Invert logic for generating PSPs: Mak them opt-in instead of opt-out and adjust CI

mtesseract · mtesseract · commit fb1d56f3db79 · 2022-05-18T10:21:55.000+02:00
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -2519,7 +2519,7 @@ jobs:
       - LOCAL_PORT: 8000
       - COLLECTION_METHOD: ebpf
       - GCP_IMAGE_TYPE: "COS"
-      - POD_SECURITY_POLICIES: "true"
+      - POD_SECURITY_POLICIES: "false"
       - MONITORING_SUPPORT: false
       - SCANNER_SUPPORT: true
       - ROX_BASELINE_GENERATION_DURATION: 1m
@@ -2936,7 +2936,7 @@ jobs:
     resource_class: small
     environment:
       - GCP_IMAGE_TYPE: "COS"
-      - POD_SECURITY_POLICIES: "true"
+      - POD_SECURITY_POLICIES: "false"
     steps:
       - checkout
       - check-backend-changes
@@ -2946,27 +2946,27 @@ jobs:
       - provision-gke-cluster:
           cluster-id: api-e2e-tests
 
-  provision-gke-api-e2e-tests-no-psps:
+  provision-gke-api-e2e-tests-with-psps:
     executor: custom
     resource_class: small
     environment:
       - GCP_IMAGE_TYPE: "COS"
-      - POD_SECURITY_POLICIES: "false"
+      - POD_SECURITY_POLICIES: "true"
     steps:
       - checkout
       - check-backend-changes
       - check-label-to-skip-tests:
           label: ci-no-qa-tests
 
       - provision-gke-cluster:
-          cluster-id: api-e2e-tests-no-psps
+          cluster-id: api-e2e-tests-with-psps
 
   provision-gke-postgres-api-e2e-tests:
     executor: custom
     resource_class: small
     environment:
       - GCP_IMAGE_TYPE: "COS"
-      - POD_SECURITY_POLICIES: "true"
+      - POD_SECURITY_POLICIES: "false"
     steps:
       - checkout
       - check-backend-changes
@@ -3345,7 +3345,7 @@ jobs:
     resource_class: small
     environment:
       GCP_IMAGE_TYPE: "COS"
-      POD_SECURITY_POLICIES: "true"
+      POD_SECURITY_POLICIES: "false"
     steps:
       - checkout
       - check-backend-changes
@@ -3626,7 +3626,7 @@ jobs:
             - check-label-to-skip-tests:
                 label: ci-no-qa-tests
 
-  gke-api-e2e-tests-no-psps:
+  gke-api-e2e-tests-with-psps:
     executor: custom
     environment:
       - LOCAL_PORT: 443
@@ -3640,17 +3640,17 @@ jobs:
       - ADMISSION_CONTROLLER_UPDATES: true
       - ROX_NETWORK_BASELINE_OBSERVATION_PERIOD: 2m
       - ROX_NEW_POLICY_CATEGORIES: true
-      - POD_SECURITY_POLICIES: false
+      - POD_SECURITY_POLICIES: true
 
     steps:
       - run-qa-tests:
-          cluster-id: api-e2e-tests-no-psps
+          cluster-id: api-e2e-tests-with-psps
           sensor-deploy-flavor: helm
           determine-whether-to-run:
             - check-label-to-skip-tests:
                 label: ci-no-qa-tests
       - run-qa-tests:
-          cluster-id: api-e2e-tests-no-psps
+          cluster-id: api-e2e-tests-with-psps
           sensor-deploy-flavor: kubectl
           determine-whether-to-run:
             - check-label-to-skip-tests:
@@ -4889,15 +4889,15 @@ workflows:
             - build-rhacs
             - build-scale-monitoring-and-mock-server
             - provision-gke-api-e2e-tests
-      - provision-gke-api-e2e-tests-no-psps:
+      - provision-gke-api-e2e-tests-with-psps:
           <<: *runOnAllTagsWithQuayIOPullCtx
-      - gke-api-e2e-tests-no-psps:
+      - gke-api-e2e-tests-with-psps:
           <<: *runOnAllTagsWithQuayIOPullCtx
           requires:
             - build-stackrox
             - build-rhacs
             - build-scale-monitoring-and-mock-server
-            - provision-gke-api-e2e-tests-no-psps
+            - provision-gke-api-e2e-tests-with-psps
       - provision-gke-postgres-api-e2e-tests:
           <<: *runOnAllTagsWithQuayIOPullCtx
       - gke-postgres-api-e2e-tests:
diff --git a/central/clusters/deployer.go b/central/clusters/deployer.go
@@ -179,6 +179,6 @@ func getBaseMetaValues(c *storage.Cluster, versions version.Versions, opts *Rend
 		AdmissionControlEnforceOnUpdates: c.GetDynamicConfig().GetAdmissionControllerConfig().GetEnforceOnUpdates(),
 		ReleaseBuild:                     buildinfo.ReleaseBuild,
 
