From dec29ecac222f3a46e6b9713789ce00b62c788b9 Mon Sep 17 00:00:00 2001
From: Gonzalo Reyero Ferreras <87083379+greyerof@users.noreply.github.com>
Date: Tue, 15 Oct 2024 18:36:02 +0200
Subject: [PATCH] access-control and operator test suite updates (#953)

The non-root check test case has been renamed in: https://github.com/redhat-best-practices-for-k8s/certsuite/pull/2479 Also, four operator test cases have been moved to access-control test suite. I just removed them for now as they might need more rework in follow-up PRs.
---
 tests/accesscontrol/parameters/parameters.go | 2 +-
 ...ess_control_container_non-root_user_id.go} | 16 +--
 ...ontrol_container_non-root_user_id_test.go} | 0
 tests/operator/tests/operator_non_root.go | 110 -----------------
 .../tests/operator_pod_automount_token.go | 114 ------------------
 .../tests/operator_read_only_filesystem.go | 114 ------------------
 .../operator/tests/operator_run_as_userid.go | 107 ----------------
 7 files changed, 9 insertions(+), 454 deletions(-)
 rename tests/accesscontrol/tests/{access_control_container_non-root_user.go => access_control_container_non-root_user_id.go} (94%)
 rename tests/accesscontrol/tests/{access_control_container_non-root_user_test.go => access_control_container_non-root_user_id_test.go} (100%)
 delete mode 100644 tests/operator/tests/operator_non_root.go
 delete mode 100644 tests/operator/tests/operator_pod_automount_token.go
 delete mode 100644 tests/operator/tests/operator_read_only_filesystem.go
 delete mode 100644 tests/operator/tests/operator_run_as_userid.go

diff --git a/tests/accesscontrol/parameters/parameters.go b/tests/accesscontrol/parameters/parameters.go
index 3348f4ee0..418ed77df 100644
--- a/tests/accesscontrol/parameters/parameters.go
+++ b/tests/accesscontrol/parameters/parameters.go
@@ -58,7 +58,7 @@ const (
 TestCaseNameAccessControlBpfCapability = "access-control-bpf-capability-check"
 TestCaseNameAccessControlContainerHostPort = "access-control-container-host-port"
 TestCaseNameAccessControlSysAdminCapability = "access-control-sys-admin-capability-check"
- TestCaseNameAccessControlNonRootUser = "access-control-security-context-non-root-user-check"
+ TestCaseNameAccessControlNonRootUserID = "access-control-security-context-non-root-user-id-check"
 TestCaseNameAccessControlClusterRoleBindings = "access-control-cluster-role-bindings"
 CertsuiteNodePortTcName = "access-control-service-type"
 TestCaseNameAccessControlPrivilegeEscalation = "access-control-security-context-privilege-escalation"
diff --git a/tests/accesscontrol/tests/access_control_container_non-root_user.go b/tests/accesscontrol/tests/access_control_container_non-root_user_id.go
similarity index 94%
rename from tests/accesscontrol/tests/access_control_container_non-root_user.go
rename to tests/accesscontrol/tests/access_control_container_non-root_user_id.go
index 6a475581a..d9e364d6e 100644
--- a/tests/accesscontrol/tests/access_control_container_non-root_user.go
+++ b/tests/accesscontrol/tests/access_control_container_non-root_user_id.go
@@ -54,13 +54,13 @@ var _ = Describe("Access-control non-root user,", func() {
 By("Start test")
 err = globalhelper.LaunchTests(
- tsparams.TestCaseNameAccessControlNonRootUser,
