
[Feature] Cover CNF Test Suite vs Clusters where Pod Security Standard restricted is enforced #1887

Open
collivier opened this issue Feb 13, 2024 · 1 comment · May be fixed by #2021
Labels: enhancement (New feature or request), v1.3.0 (Issue included in v1.3.0 release)

Comments

@collivier (Collaborator)

Is your feature request related to a problem? Please describe.

CNF Test Suite cannot run today vs Clusters where Pod Security Standard restricted is enforced.
To work vs hardened clusters in production, Functest Kubernetes has to patch all 3 namespaces before running CNF Test Suite.
https://github.com/opnfv/functest-kubernetes/blob/master/functest_kubernetes/cnf_conformance/conformance.py#L67-L86

Describe the solution you'd like

I would like to see GitHub Actions verifying CNF Test Suite under the following configuration:
https://kubernetes.io/docs/tutorials/security/cluster-level-pss/

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces:
        - kube-system
        - local-path-storage
```

**How will this be tested? aka Acceptance Criteria (optional)**

The gate job would work and any new issue in CNF Test Suite would be detected pre-merge.

@collivier (Collaborator, Author)

A simple way to set up a hardened cluster as described in https://kubernetes.io/docs/tutorials/security/cluster-level-pss/:

$ cat kind.v1.29.yaml
```yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  image: kindest/node:v1.29.0
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
        extraArgs:
          admission-control-config-file: /etc/config/cluster-level-pss.yaml
        extraVolumes:
          - name: accf
            hostPath: /etc/config
            mountPath: /etc/config
            readOnly: false
            pathType: "DirectoryOrCreate"
  extraMounts:
  - hostPath: /home/opnfv/K8S
    containerPath: /etc/config
    # optional: if set, the mount is read-only.
    # default false
    readOnly: false
    # optional: if set, the mount needs SELinux relabeling.
    # default false
    selinuxRelabel: false
    # optional: set propagation mode (None, HostToContainer or Bidirectional)
    # see https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
    # default None
    propagation: None
- role: worker
  image: kindest/node:v1.29.0
- role: worker
  image: kindest/node:v1.29.0
```
$ cat /home/opnfv/K8S/cluster-level-pss.yaml
```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces:
        - kube-system
        - local-path-storage
```
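With `enforce: "restricted"` in place, the first thing a pod author needs is a list of which restricted-profile controls a given pod spec violates. The checker below is an added example, not code from this issue or from CNF Test Suite; it implements a subset of the controls documented in the Kubernetes Pod Security Standards (host namespaces, volume types, privileged, privilege escalation, non-root, seccomp, capabilities) and takes a Pod manifest as a plain dict, such as the output of `yaml.safe_load`. The two sample manifests are constructed for the example.

```python
# Offline subset of the PSS 'restricted' profile checks. Added example, not code from
# this issue or CNF Test Suite. Input: a Pod manifest as a dict (yaml.safe_load output).
ALLOWED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                   "persistentVolumeClaim", "projected", "secret"}

def restricted_violations(pod: dict) -> list:
    """Return the restricted-profile controls the pod violates (a subset of the profile)."""
    spec = pod.get("spec", {})
    psc = spec.get("securityContext", {})  # pod-level defaults, overridable per container
    found = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):  # baseline: no host namespaces
        if spec.get(ns):
            found.append(f"spec.{ns} must be false")
    for vol in spec.get("volumes", []):  # restricted: allow-listed volume types only
        bad = set(vol) - {"name"} - ALLOWED_VOLUMES
        if bad:
            found.append(f"volume {vol.get('name')} uses forbidden type {sorted(bad)}")
    all_containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in all_containers + spec.get("ephemeralContainers", []):
        csc, name = c.get("securityContext", {}), c.get("name")
        if csc.get("privileged"):
            found.append(f"{name}: privileged containers are forbidden")
        if csc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: allowPrivilegeEscalation must be false")
        if csc.get("runAsNonRoot", psc.get("runAsNonRoot")) is not True:
            found.append(f"{name}: runAsNonRoot must be true")
        if csc.get("runAsUser", psc.get("runAsUser")) == 0:
            found.append(f"{name}: runAsUser must not be 0")
        seccomp = csc.get("seccompProfile", psc.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        caps = csc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            found.append(f"{name}: capabilities must drop ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            found.append(f"{name}: only NET_BIND_SERVICE may be added")
    return found

# Constructed sample manifests: a bare pod, and the same pod hardened for 'restricted'.
PLAIN_POD = {"spec": {"containers": [{"name": "app", "image": "nginx"}],
                      "volumes": [{"name": "host", "hostPath": {"path": "/etc"}}]}}
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "nginx", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("plain", PLAIN_POD), ("hardened", HARDENED_POD)):
        print(label, restricted_violations(pod) or "OK")
```

The plain pod is reported with five violations (the hostPath volume plus four missing container settings), which is exactly why a stock test workload is refused by the admission plugin while the hardened variant is admitted.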

@lixuna lixuna moved this to Todo in CNTI Test Catalog Mar 18, 2024
@collivier collivier linked a pull request May 10, 2024 that will close this issue
@lixuna lixuna moved this from Todo to Peer Review in CNTI Test Catalog May 10, 2024
@lixuna lixuna added the v1.3.0 Issue included in v1.3.0 release label May 10, 2024
@github-project-automation github-project-automation bot moved this to Needs Peer Review in CNF Test Suite Aug 30, 2024