6 changes: 5 additions & 1 deletion qa-tests-backend/scripts/lib.sh
Expand Up @@ -8,7 +8,11 @@ set -euo pipefail

deploy_default_psp() {
info "Deploy Default PSP for stackrox namespace"
"${ROOT}/scripts/ci/create-default-psp.sh"
if [[ "$POD_SECURITY_POLICIES" != "false" ]]; then
"${ROOT}/scripts/ci/create-default-psp.sh"
else
info "POD_SECURITY_POLICIES is false, skip Deploy Default PSP for stackrox namespace"
fi
}

get_ECR_docker_pull_password() {
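Review bot: `"$POD_SECURITY_POLICIES"` on the new `if` line is expanded without a default while the file runs under `set -euo pipefail` (visible in the hunk header), so any caller that reaches `deploy_default_psp` without `setup_podsecuritypolicies_config` having exported the variable aborts with an unbound-variable error instead of creating the PSP as it did before this change. `if [[ "${POD_SECURITY_POLICIES:-}" != "false" ]]; then` keeps the pre-change behaviour for the unset case and still skips when the variable is explicitly `false`. The same unguarded expansion appears on the new `if` line in scripts/ci/clair/deploy.sh, where I cannot see whether `set -u` is in effect. deploy_default_psp is fully inside the hunk; get_ECR_docker_pull_password continues outside it.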
1 change: 1 addition & 0 deletions qa-tests-backend/scripts/run-compatibility.sh
Expand Up @@ -30,6 +30,7 @@ compatibility_test() {
fi

setup_deployment_env false false
setup_podsecuritypolicies_config
remove_existing_stackrox_resources
setup_default_TLS_certs

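Review bot: `setup_podsecuritypolicies_config` is defined in tests/e2e/lib.sh by this PR, but nothing in this hunk, nor in the matching one in qa-tests-backend/scripts/run-part-1.sh, shows the qa-tests-backend scripts sourcing that file; if they only source qa-tests-backend/scripts/lib.sh the call fails as an unknown command and, under `set -e`, aborts compatibility_test before remove_existing_stackrox_resources runs. Worth confirming the source line (outside the hunk) or placing the helper next to deploy_default_psp in qa-tests-backend/scripts/lib.sh, which is the consumer of the variable in this tree. compatibility_test starts before this hunk and continues after it.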
1 change: 1 addition & 0 deletions qa-tests-backend/scripts/run-part-1.sh
Expand Up @@ -32,6 +32,7 @@ config_part_1() {

setup_gcp
setup_deployment_env false false
setup_podsecuritypolicies_config
remove_existing_stackrox_resources
setup_default_TLS_certs "$ROOT/$DEPLOY_DIR/default_TLS_certs"

Expand Up @@ -106,6 +106,7 @@ import objects.Secret
import objects.SecretKeyRef
import util.Helpers
import util.Timer
import util.Env

@Slf4j
class Kubernetes implements OrchestratorMain {
Expand Down Expand Up @@ -1654,7 +1655,8 @@ class Kubernetes implements OrchestratorMain {
}

protected defaultPspForNamespace(String namespace) {
PodSecurityPolicy psp = new PodSecurityPolicyBuilder().withNewMetadata()
if (Env.get("POD_SECURITY_POLICIES") != "false") {
PodSecurityPolicy psp = new PodSecurityPolicyBuilder().withNewMetadata()
.withName("allow-all-for-test")
.endMetadata()
.withNewSpec()
Expand All @@ -1672,9 +1674,10 @@ class Kubernetes implements OrchestratorMain {
.withNewFsGroup().withRule("RunAsAny").endFsGroup()
.endSpec()
.build()
client.policy().v1beta1().podSecurityPolicies().createOrReplace(psp)
createClusterRole(generatePspRole())
createClusterRoleBinding(generatePspRoleBinding(namespace))
client.policy().v1beta1().podSecurityPolicies().createOrReplace(psp)
createClusterRole(generatePspRole())
createClusterRoleBinding(generatePspRoleBinding(namespace))
}
}

/*
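Review bot: The new guard `if (Env.get("POD_SECURITY_POLICIES") != "false")` treats an unset variable, and any spelling other than the exact string `false`, as a request to create the PSP through `client.policy().v1beta1()`, which matches the shell checks in this PR but is stated nowhere in the method. A one-line comment above the `if`, e.g. `// Skip only when POD_SECURITY_POLICIES is exactly "false" (exported by setup_podsecuritypolicies_config on Kubernetes >= 1.25, where PodSecurityPolicy was removed); unset or any other value creates the PSP.`, would make the fail-open choice explicit for the next maintainer. The `if` opened in this hunk is closed by the `}` added in the following hunk, and the Kubernetes class extends beyond both.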
4 changes: 3 additions & 1 deletion scripts/ci/clair/deploy.sh
Expand Up @@ -45,7 +45,9 @@ if kubectl get ns "${namespace}"; then
kubectl delete ns "${namespace}" # handle CI re-runs
fi
kubectl create ns "${namespace}"
kubectl -n "${namespace}" apply -f "${DIR}/psp.yaml"
if [[ "$POD_SECURITY_POLICIES" != "false" ]]; then
kubectl -n "${namespace}" apply -f "${DIR}/psp.yaml"
fi

export POSTGRES_PASSWORD="${CLAIR_DB_PASSWORD}"
kubectl -n "${namespace}" create secret generic clairsecret --from-file="${DIR}/config.yaml"
22 changes: 22 additions & 0 deletions tests/e2e/lib.sh
Expand Up @@ -15,6 +15,8 @@ export PORT_FORWARD_LOGS="/tmp/port-forward-logs"

# shellcheck disable=SC2120
deploy_stackrox() {
setup_podsecuritypolicies_config

deploy_central

get_central_basic_auth_creds
Expand All @@ -39,6 +41,7 @@ deploy_stackrox_with_custom_sensor() {
die "expected sensor chart version as parameter in deploy_stackrox_with_custom_sensor"
fi
target_version="$1"
setup_podsecuritypolicies_config

deploy_central

Expand Down Expand Up @@ -211,6 +214,25 @@ setup_generated_certs_for_test() {
done
}

setup_podsecuritypolicies_config() {
info "Set POD_SECURITY_POLICIES variable based on kubernetes version"
local version
version=$(kubectl version --output json)
local majorVersion
majorVersion=$(echo "$version" | jq -r .serverVersion.major)
local minorVersion
minorVersion=$(echo "$version" | jq -r .serverVersion.minor)

# PodSecurityPolicy was removed in version 1.25
if (( "$majorVersion" >= 1 && "$minorVersion" >= 25 )); then
ci_export "POD_SECURITY_POLICIES" "false"
info "POD_SECURITY_POLICIES set to false"
else
ci_export "POD_SECURITY_POLICIES" "true"
info "POD_SECURITY_POLICIES set to true"
fi
}

patch_resources_for_test() {
info "Patch the loadbalancer and netpol resources for endpoints test"

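Review bot: The arithmetic test `(( "$majorVersion" >= 1 && "$minorVersion" >= 25 ))` in setup_podsecuritypolicies_config is brittle in two ways: `jq -r .serverVersion.minor` is not guaranteed to yield a bare integer (some distributions report a suffix such as `25+`, and a missing field prints `null`), and a non-numeric operand makes `((` error out, which under `set -e` kills deploy_stackrox before deploy_central runs; and the condition reads as "major >= 1 and minor >= 25", so any future 2.x release with a minor below 25 would be treated as still having the PSP API. Normalising the minor first, `minorVersion="${minorVersion%%[^0-9]*}"`, and writing the comparison as `if (( majorVersion > 1 || (majorVersion == 1 && minorVersion >= 25) )); then` addresses both. A guard that dies with a clear message when either value is empty after normalisation would make the remaining failure mode legible instead of an arithmetic error. The function is complete within the hunk; setup_generated_certs_for_test ends at its top and patch_resources_for_test continues past it.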