+ tsparams.TestCaseNameAccessControlNonRootUserID,
 globalhelper.ConvertSpecNameToFileName(CurrentSpecReport().FullText()), randomReportDir, randomCertsuiteConfigDir)
 Expect(err).ToNot(HaveOccurred())
 By("Verify test case status in Claim report")
 err = globalhelper.ValidateIfReportsAreValid(
- tsparams.TestCaseNameAccessControlNonRootUser,
+ tsparams.TestCaseNameAccessControlNonRootUserID,
 globalparameters.TestCasePassed, randomReportDir)
 Expect(err).ToNot(HaveOccurred())
 })
@@ -85,13 +85,13 @@ var _ = Describe("Access-control non-root user,", func() {
 By("Start test")
 err = globalhelper.LaunchTests(
- tsparams.TestCaseNameAccessControlNonRootUser,
+ tsparams.TestCaseNameAccessControlNonRootUserID,
 globalhelper.ConvertSpecNameToFileName(CurrentSpecReport().FullText()), randomReportDir, randomCertsuiteConfigDir)
 Expect(err).ToNot(HaveOccurred())
 By("Verify test case status in Claim report")
 err = globalhelper.ValidateIfReportsAreValid(
- tsparams.TestCaseNameAccessControlNonRootUser,
+ tsparams.TestCaseNameAccessControlNonRootUserID,
 globalparameters.TestCaseFailed, randomReportDir)
 Expect(err).ToNot(HaveOccurred())
 })
@@ -126,13 +126,13 @@ var _ = Describe("Access-control non-root user,", func() {
 By("Start test")
 err = globalhelper.LaunchTests(
- tsparams.TestCaseNameAccessControlNonRootUser,
+ tsparams.TestCaseNameAccessControlNonRootUserID,
 globalhelper.ConvertSpecNameToFileName(CurrentSpecReport().FullText()), randomReportDir, randomCertsuiteConfigDir)
 Expect(err).ToNot(HaveOccurred())
 By("Verify test case status in Claim report")
 err = globalhelper.ValidateIfReportsAreValid(
- tsparams.TestCaseNameAccessControlNonRootUser,
+ tsparams.TestCaseNameAccessControlNonRootUserID,
 globalparameters.TestCasePassed, randomReportDir)
 Expect(err).ToNot(HaveOccurred())
 })
@@ -170,13 +170,13 @@ var _ = Describe("Access-control non-root user,", func() {
 By("Start test")
 err = globalhelper.LaunchTests(
- tsparams.TestCaseNameAccessControlNonRootUser,
+ tsparams.TestCaseNameAccessControlNonRootUserID,
 globalhelper.ConvertSpecNameToFileName(CurrentSpecReport().FullText()), randomReportDir, randomCertsuiteConfigDir)
 Expect(err).ToNot(HaveOccurred())
 By("Verify test case status in Claim report")
 err = globalhelper.ValidateIfReportsAreValid(
- tsparams.TestCaseNameAccessControlNonRootUser,
+ tsparams.TestCaseNameAccessControlNonRootUserID,
 globalparameters.TestCaseFailed, randomReportDir)
 Expect(err).ToNot(HaveOccurred())
 })
diff --git a/tests/accesscontrol/tests/access_control_container_non-root_user_test.go b/tests/accesscontrol/tests/access_control_container_non-root_user_id_test.go
similarity index 100%
rename from tests/accesscontrol/tests/access_control_container_non-root_user_test.go
rename to tests/accesscontrol/tests/access_control_container_non-root_user_id_test.go
diff --git a/tests/operator/tests/operator_non_root.go b/tests/operator/tests/operator_non_root.go
deleted file mode 100644
index 4808caf5d..000000000
--- a/tests/operator/tests/operator_non_root.go
+++ /dev/null
@@ -1,110 +0,0 @@
-package operator
-
-import (
- "fmt"
-
- . "github.com/onsi/ginkgo/v2"
- . "github.com/onsi/gomega"
- "github.com/operator-framework/api/pkg/operators/v1alpha1"
