aboutsummaryrefslogtreecommitdiffstats
path: root/functest_kubernetes
diff options
context:
space:
mode:
authorCédric Ollivier <cedric.ollivier@orange.com>2024-01-13 11:35:36 +0100
committerCédric Ollivier <cedric.ollivier@orange.com>2024-01-13 11:38:49 +0100
commitd080ed7fbc963f70834ff513865acd03502c4b71 (patch)
tree570cab7234eb15aa42000a8bc491725a4a5774c9 /functest_kubernetes
parent869a1d1da62ec900f6c47ecf76cff82ef3ca9fe5 (diff)
Enforce baseline Pod Security Standard
It allows running both security and ims testcases vs clusters where PodSecurityConfiguration enforces "restricted" [1]. [1] https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/ Change-Id: I9eb420cbb695ec8fb002f25cfd3c96ab50118fcc Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com> (cherry picked from commit 553d57ffd4ff9c3c4f319454a4d190ac7aa4cc76)
Diffstat (limited to 'functest_kubernetes')
-rw-r--r--functest_kubernetes/ims/ims.py3
-rw-r--r--functest_kubernetes/security/security.py3
2 files changed, 4 insertions, 2 deletions
diff --git a/functest_kubernetes/ims/ims.py b/functest_kubernetes/ims/ims.py
index 9a7c6485..85b412fb 100644
--- a/functest_kubernetes/ims/ims.py
+++ b/functest_kubernetes/ims/ims.py
@@ -68,7 +68,8 @@ class Vims(testcase.TestCase): # pylint: disable=too-many-instance-attributes
"""
api_response = self.corev1.create_namespace(
client.V1Namespace(metadata=client.V1ObjectMeta(
- generate_name=self.ns_generate_name)))
+ generate_name=self.ns_generate_name,
+ labels={"pod-security.kubernetes.io/enforce": "baseline"})))
self.namespace = api_response.metadata.name
self.__logger.debug("create_namespace: %s", api_response)
self.zone = f'{self.namespace}.svc.cluster.local'
diff --git a/functest_kubernetes/security/security.py b/functest_kubernetes/security/security.py
index f03845a4..997a0b7a 100644
--- a/functest_kubernetes/security/security.py
+++ b/functest_kubernetes/security/security.py
@@ -61,7 +61,8 @@ class SecurityTesting(testcase.TestCase):
assert self.job_name
api_response = self.corev1.create_namespace(
client.V1Namespace(metadata=client.V1ObjectMeta(
- generate_name=self.ns_generate_name)))
+ generate_name=self.ns_generate_name,
+ labels={"pod-security.kubernetes.io/enforce": "baseline"})))
self.namespace = api_response.metadata.name
self.__logger.debug("create_namespace: %s", api_response)
with open(pkg_resources.resource_filename(