Update tests to use SecurityContextto account for enabling secure-pod…

…-defaults
knative · Jul 12, 2023 · 18474ca · 18474ca
1 parent 7f51c74
commit 18474ca
Show file tree

Hide file tree

Showing 7 changed files with 951 additions and 7 deletions.
diff --git a/config/core/configmaps/features.yaml b/config/core/configmaps/features.yaml
@@ -22,7 +22,7 @@ metadata:
     app.kubernetes.io/component: controller
     app.kubernetes.io/version: devel
   annotations:
-    knative.dev/example-checksum: "b08d16b1"
+    knative.dev/example-checksum: "43e1a61b"
 data:
   _example: |-
     ################################
@@ -40,10 +40,10 @@ data:
     # this example block and unindented to be in the data block
     # to actually change the configuration.
 
-    # Default SecurityContext settings to secure-by-default values
-    # if unset.
-    #
     # Indicates whether secure-pod-defaults support is enabled
+
+    # WARNING: Cannot safely be disabled once enabled.
+    # See: TBD
     secure-pod-defaults: "enabled"
 
     # Indicates whether multi container support is enabled

diff --git a/pkg/apis/config/features.go b/pkg/apis/config/features.go
@@ -71,7 +71,7 @@ func defaultFeaturesConfig() *Features {
 		PodSpecInitContainers:            Disabled,
 		PodSpecDNSPolicy:                 Disabled,
 		PodSpecDNSConfig:                 Disabled,
-		SecurePodDefaults:                Disabled,
+		SecurePodDefaults:                Enabled,
 		TagHeaderBasedRouting:            Disabled,
 		AutoDetectHTTP2:                  Disabled,
 	}

diff --git a/pkg/apis/serving/fieldmask_test.go b/pkg/apis/serving/fieldmask_test.go
@@ -719,7 +719,11 @@ func TestPodSecurityContextMask(t *testing.T) {
 		},
 	}
 
-	want := &corev1.PodSecurityContext{}
+	want := &corev1.PodSecurityContext{
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+	}
 	ctx := context.Background()
 
 	got := PodSecurityContextMask(ctx, in)

diff --git a/pkg/apis/serving/v1/configuration_defaults_test.go b/pkg/apis/serving/v1/configuration_defaults_test.go
@@ -76,6 +76,24 @@ func TestConfigurationDefaulting(t *testing.T) {
 								Image:          "busybox",
 								Resources:      defaultResources,
 								ReadinessProbe: defaultProbe,
+								SecurityContext: &corev1.SecurityContext{
+									Capabilities: &corev1.Capabilities{
+										Drop: []corev1.Capability{"ALL"},
+									},
+									Privileged:               nil,
+									SELinuxOptions:           nil,
+									RunAsUser:                nil,
+									RunAsNonRoot:             nil,
+									ReadOnlyRootFilesystem:   nil,
+									AllowPrivilegeEscalation: ptr.Bool(false),
+									RunAsGroup:               nil,
+									ProcMount:                nil,
+									WindowsOptions:           nil,
+									SeccompProfile: &corev1.SeccompProfile{
+										Type:             corev1.SeccompProfileTypeRuntimeDefault,
+										LocalhostProfile: nil,
+									},
+								},
 							}},
 						},
 						TimeoutSeconds:       ptr.Int64(config.DefaultRevisionTimeoutSeconds),
@@ -111,6 +129,24 @@ func TestConfigurationDefaulting(t *testing.T) {
 								Image:          "busybox",
 								Resources:      defaultResources,
 								ReadinessProbe: defaultProbe,
+								SecurityContext: &corev1.SecurityContext{
+									Capabilities: &corev1.Capabilities{
+										Drop: []corev1.Capability{"ALL"},
+									},
+									Privileged:               nil,
+									SELinuxOptions:           nil,
+									RunAsUser:                nil,
+									RunAsNonRoot:             nil,
+									ReadOnlyRootFilesystem:   nil,
+									AllowPrivilegeEscalation: ptr.Bool(false),
+									RunAsGroup:               nil,
+									ProcMount:                nil,
+									WindowsOptions:           nil,
+									SeccompProfile: &corev1.SeccompProfile{
+										Type:             corev1.SeccompProfileTypeRuntimeDefault,
+										LocalhostProfile: nil,
+									},
+								},
 							}},
 						},
 						TimeoutSeconds:       ptr.Int64(config.DefaultRevisionTimeoutSeconds),
@@ -148,6 +184,24 @@ func TestConfigurationDefaulting(t *testing.T) {
 								Image:          "busybox",
 								Resources:      defaultResources,
 								ReadinessProbe: defaultProbe,
+								SecurityContext: &corev1.SecurityContext{
+									Capabilities: &corev1.Capabilities{
+										Drop: []corev1.Capability{"ALL"},
+									},
+									Privileged:               nil,
+									SELinuxOptions:           nil,
+									RunAsUser:                nil,
+									RunAsNonRoot:             nil,
+									ReadOnlyRootFilesystem:   nil,
+									AllowPrivilegeEscalation: ptr.Bool(false),
+									RunAsGroup:               nil,
+									ProcMount:                nil,
+									WindowsOptions:           nil,
+									SeccompProfile: &corev1.SeccompProfile{
+										Type:             corev1.SeccompProfileTypeRuntimeDefault,
+										LocalhostProfile: nil,
+									},
+								},
 							}},
 						},
 						TimeoutSeconds:       ptr.Int64(60),