postgres-operator/testing/kuttl/e2e/security-context/01-security-context.yaml at 8afdb0b26d7b7419097aae73501332947bacd28d · dsessler7/postgres-operator · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
---
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
  - script: |
      # Check that every container has the correct capabilities.

      # Capture every container name alongside its list of dropped capabilities.
      CONTAINERS_DROP_CAPS=$(
        kubectl --namespace "${NAMESPACE}" get pods --output "jsonpath={\
          range .items[*].spec.containers[*]\
        }{ @.name }{'\t\t'}{ @.securityContext.capabilities.drop }{'\n'}{\
          end\
        }"
      ) || exit

      WRONG=$( ! echo "${CONTAINERS_DROP_CAPS}" | grep -Fv '"ALL"' ) || {
        echo 'Not all containers have dropped "ALL" capabilities!'
        echo "${WRONG}"
        exit 1
      }

  - script: |
      # Check that every Pod is assigned to the "restricted" SecurityContextConstraint
      # in OpenShift.

      SCC=$(
        kubectl api-resources --cached |
        grep -F 'security.openshift.io/v1' |
        grep -F 'SecurityContextConstraint'
      )

      # Skip this check when the API has no notion of SecurityContextConstraint.
      [ -z "${SCC}" ] && exit

      PODS_SCC=$(
        kubectl --namespace "${NAMESPACE}" get pods --no-headers \
          --output "custom-columns=\
            NAME:.metadata.name,\
            SCC:.metadata.annotations['openshift\.io/scc']\
          "
      ) || exit

      WRONG=$( ! echo "${PODS_SCC}" | grep -Ev -e '\<restricted$' -e '\<restricted-v2$' ) || {
        echo 'Found pods not assigned to the restricted security context constraint!'
        echo "${PODS_SCC}"
        exit 1
      }