Merge pull request #256 from lpiwowar/readOnlyRootFilesystem

Run test pods with readOnlyRootFileSystem: true

Author: openshift-merge-bot[bot]

api/bases/test.openstack.org_ansibletests.yaml

@@ -146,11 +146,11 @@ spec:
                 default: false
                 description: |-
                   Use with caution! This parameter specifies whether test-operator should spawn test
-                  pods with allowedPrivilegedEscalation: true and the default capabilities on
-                  top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
-                  This parameter is deemed insecure but it is needed for certain test-operator
-                  functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
-                  of tobiko tests).
+                  pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
+                  default capabilities on top of capabilities that are usually needed by the test
+                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
+                  certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
+                  CR, or certain set of tobiko tests).
                 type: boolean
               storageClass:
                 default: local-storage

api/bases/test.openstack.org_horizontests.yaml

@@ -159,11 +159,11 @@ spec:
                 default: false
                 description: |-
                   Use with caution! This parameter specifies whether test-operator should spawn test
-                  pods with allowedPrivilegedEscalation: true and the default capabilities on
-                  top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
-                  This parameter is deemed insecure but it is needed for certain test-operator
-                  functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
-                  of tobiko tests).
+                  pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
+                  default capabilities on top of capabilities that are usually needed by the test
+                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
+                  certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
+                  CR, or certain set of tobiko tests).
                 type: boolean
               projectName:
                 default: horizontest

api/bases/test.openstack.org_tempests.yaml

@@ -153,11 +153,11 @@ spec:
                 default: false
                 description: |-
                   Use with caution! This parameter specifies whether test-operator should spawn test
-                  pods with allowedPrivilegedEscalation: true and the default capabilities on
-                  top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
-                  This parameter is deemed insecure but it is needed for certain test-operator
-                  functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
-                  of tobiko tests).
+                  pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
+                  default capabilities on top of capabilities that are usually needed by the test
+                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
+                  certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
+                  CR, or certain set of tobiko tests).
                 type: boolean
               storageClass:
                 default: local-storage

api/bases/test.openstack.org_tobikoes.yaml

@@ -143,11 +143,11 @@ spec:
                 default: false
                 description: |-
                   Use with caution! This parameter specifies whether test-operator should spawn test
-                  pods with allowedPrivilegedEscalation: true and the default capabilities on
-                  top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
-                  This parameter is deemed insecure but it is needed for certain test-operator
-                  functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
-                  of tobiko tests).
+                  pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
+                  default capabilities on top of capabilities that are usually needed by the test
+                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
+                  certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
+                  CR, or certain set of tobiko tests).
                 type: boolean
               publicKey:
                 default: ""

api/v1beta1/common.go

@@ -46,11 +46,11 @@ type CommonOptions struct {
 	// +kubebuilder:default=false
 	// +optional
 	// Use with caution! This parameter specifies whether test-operator should spawn test
-	// pods with allowedPrivilegedEscalation: true and the default capabilities on
-	// top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
-	// This parameter is deemed insecure but it is needed for certain test-operator
-	// functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
-	// of tobiko tests).
+	// pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
+	// default capabilities on top of capabilities that are usually needed by the test
+	// pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
+	// certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
+	// CR, or certain set of tobiko tests).
 	Privileged bool `json:"privileged"`
 
 	// +operator-sdk:csv:customresourcedefinitions:type=spec

api/v1beta1/common_webhook.go

@@ -12,8 +12,8 @@ const (
 const (
 	// WarnPrivilegedModeOn
 	WarnPrivilegedModeOn = "%s.Spec.Privileged is set to true. This means that test pods " +
-		"are spawned with allowPrivilegedEscalation: true and default " +
-		"capabilities on top of those required by the test operator " +
+		"are spawned with allowPrivilegedEscalation: true, readOnlyRootFilesystem: false " +
+		"and default capabilities on top of those required by the test operator " +
 		"(NET_ADMIN, NET_RAW)."
 
 	// WarnPrivilegedModeOff

config/crd/bases/test.openstack.org_ansibletests.yaml

@@ -146,11 +146,11 @@ spec:
                 default: false
                 description: |-
                   Use with caution! This parameter specifies whether test-operator should spawn test
-                  pods with allowedPrivilegedEscalation: true and the default capabilities on
-                  top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
-                  This parameter is deemed insecure but it is needed for certain test-operator
-                  functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
-                  of tobiko tests).
+                  pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
+                  default capabilities on top of capabilities that are usually needed by the test
+                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
+                  certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
+                  CR, or certain set of tobiko tests).
                 type: boolean
               storageClass:
                 default: local-storage

