Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feature] Cover CNF Test Suite vs Clusters where Pod Security Standard restricted is enforced #1887

Open
collivier opened this issue Feb 13, 2024 · 1 comment · May be fixed by #2021
Open
Assignees
Labels
enhancement New feature or request v1.3.0 Issue included in v1.3.0 release

Comments

@collivier
Copy link
Collaborator

Is your feature request related to a problem? Please describe.

CNF Test Suite cannot run today vs Clusters where Pod Security Standard restricted is enforced.
To work vs hardened clusters in production, Functest Kubernetes has to patch all 3 namespaces before running CNF Test Suite.
https://github.com/opnfv/functest-kubernetes/blob/master/functest_kubernetes/cnf_conformance/conformance.py#L67-L86

Describe the solution you'd like

I would like to see github actions verifying CNF TestSuite under the following configuration:
https://kubernetes.io/docs/tutorials/security/cluster-level-pss/

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces:
        - kube-system
        - local-path-storage

**How will this be tested? aka Acceptance Criteria (optional) **

The gate job would work and any new issue in CNF Test Suite would be detected premerge

@collivier
Copy link
Collaborator Author

A simple way to setup an hardened cluster as described in https://kubernetes.io/docs/tutorials/security/cluster-level-pss/

$ cat kind.v1.29.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  image: kindest/node:v1.29.0
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
        extraArgs:
          admission-control-config-file: /etc/config/cluster-level-pss.yaml
        extraVolumes:
          - name: accf
            hostPath: /etc/config
            mountPath: /etc/config
            readOnly: false
            pathType: "DirectoryOrCreate"
  extraMounts:
  - hostPath: /home/opnfv/K8S
    containerPath: /etc/config
    # optional: if set, the mount is read-only.
    # default false
    readOnly: false
    # optional: if set, the mount needs SELinux relabeling.
    # default false
    selinuxRelabel: false
    # optional: set propagation mode (None, HostToContainer or Bidirectional)
    # see https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
    # default None
    propagation: None
- role: worker
  image: kindest/node:v1.29.0
- role: worker
  image: kindest/node:v1.29.0
$ cat /home/opnfv/K8S/cluster-level-pss.yaml 
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces:
        - kube-system
        - local-path-storage

@lixuna lixuna moved this to Todo in CNTI Test Catalog Mar 18, 2024
@collivier collivier linked a pull request May 10, 2024 that will close this issue
11 tasks
@lixuna lixuna moved this from Todo to Peer Review in CNTI Test Catalog May 10, 2024
@lixuna lixuna added the v1.3.0 Issue included in v1.3.0 release label May 10, 2024
@github-project-automation github-project-automation bot moved this to Needs Peer Review in CNF Test Suite Aug 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request v1.3.0 Issue included in v1.3.0 release
Projects
Status: Needs Peer Review
Status: Peer Review
Development

Successfully merging a pull request may close this issue.

2 participants