Use Bash to assert on dropped caps in E2E tests

OpenShift appends to the list of dropped capabilities, and KUTTL is unable to assert a subset of that list. Do the assertion ourselves in a script rather than create a copy of the test specifically for OpenShift. Issue: [sc-15297] See: kudobuilder/kuttl#76
cbandy · Jul 30, 2022 · 55301b0 · 55301b0
1 parent 6ac98d1
commit 55301b0
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 17 deletions.
diff --git a/testing/kuttl/e2e/security-context/00-assert.yaml b/testing/kuttl/e2e/security-context/00-assert.yaml
@@ -32,7 +32,6 @@ spec:
   - name: pgbackrest
     securityContext:
       allowPrivilegeEscalation: false
-      capabilities: { drop: [ALL] }
       privileged: false
       readOnlyRootFilesystem: true
       runAsNonRoot: true
@@ -52,50 +51,43 @@ spec:
   - name: database
     securityContext:
       allowPrivilegeEscalation: false
-      capabilities: { drop: [ALL] }
       privileged: false
       readOnlyRootFilesystem: true
       runAsNonRoot: true
   - name: replication-cert-copy
     securityContext:
       allowPrivilegeEscalation: false
-      capabilities: { drop: [ALL] }
       privileged: false
       readOnlyRootFilesystem: true
       runAsNonRoot: true
   - name: pgbackrest
     securityContext:
       allowPrivilegeEscalation: false
-      capabilities: { drop: [ALL] }
       privileged: false
       readOnlyRootFilesystem: true
       runAsNonRoot: true
   - name: pgbackrest-config
     securityContext:
       allowPrivilegeEscalation: false
-      capabilities: { drop: [ALL] }
       privileged: false
       readOnlyRootFilesystem: true
       runAsNonRoot: true
   - name: exporter
     securityContext:
       allowPrivilegeEscalation: false
-      capabilities: { drop: [ALL] }
       privileged: false
       readOnlyRootFilesystem: true
       runAsNonRoot: true
   initContainers:
   - name: postgres-startup
     securityContext:
       allowPrivilegeEscalation: false
-      capabilities: { drop: [ALL] }
       privileged: false
       readOnlyRootFilesystem: true
       runAsNonRoot: true
   - name: nss-wrapper-init
     securityContext:
       allowPrivilegeEscalation: false
-      capabilities: { drop: [ALL] }
       privileged: false
       readOnlyRootFilesystem: true
       runAsNonRoot: true
@@ -115,22 +107,19 @@ spec:
   - name: pgadmin
     securityContext:
       allowPrivilegeEscalation: false
-      capabilities: { drop: [ALL] }
       privileged: false
       readOnlyRootFilesystem: true
       runAsNonRoot: true
   initContainers:
   - name: pgadmin-startup
     securityContext:
       allowPrivilegeEscalation: false
-      capabilities: { drop: [ALL] }
       privileged: false
       readOnlyRootFilesystem: true
       runAsNonRoot: true
   - name: nss-wrapper-init
     securityContext:
       allowPrivilegeEscalation: false
-      capabilities: { drop: [ALL] }
       privileged: false
       readOnlyRootFilesystem: true
       runAsNonRoot: true
@@ -147,14 +136,12 @@ spec:
   - name: pgbouncer
     securityContext:
       allowPrivilegeEscalation: false
-      capabilities: { drop: [ALL] }
       privileged: false
       readOnlyRootFilesystem: true
       runAsNonRoot: true
   - name: pgbouncer-config
     securityContext:
       allowPrivilegeEscalation: false
-      capabilities: { drop: [ALL] }
       privileged: false
       readOnlyRootFilesystem: true
       runAsNonRoot: true
@@ -175,29 +162,25 @@ spec:
   - name: pgbackrest
     securityContext:
       allowPrivilegeEscalation: false
-      capabilities: { drop: [ALL] }
       privileged: false
       readOnlyRootFilesystem: true
       runAsNonRoot: true
   - name: pgbackrest-config
     securityContext:
       allowPrivilegeEscalation: false
-      capabilities: { drop: [ALL] }
       privileged: false
       readOnlyRootFilesystem: true
       runAsNonRoot: true
   initContainers:
   - name: pgbackrest-log-dir
     securityContext:
       allowPrivilegeEscalation: false
-      capabilities: { drop: [ALL] }
       privileged: false
       readOnlyRootFilesystem: true
       runAsNonRoot: true
   - name: nss-wrapper-init
     securityContext:
       allowPrivilegeEscalation: false
-      capabilities: { drop: [ALL] }
       privileged: false
       readOnlyRootFilesystem: true
       runAsNonRoot: true
diff --git a/testing/kuttl/e2e/security-context/01--security-context.yaml b/testing/kuttl/e2e/security-context/01--security-context.yaml
@@ -0,0 +1,48 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |
+      # Check that every container has the correct capabilities.
+
+      # Capture every container name alongside its list of dropped capabilities.
+      CONTAINERS_DROP_CAPS=$(
+        kubectl --namespace "${NAMESPACE}" get pods --output "jsonpath={\
+          range .items[*].spec.containers[*]\
+        }{ @.name }{'\t\t'}{ @.securityContext.capabilities.drop }{'\n'}{\
+          end\
+        }"
+      ) || exit
+
+      WRONG=$( ! echo "${CONTAINERS_DROP_CAPS}" | grep -Fv '"ALL"' ) || {
+        echo 'Not all containers have dropped "ALL" capabilities!'
+        echo "${WRONG}"
+        exit 1
+      }
+
+  - script: |
+      # Check that every Pod is assigned to the "restricted" SecurityContextConstraint
+      # in OpenShift.
+
+      SCC=$(
+        kubectl api-resources --cached |
+        grep -F 'security.openshift.io/v1' |
+        grep -F 'SecurityContextConstraint'
+      )
+
+      # Skip this check when the API has no notion of SecurityContextConstraint.
+      [ -z "${SCC}" ] && exit
+
+      PODS_SCC=$(
+        kubectl --namespace "${NAMESPACE}" get pods --no-headers \
+          --output "custom-columns=\
+            NAME:.metadata.name,\
+            SCC:.metadata.annotations['openshift\.io/scc']\
+          "
+      ) || exit
+
+      WRONG=$( ! echo "${PODS_SCC}" | grep -Ev '\<restricted$' ) || {
+        echo 'Found pods not assigned to the restricted security context constraint!'
+        echo "${PODS_SCC}"
+        exit 1
+      }