config/crd/bases/test.openstack.org_horizontests.yaml

@@ -159,11 +159,11 @@ spec:
                 default: false
                 description: |-
                   Use with caution! This parameter specifies whether test-operator should spawn test
-                  pods with allowedPrivilegedEscalation: true and the default capabilities on
-                  top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
-                  This parameter is deemed insecure but it is needed for certain test-operator
-                  functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
-                  of tobiko tests).
+                  pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
+                  default capabilities on top of capabilities that are usually needed by the test
+                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
+                  certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
+                  CR, or certain set of tobiko tests).
                 type: boolean
               projectName:
                 default: horizontest

config/crd/bases/test.openstack.org_tempests.yaml

@@ -153,11 +153,11 @@ spec:
                 default: false
                 description: |-
                   Use with caution! This parameter specifies whether test-operator should spawn test
-                  pods with allowedPrivilegedEscalation: true and the default capabilities on
-                  top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
-                  This parameter is deemed insecure but it is needed for certain test-operator
-                  functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
-                  of tobiko tests).
+                  pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
+                  default capabilities on top of capabilities that are usually needed by the test
+                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
+                  certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
+                  CR, or certain set of tobiko tests).
                 type: boolean
               storageClass:
                 default: local-storage

config/crd/bases/test.openstack.org_tobikoes.yaml

@@ -143,11 +143,11 @@ spec:
                 default: false
                 description: |-
                   Use with caution! This parameter specifies whether test-operator should spawn test
-                  pods with allowedPrivilegedEscalation: true and the default capabilities on
-                  top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
-                  This parameter is deemed insecure but it is needed for certain test-operator
-                  functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
-                  of tobiko tests).
+                  pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
+                  default capabilities on top of capabilities that are usually needed by the test
+                  pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
+                  certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest
+                  CR, or certain set of tobiko tests).
                 type: boolean
               publicKey:
                 default: ""

config/samples/test_v1beta1_tempest.yaml

@@ -31,11 +31,11 @@ spec:
   # Privileged
   # ----------
   # Use with caution! This parameter specifies whether test-operator should spawn test
-  # pods with allowedPrivilegedEscalation: true and the default capabilities on
-  # top of capabilities that are usually needed by the test pods (NET_ADMIN, NET_RAW).
-  # This parameter is deemed insecure but it is needed for certain test-operator
-  # functionalities to work properly (e.g.: extraRPMs in Tempest CR, or certain set
-  # tobiko tests).
+  # pods with allowedPrivilegedEscalation: true, readOnlyRootFilesystem: false and the
+  # default capabilities on top of capabilities that are usually needed by the test
+  # pods (NET_ADMIN, NET_RAW). This parameter is deemed insecure but it is needed for
+  # certain test-operator functionalities to work properly (e.g.: extraRPMs in Tempest CR,
+  # or certain set tobiko tests).
   #
   # privileged: false
   tempestRun:

pkg/ansibletest/volumes.go

@@ -2,6 +2,7 @@ package ansibletest
 
 import (
 	testv1beta1 "github.com/openstack-k8s-operators/test-operator/api/v1beta1"
+	util "github.com/openstack-k8s-operators/test-operator/pkg/util"
 	corev1 "k8s.io/api/core/v1"
 )
 
@@ -50,6 +51,18 @@ func GetVolumes(
 				},
 			},
 		},
+		{
+			Name: util.TestOperatorEphemeralVolumeNameWorkdir,
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
+		{
+			Name: util.TestOperatorEphemeralVolumeNameTmp,
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
 	}
 
 	if mountCerts {
@@ -129,6 +142,16 @@ func GetVolumes(
 // GetVolumeMounts -
 func GetVolumeMounts(mountCerts bool, instance *testv1beta1.AnsibleTest, externalWorkflowCounter int) []corev1.VolumeMount {
 	volumeMounts := []corev1.VolumeMount{
+		{
+			Name:      util.TestOperatorEphemeralVolumeNameWorkdir,
+			MountPath: "/var/lib/ansible",
+			ReadOnly:  false,
+		},
+		{
+			Name:      util.TestOperatorEphemeralVolumeNameTmp,
+			MountPath: "/tmp",
+			ReadOnly:  false,
+		},
 		{
 			Name:      "test-operator-logs",
 			MountPath: "/var/lib/AnsibleTests/external_files",

pkg/horizontest/volumes.go

@@ -61,6 +61,18 @@ func GetVolumes(
 				},
 			},
 		},
+		{
+			Name: util.TestOperatorEphemeralVolumeNameWorkdir,
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
+		{
+			Name: util.TestOperatorEphemeralVolumeNameTmp,
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
 	}
 
