|
| 1 | +.. _test-pod-privileges: |
| 2 | + |
| 3 | +=================== |
| 4 | +Test Pod Privileges |
| 5 | +=================== |
| 6 | +The test-operator follows security best practices by applying a restricted |
| 7 | +security profile to all test pods by default. This section describes the |
| 8 | +defaults and when you might need to change them. |
| 9 | + |
| 10 | +Default Security Profile |
| 11 | +======================== |
| 12 | + |
| 13 | +Every test pod runs with the following restrictions: |
| 14 | + |
| 15 | +* **Seccomp**: A :code:`RuntimeDefault` profile filters system calls at the |
| 16 | + kernel level. |
| 17 | + |
| 18 | +* **Privilege escalation**: Disabled — processes cannot gain more privileges |
| 19 | + than their parent. |
| 20 | + |
| 21 | +* **Root filesystem**: Read-only — containers cannot modify their own binaries |
| 22 | + or write to unexpected locations. |
| 23 | + |
| 24 | +* **Capabilities**: All capabilities are dropped. |
| 25 | + |
| 26 | +* **SELinux level**: No default — users set this explicitly when needed. |
| 27 | + |
| 28 | +No configuration is required to get these defaults. They apply automatically |
| 29 | +to Tempest, Tobiko, HorizonTest, and AnsibleTest pods. |
| 30 | + |
| 31 | +When to Use Privileged Mode |
| 32 | +=========================== |
| 33 | +Set :code:`privileged: true` on the CR spec when your tests need capabilities |
| 34 | +that the default profile blocks. The two capabilities added in privileged mode |
| 35 | +are: |
| 36 | + |
| 37 | +* :code:`NET_ADMIN` — allows modifying network configuration (routing tables, |
| 38 | + interfaces, firewall rules). Needed by Tempest neutron plugin tests and |
| 39 | + Tobiko fault injection scenarios. |
| 40 | + |
| 41 | +* :code:`NET_RAW` — allows raw socket access for tools like :code:`ping` and |
| 42 | + :code:`tcpdump`. Needed by Tempest connectivity tests and Tobiko |
| 43 | + reachability checks. |
| 44 | + |
| 45 | +Privileged mode is also required when Tempest installs additional RPMs at |
| 46 | +runtime via :code:`extraRPMs`, since that needs a writable root filesystem. |
| 47 | + |
| 48 | +If your tests do not exercise network infrastructure or install extra |
| 49 | +packages, leave :code:`privileged: false` (the default). |
0 commit comments