Run integration tests with pod security standards. (#93)

README.md

@@ -56,9 +56,9 @@ kubectl delete -f  examples/csi-app.yaml
 kubectl delete -f examples/csi-pvc.yaml
 ```
 
-## Development ###
+### Development ###
 
-In order to run the integration tests locally, you need to create to loop devices on your host machine. Make sure the loop device mount paths are not used on your system (default path is `/dev/loop10{1,2}`).
+In order to run the integration tests locally, you need to create to loop devices on your host machine. Make sure the loop device mount paths are not used on your system (default path is `/dev/loop10{0,1}`).
 
 You can create these loop devices like this:
 

config/kind-pss.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+- name: PodSecurity
+  configuration:
+    apiVersion: pod-security.admission.config.k8s.io/v1
+    kind: PodSecurityConfiguration
+    defaults:
+      enforce: "restricted"
+      enforce-version: "latest"
+      audit: "restricted"
+      audit-version: "latest"
+      warn: "restricted"
+      warn-version: "latest"
+    exemptions:
+      usernames: []
+      runtimeClasses: []
+      namespaces: [kube-system, local-path-storage, csi-driver-lvm]

tests/bats/test.bats

@@ -1,7 +1,8 @@
 #!/usr/bin/env bats -p
 
 @test "deploy csi-lvm-controller" {
-    run helm upgrade --install --repo ${HELM_REPO} csi-driver-lvm csi-driver-lvm --values values.yaml --wait --timeout=120s
+    run kubectl create namespace csi-driver-lvm || true
+    run helm upgrade --debug --install --repo ${HELM_REPO} --namespace csi-driver-lvm csi-driver-lvm csi-driver-lvm --values values.yaml --wait --timeout=120s
     [ "$status" -eq 0 ]
 }
 
@@ -16,7 +17,7 @@
 }
 
 @test "delete inline linear pod" {
-    run kubectl delete -f files/pod.inline.vol.yaml --wait --timeout=10s
+    run kubectl delete -f files/pod.inline.vol.yaml --grace-period=0 --wait --timeout=10s
     [ "$status" -eq 0 ]
 }
 
@@ -83,22 +84,22 @@
 }
 
 @test "delete linear pod" {
-    run kubectl delete -f files/pod.linear.vol.yaml --wait --timeout=10s
+    run kubectl delete -f files/pod.linear.vol.yaml --grace-period=0 --wait --timeout=10s
     [ "$status" -eq 0 ]
 }
 
 @test "delete resized linear pvc" {
-    run kubectl delete -f files/pvc.linear.resize.yaml --wait --timeout=10s
+    run kubectl delete -f files/pvc.linear.resize.yaml --grace-period=0 --wait --timeout=10s
     [ "$status" -eq 0 ]
 }
 
 @test "delete block pod" {
-    run kubectl delete -f files/pod.block.vol.yaml --wait --timeout=10s
+    run kubectl delete -f files/pod.block.vol.yaml --grace-period=0 --wait --timeout=10s
     [ "$status" -eq 0 ]
 }
 
 @test "delete resized block pvc" {
-    run kubectl delete -f files/pvc.block.resize.yaml --wait --timeout=10s
+    run kubectl delete -f files/pvc.block.resize.yaml --grace-period=0 --wait --timeout=10s
     [ "$status" -eq 0 ]
 }
 
@@ -119,14 +120,14 @@
 }
 
 @test "delete inline xfs linear pod" {
-    run kubectl delete -f files/pod.inline.vol.xfs.yaml --wait --timeout=10s
+    run kubectl delete -f files/pod.inline.vol.xfs.yaml --wait --grace-period=0 --timeout=10s
     [ "$status" -eq 0 ]
 }
 
 @test "delete csi-lvm-controller" {
     echo "⏳ Wait 10s for all PVCs to be cleaned up..." >&3
     sleep 10
 
-    run helm uninstall csi-driver-lvm --wait --timeout=30s
+    run helm uninstall --namespace csi-driver-lvm csi-driver-lvm --wait --timeout=30s
     [ "$status" -eq 0 ]
 }

tests/files/pod.block.vol.yaml

@@ -5,10 +5,21 @@ metadata:
 spec:
   containers:
   - name: volume-test-block
-    image: nginx:stable-alpine
+    image: alpine
     imagePullPolicy: IfNotPresent
-    ports:
-    - containerPort: 80
+    command:
+      - tail
+      - -f
+      - /etc/hosts
+    securityContext:
+      allowPrivilegeEscalation: false
+      runAsNonRoot: true
+      runAsUser: 10014
+      seccompProfile:
+        type: RuntimeDefault
+      capabilities:
+        drop:
+          - ALL
     volumeDevices:
       - name: block
         devicePath: /dev/xvda

tests/files/pod.inline.vol.xfs.yaml

@@ -5,8 +5,21 @@ metadata:
 spec:
   containers:
     - name: inline
-      image: nginx:stable-alpine
+      image: alpine
       imagePullPolicy: IfNotPresent
+      command:
+        - tail
+        - -f
+        - /etc/hosts
+      securityContext:
+        allowPrivilegeEscalation: false
+        runAsNonRoot: true
+        runAsUser: 10014
+        seccompProfile:
+          type: RuntimeDefault
+        capabilities:
+          drop:
+            - ALL
       volumeMounts:
         - mountPath: "/data"
           name: lvm-pvc-inline-xfs
@@ -17,4 +30,4 @@ spec:
         volumeAttributes:
           size: "20MB"
           type: "linear"
-        fsType: xfs
+        fsType: xfs

tests/files/pod.inline.vol.yaml

@@ -5,8 +5,21 @@ metadata:
 spec:
   containers:
   - name: inline
-    image: nginx:stable-alpine
+    image: alpine
     imagePullPolicy: IfNotPresent
+    command:
+      - tail
+      - -f
+      - /etc/hosts
+    securityContext:
+      allowPrivilegeEscalation: false
+      runAsNonRoot: true
+      runAsUser: 10014
+      seccompProfile:
+        type: RuntimeDefault
+      capabilities:
+        drop:
+          - ALL
     volumeMounts:
     - mountPath: "/data"
       name: lvm-pvc-inline

tests/files/pod.linear.vol.yaml

@@ -5,14 +5,24 @@ metadata:
 spec:
   containers:
   - name: volume-test
-    image: nginx:stable-alpine
+    image: alpine
     imagePullPolicy: IfNotPresent
+    command:
+      - tail
+      - -f
+      - /etc/hosts
+    securityContext:
+      allowPrivilegeEscalation: false
+      runAsNonRoot: true
+      runAsUser: 10014
+      seccompProfile:
+        type: RuntimeDefault
+      capabilities:
+        drop:
+          - ALL
     volumeMounts:
     - name: linear
       mountPath: /linear
-
-    ports:
-    - containerPort: 80
     resources:
       limits:
         cpu: 100m

tests/kind.yaml

@@ -8,3 +8,18 @@ nodes:
         containerPath: /dev/loop100
       - hostPath: /dev/loop101
         containerPath: /dev/loop101
+      - hostPath: config
+        containerPath: /etc/config
+
+    kubeadmConfigPatches:
+    - |
+      kind: ClusterConfiguration
+      apiServer:
+          extraArgs:
+            admission-control-config-file: /etc/config/kind-pss.yaml
+          extraVolumes:
+            - name: accf
+              hostPath: /etc/config
+              mountPath: /etc/config
+              readOnly: true
+              pathType: "DirectoryOrCreate"