 	if mountCerts {
@@ -117,6 +129,16 @@ func GetVolumes(
 // GetVolumeMounts -
 func GetVolumeMounts(mountCerts bool, mountKeys bool, mountKubeconfig bool, instance *testv1beta1.HorizonTest) []corev1.VolumeMount {
 	volumeMounts := []corev1.VolumeMount{
+		{
+			Name:      util.TestOperatorEphemeralVolumeNameWorkdir,
+			MountPath: "/var/lib/horizontest",
+			ReadOnly:  false,
+		},
+		{
+			Name:      util.TestOperatorEphemeralVolumeNameTmp,
+			MountPath: "/tmp",
+			ReadOnly:  false,
+		},
 		{
 			Name:      "test-operator-logs",
 			MountPath: "/var/lib/horizontest/external_files",

pkg/tempest/volumes.go

@@ -2,6 +2,7 @@ package tempest
 
 import (
 	testv1beta1 "github.com/openstack-k8s-operators/test-operator/api/v1beta1"
+	util "github.com/openstack-k8s-operators/test-operator/pkg/util"
 	corev1 "k8s.io/api/core/v1"
 )
 
@@ -61,6 +62,18 @@ func GetVolumes(
 				},
 			},
 		},
+		{
+			Name: util.TestOperatorEphemeralVolumeNameWorkdir,
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
+		{
+			Name: util.TestOperatorEphemeralVolumeNameTmp,
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
 	}
 
 	if mountCerts {
@@ -119,6 +132,16 @@ func GetVolumes(
 // GetVolumeMounts -
 func GetVolumeMounts(mountCerts bool, mountSSHKey bool, instance *testv1beta1.Tempest) []corev1.VolumeMount {
 	volumeMounts := []corev1.VolumeMount{
+		{
+			Name:      util.TestOperatorEphemeralVolumeNameWorkdir,
+			MountPath: "/var/lib/tempest",
+			ReadOnly:  false,
+		},
+		{
+			Name:      util.TestOperatorEphemeralVolumeNameTmp,
+			MountPath: "/tmp",
+			ReadOnly:  false,
+		},
 		{
 			Name:      "config-data",
 			MountPath: "/etc/test_operator",

pkg/tobiko/volumes.go

@@ -63,6 +63,18 @@ func GetVolumes(
 				},
 			},
 		},
+		{
+			Name: util.TestOperatorEphemeralVolumeNameWorkdir,
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
+		{
+			Name: util.TestOperatorEphemeralVolumeNameTmp,
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
 	}
 
 	if mountCerts {
@@ -150,6 +162,16 @@ func GetVolumes(
 // GetVolumeMounts -
 func GetVolumeMounts(mountCerts bool, mountKeys bool, mountKubeconfig bool, instance *testv1beta1.Tobiko) []corev1.VolumeMount {
 	volumeMounts := []corev1.VolumeMount{
+		{
+			Name:      util.TestOperatorEphemeralVolumeNameWorkdir,
+			MountPath: "/var/lib/tobiko",
+			ReadOnly:  false,
+		},
+		{
+			Name:      util.TestOperatorEphemeralVolumeNameTmp,
+			MountPath: "/tmp",
+			ReadOnly:  false,
+		},
 		{
 			Name:      "test-operator-logs",
 			MountPath: "/var/lib/tobiko/external_files",

pkg/util/common.go

@@ -9,6 +9,12 @@ const (
 	// modified clouds.yaml obtained from openstack-config ConfigMap. The modified
 	// CM is needed by some test frameworks (e.g., HorizonTest and Tobiko)
 	TestOperatorCloudsConfigMapName = "test-operator-clouds-config"
+
+	// TestOperatorEphemeralVolumeNameWorkdir
+	TestOperatorEphemeralVolumeNameWorkdir = "test-operator-ephemeral-workdir"
+
+	// TestOperatorEphemeralVolumeNameTmp
+	TestOperatorEphemeralVolumeNameTmp = "test-operator-ephemeral-temporary"
 )
 
 func GetSecurityContext(
@@ -22,6 +28,7 @@ func GetSecurityContext(
 	securityContext := corev1.SecurityContext{
 		RunAsUser:                &runAsUser,
 		RunAsGroup:               &runAsUser,
+		ReadOnlyRootFilesystem:   &trueVar,
 		AllowPrivilegeEscalation: &falseVar,
 		Capabilities:             &corev1.Capabilities{},
 		SeccompProfile: &corev1.SeccompProfile{
@@ -33,6 +40,10 @@ func GetSecurityContext(
 		// We need to run pods with AllowPrivilegedEscalation: true to remove
 		// nosuid from the pod (in order to be able to run sudo)
 		securityContext.AllowPrivilegeEscalation = &trueVar
+
+		// We need to run pods with ReadOnlyRootFileSystem: false when installing
+		// additional tests using extraRPMs parameter in Tempest CR
+		securityContext.ReadOnlyRootFilesystem = &falseVar
 		securityContext.Capabilities.Add = addCapabilities
 	}