From 4fe2cd9b0ee4a19e11811cf97d07bc291277ffc5 Mon Sep 17 00:00:00 2001 From: Cédric Ollivier Date: Sat, 13 Jan 2024 12:15:54 +0100 Subject: Apply privileged pod security standard to kube-bench MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: I0336d73f8a9663ef259adfe4377ce20499844021 Signed-off-by: Cédric Ollivier (cherry picked from commit 1bd69d63994d66582f4e7967e4a1f703dc247c69) --- functest_kubernetes/security/security.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/functest_kubernetes/security/security.py b/functest_kubernetes/security/security.py index 997a0b7a..2cd345cd 100644 --- a/functest_kubernetes/security/security.py +++ b/functest_kubernetes/security/security.py @@ -51,6 +51,7 @@ class SecurityTesting(testcase.TestCase): self.output_debug_log_name = 'functest-kubernetes.debug.log' self.namespace = "" self.ns_generate_name = "security-" + self.pss = "baseline" def deploy_job(self): """Run Security job @@ -62,7 +63,7 @@ class SecurityTesting(testcase.TestCase): api_response = self.corev1.create_namespace( client.V1Namespace(metadata=client.V1ObjectMeta( generate_name=self.ns_generate_name, - labels={"pod-security.kubernetes.io/enforce": "baseline"}))) + labels={"pod-security.kubernetes.io/enforce": self.pss}))) self.namespace = api_response.metadata.name self.__logger.debug("create_namespace: %s", api_response) with open(pkg_resources.resource_filename( @@ -201,6 +202,7 @@ class KubeBench(SecurityTesting): super().__init__(**kwargs) self.job_name = "kube-bench" self.ns_generate_name = "kube-bench-" + self.pss = "privileged" def run(self, **kwargs): self.job_name = f'kube-bench-{kwargs.get("target", "node")}' -- cgit 1.2.3-korg