-		EnableDeprecatedPodSecurityPolicies: true,
+		EnableDeprecatedPodSecurityPolicies: false,
 	}
 }
diff --git a/deploy/common/k8sbased.sh b/deploy/common/k8sbased.sh
@@ -188,8 +188,8 @@ function launch_central {
     	add_args "--with-config-file=${ROXDEPLOY_CONFIG_FILE_MAP}"
     fi
 
-    if [[ "$POD_SECURITY_POLICIES" == "false" ]]; then
-      add_args "--enable-deprecated-pod-security-policies=false"
+    if [[ "$POD_SECURITY_POLICIES" == "true" ]]; then
+      add_args "--enable-deprecated-pod-security-policies"
     fi
 
     local unzip_dir="${k8s_dir}/central-deploy/"
@@ -290,9 +290,9 @@ function launch_central {
         )
       fi
 
-      if [[ "$POD_SECURITY_POLICIES" == "false" ]]; then
+      if [[ "$POD_SECURITY_POLICIES" == "true" ]]; then
         helm_args+=(
-          --set system.enableDeprecatedPodSecurityPolicies=false
+          --set system.enableDeprecatedPodSecurityPolicies=true
         )
       fi
 
diff --git a/pkg/helm/charts/meta.go b/pkg/helm/charts/meta.go
@@ -83,7 +83,7 @@ func GetMetaValuesForFlavor(imageFlavor defaults.ImageFlavor) *MetaValues {
 		ReleaseBuild:             buildinfo.ReleaseBuild,
 		FeatureFlags:             getFeatureFlags(),
 
-		EnableDeprecatedPodSecurityPolicies: true,
+		EnableDeprecatedPodSecurityPolicies: false,
 	}
 
 	return &metaValues
diff --git a/pkg/helm/charts/tests/centralservices/base_suite_test.go b/pkg/helm/charts/tests/centralservices/base_suite_test.go
@@ -75,6 +75,8 @@ scanner:
     cert: "scanner-db tls cert pem"
     key: "scanner-db tls key pem"
 enableOpenShiftMonitoring: true
+system:
+    enableDeprecatedPodSecurityPolicies: true
 `
 	autogenerateAll = `
 licenseKey: "my license key"
@@ -98,6 +100,8 @@ central:
       enabled: true
   enableCentralDB: true
 enableOpenShiftMonitoring: true
+system:
+    enableDeprecatedPodSecurityPolicies: true
 `
 )
 
diff --git a/pkg/helm/charts/tests/centralservices/testdata/helmtest/central.test.yaml b/pkg/helm/charts/tests/centralservices/testdata/helmtest/central.test.yaml
@@ -12,9 +12,6 @@ values:
 tests:
 - name: "central with default settings"
   expect: |
-    .podsecuritypolicys["stackrox-central"] | assertThat(. != null)
-    .rolebindings["stackrox-central-psp"] | assertThat(. != null)
-    .clusterroles["stackrox-central-psp"] | assertThat(. != null)
     .serviceaccounts["central"] | assertThat(. != null)
     .secrets["central-htpasswd"].stringData.htpasswd | assertThat(length != 0)
     .configmaps["central-config"].data.["central-config.yaml"] | assertThat(length != 0)
@@ -26,11 +23,11 @@ tests:
 - name: "central with deprecated PodSecurityPolicies disabled"
   values:
     system:
-      enableDeprecatedPodSecurityPolicies: false
+      enableDeprecatedPodSecurityPolicies: true
   expect: |
-    .podsecuritypolicys["stackrox-central"] | assertThat(. == null)
-    .rolebindings["stackrox-central-psp"] | assertThat(. == null)
-    .clusterroles["stackrox-central-psp"] | assertThat(. == null)
+    .podsecuritypolicys["stackrox-central"] | assertThat(. != null)
+    .rolebindings["stackrox-central-psp"] | assertThat(. != null)
+    .clusterroles["stackrox-central-psp"] | assertThat(. != null)
 
