stackrox · mtesseract · Oct 4, 2022 · Oct 4, 2022 · Sep 28, 2022 · Sep 30, 2022
diff --git a/deploy/common/k8sbased.sh b/deploy/common/k8sbased.sh
@@ -194,8 +194,8 @@ function launch_central {
     	add_args "--with-config-file=${ROXDEPLOY_CONFIG_FILE_MAP}"
     fi
 
-    if [[ "$POD_SECURITY_POLICIES" == "true" ]]; then
-      add_args "--enable-pod-security-policies"
+    if [[ -n "$POD_SECURITY_POLICIES" ]]; then
+      add_args "--enable-pod-security-policies=${POD_SECURITY_POLICIES}"
     fi
 
     local unzip_dir="${k8s_dir}/central-deploy/"
@@ -296,9 +296,9 @@ function launch_central {
         )
       fi
 
-      if [[ "$POD_SECURITY_POLICIES" == "true" ]]; then
+      if [[ -n "$POD_SECURITY_POLICIES" ]]; then
         helm_args+=(
-          --set system.enablePodSecurityPolicies=true
+          --set system.enablePodSecurityPolicies="${POD_SECURITY_POLICIES}"
         )
       fi
 

@@ -39,6 +39,15 @@ tests:
     .rolebindings["stackrox-central-psp"] | assertThat(. != null)
     .clusterroles["stackrox-central-psp"] | assertThat(. != null)
 
+- name: "central with deprecated PodSecurityPolicies disabled"
+  values:
+    system:
+      enablePodSecurityPolicies: false
+  expect: |
+    .podsecuritypolicys["stackrox-central"] | assertThat(. == null)
+    .rolebindings["stackrox-central-psp"] | assertThat(. == null)
+    .clusterroles["stackrox-central-psp"] | assertThat(. == null)
+
 - name: "central with OpenShift 3 and enabled SCCs"
   server:
     visibleSchemas:

@@ -40,7 +40,17 @@ tests:
     - name: "with empty setting"
       set:
         scanner.mode: ""
+
 - name: "scanner with deprecated PodSecurityPolicies disabled"
+  values:
+    system:
+      enablePodSecurityPolicies: false
+  expect: |
+    .podsecuritypolicys["stackrox-scanner"] | assertThat(. == null)
+    .rolebindings["stackrox-scanner-psp"] | assertThat(. == null)
+    .clusterroles["stackrox-scanner-psp"] | assertThat(. == null)
+
+- name: "scanner with deprecated PodSecurityPolicies enabled"
   values:
     system:
       enablePodSecurityPolicies: true

@@ -0,0 +1,18 @@
+test:
+    - name: "sensor with deprecated PodSecurityPolicies enabled"
+      values:
+        system:
+          enablePodSecurityPolicies: true
+      expect: |
+        .podsecuritypolicys["stackrox-sensor"] | assertThat(. != null)
+        .rolebindings["stackrox-sensor-psp"] | assertThat(. != null)
+        .clusterroles["stackrox-sensor-psp"] | assertThat(. != null)
+
+    - name: "sensor with deprecated PodSecurityPolicies disabled"
+      values:
+        system:
+          enablePodSecurityPolicies: false
+      expect: |
+        .podsecuritypolicys["stackrox-sensor"] | assertThat(. == null)
+        .rolebindings["stackrox-sensor-psp"] | assertThat(. == null)
+        .clusterroles["stackrox-sensor-psp"] | assertThat(. == null)
diff --git a/pkg/renderer/render_new.go b/pkg/renderer/render_new.go
@@ -93,7 +93,9 @@ func renderNewBasicFiles(c Config, mode mode, imageFlavor defaults.ImageFlavor)
 	// Modify metaVals depending on deployment format:
 	metaVals.KubectlOutput = c.K8sConfig.DeploymentFormat == v1.DeploymentFormat_KUBECTL
 	metaVals.EnablePodSecurityPolicies = c.EnablePodSecurityPolicies
-
+	if metaVals.KubectlOutput {
+		metaVals.AutoSensePodSecurityPolicies = false
+	}
 	chartFiles, err := chTpl.InstantiateRaw(metaVals)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to instantiate central services chart template")