- "github.com/redhat-best-practices-for-k8s/certsuite-qe/tests/globalhelper"
- "github.com/redhat-best-practices-for-k8s/certsuite-qe/tests/globalparameters"
- tshelper "github.com/redhat-best-practices-for-k8s/certsuite-qe/tests/operator/helper"
- tsparams "github.com/redhat-best-practices-for-k8s/certsuite-qe/tests/operator/parameters"
-)
-
-var _ = Describe("Operator pods non-root", func() {
- var randomNamespace string
- var randomReportDir string
- var randomCertsuiteConfigDir string
-
- BeforeEach(func() {
- // Create random namespace and keep original report and certsuite config directories
- randomNamespace, randomReportDir, randomCertsuiteConfigDir =
- globalhelper.BeforeEachSetupWithRandomNamespace(
- tsparams.OperatorNamespace)
-
- By("Define certsuite config file")
- err := globalhelper.DefineCertsuiteConfig(
- []string{randomNamespace},
- []string{tsparams.TestPodLabel},
- []string{tsparams.CertsuiteTargetOperatorLabels},
- []string{},
- tsparams.CertsuiteTargetCrdFilters, randomCertsuiteConfigDir)
- Expect(err).ToNot(HaveOccurred())
- })
-
- AfterEach(func() {
- globalhelper.AfterEachCleanupWithRandomNamespace(randomNamespace,
- randomReportDir, randomCertsuiteConfigDir, tsparams.Timeout)
- })
-
- It("Operator pods should not run as root", func() {
- // TODO: Find an operator that runs completely as non-root
- })
-
- It("Operator pods should not run as root [negative]", func() {
- // Deploy an operator that runs as root
- By("Deploy operator group")
- err := tshelper.DeployTestOperatorGroup(randomNamespace, false)
- Expect(err).ToNot(HaveOccurred(), "Error deploying operator group")
-
- By("Query the packagemanifest for the " + tsparams.CertifiedOperatorPrefixNginx)
- version, err := globalhelper.QueryPackageManifestForVersion(tsparams.CertifiedOperatorPrefixNginx, randomNamespace)
- Expect(err).ToNot(HaveOccurred(), "Error querying package manifest for nginx-ingress-operator")
-
- By(fmt.Sprintf("Deploy nginx-ingress-operator%s for testing", "."+version))
- // nginx-ingress-operator: in certified-operators group and version is certified
- err = tshelper.DeployOperatorSubscription(
- tsparams.CertifiedOperatorPrefixNginx,
- "alpha",
- randomNamespace,
- tsparams.CertifiedOperatorGroup,
- tsparams.OperatorSourceNamespace,
- tsparams.CertifiedOperatorPrefixNginx+".v"+version,
- v1alpha1.ApprovalAutomatic,
- )
- Expect(err).ToNot(HaveOccurred(), ErrorDeployOperatorStr+
- tsparams.CertifiedOperatorPrefixNginx)
-
- err = waitUntilOperatorIsReady(tsparams.CertifiedOperatorPrefixNginx,
- randomNamespace)
- Expect(err).ToNot(HaveOccurred(), "Operator "+tsparams.CertifiedOperatorPrefixNginx+".v"+version+
- " is not ready")
-
- By("Label operator")
- Eventually(func() error {
- return tshelper.AddLabelToInstalledCSV(
- tsparams.CertifiedOperatorPrefixNginx,
- randomNamespace,
- tsparams.OperatorLabel)
- }, tsparams.TimeoutLabelCsv, tsparams.PollingInterval).Should(Not(HaveOccurred()),
- ErrorLabelingOperatorStr+tsparams.CertifiedOperatorPrefixNginx)
-
- By("Assert that the manager pod is not running as root")
- controllerPod, err := globalhelper.GetControllerPodFromOperator(randomNamespace, tsparams.CertifiedOperatorPrefixNginx)
