Merge pull request #402 from application-stacks/test-security-context

kabicin · web-flow · commit 34a74adb248f · 2022-06-23T11:25:00.000-04:00
Add security context tests
diff --git a/bundle/tests/scorecard/kuttl/security-context/00-assert.yaml b/bundle/tests/scorecard/kuttl/security-context/00-assert.yaml
@@ -0,0 +1,26 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 60
+---
+# Check the default security context
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: security-context-rc 
+spec:
+  template:
+    spec:
+      containers:
+      - name: app
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          privileged: false
+          readOnlyRootFilesystem: false
+          runAsNonRoot: true
+status:
+  replicas: 1
+  readyReplicas: 1
+  updatedReplicas: 1
diff --git a/bundle/tests/scorecard/kuttl/security-context/00-default.yaml b/bundle/tests/scorecard/kuttl/security-context/00-default.yaml
@@ -0,0 +1,7 @@
+apiVersion: rc.app.stacks/v1beta2
+kind: RuntimeComponent
+metadata:
+  name: security-context-rc
+spec:
+  applicationImage: k8s.gcr.io/pause:2.0
+  replicas: 1
diff --git a/bundle/tests/scorecard/kuttl/security-context/01-assert.yaml b/bundle/tests/scorecard/kuttl/security-context/01-assert.yaml
@@ -0,0 +1,21 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 60
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: security-context-rc 
+spec:
+  template:
+    spec:
+      containers:
+      - name: app
+        securityContext:
+          allowPrivilegeEscalation: true
+          readOnlyRootFilesystem: true
+          runAsNonRoot: false
+status:
+  replicas: 1
+  readyReplicas: 1
+  availableReplicas: 1
diff --git a/bundle/tests/scorecard/kuttl/security-context/01-override.yaml b/bundle/tests/scorecard/kuttl/security-context/01-override.yaml
@@ -0,0 +1,11 @@
+apiVersion: rc.app.stacks/v1beta2
+kind: RuntimeComponent
+metadata:
+  name: security-context-rc
+spec:
+  applicationImage: k8s.gcr.io/pause:2.0
+  replicas: 1
+  securityContext:
+    allowPrivilegeEscalation: true
+    readOnlyRootFilesystem: true
+    runAsNonRoot: false
diff --git a/bundle/tests/scorecard/kuttl/security-context/02-assert.yaml b/bundle/tests/scorecard/kuttl/security-context/02-assert.yaml
@@ -0,0 +1,19 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 60
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: security-context-rc 
+spec:
+  template:
+    spec:
+      containers:
+      - name: app
+        securityContext:
+          privileged: true
+status:
+  replicas: 1
+  readyReplicas: 1
+  availableReplicas: 1
diff --git a/bundle/tests/scorecard/kuttl/security-context/02-privileged-override.yaml b/bundle/tests/scorecard/kuttl/security-context/02-privileged-override.yaml
@@ -0,0 +1,9 @@
+apiVersion: rc.app.stacks/v1beta2
+kind: RuntimeComponent
+metadata:
+  name: security-context-rc
+spec:
+  applicationImage: k8s.gcr.io/pause:2.0
+  replicas: 1
+  securityContext:
+    privileged: true
diff --git a/bundle/tests/scorecard/kuttl/security-context/03-assert.yaml b/bundle/tests/scorecard/kuttl/security-context/03-assert.yaml
@@ -0,0 +1,22 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 60
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: security-context-rc 
+spec:
+  template:
+    spec:
+      containers:
+      - name: app
+        securityContext:
+          capabilities:
+            add:
+              - NET_ADMIN
+              - SYS_TIME
+status:
+  replicas: 1
+  readyReplicas: 1
+  availableReplicas: 1
diff --git a/bundle/tests/scorecard/kuttl/security-context/03-capabilities-override.yaml b/bundle/tests/scorecard/kuttl/security-context/03-capabilities-override.yaml
@@ -0,0 +1,12 @@
+apiVersion: rc.app.stacks/v1beta2
+kind: RuntimeComponent
+metadata:
+  name: security-context-rc
+spec:
+  applicationImage: k8s.gcr.io/pause:2.0
+  replicas: 1
+  securityContext:
+    capabilities:
+      add:
+        - NET_ADMIN
+        - SYS_TIME
diff --git a/bundle/tests/scorecard/kuttl/security-context/04-assert.yaml b/bundle/tests/scorecard/kuttl/security-context/04-assert.yaml
@@ -0,0 +1,25 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 60
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: security-context-rc 
+spec:
+  template:
+    spec:
+      containers:
+      - name: app
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          privileged: false
+          readOnlyRootFilesystem: false
+          runAsNonRoot: true
+status:
+  replicas: 1
+  readyReplicas: 1
+  updatedReplicas: 1
diff --git a/bundle/tests/scorecard/kuttl/security-context/04-restore-default.yaml b/bundle/tests/scorecard/kuttl/security-context/04-restore-default.yaml
@@ -0,0 +1,13 @@
+apiVersion: rc.app.stacks/v1beta2
+kind: RuntimeComponent
+metadata:
+  name: security-context-rc
+spec:
+  applicationImage: k8s.gcr.io/pause:2.0
+  replicas: 1
+  securityContext:
+    allowPrivilegeEscalation: null
+    capabilities: null
+    privileged: null
+    readOnlyRootFilesystem: null
+    runAsNonRoot: null
