod.Spec.Containers == nil || len(pod.Spec.Containers) == 0 {
+			return nil
+		}
+		return pod.Spec.Containers[0].SecurityContext
+	}
+}
+
 func OperatorPodHas(ns string, predicate func(pod *corev1.Pod) bool) func() bool {
 	return func() bool {
 		pod := OperatorPod(ns)()
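Review bot: `OperatorPodSecurityContext` is exported without a doc comment, and none of the test hunks in this commit call it, so its nil guards protect nothing yet. A comment such as `// OperatorPodSecurityContext returns a getter for the security context of the operator pod's first container, or nil if the pod or its containers are missing.` would state the contract, including that only `Containers[0]` is inspected. The `pod.Spec.Containers == nil ||` term is redundant, because `len` of a nil slice is 0; `if pod == nil || len(pod.Spec.Containers) == 0 {` is enough. OperatorPodHas, which follows, continues outside the hunk.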