|
| 1 | +.. _test-pod-privileges: |
| 2 | + |
| 3 | +=================== |
| 4 | +Test Pod Privileges |
| 5 | +=================== |
| 6 | +The test-operator follows security best practices by applying a restricted |
| 7 | +security profile to all test pods by default. This section describes the |
| 8 | +defaults and when you might need to change them. |
| 9 | + |
| 10 | +Default Security Profile |
| 11 | +======================== |
| 12 | + |
| 13 | +Every test pod runs with the following restrictions: |
| 14 | + |
| 15 | +* **Seccomp**: A :code:`RuntimeDefault` profile filters system calls at the |
| 16 | + kernel level. |
| 17 | + |
| 18 | +* **Privilege escalation**: Disabled processes cannot gain more privileges |
| 19 | + than their parent. |
| 20 | + |
| 21 | +* **Root filesystem**: Read-only containers cannot modify their own binaries |
| 22 | + or write to unexpected locations. |
| 23 | + |
| 24 | +* **Capabilities**: All capabilities are dropped. |
| 25 | + |
| 26 | +* **SELinux level**: Not set by default. Only needed for privileged |
| 27 | + workflows that write to shared PVCs. |
| 28 | + |
| 29 | +When to Use Privileged Mode |
| 30 | +=========================== |
| 31 | + |
| 32 | +.. important:: |
| 33 | + Leave :code:`privileged: false` unless your tests specifically require it. |
| 34 | + |
| 35 | +Set :code:`privileged: true` on the CR spec when your tests need capabilities |
| 36 | +that the default profile blocks. The two capabilities added in privileged mode |
| 37 | +are: |
| 38 | + |
| 39 | +* :code:`NET_ADMIN` allows modifying network configuration such as routing |
| 40 | + tables, interfaces, and firewall rules. |
| 41 | + |
| 42 | +* :code:`NET_RAW` allows raw socket access for tools like :code:`ping` and |
| 43 | + :code:`tcpdump`. |
| 44 | + |
| 45 | +Privileged mode is also required when Tempest installs additional RPMs at |
| 46 | +runtime via :code:`extraRPMs`, since that needs a writable root filesystem. |
0 commit comments