 - name: "central with OpenShift 3 and enabled SCCs"
   server:
diff --git a/pkg/helm/charts/tests/centralservices/testdata/helmtest/scanner.test.yaml b/pkg/helm/charts/tests/centralservices/testdata/helmtest/scanner.test.yaml
@@ -12,9 +12,6 @@ values:
 tests:
 - name: "scanner with default settings"
   expect: |
-    .podsecuritypolicys["stackrox-scanner"] | assertThat(. != null)
-    .rolebindings["stackrox-scanner-psp"] | assertThat(. != null)
-    .clusterroles["stackrox-scanner-psp"] | assertThat(. != null)
     .serviceaccounts["scanner"] | assertThat(. != null)
     .secrets["scanner-db-password"].stringData.password | assertThat(length != 0)
     .configmaps["scanner-config"].data.["config.yaml"] | assertThat(length != 0)
@@ -42,11 +39,11 @@ tests:
 - name: "scanner with deprecated PodSecurityPolicies disabled"
   values:
     system:
-      enableDeprecatedPodSecurityPolicies: false
+      enableDeprecatedPodSecurityPolicies: true
   expect: |
-    .podsecuritypolicys["stackrox-scanner"] | assertThat(. == null)
-    .rolebindings["stackrox-scanner-psp"] | assertThat(. == null)
-    .clusterroles["stackrox-scanner-psp"] | assertThat(. == null)
+    .podsecuritypolicys["stackrox-scanner"] | assertThat(. != null)
+    .rolebindings["stackrox-scanner-psp"] | assertThat(. != null)
+    .clusterroles["stackrox-scanner-psp"] | assertThat(. != null)
 
 #TODO: Add istio tests
 - name: "configured scanner"
diff --git a/pkg/helm/charts/tests/securedclusterservices/base_suite_test.go b/pkg/helm/charts/tests/securedclusterservices/base_suite_test.go
@@ -94,6 +94,9 @@ config:
 enableOpenShiftMonitoring: true
 scanner:
   disable: false
+
+system:
+    enableDeprecatedPodSecurityPolicies: true
 `
 )
 
diff --git a/roxctl/central/generate/generate.go b/roxctl/central/generate/generate.go
@@ -308,7 +308,7 @@ func Command(cliEnvironment environment.Environment) *cobra.Command {
 	if !buildinfo.ReleaseBuild {
 		flags.AddHelmChartDebugSetting(c)
 	}
-	c.PersistentFlags().BoolVar(&centralGenerateCmd.rendererConfig.EnableDeprecatedPodSecurityPolicies, "enable-deprecated-pod-security-policies", true, "Generate deprecated PodSecurityPolicy resources")
+	c.PersistentFlags().BoolVar(&centralGenerateCmd.rendererConfig.EnableDeprecatedPodSecurityPolicies, "enable-deprecated-pod-security-policies", false, "Generate deprecated PodSecurityPolicy resources")
 
 	c.AddCommand(centralGenerateCmd.interactive())
 	c.AddCommand(k8s(cliEnvironment))
diff --git a/roxctl/scanner/generate/generate.go b/roxctl/scanner/generate/generate.go
@@ -109,7 +109,7 @@ func Command(cliEnvironment environment.Environment) *cobra.Command {
 		fmt.Sprintf(
 			"Generate deployment files supporting the given Istio version. Valid versions: %s",
 			strings.Join(istioutils.ListKnownIstioVersions(), ", ")))
-	c.PersistentFlags().BoolVar(&scannerGenerateCmd.enableDeprecatedPodSecurityPolicies, "enable-deprecated-pod-security-policies", true, "Generate deprecated PodSecurityPolicy resources")
+	c.PersistentFlags().BoolVar(&scannerGenerateCmd.enableDeprecatedPodSecurityPolicies, "enable-deprecated-pod-security-policies", false, "Generate deprecated PodSecurityPolicy resources")
 
 	return c
 }
diff --git a/roxctl/sensor/generate/generate.go b/roxctl/sensor/generate/generate.go
@@ -228,7 +228,7 @@ func Command(cliEnvironment environment.Environment) *cobra.Command {
 
