Merge pull request #211 from lpiwowar/bugfix/privileges

Use the most restrictive service account possible

api/bases/test.openstack.org_ansibletests.yaml

@@ -43,6 +43,11 @@ spec:
           spec:
             description: AnsibleTestSpec defines the desired state of AnsibleTest
             properties:
+              SELinuxLevel:
+                default: ""
+                description: A SELinuxLevel that should be used for test pods spawned
+                  by the test operator.
+                type: string
               ansibleCollections:
                 default: ""
                 description: AnsibleCollections - extra ansible collections to instal
@@ -191,6 +196,10 @@ spec:
                 description: A parameter that contains a workflow definition.
                 items:
                   properties:
+                    SELinuxLevel:
+                      description: A SELinuxLevel that should be used for test pods
+                        spawned by the test operator.
+                      type: string
                     ansibleCollections:
                       description: AnsibleCollections - extra ansible collections
                         to instal in additionn to the ones exist in the requirements.yaml

api/bases/test.openstack.org_horizontests.yaml

@@ -43,6 +43,11 @@ spec:
           spec:
             description: HorizonTestSpec defines the desired state of HorizonTest
             properties:
+              SELinuxLevel:
+                default: ""
+                description: A SELinuxLevel that should be used for test pods spawned
+                  by the test operator.
+                type: string
               adminPassword:
                 default: admin
                 description: AdminPassword is the password for the OpenStack admin

api/bases/test.openstack.org_tempests.yaml

@@ -46,9 +46,9 @@ spec:
               see TempestconfRunSpec.
             properties:
               SELinuxLevel:
-                default: s0:c478,c978
-                description: A SELinuxLevel that is used for all the tempest test
-                  pods.
+                default: ""
+                description: A SELinuxLevel that should be used for test pods spawned
+                  by the test operator.
                 type: string
               SSHKeySecretName:
                 default: ""
@@ -490,6 +490,10 @@ spec:
                     For specific configuration of tempest see TempestRunSpec and for
                     discover-tempest-config see TempestconfRunSpec.
                   properties:
+                    SELinuxLevel:
+                      description: A SELinuxLevel that should be used for test pods
+                        spawned by the test operator.
+                      type: string
                     SSHKeySecretName:
                       description: SSHKeySecretName is the name of the k8s secret
                         that contains an ssh key. The key is mounted to ~/.ssh/id_ecdsa

api/bases/test.openstack.org_tobikoes.yaml

@@ -43,6 +43,11 @@ spec:
           spec:
             description: TobikoSpec defines the desired state of Tobiko
             properties:
+              SELinuxLevel:
+                default: ""
+                description: A SELinuxLevel that should be used for test pods spawned
+                  by the test operator.
+                type: string
               backoffLimit:
                 default: 0
                 description: BackoffLimit allows to define the maximum number of retried
@@ -202,6 +207,10 @@ spec:
                 description: A parameter  that contains a workflow definition.
                 items:
                   properties:
+                    SELinuxLevel:
+                      description: A SELinuxLevel that should be used for test pods
+                        spawned by the test operator.
+                      type: string
                     backoffLimit:
                       default: 0
                       description: BackoffLimit allows to define the maximum number

api/v1beta1/ansibletest_webhook.go

@@ -67,6 +67,10 @@ func (r *AnsibleTest) ValidateCreate() (admission.Warnings, error) {
 		allWarnings = append(allWarnings, fmt.Sprintf(WarnPrivilegedModeOn, "AnsibleTest"))
 	}
 
+	if r.Spec.Privileged && len(r.Spec.Workflow) > 0 && len(r.Spec.SELinuxLevel) == 0 {
+		allWarnings = append(allWarnings, fmt.Sprintf(WarnSELinuxLevel, r.Kind))
+	}
+
 	return allWarnings, nil
 }
 

api/v1beta1/common.go

@@ -59,6 +59,14 @@ type CommonOptions struct {
 	// StorageClass used to create any test-operator related PVCs.
 	StorageClass string `json:"storageClass"`
 
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default:=""
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// A SELinuxLevel that should be used for test pods spawned by the test
+	// operator.
+	SELinuxLevel string `json:"SELinuxLevel"`
+
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default:=""
@@ -136,6 +144,13 @@ type WorkflowCommonParameters struct {
 	// StorageClass used to create any test-operator related PVCs.
 	StorageClass *string `json:"storageClass"`
 
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +optional
+	// A SELinuxLevel that should be used for test pods spawned by the test
+	// operator.
+	SELinuxLevel *string `json:"SELinuxLevel,omitempty"`
+
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default:=""

api/v1beta1/common_webhook.go

@@ -21,4 +21,10 @@ const (
 		"set of tests might fail, as this configuration may be " +
 		"required for the tests to run successfully. Before enabling" +
 		"this parameter, consult documentation of the %[1]s CR."
+
+	// WarnSELinuxLevel
+	WarnSELinuxLevel = "%[1]s.Spec.Workflow is used and %[1]s.Spec.Privileged is " +
+		"set to true. Please, consider setting %[1]s.Spec.SELinuxLevel. This " +
+		"ensures that the copying of the logs to the PV is completed without any " +
+		"complications."
 )