- Expect(err).ToNot(HaveOccurred(), "Error getting controller pod")
-
- By(fmt.Sprintf("Checking if pod %s is not running as root", controllerPod.Name))
- Expect(controllerPod.Spec.SecurityContext).ToNot(BeNil())
- Expect(*controllerPod.Spec.SecurityContext.RunAsNonRoot).To(BeTrue())
-
- for _, container := range controllerPod.Spec.Containers {
- Expect(container.SecurityContext).ToNot(BeNil())
- if container.SecurityContext.RunAsNonRoot != nil {
- Expect(*container.SecurityContext.RunAsNonRoot).To(BeTrue())
- }
- }
-
- By("Start test")
- err = globalhelper.LaunchTests(
- tsparams.CertsuiteOperatorNonRoot,
- globalhelper.ConvertSpecNameToFileName(CurrentSpecReport().FullText()), randomReportDir, randomCertsuiteConfigDir)
- Expect(err).ToNot(HaveOccurred())
-
- By("Verify test case status in Claim report")
- err = globalhelper.ValidateIfReportsAreValid(
- tsparams.CertsuiteOperatorNonRoot,
- globalparameters.TestCaseFailed, randomReportDir)
- Expect(err).ToNot(HaveOccurred())
- })
-})
diff --git a/tests/operator/tests/operator_pod_automount_token.go b/tests/operator/tests/operator_pod_automount_token.go
deleted file mode 100644
index 415986428..000000000
--- a/tests/operator/tests/operator_pod_automount_token.go
+++ /dev/null
@@ -1,114 +0,0 @@
-package operator
-
-import (
- "fmt"
-
- . "github.com/onsi/ginkgo/v2"
- . "github.com/onsi/gomega"
- "github.com/operator-framework/api/pkg/operators/v1alpha1"
- "github.com/redhat-best-practices-for-k8s/certsuite-qe/tests/globalhelper"
- "github.com/redhat-best-practices-for-k8s/certsuite-qe/tests/globalparameters"
- tshelper "github.com/redhat-best-practices-for-k8s/certsuite-qe/tests/operator/helper"
- tsparams "github.com/redhat-best-practices-for-k8s/certsuite-qe/tests/operator/parameters"
-)
-
-var _ = Describe("Operator pods automount token", func() {
- var randomNamespace string
- var randomReportDir string
- var randomCertsuiteConfigDir string
-
- BeforeEach(func() {
- // Create random namespace and keep original report and certsuite config directories
- randomNamespace, randomReportDir, randomCertsuiteConfigDir =
- globalhelper.BeforeEachSetupWithRandomNamespace(
- tsparams.OperatorNamespace)
-
- By("Define certsuite config file")
- err := globalhelper.DefineCertsuiteConfig(
- []string{randomNamespace},
- []string{tsparams.TestPodLabel},
- []string{tsparams.CertsuiteTargetOperatorLabels},
- []string{},
- tsparams.CertsuiteTargetCrdFilters, randomCertsuiteConfigDir)
- Expect(err).ToNot(HaveOccurred())
-
- By("Deploy operator group")
- err = tshelper.DeployTestOperatorGroup(randomNamespace, false)
- Expect(err).ToNot(HaveOccurred(), "Error deploying operator group")
- })
-
- AfterEach(func() {
- globalhelper.AfterEachCleanupWithRandomNamespace(randomNamespace,
- randomReportDir, randomCertsuiteConfigDir, tsparams.Timeout)
- })
-
- It("Operator pods should not have automount token [negative]", func() {
- // Deploy an operator that does not have automount token
- // Note: The service account that gets deployed as part of the nginx operator
- // contains a service account that leaves the SA default/nil and that defaults to true.
- // The SA should contain a automountServiceAccountToken field that is set explicitly to false.
