e2e: podSecurity: adapt PodSecurity constraints

The tested pods have some lax spec wrt security, hence a restrict podSecurity namespace won't allow running those pods. In topology-updater tests, the topology-updater pod needs to run the container as root so change the namespace podSecurity from restricted to priviliged. In node-feature-discovery tests, we don't need root access, so add the required security context configuration. Signed-off-by: Talor Itzhak <titzhak@redhat.com>
2024-12-14 11:57:51 +00:00 · 2022-11-17 16:57:20 +02:00 · 2022-11-17 16:57:20 +02:00 · a65278d890
commit a65278d890
parent be8012e035
3 changed files with 14 additions and 3 deletions
--- a/test/e2e/node_feature_discovery.go
+++ b/test/e2e/node_feature_discovery.go
@ -38,9 +38,8 @@ import (
 	e2elog "k8s.io/kubernetes/test/e2e/framework/log"
 	e2enetwork "k8s.io/kubernetes/test/e2e/framework/network"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
-	nfdclient "sigs.k8s.io/node-feature-discovery/pkg/generated/clientset/versioned"
-
 	nfdv1alpha1 "sigs.k8s.io/node-feature-discovery/pkg/apis/nfd/v1alpha1"
+	nfdclient "sigs.k8s.io/node-feature-discovery/pkg/generated/clientset/versioned"
 	"sigs.k8s.io/node-feature-discovery/source/custom"
 	testutils "sigs.k8s.io/node-feature-discovery/test/e2e/utils"
 )
--- a/test/e2e/topology_updater.go
+++ b/test/e2e/topology_updater.go
@ -36,6 +36,7 @@ import (
 	"k8s.io/kubernetes/test/e2e/framework"
 	"k8s.io/kubernetes/test/e2e/framework/kubelet"
 	e2enetwork "k8s.io/kubernetes/test/e2e/framework/network"
+	admissionapi "k8s.io/pod-security-admission/api"

 	testutils "sigs.k8s.io/node-feature-discovery/test/e2e/utils"
 )
@ -51,7 +52,7 @@ var _ = SIGDescribe("Node Feature Discovery topology updater", func() {
 	)

 	f := framework.NewDefaultFramework("node-topology-updater")
-
+	f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 	BeforeEach(func() {
 		var err error

--- a/test/e2e/utils/pod.go
+++ b/test/e2e/utils/pod.go
@ -203,6 +203,8 @@ func newDaemonSet(name string, podSpec *corev1.PodSpec) *appsv1.DaemonSet {
 }

 func nfdWorkerPodSpec(image string, extraArgs []string) *corev1.PodSpec {
+	yes := true
+	no := false
 	return &corev1.PodSpec{
 		Containers: []corev1.Container{
 			{
@ -221,6 +223,15 @@ func nfdWorkerPodSpec(image string, extraArgs []string) *corev1.PodSpec {
 						},
 					},
 				},
+				SecurityContext: &corev1.SecurityContext{
+					Capabilities: &corev1.Capabilities{
+						Drop: []corev1.Capability{"ALL"},
+					},
+					Privileged:               &no,
+					RunAsNonRoot:             &yes,
+					ReadOnlyRootFilesystem:   &yes,
+					AllowPrivilegeEscalation: &no,
+				},
 				VolumeMounts: []corev1.VolumeMount{
 					{
 						Name:      "host-boot",