 	c.PersistentFlags().BoolVar(&generateCmd.cluster.AdmissionController, "admission-controller-listen-on-creates", false, "whether or not to configure the admission controller webhook to listen on deployment creates")
 	c.PersistentFlags().BoolVar(&generateCmd.cluster.AdmissionControllerUpdates, "admission-controller-listen-on-updates", false, "whether or not to configure the admission controller webhook to listen on deployment updates")
-	c.PersistentFlags().BoolVar(&generateCmd.enableDeprecatedPodSecurityPolicies, "enable-deprecated-pod-security-policies", true, "Generate deprecated PodSecurityPolicy resources")
+	c.PersistentFlags().BoolVar(&generateCmd.enableDeprecatedPodSecurityPolicies, "enable-deprecated-pod-security-policies", false, "Generate deprecated PodSecurityPolicy resources")
 
 	// Admission controller config
 	ac := generateCmd.cluster.DynamicConfig.AdmissionControllerConfig
diff --git a/tests/roxctl/bats-tests/cluster/scanner-generate.bats b/tests/roxctl/bats-tests/cluster/scanner-generate.bats
@@ -30,16 +30,17 @@ scanner_generate() {
 }
 
 run_scanner_generate_and_check() {
-  local -r cluster_type="$1";shift
+  local -r cluster_type="$1"
+  shift
 
   scanner_generate --cluster-type "${cluster_type}" "$@"
   assert_success
 }
 
 assert_number_of_k8s_resources() {
-    local -r k8s_resources_count=$(cat "${output_dir}/scanner/"*.yaml | grep -c "^apiVersion") || true
+  local -r k8s_resources_count=$(cat "${output_dir}/scanner/"*.yaml | grep -c "^apiVersion") || true
 
-    [[ "${k8s_resources_count}" = "${1}" ]] || fail "Unexpected number of k8s resources"
+  [[ "${k8s_resources_count}" = "${1}" ]] || fail "Unexpected number of k8s resources"
 }
 
 @test "[openshift4] roxctl scanner generate" {
@@ -51,7 +52,7 @@ assert_number_of_k8s_resources() {
   # additional mounted volume. It's called "trusted-ca-volume" and we use it to identify OpenShift 4 configuration.
   run -0 grep -q 'trusted-ca-volume' "${output_dir}/scanner/02-scanner-06-deployment.yaml"
   run -0 grep -q 'ROX_OPENSHIFT_API' "${output_dir}/scanner/02-scanner-06-deployment.yaml"
-  assert_number_of_k8s_resources 16
+  assert_number_of_k8s_resources 13
 }
 
 @test "[openshift] roxctl scanner generate" {
@@ -60,7 +61,7 @@ assert_number_of_k8s_resources() {
   assert_file_exist "${output_dir}/scanner/02-scanner-06-deployment.yaml"
   run -0 grep -q 'ROX_OPENSHIFT_API' "${output_dir}/scanner/02-scanner-06-deployment.yaml"
   run -1 grep -q 'trusted-ca-volume' "${output_dir}/scanner/02-scanner-06-deployment.yaml"
-  assert_number_of_k8s_resources 16
+  assert_number_of_k8s_resources 13
 }
 
 @test "[k8s] roxctl scanner generate" {
@@ -72,15 +73,15 @@ assert_number_of_k8s_resources() {
   assert_file_exist "${output_dir}/scanner/02-scanner-06-deployment.yaml"
   run -1 grep -q 'ROX_OPENSHIFT_API' "${output_dir}/scanner/02-scanner-06-deployment.yaml"
 
-  assert_number_of_k8s_resources 15
+  assert_number_of_k8s_resources 12
 }
 
 @test "[k8s istio-support] roxctl scanner generate" {
   run_scanner_generate_and_check k8s --istio-support 1.7
 
   assert_file_exist "${output_dir}/scanner/02-scanner-07-service.yaml"
   run -0 grep -q "^apiVersion: networking.istio.io/v1alpha3" "${output_dir}/scanner/02-scanner-07-service.yaml"
-  assert_number_of_k8s_resources 17
+  assert_number_of_k8s_resources 14
 }
 
