From dfc54261222a6a97cfa24c3d46970c7167e3020d Mon Sep 17 00:00:00 2001
From: Cédric Ollivier
Date: Fri, 12 Jan 2024 22:19:36 +0100
Subject: Apply PR " Enforce baseline Pod Security Standard with namespace labels"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It's needed for any Cluster where PodSecurityConfiguration enforces "restricted" [1].

[1] https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/

Change-Id: I9df12654d09390353a898030314a3fda9074b0d5
Signed-off-by: Cédric Ollivier
(cherry picked from commit 05656f790feab78bb02b6ed0e3b11048eea39901)
---
 docker/core/Dockerfile | 7 ++--
 ...eline-Pod-Security-Standard-with-namespac.patch | 39 ++++++++++++++++++++++
 2 files changed, 44 insertions(+), 2 deletions(-)
 create mode 100644 docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch

diff --git a/docker/core/Dockerfile b/docker/core/Dockerfile
index 5e463e71..26bcdd49 100644
--- a/docker/core/Dockerfile
+++ b/docker/core/Dockerfile
@@ -6,6 +6,7 @@ ARG OPNFV_TAG=stable/zed
 
 COPY Try-a-quick-fix-vs-asynchronuous-issues.patch /tmp/Try-a-quick-fix-vs-asynchronuous-issues.patch
 COPY Switch-to-threading.Thread-for-Rally-tasks.patch /tmp/Switch-to-threading.Thread-for-Rally-tasks.patch
+COPY Enforce-baseline-Pod-Security-Standard-with-namespac.patch /tmp/Enforce-baseline-Pod-Security-Standard-with-namespac.patch
 RUN apk -U upgrade && \
 apk --no-cache add --update python3 py3-pip py3-wheel bash git grep libffi openssl mailcap \
 libxml2 libxslt gcompat && \
@@ -35,14 +36,16 @@ RUN apk -U upgrade && \
 /src/functest-kubernetes && \
 (cd /src/rally && patch -p1 < /tmp/Switch-to-threading.Thread-for-Rally-tasks.patch) && \
 (cd /usr/lib/python3.10/site-packages/xrally_kubernetes/ && \
- patch -p2 < /tmp/Try-a-quick-fix-vs-asynchronuous-issues.patch) && \
+ patch -p2 < /tmp/Try-a-quick-fix-vs-asynchronuous-issues.patch && \
+ patch -p2 < /tmp/Enforce-baseline-Pod-Security-Standard-with-namespac.patch) && \
 rm -rf /src/functest-kubernetes /tmp/Switch-to-threading.Thread-for-Rally-tasks.patch && \
 bash -c "mkdir -p /var/lib/xtesting /home/opnfv" && \
 ln -s /var/lib/xtesting /home/opnfv/functest && \
 mkdir -p /etc/rally && \
 printf "[database]\nconnection = 'sqlite:////var/lib/rally/database/rally.sqlite'" > /etc/rally/rally.conf && \
 mkdir -p /var/lib/rally/database && rally db create && \
- rm -r /src/requirements/.git /tmp/Try-a-quick-fix-vs-asynchronuous-issues.patch && \
+ rm -r /src/requirements/.git /tmp/Try-a-quick-fix-vs-asynchronuous-issues.patch \
+ /tmp/Enforce-baseline-Pod-Security-Standard-with-namespac.patch && \
 addgroup -g 1000 xtesting && adduser -u 1000 -G xtesting -D xtesting && \
 mkdir -p /etc/xtesting && chown -R xtesting: /etc/xtesting /etc/rally && \
 mkdir -p /var/lib/xtesting/results && chown -R xtesting: /var/lib/xtesting /var/lib/rally && \
diff --git a/docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch b/docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch
new file mode 100644
index 00000000..1a4cc1d0
--- /dev/null
+++ b/docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch
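Review bot: The new `patch -p2 < /tmp/Enforce-baseline-Pod-Security-Standard-with-namespac.patch` call is applied to whatever xrally_kubernetes release pip resolved into site-packages at build time, and GNU patch's default fuzz tolerance means that if `service.py` has shifted or gained another `"labels": {"role": name}` block near line 238, the hunk could land on a different manifest while the build still succeeds. Consider `patch -p2 -F0 < /tmp/Enforce-baseline-Pod-Security-Standard-with-namespac.patch` so any drift in the upstream file fails the image build rather than producing a silently unlabelled namespace. The cleanup in the second `rm -r` is consistent with how the other two patch files are handled. The RUN instruction begins and ends outside this hunk.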
@@ -0,0 +1,39 @@
+From cf7998dc92bd9d0bcc99ee2c9a21b6c41d1b2750 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Ollivier?=
+Date: Fri, 12 Jan 2024 21:16:54 +0100
+Subject: [PATCH] Enforce baseline Pod Security Standard with namespace labels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It allows running the xrally_kubernetes testcases vs clusters where
+PodSecurityConfiguration enforces "restricted" [1].
+
+Please note that Kubernetes.create_and_delete_pod_with_hostpath_volume
+even requests for privileged [2].
+
+[1] https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/
+[2] https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
+
+Signed-off-by: Cédric Ollivier
+---
+ xrally_kubernetes/service.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xrally_kubernetes/service.py b/xrally_kubernetes/service.py
+index d38f84b..4f97550 100644
+--- a/xrally_kubernetes/service.py
++++ b/xrally_kubernetes/service.py
+@@ -238,7 +238,8 @@ class Kubernetes(service.Service):
+ "metadata": {
+ "name": name,
+ "labels": {
+- "role": name
++ "role": name,
++ "pod-security.kubernetes.io/enforce": "baseline"
+ }
+ }
+ }
+--
+2.43.0
+
-- cgit 1.2.3-korg
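Review bot: The label `"pod-security.kubernetes.io/enforce": "baseline"` added at service.py:238 does more than tolerate a "restricted" cluster: Pod Security admission lets a namespace label take precedence over the cluster-wide default, so every namespace the harness creates (presumably this is the namespace manifest; the enclosing method lies outside the hunk) is opted down to baseline rather than the test pods being made restricted-compliant. That trade-off deserves a comment in the patched code, e.g. `# Override the cluster default: rally test pods are not "restricted"-compliant`, together with a note that no `pod-security.kubernetes.io/enforce-version` label is set, so what "baseline" means follows the cluster's current policy version. As the commit message itself notes, the hostPath testcase still needs privileged, which baseline also forbids, so `create_and_delete_pod_with_hostpath_volume` will keep failing on such clusters. Setting the `pod-security.kubernetes.io/warn` and `audit` labels to `restricted` on the same namespace would surface the remaining gaps in API warnings and audit logs instead of hiding them behind the lowered enforce level.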