@@ -0,0 +1,68 @@
+#!/usr/bin/env bats
+
+load "../helpers.bash"
+
+out_dir=""
+
+setup_file() {
+    # remove binaries from the previous runs
+    [[ -n "$NO_BATS_ROXCTL_REBUILD" ]] || rm -f "${tmp_roxctl}"/roxctl*
+    echo "Testing roxctl version: '$(roxctl-release version)'" >&3
+
+    [[ -n "${API_ENDPOINT}" ]] || fail "Environment variable 'API_ENDPOINT' required"
+    [[ -n "${ROX_PASSWORD}" ]] || fail "Environment variable 'ROX_PASSWORD' required"
+}
+
+setup() {
+    out_dir="$(mktemp -d -u)"
+}
+
+teardown() {
+    rm -rf "$out_dir"
+}
+
+sensor_bundle_psp_enabled() {
+    local cluster_type="$1"
+    shift
+    local sensor_name="sensor-test-${RANDOM}"
+    local bundle_dir="${out_dir}/bundle-${sensor_name}"
+    roxctl-release -e "$API_ENDPOINT" -p "$ROX_PASSWORD" sensor generate "${cluster_type}" --name="${sensor_name}" "$@" --output-dir="${bundle_dir}"
+    run grep -rq "kind: PodSecurityPolicy" "${bundle_dir}"
+    assert_success
+}
+
+sensor_bundle_psp_disabled() {
+    local cluster_type="$1"
+    shift
+    local sensor_name="sensor-test-${RANDOM}"
+    local bundle_dir="${out_dir}/bundle-${sensor_name}"
+    roxctl-release -e "$API_ENDPOINT" -p "$ROX_PASSWORD" sensor generate "${cluster_type}" --name="${sensor_name}" "$@" --output-dir="${bundle_dir}"
+    run grep -rq "kind: PodSecurityPolicy" "${bundle_dir}"
+    assert_failure
+}
+
+# Testing: sensor generate k8s
+@test "PodSecurityPolicies can be disabled for sensor deployment bundle (k8s)" {
+    sensor_bundle_psp_disabled k8s --enable-pod-security-policies=false
+}
+
+@test "PodSecurityPolicies can be enabled for sensor deployment bundle (k8s)" {
+    sensor_bundle_psp_enabled k8s --enable-pod-security-policies=true
+}
+
+@test "PodSecurityPolicies enabled by default for sensor deployment bundle (k8s)" {
+    sensor_bundle_psp_enabled k8s
+}
+
+# Testing: sensor generate openshift
+@test "PodSecurityPolicies can be disabled for sensor deployment bundle (openshift)" {
+    sensor_bundle_psp_disabled openshift --enable-pod-security-policies=false
+}
+
+@test "PodSecurityPolicies can be enabled for sensor deployment bundle (openshift)" {
+    sensor_bundle_psp_enabled openshift --enable-pod-security-policies=true
+}
+
+@test "PodSecurityPolicies enabled by default for sensor deployment bundle (openshift)" {
+    sensor_bundle_psp_enabled openshift
+}
@@ -0,0 +1,63 @@
+#!/usr/bin/env bats
+
+load "../helpers.bash"
+
+out_dir=""
+
+setup_file() {
+    # remove binaries from the previous runs
+    [[ -n "$NO_BATS_ROXCTL_REBUILD" ]] || rm -f "${tmp_roxctl}"/roxctl*
+    echo "Testing roxctl version: '$(roxctl-release version)'" >&3
+}
+
+setup() {
+    out_dir="$(mktemp -d -u)"
+}
+
+teardown() {
+    rm -rf "$out_dir"
+}
+
+central_bundle_psp_enabled() {
+    local cluster_type="$1"
+    shift
+    local bundle_dir="${out_dir}/bundle-central-$RANDOM"
+    roxctl-release central generate "${cluster_type}" pvc "$@" --output-dir="${bundle_dir}"
+    run grep -rq "kind: PodSecurityPolicy" "${bundle_dir}"
+    assert_success
+}
+
+central_bundle_psp_disabled() {
+    local cluster_type="$1"
+    shift
+    local bundle_dir="${out_dir}/bundle-central-$RANDOM"
+    roxctl-release central generate "${cluster_type}" pvc "$@" --output-dir="${bundle_dir}"
+    run grep -rq "kind: PodSecurityPolicy" "${bundle_dir}"
+    assert_failure
+}
+
+# Testing: central generate k8s
+@test "PodSecurityPolicies can be disabled for central deployment bundle (k8s)" {
+    central_bundle_psp_enabled k8s --enable-pod-security-policies=false
+}
+
+@test "PodSecurityPolicies can be enabled for central deployment bundle (k8s)" {
+    central_bundle_psp_enabled k8s --enable-pod-security-policies=true
+}
+
+@test "PodSecurityPolicies are enabled by default for central deployment bundle (k8s)" {
+    central_bundle_psp_enabled k8s
+}
+
+# Testing: central generate openshift
+@test "PodSecurityPolicies can be disabled for central deployment bundle (openshift)" {
+    central_bundle_psp_enabled openshift --enable-pod-security-policies=false
+}
+
+@test "PodSecurityPolicies can be enabled for central deployment bundle (openshift)" {
+    central_bundle_psp_enabled openshift --enable-pod-security-policies=true
+}
+
+@test "PodSecurityPolicies are enabled by default for central deployment bundle (openshift)" {
+    central_bundle_psp_enabled openshift
+}