Merge pull request #26938 from s-urbaniak/pod-security-levels

util/client.go: add method to specify pod security admission level

Author: openshift-merge-robot

go.mod

@@ -72,6 +72,7 @@ require (
 	k8s.io/kubelet v0.23.0
 	k8s.io/kubernetes v1.23.0
 	k8s.io/legacy-cloud-providers v0.23.0
+	k8s.io/pod-security-admission v0.23.0
 	k8s.io/utils v0.0.0-20211208161948-7d6a63dca704
 	sigs.k8s.io/kustomize/kyaml v0.13.0
 	sigs.k8s.io/yaml v1.2.0

test/extended/util/client.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
+	"k8s.io/client-go/util/retry"
 	"net"
 	"net/http"
 	"os"
@@ -62,6 +63,7 @@ import (
 	watchtools "k8s.io/client-go/tools/watch"
 	"k8s.io/client-go/util/flowcontrol"
 	"k8s.io/kubernetes/test/e2e/framework"
+	admissionapi "k8s.io/pod-security-admission/api"
 )
 
 // CLI provides function to call the OpenShift CLI and Kubernetes and OpenShift
@@ -105,8 +107,17 @@ func NewCLIWithFramework(kubeFramework *framework.Framework) *CLI {
 	return cli
 }
 
+// NewCLIWithPodSecurityLevel initializes the CLI the same way as `NewCLI()`
+// but the given pod security level is applied to the created e2e test namespace.
+func NewCLIWithPodSecurityLevel(project string, level admissionapi.Level) *CLI {
+	cli := NewCLI(project)
+	cli.kubeFramework.NamespacePodSecurityEnforceLevel = level
+	return cli
+}
+
 // NewCLI initializes the CLI and Kube framework helpers with the provided
 // namespace. Should be called outside of a Ginkgo .It() function.
+// This will apply the `restricted` pod security level to the given underlying namespace.
 func NewCLI(project string) *CLI {
 	cli := NewCLIWithoutNamespace(project)
 	cli.withoutNamespace = false
@@ -288,6 +299,31 @@ func (c *CLI) SetupProject() string {
 	})
 	o.Expect(err).NotTo(o.HaveOccurred())
 
+	err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		// once permissions are settled the underlying namespace must have been created.
+		ns, err := c.AdminKubeClient().CoreV1().Namespaces().Get(context.Background(), newNamespace, metav1.GetOptions{})
+		if err != nil {
+			return err
+		}
+
+		if c.kubeFramework.NamespacePodSecurityEnforceLevel != "" {
+			// TODO(sur): set to restricted in a separate PR and fix failing tests
+			c.kubeFramework.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
+		}
+		if ns.Labels == nil {
+			ns.Labels = make(map[string]string)
+		}
+		ns.Labels[admissionapi.EnforceLevelLabel] = string(c.kubeFramework.NamespacePodSecurityEnforceLevel)
+		// In contrast to upstream, OpenShift sets a global default on warn and audit pod security levels.
+		// Since this would cause unwanted audit log and warning entries, we are setting the same level as for enforcement.
+		ns.Labels[admissionapi.WarnLevelLabel] = string(c.kubeFramework.NamespacePodSecurityEnforceLevel)
+		ns.Labels[admissionapi.AuditLevelLabel] = string(c.kubeFramework.NamespacePodSecurityEnforceLevel)
+
+		_, err = c.AdminKubeClient().CoreV1().Namespaces().Update(context.Background(), ns, metav1.UpdateOptions{})
+		return err
+	})
+	o.Expect(err).NotTo(o.HaveOccurred())
+
 	// Wait for SAs and default dockercfg Secret to be injected
 	// TODO: it would be nice to have a shared list but it is defined in at least 3 place,
 	// TODO: some of them not even using the constants

vendor/modules.txt

@@ -3103,7 +3103,8 @@ k8s.io/metrics/pkg/client/custom_metrics/scheme
 k8s.io/metrics/pkg/client/external_metrics
 # k8s.io/mount-utils v0.0.0 => github.com/openshift/kubernetes/staging/src/k8s.io/mount-utils v0.0.0-20220405131139-37c5e75b4e1e
 k8s.io/mount-utils
-# k8s.io/pod-security-admission v0.0.0 => github.com/openshift/kubernetes/staging/src/k8s.io/pod-security-admission v0.0.0-20220405131139-37c5e75b4e1e
+# k8s.io/pod-security-admission v0.23.0 => github.com/openshift/kubernetes/staging/src/k8s.io/pod-security-admission v0.0.0-20220405131139-37c5e75b4e1e
+## explicit
 k8s.io/pod-security-admission/admission
 k8s.io/pod-security-admission/admission/api
 k8s.io/pod-security-admission/admission/api/load