🌱 improve e2e tests to ensure that pods are restricted

Author: camilamacedo86

test/e2e/utils/test_context.go

@@ -33,16 +33,17 @@ import (
 // TestContext specified to run e2e tests
 type TestContext struct {
 	*CmdContext
-	TestSuffix string
-	Domain     string
-	Group      string
-	Version    string
-	Kind       string
-	Resources  string
-	ImageName  string
-	BinaryName string
-	Kubectl    *Kubectl
-	K8sVersion *KubernetesVersion
+	TestSuffix   string
+	Domain       string
+	Group        string
+	Version      string
+	Kind         string
+	Resources    string
+	ImageName    string
+	BinaryName   string
+	Kubectl      *Kubectl
+	K8sVersion   *KubernetesVersion
+	IsRestricted bool
 }
 
 // NewTestContext init with a random suffix for test TestContext stuff,
@@ -262,6 +263,22 @@ func (t *TestContext) Destroy() {
 	}
 }
 
+// CreateManagerNamespace will create the namespace where the manager is deployed
+func (t *TestContext) CreateManagerNamespace() error {
+	_, err := t.Kubectl.Command("create", "ns", t.Kubectl.Namespace)
+	return err
+}
+
+// LabelAllNamespacesToWarnAboutRestricted will label all namespaces so that we can verify
+// if a warning with `Warning: would violate PodSecurity` will be raised when the manifests are applied
+func (t *TestContext) LabelAllNamespacesToWarnAboutRestricted() error {
+	_, err := t.Kubectl.Command("label", "--overwrite", "ns", "--all",
+		"pod-security.kubernetes.io/audit=restricted",
+		"pod-security.kubernetes.io/enforce-version=v1.24",
+		"pod-security.kubernetes.io/warn=restricted")
+	return err
+}
+
 // LoadImageToKindCluster loads a local docker image to the kind cluster
 func (t *TestContext) LoadImageToKindCluster() error {
 	cluster := "kind"

test/e2e/v3/generate_test.go

@@ -130,7 +130,7 @@ Count int `+"`"+`json:"count,omitempty"`+"`"+`
 }
 
 // GenerateV3 implements a go/v3(-alpha) plugin project defined by a TestContext.
-func GenerateV3(kbc *utils.TestContext, crdAndWebhookVersion string, restrictive bool) {
+func GenerateV3(kbc *utils.TestContext, crdAndWebhookVersion string) {
 	var err error
 
 	By("initializing a project")
@@ -229,7 +229,7 @@ Count int `+"`"+`json:"count,omitempty"`+"`"+`
 		_ = pluginutil.RunCmd("Update dependencies", "go", "mod", "tidy")
 	}
 
-	if restrictive {
+	if kbc.IsRestricted {
 		By("uncomment kustomize files to ensure that pods are restricted")
 		uncommentPodStandards(kbc)
 	}
@@ -252,7 +252,7 @@ func uncommentPodStandards(kbc *utils.TestContext) {
 }
 
 // GenerateV3 implements a go/v3(-alpha) plugin project defined by a TestContext.
-func GenerateV3WithKustomizeV2(kbc *utils.TestContext, crdAndWebhookVersion string, restrictive bool) {
+func GenerateV3WithKustomizeV2(kbc *utils.TestContext, crdAndWebhookVersion string) {
 	var err error
 
 	By("initializing a project")
@@ -418,4 +418,8 @@ Count int `+"`"+`json:"count,omitempty"`+"`"+`
 #          index: 1
 #          create: true`, "#")).To(Succeed())
 
+	if kbc.IsRestricted {
+		By("uncomment kustomize files to ensure that pods are restricted")
+		uncommentPodStandards(kbc)
+	}
 }

test/e2e/v3/plugin_cluster_test.go

@@ -20,6 +20,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -127,7 +128,7 @@ var _ = Describe("kubebuilder", func() {
 						srvVer.GitVersion))
 				}
 
-				GenerateV3(kbc, "v1", false)
+				GenerateV3(kbc, "v1")
 				Run(kbc)
 			})
 			It("should generate a runnable project with the golang base plugin v3 and kustomize v4-alpha", func() {
@@ -136,7 +137,7 @@ var _ = Describe("kubebuilder", func() {
 					Skip(fmt.Sprintf("cluster version %s does not support v1 CRDs or webhooks",
 						srvVer.GitVersion))
 				}
-				GenerateV3WithKustomizeV2(kbc, "v1", false)
+				GenerateV3WithKustomizeV2(kbc, "v1")
 				Run(kbc)
 			})
 			It("should generate a runnable project with v1beta1 CRDs and Webhooks", func() {
@@ -148,7 +149,7 @@ var _ = Describe("kubebuilder", func() {
 						srvVer.GitVersion))
 				}
 
-				GenerateV3(kbc, "v1beta1", false)
+				GenerateV3(kbc, "v1beta1")
 				Run(kbc)
 			})
 
@@ -161,7 +162,8 @@ var _ = Describe("kubebuilder", func() {
 						"and securityContext.seccompProfile", srvVer.GitVersion))
 				}
 
-				GenerateV3(kbc, "v1", true)
+				kbc.IsRestricted = true
+				GenerateV3(kbc, "v1")
 				Run(kbc)
 			})
 			It("should generate a runnable project with the golang base plugin v3 and kustomize v4-alpha"+
@@ -174,7 +176,8 @@ var _ = Describe("kubebuilder", func() {
 						"and securityContext.seccompProfile", srvVer.GitVersion))
 				}
 
-				GenerateV3WithKustomizeV2(kbc, "v1", true)
+				kbc.IsRestricted = true
+				GenerateV3WithKustomizeV2(kbc, "v1")
 				Run(kbc)
 			})
 			It("should generate a runnable project with v1beta1 CRDs and Webhooks with restricted pods", func() {
@@ -188,7 +191,8 @@ var _ = Describe("kubebuilder", func() {
 						"and securityContext.seccompProfile", srvVer.GitVersion))
 				}
 
-				GenerateV3(kbc, "v1beta1", true)
+				kbc.IsRestricted = true
+				GenerateV3(kbc, "v1beta1")
 				Run(kbc)
 			})
 		})
@@ -200,6 +204,14 @@ func Run(kbc *utils.TestContext) {
 	var controllerPodName string
 	var err error
 
+	By("creating manager namespace")
+	err = kbc.CreateManagerNamespace()
+	ExpectWithOffset(1, err).NotTo(HaveOccurred())
+
+	By("labeling all namespaces to warn about restricted")
+	err = kbc.LabelAllNamespacesToWarnAboutRestricted()
+	ExpectWithOffset(1, err).NotTo(HaveOccurred())
+
 	By("updating the go.mod")
 	err = kbc.Tidy()
 	ExpectWithOffset(1, err).NotTo(HaveOccurred())
@@ -218,9 +230,16 @@ func Run(kbc *utils.TestContext) {
 	// --clusterrole=cluster-admin [email protected]
 	// https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
 	By("deploying the controller-manager")
-	err = kbc.Make("deploy", "IMG="+kbc.ImageName)
+
+	cmd := exec.Command("make", "deploy", "IMG="+kbc.ImageName)
+	output, err := kbc.Run(cmd)
 	ExpectWithOffset(1, err).NotTo(HaveOccurred())
 
+	if kbc.IsRestricted {
+		By("validating that manager Pod/container(s) are restricted")
+		ExpectWithOffset(1, output).NotTo(ContainSubstring("Warning: would violate PodSecurity"))
+	}
+
 	By("validating that the controller-manager pod is running as expected")
 	verifyControllerUp := func() error {
 		// Get pod name