- By("Deploy operator group")
- err := tshelper.DeployTestOperatorGroup(randomNamespace, false)
- Expect(err).ToNot(HaveOccurred(), "Error deploying operator group")
-
- By("Query the packagemanifest for the " + tsparams.CertifiedOperatorPrefixNginx)
- version, err := globalhelper.QueryPackageManifestForVersion(tsparams.CertifiedOperatorPrefixNginx, randomNamespace)
- Expect(err).ToNot(HaveOccurred(), "Error querying package manifest for nginx-ingress-operator")
-
- By(fmt.Sprintf("Deploy nginx-ingress-operator%s for testing", "."+version))
- // nginx-ingress-operator: in certified-operators group and version is certified
- err = tshelper.DeployOperatorSubscription(
- tsparams.CertifiedOperatorPrefixNginx,
- "alpha",
- randomNamespace,
- tsparams.CertifiedOperatorGroup,
- tsparams.OperatorSourceNamespace,
- tsparams.CertifiedOperatorPrefixNginx+".v"+version,
- v1alpha1.ApprovalAutomatic,
- )
- Expect(err).ToNot(HaveOccurred(), ErrorDeployOperatorStr+
- tsparams.CertifiedOperatorPrefixNginx)
-
- err = waitUntilOperatorIsReady(tsparams.CertifiedOperatorPrefixNginx,
- randomNamespace)
- Expect(err).ToNot(HaveOccurred(), "Operator "+tsparams.CertifiedOperatorPrefixNginx+".v"+version+
- " is not ready")
-
- By("Label operator")
- Eventually(func() error {
- return tshelper.AddLabelToInstalledCSV(
- tsparams.CertifiedOperatorPrefixNginx,
- randomNamespace,
- tsparams.OperatorLabel)
- }, tsparams.TimeoutLabelCsv, tsparams.PollingInterval).Should(Not(HaveOccurred()),
- ErrorLabelingOperatorStr+tsparams.CertifiedOperatorPrefixNginx)
-
- By("Assert that the manager pod has automount token nil or false")
- controllerPod, err := globalhelper.GetControllerPodFromOperator(randomNamespace, tsparams.CertifiedOperatorPrefixNginx)
- Expect(err).ToNot(HaveOccurred(), "Error getting controller pod")
-
- By(fmt.Sprintf("Checking if pod %s has automount token nil or false", controllerPod.Name))
- if controllerPod.Spec.AutomountServiceAccountToken != nil {
- Expect(*controllerPod.Spec.AutomountServiceAccountToken).To(BeFalse())
- } else {
- Expect(controllerPod.Spec.AutomountServiceAccountToken).To(BeNil())
- }
-
- By("Start test")
- err = globalhelper.LaunchTests(
- tsparams.CertsuiteOperatorPodAutomountToken,
- globalhelper.ConvertSpecNameToFileName(CurrentSpecReport().FullText()), randomReportDir, randomCertsuiteConfigDir)
- Expect(err).ToNot(HaveOccurred())
-
- By("Verify test case status in Claim report")
- err = globalhelper.ValidateIfReportsAreValid(
- tsparams.CertsuiteOperatorPodAutomountToken,
- globalparameters.TestCaseFailed, randomReportDir)
- Expect(err).ToNot(HaveOccurred())
- })
-
- It("Operator pods have automount token [negative]", func() {
- // Deploy an operator that explicitly has automount token
- // TODO: Find an operator that has automount token set explicitly
- })
-})
diff --git a/tests/operator/tests/operator_read_only_filesystem.go b/tests/operator/tests/operator_read_only_filesystem.go
deleted file mode 100644
index 93c04fa14..000000000
--- a/tests/operator/tests/operator_read_only_filesystem.go
+++ /dev/null
@@ -1,114 +0,0 @@
-package operator
-
-import (
- "fmt"
-
- . "github.com/onsi/ginkgo/v2"
- . "github.com/onsi/gomega"
- "github.com/operator-framework/api/pkg/operators/v1alpha1"
- "github.com/redhat-best-practices-for-k8s/certsuite-qe/tests/globalhelper"
