e2e: podSecurity: adapt PodSecurity constraints

The tested pods have some lax spec wrt security, hence a restrict podSecurity namespace won't allow running those pods. In topology-updater tests, the topology-updater pod needs to run the container as root so change the namespace podSecurity from restricted to priviliged. In node-feature-discovery tests, we don't need root access, so add the required security context configuration. Signed-off-by: Talor Itzhak <[email protected]>
kubernetes-sigs · Nov 21, 2022 · 00319b0 · 00319b0
1 parent be8012e
commit 00319b0
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 2 deletions.
diff --git a/test/e2e/node_feature_discovery.go b/test/e2e/node_feature_discovery.go
@@ -38,9 +38,10 @@ import (
 	e2elog "k8s.io/kubernetes/test/e2e/framework/log"
 	e2enetwork "k8s.io/kubernetes/test/e2e/framework/network"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
-	nfdclient "sigs.k8s.io/node-feature-discovery/pkg/generated/clientset/versioned"
+	admissionapi "k8s.io/pod-security-admission/api"
 
 	nfdv1alpha1 "sigs.k8s.io/node-feature-discovery/pkg/apis/nfd/v1alpha1"
+	nfdclient "sigs.k8s.io/node-feature-discovery/pkg/generated/clientset/versioned"
 	"sigs.k8s.io/node-feature-discovery/source/custom"
 	testutils "sigs.k8s.io/node-feature-discovery/test/e2e/utils"
 )
@@ -100,6 +101,7 @@ func cleanupNode(cs clientset.Interface) {
 // Actual test suite
 var _ = SIGDescribe("Node Feature Discovery", func() {
 	f := framework.NewDefaultFramework("node-feature-discovery")
+	f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 
 	Context("when deploying a single nfd-master pod", func() {
 		var masterPod *corev1.Pod

diff --git a/test/e2e/topology_updater.go b/test/e2e/topology_updater.go
@@ -36,6 +36,7 @@ import (
 	"k8s.io/kubernetes/test/e2e/framework"
 	"k8s.io/kubernetes/test/e2e/framework/kubelet"
 	e2enetwork "k8s.io/kubernetes/test/e2e/framework/network"
+	admissionapi "k8s.io/pod-security-admission/api"
 
 	testutils "sigs.k8s.io/node-feature-discovery/test/e2e/utils"
 )
@@ -51,7 +52,7 @@ var _ = SIGDescribe("Node Feature Discovery topology updater", func() {
 	)
 
 	f := framework.NewDefaultFramework("node-topology-updater")
-
+	f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 	BeforeEach(func() {
 		var err error
 

diff --git a/test/e2e/utils/pod.go b/test/e2e/utils/pod.go
@@ -203,6 +203,8 @@ func newDaemonSet(name string, podSpec *corev1.PodSpec) *appsv1.DaemonSet {
 }
 
 func nfdWorkerPodSpec(image string, extraArgs []string) *corev1.PodSpec {
+	yes := true
+	no := false
 	return &corev1.PodSpec{
 		Containers: []corev1.Container{
 			{
@@ -221,6 +223,15 @@ func nfdWorkerPodSpec(image string, extraArgs []string) *corev1.PodSpec {
 						},
 					},
 				},
+				SecurityContext: &corev1.SecurityContext{
+					Capabilities: &corev1.Capabilities{
+						Drop: []corev1.Capability{"ALL"},
+					},
+					Privileged:               &no,
+					RunAsNonRoot:             &yes,
+					ReadOnlyRootFilesystem:   &yes,
+					AllowPrivilegeEscalation: &no,
+				},
 				VolumeMounts: []corev1.VolumeMount{
 					{
 						Name:      "host-boot",