 @test "[k8s scanner-image] roxctl scanner generate" {

Original file line number	Diff line number	Diff line change
`@@ -179,6 +179,6 @@ func getBaseMetaValues(c storage.Cluster, versions version.Versions, opts Rend`
`179`	`179`	`AdmissionControlEnforceOnUpdates: c.GetDynamicConfig().GetAdmissionControllerConfig().GetEnforceOnUpdates(),`
`180`	`180`	`ReleaseBuild: buildinfo.ReleaseBuild,`
`181`	`181`
`182`		`- EnableDeprecatedPodSecurityPolicies: true,`
	`182`	`+ EnableDeprecatedPodSecurityPolicies: false,`
`183`	`183`	`}`
`184`	`184`	`}`
Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ func GetMetaValuesForFlavor(imageFlavor defaults.ImageFlavor) *MetaValues {`
`83`	`83`	`ReleaseBuild: buildinfo.ReleaseBuild,`
`84`	`84`	`FeatureFlags: getFeatureFlags(),`
`85`	`85`
`86`		`- EnableDeprecatedPodSecurityPolicies: true,`
	`86`	`+ EnableDeprecatedPodSecurityPolicies: false,`
`87`	`87`	`}`
`88`	`88`
`89`	`89`	`return &metaValues`
Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,8 @@ scanner:`
`75`	`75`	`cert: "scanner-db tls cert pem"`
`76`	`76`	`key: "scanner-db tls key pem"`
`77`	`77`	`enableOpenShiftMonitoring: true`
	`78`	`+system:`
	`79`	`+ enableDeprecatedPodSecurityPolicies: true`
`78`	`80`	`
`79`	`81`	autogenerateAll = `
`80`	`82`	`licenseKey: "my license key"`
`@@ -98,6 +100,8 @@ central:`
`98`	`100`	`enabled: true`
`99`	`101`	`enableCentralDB: true`
`100`	`102`	`enableOpenShiftMonitoring: true`
	`103`	`+system:`
	`104`	`+ enableDeprecatedPodSecurityPolicies: true`
`101`	`105`	`
`102`	`106`	`)`
`103`	`107`
Original file line number	Diff line number	Diff line change
`@@ -94,6 +94,9 @@ config:`
`94`	`94`	`enableOpenShiftMonitoring: true`
`95`	`95`	`scanner:`
`96`	`96`	`disable: false`
	`97`	`+`
	`98`	`+system:`
	`99`	`+ enableDeprecatedPodSecurityPolicies: true`
`97`	`100`	`
`98`	`101`	`)`
`99`	`102`
Original file line number	Diff line number	Diff line change
`@@ -308,7 +308,7 @@ func Command(cliEnvironment environment.Environment) *cobra.Command {`
`308`	`308`	`if !buildinfo.ReleaseBuild {`
`309`	`309`	`flags.AddHelmChartDebugSetting(c)`
`310`	`310`	`}`
`311`		`- c.PersistentFlags().BoolVar(&centralGenerateCmd.rendererConfig.EnableDeprecatedPodSecurityPolicies, "enable-deprecated-pod-security-policies", true, "Generate deprecated PodSecurityPolicy resources")`
	`311`	`+ c.PersistentFlags().BoolVar(&centralGenerateCmd.rendererConfig.EnableDeprecatedPodSecurityPolicies, "enable-deprecated-pod-security-policies", false, "Generate deprecated PodSecurityPolicy resources")`
`312`	`312`
`313`	`313`	`c.AddCommand(centralGenerateCmd.interactive())`
`314`	`314`	`c.AddCommand(k8s(cliEnvironment))`
Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,7 @@ func Command(cliEnvironment environment.Environment) *cobra.Command {`
`109`	`109`	`fmt.Sprintf(`
`110`	`110`	`"Generate deployment files supporting the given Istio version. Valid versions: %s",`
`111`	`111`	`strings.Join(istioutils.ListKnownIstioVersions(), ", ")))`
`112`		`- c.PersistentFlags().BoolVar(&scannerGenerateCmd.enableDeprecatedPodSecurityPolicies, "enable-deprecated-pod-security-policies", true, "Generate deprecated PodSecurityPolicy resources")`
	`112`	`+ c.PersistentFlags().BoolVar(&scannerGenerateCmd.enableDeprecatedPodSecurityPolicies, "enable-deprecated-pod-security-policies", false, "Generate deprecated PodSecurityPolicy resources")`
`113`	`113`
`114`	`114`	`return c`
`115`	`115`	`}`