Add tests to check for psa privileged label on system namespaces
poornima-krishnasamy committed Nov 16, 2023
1 parent 9ca8864 commit 44def7a
Showing 2 changed files with 26 additions and 1 deletion.
2 changes: 1 addition & 1 deletion test/config/config.go
Expand Up @@ -168,7 +168,7 @@ func (c *Config) ExpectedPromRules() {
// ExpectedNamespaces returns a slice of all the namespaces
// that are expected to be in the cluster.
func (c *Config) ExpectedNamespaces() {
c.Namespaces = append(c.Namespaces, "cert-manager", "ingress-controllers", "logging", "monitoring", "gatekeeper-system", "velero")
c.Namespaces = append(c.Namespaces, "calico-apiserver", "calico-system", "cert-manager", "gatekeeper-system", "kube-system", "kuberos", "ingress-controllers", "logging", "monitoring", "tigera-operator", "trivy-system", "velero")
}

// ExpectedServices returns a slice of all the Services
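Review bot: The doc comment kept as context above `func (c *Config) ExpectedNamespaces()` still says it "returns a slice", but the method has no return value and instead appends to `c.Namespaces`; with the list now doubled in size it is worth stating that accurately, e.g. `// ExpectedNamespaces appends the namespaces expected to be in the cluster to c.Namespaces.`. Because it appends rather than assigns, calling it twice leaves every entry duplicated, which the comment could mention (or a guard could prevent); that behaviour predates this commit.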
25 changes: 25 additions & 0 deletions test/namespaces_test.go
Expand Up @@ -2,6 +2,7 @@ package integration_tests

import (
"context"
"fmt"
"html/template"
"strings"

Expand Down Expand Up @@ -174,6 +175,30 @@ var _ = Describe("Namespaces", func() {
}
})
})
Context("when checking current system namespaces", func() {
GinkgoWriter.Printf("Getting list of namespaces\n")
namespaces, err := c.Client.Clientset.CoreV1().Namespaces().List(context.TODO(), metav1.ListOptions{})
Expect(err).To(BeNil())

// All system namespaces must have the appropriate psa labels for things like
// monitoring. This test checks all system namespaces for label "pod-security.kubernetes.io/enforce=privileged".
// If the label is missing or wrong, it will fail.
It("must have the psa privileged label", func() {
for _, namespace := range namespaces.Items {
// Get the labels
labels := namespace.GetLabels()
// Check if the label is present
if _, ok := labels["pod-security.kubernetes.io/enforce"]; ok {
// Check if the label value is correct
Expect(labels["pod-security.kubernetes.io/enforce"]).To(Equal("privileged"))
} else {
// If the label is missing, fail the test
Fail(fmt.Sprintf("Namespace %s missing pod-security.kubernetes.io/enforce label", namespace.GetName()))
}

}
})
})
})

// canIPerformAction is a wrapper for the Terratest kubectl command. It should return a bool dependant on the
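Review bot: The loop at `for _, namespace := range namespaces.Items` checks every namespace in the cluster, not only the system namespaces the comment above it describes, so any tenant namespace labelled `pod-security.kubernetes.io/enforce=baseline` or `restricted` — the stricter profiles a non-system namespace should carry — fails the spec at `Equal("privileged")`. Filtering on the system list in `c.Namespaces` (which this commit extends in test/config/config.go) keeps the assertion aimed at the namespaces that actually need the privileged profile and avoids pushing other namespaces toward a looser PSA level. The `Namespaces().List(...)` call and its `Expect(err).To(BeNil())` also sit directly in the `Context` body, where Ginkgo executes them while building the spec tree rather than inside a running spec, so an API error there is not reported as an ordinary test failure; moving them into the `It` (or a `BeforeEach`) fixes that. The rewrite below assumes `c` is the test `*Config` and that `ExpectedNamespaces` has already populated `c.Namespaces`; `slices.Contains` needs `slices` (Go 1.21+) added to the import block, or a small map lookup can stand in for it.
```go
It("must have the psa privileged label", func() {
	namespaces, err := c.Client.Clientset.CoreV1().Namespaces().List(context.TODO(), metav1.ListOptions{})
	Expect(err).NotTo(HaveOccurred())

	for _, namespace := range namespaces.Items {
		// Only the system namespaces listed in c.Namespaces are required to be privileged.
		if !slices.Contains(c.Namespaces, namespace.GetName()) {
			continue
		}
		value, ok := namespace.GetLabels()["pod-security.kubernetes.io/enforce"]
		if !ok {
			Fail(fmt.Sprintf("Namespace %s missing pod-security.kubernetes.io/enforce label", namespace.GetName()))
		}
		Expect(value).To(Equal("privileged"), "namespace %s", namespace.GetName())
	}
})
```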
