Add security context and resource block to test (#4712)

* Add security context and resource block to test Signed-off-by: aaz10 <6935594+AddilAfzal@users.noreply.github.com> Signed-off-by: AddilAfzal <> * Add comment to test security context Signed-off-by: aaz10 <6935594+AddilAfzal@users.noreply.github.com> Signed-off-by: AddilAfzal <> * Add security context and resource block to other test container Signed-off-by: aaz10 <6935594+AddilAfzal@users.noreply.github.com> Signed-off-by: AddilAfzal <> * fix: shutdown controllers workers gracefully (#4681) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Signed-off-by: AddilAfzal <> * fix: split webhook handlers per failure policy (#4650) * fix: split webhook handlers per failure policy Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix handlers Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * rolling update Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * better error message Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Signed-off-by: AddilAfzal <> * refactor: use pod name as leader id (#4680) * refactor: use pod name as leader id Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix manifests Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * makefile Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * leader client Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: AddilAfzal <> * fix: missing client wrapper (#4703) * fix: missing client wrapper Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * v1beta1 Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * v1alpha2 Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * policy report Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: AddilAfzal <> * chore: refactor manifests related makefile targets (#4706) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: AddilAfzal <> * fix: change key used in test (#4718) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: AddilAfzal <> * Add changelog entry Signed-off-by: AddilAfzal <6935594+AddilAfzal@users.noreply.github.com> * Set user and group on test pod Signed-off-by: AddilAfzal <6935594+AddilAfzal@users.noreply.github.com> * fix docs Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * Move securityContext back to container level Signed-off-by: AddilAfzal <6935594+AddilAfzal@users.noreply.github.com> Signed-off-by: aaz10 <6935594+AddilAfzal@users.noreply.github.com> Signed-off-by: AddilAfzal <> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: AddilAfzal <6935594+AddilAfzal@users.noreply.github.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: AddilAfzal <>
2024-12-14 11:57:48 +00:00 · 2022-10-03 15:16:14 +01:00 · 2022-10-03 15:16:14 +01:00 · 5f3411e588
commit 5f3411e588
parent 278dbba316
6 changed files with 49 additions and 1 deletions
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@ -40,3 +40,5 @@ annotations:
      description: Self signed certificates not using SANs.
    - kind: added
      description: Extra args support for init container.
+    - kind: added
+      description: Allow overriding of test security context and resource block.
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -84,6 +84,7 @@ The command removes all the Kubernetes components associated with the chart and
 | podAnnotations | object | `{}` | Additional annotations to add to each pod |
 | podSecurityContext | object | `{}` | Security context for the pod |
 | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
+| testSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the test containers |
 | priorityClassName | string | `""` | Optional priority class to be used for kyverno pods |
 | antiAffinity.enable | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. |
 | podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. |
@ -105,6 +106,8 @@ The command removes all the Kubernetes components associated with the chart and
 | resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests |
 | initResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
 | initResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
+| testResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
+| testResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
 | livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
 | readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
 | generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. |
--- a/charts/kyverno/templates/_helpers.tpl
+++ b/charts/kyverno/templates/_helpers.tpl
@ -113,6 +113,14 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
 {{- end }}
 {{- end }}

+{{- define "kyverno.testSecurityContext" -}}
+{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }}
+{{ toYaml (omit .Values.testSecurityContext "seccompProfile") }}
+{{- else }}
+{{ toYaml .Values.testSecurityContext }}
+{{- end }}
+{{- end }}
+
 {{- define "kyverno.imagePullSecret" }}
 {{- printf "{\"auths\":{\"%s\":{\"auth\":\"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }}
 {{- end }}
--- a/charts/kyverno/templates/tests/test.yaml
+++ b/charts/kyverno/templates/tests/test.yaml
@ -12,6 +12,12 @@ spec:
    - name: wget
      image: {{ .Values.testImage.repository | default "busybox" }}{{- if .Values.testImage.tag }}:{{ .Values.testImage.tag }}{{- end }}
      imagePullPolicy: {{ default .Values.image.pullPolicy .Values.testImage.pullPolicy }}
+      {{- with .Values.testResources }}
+      resources: {{ tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- if .Values.testSecurityContext }}
+      securityContext: {{ include "kyverno.testSecurityContext" . | nindent 8 }}
+      {{- end }}
      command:
        - /bin/sh
        - -c
@ -20,6 +26,12 @@ spec:
    - name: wget-metrics
      image: {{ .Values.testImage.repository | default "busybox" }}{{- if .Values.testImage.tag }}:{{ .Values.testImage.tag }}{{- end }}
      imagePullPolicy: {{ default .Values.image.pullPolicy .Values.testImage.pullPolicy }}
+      {{- with .Values.testResources }}
+      resources: {{ tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- if .Values.testSecurityContext }}
+      securityContext: {{ include "kyverno.testSecurityContext" . | nindent 8 }}
+      {{- end }}
      command:
        - /bin/sh
        - -c
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -87,6 +87,20 @@ securityContext:
  seccompProfile:
    type: RuntimeDefault

+# -- Security context for the test containers
+testSecurityContext:
+  runAsUser: 65534
+  runAsGroup: 65534
+  runAsNonRoot: true
+  privileged: false
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - ALL
+  seccompProfile:
+    type: RuntimeDefault
+
 # -- Optional priority class to be used for kyverno pods
 priorityClassName: ''

@ -197,6 +211,16 @@ initResources:
    cpu: 10m
    memory: 64Mi

+testResources:
+  # -- Pod resource limits
+  limits:
+    cpu: 100m
+    memory: 256Mi
+  # -- Pod resource requests
+  requests:
+    cpu: 10m
+    memory: 64Mi
+
 # -- Liveness probe.
 # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
 # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@ -218,7 +218,6 @@ func main() {
 		logger.Error(err, "Failed to create kubernetes leader client")
 		os.Exit(1)
 	}
-
 	// sanity checks
 	if !utils.CRDsInstalled(dynamicClient.Discovery()) {
 		logger.Error(fmt.Errorf("CRDs not installed"), "Failed to access Kyverno CRDs")