|
8 | 8 | "fmt" |
9 | 9 | "io" |
10 | 10 | "io/ioutil" |
| 11 | + "k8s.io/client-go/util/retry" |
11 | 12 | "net" |
12 | 13 | "net/http" |
13 | 14 | "os" |
@@ -62,6 +63,7 @@ import ( |
62 | 63 | watchtools "k8s.io/client-go/tools/watch" |
63 | 64 | "k8s.io/client-go/util/flowcontrol" |
64 | 65 | "k8s.io/kubernetes/test/e2e/framework" |
| 66 | + admissionapi "k8s.io/pod-security-admission/api" |
65 | 67 | ) |
66 | 68 |
|
67 | 69 | // CLI provides function to call the OpenShift CLI and Kubernetes and OpenShift |
@@ -105,8 +107,17 @@ func NewCLIWithFramework(kubeFramework *framework.Framework) *CLI { |
105 | 107 | return cli |
106 | 108 | } |
107 | 109 |
|
| 110 | +// NewCLIWithPodSecurityLevel initializes the CLI the same way as `NewCLI()` |
| 111 | +// but the given pod security level is applied to the created e2e test namespace. |
| 112 | +func NewCLIWithPodSecurityLevel(project string, level admissionapi.Level) *CLI { |
| 113 | + cli := NewCLI(project) |
| 114 | + cli.kubeFramework.NamespacePodSecurityEnforceLevel = level |
| 115 | + return cli |
| 116 | +} |
| 117 | + |
108 | 118 | // NewCLI initializes the CLI and Kube framework helpers with the provided |
109 | 119 | // namespace. Should be called outside of a Ginkgo .It() function. |
| 120 | +// This will apply the `restricted` pod security level to the given underlying namespace. |
110 | 121 | func NewCLI(project string) *CLI { |
111 | 122 | cli := NewCLIWithoutNamespace(project) |
112 | 123 | cli.withoutNamespace = false |
@@ -288,6 +299,31 @@ func (c *CLI) SetupProject() string { |
288 | 299 | }) |
289 | 300 | o.Expect(err).NotTo(o.HaveOccurred()) |
290 | 301 |
|
| 302 | + err = retry.RetryOnConflict(retry.DefaultRetry, func() error { |
| 303 | + // once permissions are settled the underlying namespace must have been created. |
| 304 | + ns, err := c.AdminKubeClient().CoreV1().Namespaces().Get(context.Background(), newNamespace, metav1.GetOptions{}) |
| 305 | + if err != nil { |
| 306 | + return err |
| 307 | + } |
| 308 | + |
| 309 | + if c.kubeFramework.NamespacePodSecurityEnforceLevel != "" { |
| 310 | + // TODO(sur): set to restricted in a separate PR and fix failing tests |
| 311 | + c.kubeFramework.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged |
| 312 | + } |
| 313 | + if ns.Labels == nil { |
| 314 | + ns.Labels = make(map[string]string) |
| 315 | + } |
| 316 | + ns.Labels[admissionapi.EnforceLevelLabel] = string(c.kubeFramework.NamespacePodSecurityEnforceLevel) |
| 317 | + // In contrast to upstream, OpenShift sets a global default on warn and audit pod security levels. |
| 318 | + // Since this would cause unwanted audit log and warning entries, we are setting the same level as for enforcement. |
| 319 | + ns.Labels[admissionapi.WarnLevelLabel] = string(c.kubeFramework.NamespacePodSecurityEnforceLevel) |
| 320 | + ns.Labels[admissionapi.AuditLevelLabel] = string(c.kubeFramework.NamespacePodSecurityEnforceLevel) |
| 321 | + |
| 322 | + _, err = c.AdminKubeClient().CoreV1().Namespaces().Update(context.Background(), ns, metav1.UpdateOptions{}) |
| 323 | + return err |
| 324 | + }) |
| 325 | + o.Expect(err).NotTo(o.HaveOccurred()) |
| 326 | + |
291 | 327 | // Wait for SAs and default dockercfg Secret to be injected |
292 | 328 | // TODO: it would be nice to have a shared list but it is defined in at least 3 place, |
293 | 329 | // TODO: some of them not even using the constants |
|
0 commit comments