- "github.com/redhat-best-practices-for-k8s/certsuite-qe/tests/globalparameters"
- tshelper "github.com/redhat-best-practices-for-k8s/certsuite-qe/tests/operator/helper"
- tsparams "github.com/redhat-best-practices-for-k8s/certsuite-qe/tests/operator/parameters"
-)
-
-var _ = Describe("Operator pods read only filesystem", func() {
- var randomNamespace string
- var randomReportDir string
- var randomCertsuiteConfigDir string
-
- BeforeEach(func() {
- // Create random namespace and keep original report and certsuite config directories
- randomNamespace, randomReportDir, randomCertsuiteConfigDir =
- globalhelper.BeforeEachSetupWithRandomNamespace(
- tsparams.OperatorNamespace)
-
- By("Define certsuite config file")
- err := globalhelper.DefineCertsuiteConfig(
- []string{randomNamespace},
- []string{tsparams.TestPodLabel},
- []string{tsparams.CertsuiteTargetOperatorLabels},
- []string{},
- tsparams.CertsuiteTargetCrdFilters, randomCertsuiteConfigDir)
- Expect(err).ToNot(HaveOccurred())
-
- By("Deploy operator group")
- err = tshelper.DeployTestOperatorGroup(randomNamespace, false)
- Expect(err).ToNot(HaveOccurred(), "Error deploying operator group")
- })
-
- AfterEach(func() {
- globalhelper.AfterEachCleanupWithRandomNamespace(randomNamespace,
- randomReportDir, randomCertsuiteConfigDir, tsparams.Timeout)
- })
-
- It("Operator pods should have read-only filesystem", func() {
- // Deploy an operator that has read-only filesystem
- // TODO: Find an operator that has a read-only filesystem
- // TODO: Run the actual tests
- })
-
- It("Operator pods should not have read-only filesystem [negative]", func() {
- // Deploy an operator that has read-only filesystem
- By("Deploy operator group")
- err := tshelper.DeployTestOperatorGroup(randomNamespace, false)
- Expect(err).ToNot(HaveOccurred(), "Error deploying operator group")
-
- By("Query the packagemanifest for the " + tsparams.CertifiedOperatorPrefixNginx)
- version, err := globalhelper.QueryPackageManifestForVersion(tsparams.CertifiedOperatorPrefixNginx, randomNamespace)
- Expect(err).ToNot(HaveOccurred(), "Error querying package manifest for nginx-ingress-operator")
-
- By(fmt.Sprintf("Deploy nginx-ingress-operator%s for testing", "."+version))
- // nginx-ingress-operator: in certified-operators group and version is certified
- err = tshelper.DeployOperatorSubscription(
- tsparams.CertifiedOperatorPrefixNginx,
- "alpha",
- randomNamespace,
- tsparams.CertifiedOperatorGroup,
- tsparams.OperatorSourceNamespace,
- tsparams.CertifiedOperatorPrefixNginx+".v"+version,
- v1alpha1.ApprovalAutomatic,
- )
- Expect(err).ToNot(HaveOccurred(), ErrorDeployOperatorStr+
- tsparams.CertifiedOperatorPrefixNginx)
-
- err = waitUntilOperatorIsReady(tsparams.CertifiedOperatorPrefixNginx,
- randomNamespace)
- Expect(err).ToNot(HaveOccurred(), "Operator "+tsparams.CertifiedOperatorPrefixNginx+".v"+version+
- " is not ready")
-
- By("Label operator")
- Eventually(func() error {
- return tshelper.AddLabelToInstalledCSV(
- tsparams.CertifiedOperatorPrefixNginx,
- randomNamespace,
- tsparams.OperatorLabel)
- }, tsparams.TimeoutLabelCsv, tsparams.PollingInterval).Should(Not(HaveOccurred()),
- ErrorLabelingOperatorStr+tsparams.CertifiedOperatorPrefixNginx)
-
- // We are expecting the operator being deployed to not have a read-only filesystem.
- // Thus, this will fail the test eventually and we will have to expect failure.
