Commit
Merge pull request #256 from lpiwowar/readOnlyRootFilesystem
Run test pods with readOnlyRootFileSystem: true
openshift-merge-bot[bot] authored Dec 17, 2024
2 parents 93395c4 + 046eae0 commit 7797cdf
Showing 16 changed files with 153 additions and 52 deletions.
10 changes: 5 additions & 5 deletions api/bases/test.openstack.org_ansibletests.yaml
Expand Up @@ -146,11 +146,11 @@ spec:
default: false
description: |-
Use with caution! This parameter specifies whether test-operator should spawn test
pods with allowedPrivilegedEscalation: true and the default capabilities on
top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
This parameter is deemed insecure but it is needed for certain test-operator
functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
of tobiko tests).
pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
default capabilities on top of capabilities that are usually needed by the test
pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
CR, or certain set of tobiko tests).
type: boolean
storageClass:
default: local-storage
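Review bot: `allowedPrivilegedEscalation` in the regenerated description is not a Kubernetes securityContext key; the pod field is `allowPrivilegeEscalation` (the `readOnlyRootFilesystem` half of the sentence is spelled correctly). This file is generated from the comment on `CommonOptions.Privileged` in api/v1beta1/common.go, so the wording should be fixed there and the CRDs regenerated rather than edited here, otherwise the eight copies under api/bases and config/crd/bases drift apart.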
Expand Down
10 changes: 5 additions & 5 deletions api/bases/test.openstack.org_horizontests.yaml
Expand Up @@ -159,11 +159,11 @@ spec:
default: false
description: |-
Use with caution! This parameter specifies whether test-operator should spawn test
pods with allowedPrivilegedEscalation: true and the default capabilities on
top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
This parameter is deemed insecure but it is needed for certain test-operator
functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
of tobiko tests).
pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
default capabilities on top of capabilities that are usually needed by the test
pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
CR, or certain set of tobiko tests).
type: boolean
projectName:
default: horizontest
Expand Down
10 changes: 5 additions & 5 deletions api/bases/test.openstack.org_tempests.yaml
Expand Up @@ -153,11 +153,11 @@ spec:
default: false
description: |-
Use with caution! This parameter specifies whether test-operator should spawn test
pods with allowedPrivilegedEscalation: true and the default capabilities on
top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
This parameter is deemed insecure but it is needed for certain test-operator
functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
of tobiko tests).
pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
default capabilities on top of capabilities that are usually needed by the test
pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
CR, or certain set of tobiko tests).
type: boolean
storageClass:
default: local-storage
Expand Down
10 changes: 5 additions & 5 deletions api/bases/test.openstack.org_tobikoes.yaml
Expand Up @@ -143,11 +143,11 @@ spec:
default: false
description: |-
Use with caution! This parameter specifies whether test-operator should spawn test
pods with allowedPrivilegedEscalation: true and the default capabilities on
top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
This parameter is deemed insecure but it is needed for certain test-operator
functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
of tobiko tests).
pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
default capabilities on top of capabilities that are usually needed by the test
pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
CR, or certain set of tobiko tests).
type: boolean
publicKey:
default: ""
Expand Down
10 changes: 5 additions & 5 deletions api/v1beta1/common.go
Expand Up @@ -46,11 +46,11 @@ type CommonOptions struct {
// +kubebuilder:default=false
// +optional
// Use with caution! This parameter specifies whether test-operator should spawn test
// pods with allowedPrivilegedEscalation: true and the default capabilities on
// top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
// This parameter is deemed insecure but it is needed for certain test-operator
// functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
// of tobiko tests).
// pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
// default capabilities on top of capabilities that are usually needed by the test
// pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
// certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
// CR, or certain set of tobiko tests).
Privileged bool `json:"privileged"`

// +operator-sdk:csv:customresourcedefinitions:type=spec
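Review bot: The comment names the relaxed field `allowedPrivilegedEscalation`, but the code in pkg/util/common.go toggles `securityContext.AllowPrivilegeEscalation` (YAML key `allowPrivilegeEscalation`); since this comment is the source text for all the CRD descriptions in this commit, correct it here so the user-facing docs use the real field name. Minor: "certain set of tobiko tests" reads better as "a certain set of tobiko tests".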
Expand Down
4 changes: 2 additions & 2 deletions api/v1beta1/common_webhook.go
Expand Up @@ -12,8 +12,8 @@ const (
const (
// WarnPrivilegedModeOn
WarnPrivilegedModeOn = "%s.Spec.Privileged is set to true. This means that test pods " +
"are spawned with allowPrivilegedEscalation: true and default " +
"capabilities on top of those required by the test operator " +
"are spawned with allowPrivilegedEscalation: true, readOnlyRootFilesystem: false " +
"and default capabilities on top of those required by the test operator " +
"(NET_ADMIN, NET_RAW)."

// WarnPrivilegedModeOff
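Review bot: `allowPrivilegedEscalation` on the reworded line is still a misspelling of the securityContext key `allowPrivilegeEscalation`; since this string is the warning users see when they turn on the insecure mode, and the line is being touched anyway to add `readOnlyRootFilesystem: false`, it is worth fixing the spelling in the same change.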
Expand Down
10 changes: 5 additions & 5 deletions config/crd/bases/test.openstack.org_ansibletests.yaml
Expand Up @@ -146,11 +146,11 @@ spec:
default: false
description: |-
Use with caution! This parameter specifies whether test-operator should spawn test
pods with allowedPrivilegedEscalation: true and the default capabilities on
top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
This parameter is deemed insecure but it is needed for certain test-operator
functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
of tobiko tests).
pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
default capabilities on top of capabilities that are usually needed by the test
pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
CR, or certain set of tobiko tests).
type: boolean
storageClass:
default: local-storage
Expand Down
10 changes: 5 additions & 5 deletions config/crd/bases/test.openstack.org_horizontests.yaml
Expand Up @@ -159,11 +159,11 @@ spec:
default: false
description: |-
Use with caution! This parameter specifies whether test-operator should spawn test
pods with allowedPrivilegedEscalation: true and the default capabilities on
top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
This parameter is deemed insecure but it is needed for certain test-operator
functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
of tobiko tests).
pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
default capabilities on top of capabilities that are usually needed by the test
pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
CR, or certain set of tobiko tests).
type: boolean
projectName:
default: horizontest
Expand Down
10 changes: 5 additions & 5 deletions config/crd/bases/test.openstack.org_tempests.yaml
Expand Up @@ -153,11 +153,11 @@ spec:
default: false
description: |-
Use with caution! This parameter specifies whether test-operator should spawn test
pods with allowedPrivilegedEscalation: true and the default capabilities on
top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
This parameter is deemed insecure but it is needed for certain test-operator
functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
of tobiko tests).
pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
default capabilities on top of capabilities that are usually needed by the test
pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
CR, or certain set of tobiko tests).
type: boolean
storageClass:
default: local-storage
Expand Down
10 changes: 5 additions & 5 deletions config/crd/bases/test.openstack.org_tobikoes.yaml
Expand Up @@ -143,11 +143,11 @@ spec:
default: false
description: |-
Use with caution! This parameter specifies whether test-operator should spawn test
pods with allowedPrivilegedEscalation: true and the default capabilities on
top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
This parameter is deemed insecure but it is needed for certain test-operator
functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
of tobiko tests).
pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
default capabilities on top of capabilities that are usually needed by the test
pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
CR, or certain set of tobiko tests).
type: boolean
publicKey:
default: ""
Expand Down
10 changes: 5 additions & 5 deletions config/samples/test_v1beta1_tempest.yaml
Expand Up @@ -31,11 +31,11 @@ spec:
# Privileged
# ----------
# Use with caution! This parameter specifies whether test-operator should spawn test
# pods with allowedPrivilegedEscalation: true and the default capabilities on
# top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
# This parameter is deemed insecure but it is needed for certain test-operator
# functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
# tobiko tests).
# pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
# default capabilities on top of capabilities that are usually needed by the test
# pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
# certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest CR,
# or certain set tobiko tests).
#
# privileged: false
tempestRun:
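Review bot: "or certain set tobiko tests" on the last rewritten comment line is missing "of" (the CRD descriptions read "certain set of tobiko tests"); this sample is hand-maintained rather than generated, so it needs the fix directly, and the same `allowedPrivilegedEscalation` spelling issue as in the CRD text applies here.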
Expand Down
23 changes: 23 additions & 0 deletions pkg/ansibletest/volumes.go
Expand Up @@ -2,6 +2,7 @@ package ansibletest

import (
testv1beta1 "github.com/openstack-k8s-operators/test-operator/api/v1beta1"
util "github.com/openstack-k8s-operators/test-operator/pkg/util"
corev1 "k8s.io/api/core/v1"
)

Expand Down Expand Up @@ -50,6 +51,18 @@ func GetVolumes(
},
},
},
{
Name: util.TestOperatorEphemeralVolumeNameWorkdir,
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
},
{
Name: util.TestOperatorEphemeralVolumeNameTmp,
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
},
}

if mountCerts {
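Review bot: Both new emptyDir volumes are declared without a `SizeLimit`. With the root filesystem now read-only, every write the test framework makes lands in these two volumes, which are backed by node ephemeral storage by default, so a runaway test (or a large extraRPMs install in privileged mode) can fill the node's disk rather than just the container's. Consider `EmptyDir: &corev1.EmptyDirVolumeSource{SizeLimit: &limit}` with a `resource.Quantity`, or an `ephemeral-storage` limit on the container, so the kubelet evicts the pod instead of the node running out of space.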
Expand Down Expand Up @@ -129,6 +142,16 @@ func GetVolumes(
// GetVolumeMounts -
func GetVolumeMounts(mountCerts bool, instance *testv1beta1.AnsibleTest, externalWorkflowCounter int) []corev1.VolumeMount {
volumeMounts := []corev1.VolumeMount{
{
Name: util.TestOperatorEphemeralVolumeNameWorkdir,
MountPath: "/var/lib/ansible",
ReadOnly: false,
},
{
Name: util.TestOperatorEphemeralVolumeNameTmp,
MountPath: "/tmp",
ReadOnly: false,
},
{
Name: "test-operator-logs",
MountPath: "/var/lib/AnsibleTests/external_files",
Expand Down
22 changes: 22 additions & 0 deletions pkg/horizontest/volumes.go
Expand Up @@ -61,6 +61,18 @@ func GetVolumes(
},
},
},
{
Name: util.TestOperatorEphemeralVolumeNameWorkdir,
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
},
{
Name: util.TestOperatorEphemeralVolumeNameTmp,
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
},
}

if mountCerts {
Expand Down Expand Up @@ -117,6 +129,16 @@ func GetVolumes(
// GetVolumeMounts -
func GetVolumeMounts(mountCerts bool, mountKeys bool, mountKubeconfig bool, instance *testv1beta1.HorizonTest) []corev1.VolumeMount {
volumeMounts := []corev1.VolumeMount{
{
Name: util.TestOperatorEphemeralVolumeNameWorkdir,
MountPath: "/var/lib/horizontest",
ReadOnly: false,
},
{
Name: util.TestOperatorEphemeralVolumeNameTmp,
MountPath: "/tmp",
ReadOnly: false,
},
{
Name: "test-operator-logs",
MountPath: "/var/lib/horizontest/external_files",
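Review bot: The new emptyDir at `/var/lib/horizontest` now sits above the existing `test-operator-logs` mount at `/var/lib/horizontest/external_files`, so the logs mount point is created inside the ephemeral volume and relies on the runtime ordering the parent mount before the nested one. That works, but a short comment saying the nesting is intentional would help the next reader; the tobiko mounts below have the same layout.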
Expand Down
23 changes: 23 additions & 0 deletions pkg/tempest/volumes.go
Expand Up @@ -2,6 +2,7 @@ package tempest

import (
testv1beta1 "github.com/openstack-k8s-operators/test-operator/api/v1beta1"
util "github.com/openstack-k8s-operators/test-operator/pkg/util"
corev1 "k8s.io/api/core/v1"
)

Expand Down Expand Up @@ -61,6 +62,18 @@ func GetVolumes(
},
},
},
{
Name: util.TestOperatorEphemeralVolumeNameWorkdir,
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
},
{
Name: util.TestOperatorEphemeralVolumeNameTmp,
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
},
}

if mountCerts {
Expand Down Expand Up @@ -119,6 +132,16 @@ func GetVolumes(
// GetVolumeMounts -
func GetVolumeMounts(mountCerts bool, mountSSHKey bool, instance *testv1beta1.Tempest) []corev1.VolumeMount {
volumeMounts := []corev1.VolumeMount{
{
Name: util.TestOperatorEphemeralVolumeNameWorkdir,
MountPath: "/var/lib/tempest",
ReadOnly: false,
},
{
Name: util.TestOperatorEphemeralVolumeNameTmp,
MountPath: "/tmp",
ReadOnly: false,
},
{
Name: "config-data",
MountPath: "/etc/test_operator",
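Review bot: Mounting an emptyDir over `/var/lib/tempest` hides whatever the image ships at that path behind an empty directory at start-up; if the image pre-populates a tempest workspace or any state there, it will no longer be visible and has to be recreated at runtime. Please confirm the image keeps nothing needed under `/var/lib/tempest`, or note in the code that the directory is expected to be empty; the same check applies to `/var/lib/ansible`, `/var/lib/horizontest` and `/var/lib/tobiko` in the sibling packages.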
Expand Down
22 changes: 22 additions & 0 deletions pkg/tobiko/volumes.go
Expand Up @@ -63,6 +63,18 @@ func GetVolumes(
},
},
},
{
Name: util.TestOperatorEphemeralVolumeNameWorkdir,
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
},
{
Name: util.TestOperatorEphemeralVolumeNameTmp,
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
},
}

if mountCerts {
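Review bot: This is the fourth verbatim copy of the two emptyDir volume definitions, and the GetVolumeMounts change below repeats the two mounts with only the workdir path differing. A pair of helpers in pkg/util (suggested names: `GetEphemeralVolumes() []corev1.Volume` and `GetEphemeralVolumeMounts(workdir string) []corev1.VolumeMount`) would keep the four frameworks in step when a SizeLimit or a different medium is added later.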
Expand Down Expand Up @@ -150,6 +162,16 @@ func GetVolumes(
// GetVolumeMounts -
func GetVolumeMounts(mountCerts bool, mountKeys bool, mountKubeconfig bool, instance *testv1beta1.Tobiko) []corev1.VolumeMount {
volumeMounts := []corev1.VolumeMount{
{
Name: util.TestOperatorEphemeralVolumeNameWorkdir,
MountPath: "/var/lib/tobiko",
ReadOnly: false,
},
{
Name: util.TestOperatorEphemeralVolumeNameTmp,
MountPath: "/tmp",
ReadOnly: false,
},
{
Name: "test-operator-logs",
MountPath: "/var/lib/tobiko/external_files",
Expand Down
11 changes: 11 additions & 0 deletions pkg/util/common.go
Expand Up @@ -9,6 +9,12 @@ const (
// modified clouds.yaml obtained from openstack-config ConfigMap. The modified
// CM is needed by some test frameworks (e.g., HorizonTest and Tobiko)
TestOperatorCloudsConfigMapName = "test-operator-clouds-config"

// TestOperatorEphemeralVolumeNameWorkdir
TestOperatorEphemeralVolumeNameWorkdir = "test-operator-ephemeral-workdir"

// TestOperatorEphemeralVolumeNameTmp
TestOperatorEphemeralVolumeNameTmp = "test-operator-ephemeral-temporary"
)

func GetSecurityContext(
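Review bot: The two new constants carry name-only comments (`// TestOperatorEphemeralVolumeNameWorkdir`), unlike `TestOperatorCloudsConfigMapName` just above, which explains what the object is for. One sentence each stating that these name the emptyDir volumes providing the only writable paths (the framework workdir and /tmp) once the root filesystem is read-only would make the intent clear to whoever wires up the next framework.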
Expand All @@ -22,6 +28,7 @@ func GetSecurityContext(
securityContext := corev1.SecurityContext{
RunAsUser: &runAsUser,
RunAsGroup: &runAsUser,
ReadOnlyRootFilesystem: &trueVar,
AllowPrivilegeEscalation: &falseVar,
Capabilities: &corev1.Capabilities{},
SeccompProfile: &corev1.SeccompProfile{
Expand All @@ -33,6 +40,10 @@ func GetSecurityContext(
// We need to run pods with AllowPrivilegedEscalation: true to remove
// nosuid from the pod (in order to be able to run sudo)
securityContext.AllowPrivilegeEscalation = &trueVar

// We need to run pods with ReadOnlyRootFileSystem: false when installing
// additional tests using extraRPMs parameter in Tempest CR
securityContext.ReadOnlyRootFilesystem = &falseVar
securityContext.Capabilities.Add = addCapabilities
}
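Review bot: The new comment says `ReadOnlyRootFileSystem: false` while the field set on the next line is `ReadOnlyRootFilesystem` (lower-case s, as in the Kubernetes API); keep the spelling consistent so a grep for the field also finds the comment. It is also worth recording here that `privileged` now relaxes three independent controls at once (privilege escalation, the read-only root filesystem and the added capabilities), so a user who only needs extraRPMs gets all three.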

Expand Down

0 comments on commit 7797cdf