api/v1beta1/tempest_types.go

@@ -368,14 +368,8 @@ type TempestconfRunSpec struct {
 // TempestSpec - configuration of execution of tempest. For specific configuration
 // of tempest see TempestRunSpec and for discover-tempest-config see TempestconfRunSpec.
 type TempestSpec struct {
-	CommonOptions              `json:",inline"`
-	CommonOpenstackConfig      `json:",inline"`
-
-	// +kubebuilder:validation:Optional
-	// +operator-sdk:csv:customresourcedefinitions:type=spec
-	// +kubebuilder:default:="s0:c478,c978"
-	// A SELinuxLevel that is used for all the tempest test pods.
-	SELinuxLevel string `json:"SELinuxLevel"`
+	CommonOptions         `json:",inline"`
+	CommonOpenstackConfig `json:",inline"`
 
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec

api/v1beta1/tempest_webhook.go

@@ -112,6 +112,10 @@ func (r *Tempest) ValidateCreate() (admission.Warnings, error) {
 		allWarnings = append(allWarnings, fmt.Sprintf(WarnPrivilegedModeOn, "Tempest"))
 	}
 
+	if r.Spec.Privileged && len(r.Spec.Workflow) > 0 && len(r.Spec.SELinuxLevel) == 0 {
+		allWarnings = append(allWarnings, fmt.Sprintf(WarnSELinuxLevel, r.Kind))
+	}
+
 	if len(allErrs) > 0 {
 		return allWarnings, apierrors.NewInvalid(
 			schema.GroupKind{

api/v1beta1/tobiko_webhook.go

@@ -89,6 +89,10 @@ func (r *Tobiko) ValidateCreate() (admission.Warnings, error) {
 			}, r.GetName(), allErrs)
 	}
 
+	if r.Spec.Privileged && len(r.Spec.Workflow) > 0 && len(r.Spec.SELinuxLevel) == 0 {
+		allWarnings = append(allWarnings, fmt.Sprintf(WarnSELinuxLevel, r.Kind))
+	}
+
 	return allWarnings, nil
 }
 

config/crd/bases/test.openstack.org_ansibletests.yaml

@@ -43,6 +43,11 @@ spec:
           spec:
             description: AnsibleTestSpec defines the desired state of AnsibleTest
             properties:
+              SELinuxLevel:
+                default: ""
+                description: A SELinuxLevel that should be used for test pods spawned
+                  by the test operator.
+                type: string
               ansibleCollections:
                 default: ""
                 description: AnsibleCollections - extra ansible collections to instal
@@ -191,6 +196,10 @@ spec:
                 description: A parameter that contains a workflow definition.
                 items:
                   properties:
+                    SELinuxLevel:
+                      description: A SELinuxLevel that should be used for test pods
+                        spawned by the test operator.
+                      type: string
                     ansibleCollections:
                       description: AnsibleCollections - extra ansible collections
                         to instal in additionn to the ones exist in the requirements.yaml

config/crd/bases/test.openstack.org_horizontests.yaml

@@ -43,6 +43,11 @@ spec:
           spec:
             description: HorizonTestSpec defines the desired state of HorizonTest
             properties:
+              SELinuxLevel:
+                default: ""
+                description: A SELinuxLevel that should be used for test pods spawned
+                  by the test operator.
+                type: string
               adminPassword:
                 default: admin
                 description: AdminPassword is the password for the OpenStack admin

config/crd/bases/test.openstack.org_tempests.yaml

@@ -46,9 +46,9 @@ spec:
               see TempestconfRunSpec.
             properties:
               SELinuxLevel:
-                default: s0:c478,c978
-                description: A SELinuxLevel that is used for all the tempest test
-                  pods.
+                default: ""
+                description: A SELinuxLevel that should be used for test pods spawned
+                  by the test operator.
                 type: string
               SSHKeySecretName:
                 default: ""
@@ -490,6 +490,10 @@ spec:
                     For specific configuration of tempest see TempestRunSpec and for
                     discover-tempest-config see TempestconfRunSpec.
                   properties:
+                    SELinuxLevel:
+                      description: A SELinuxLevel that should be used for test pods
+                        spawned by the test operator.
+                      type: string
                     SSHKeySecretName:
                       description: SSHKeySecretName is the name of the k8s secret
                         that contains an ssh key. The key is mounted to ~/.ssh/id_ecdsa

config/crd/bases/test.openstack.org_tobikoes.yaml

@@ -43,6 +43,11 @@ spec:
           spec:
             description: TobikoSpec defines the desired state of Tobiko
             properties:
+              SELinuxLevel:
+                default: ""
+                description: A SELinuxLevel that should be used for test pods spawned
+                  by the test operator.
+                type: string
               backoffLimit:
                 default: 0
                 description: BackoffLimit allows to define the maximum number of retried
@@ -202,6 +207,10 @@ spec:
                 description: A parameter  that contains a workflow definition.
                 items:
                   properties:
+                    SELinuxLevel:
+                      description: A SELinuxLevel that should be used for test pods
+                        spawned by the test operator.
+                      type: string
                     backoffLimit:
                       default: 0
                       description: BackoffLimit allows to define the maximum number