-
- By("Assert that the manager pod has read-only filesystem")
- controllerPod, err := globalhelper.GetControllerPodFromOperator(randomNamespace, tsparams.CertifiedOperatorPrefixNginx)
- Expect(err).ToNot(HaveOccurred(), "Error getting controller pod")
-
- By(fmt.Sprintf("Checking if pod %s does not have read only filesystem", controllerPod.Name))
- for _, container := range controllerPod.Spec.Containers {
- Expect(container.SecurityContext).ToNot(BeNil())
- Expect(container.SecurityContext.ReadOnlyRootFilesystem).To(BeNil())
- }
-
- By("Start test")
- err = globalhelper.LaunchTests(
- tsparams.CertsuiteOperatorReadOnlyFilesystem,
- globalhelper.ConvertSpecNameToFileName(CurrentSpecReport().FullText()), randomReportDir, randomCertsuiteConfigDir)
- Expect(err).ToNot(HaveOccurred())
-
- By("Verify test case status in Claim report")
- err = globalhelper.ValidateIfReportsAreValid(
- tsparams.CertsuiteOperatorReadOnlyFilesystem,
- globalparameters.TestCaseFailed, randomReportDir)
- Expect(err).ToNot(HaveOccurred())
- })
-})
diff --git a/tests/operator/tests/operator_run_as_userid.go b/tests/operator/tests/operator_run_as_userid.go
deleted file mode 100644
index 8d5c63b68..000000000
--- a/tests/operator/tests/operator_run_as_userid.go
+++ /dev/null
@@ -1,107 +0,0 @@
-package operator
-
-import (
- "fmt"
-
- . "github.com/onsi/ginkgo/v2"
- . "github.com/onsi/gomega"
- "github.com/operator-framework/api/pkg/operators/v1alpha1"
- "github.com/redhat-best-practices-for-k8s/certsuite-qe/tests/globalhelper"
- "github.com/redhat-best-practices-for-k8s/certsuite-qe/tests/globalparameters"
- tshelper "github.com/redhat-best-practices-for-k8s/certsuite-qe/tests/operator/helper"
- tsparams "github.com/redhat-best-practices-for-k8s/certsuite-qe/tests/operator/parameters"
-)
-
-var _ = Describe("Operator pods have runAs userid", func() {
- var randomNamespace string
- var randomReportDir string
- var randomCertsuiteConfigDir string
-
- BeforeEach(func() {
- // Create random namespace and keep original report and certsuite config directories
- randomNamespace, randomReportDir, randomCertsuiteConfigDir =
- globalhelper.BeforeEachSetupWithRandomNamespace(
- tsparams.OperatorNamespace)
-
- By("Define certsuite config file")
- err := globalhelper.DefineCertsuiteConfig(
- []string{randomNamespace},
- []string{tsparams.TestPodLabel},
- []string{tsparams.CertsuiteTargetOperatorLabels},
- []string{},
- tsparams.CertsuiteTargetCrdFilters, randomCertsuiteConfigDir)
- Expect(err).ToNot(HaveOccurred())
- })
-
- AfterEach(func() {
- globalhelper.AfterEachCleanupWithRandomNamespace(randomNamespace,
- randomReportDir, randomCertsuiteConfigDir, tsparams.Timeout)
- })
-
- It("Operator pods should have runAs userid", func() {
- // Deploy an operator that has runAs userid
- By("Deploy operator group")
- err := tshelper.DeployTestOperatorGroup(randomNamespace, false)
- Expect(err).ToNot(HaveOccurred(), "Error deploying operator group")
-
- By("Query the packagemanifest for the " + tsparams.CertifiedOperatorPrefixNginx)
- version, err := globalhelper.QueryPackageManifestForVersion(tsparams.CertifiedOperatorPrefixNginx, randomNamespace)
- Expect(err).ToNot(HaveOccurred(), "Error querying package manifest for nginx-ingress-operator")
-
- By(fmt.Sprintf("Deploy nginx-ingress-operator%s for testing", "."+version))
- // nginx-ingress-operator: in certified-operators group and version is certified
- err = tshelper.DeployOperatorSubscription(
- tsparams.CertifiedOperatorPrefixNginx,
- "alpha",
- randomNamespace,
- tsparams.CertifiedOperatorGroup,
- tsparams.OperatorSourceNamespace,
- tsparams.CertifiedOperatorPrefixNginx+".v"+version,
- v1alpha1.ApprovalAutomatic,
- )
- Expect(err).ToNot(HaveOccurred(), ErrorDeployOperatorStr+
- tsparams.CertifiedOperatorPrefixNginx)
-
- err = waitUntilOperatorIsReady(tsparams.CertifiedOperatorPrefixNginx,
- randomNamespace)
- Expect(err).ToNot(HaveOccurred(), "Operator "+tsparams.CertifiedOperatorPrefixNginx+".v"+version+
- " is not ready")
-
- By("Label operator")
- Eventually(func() error {
- return tshelper.AddLabelToInstalledCSV(
- tsparams.CertifiedOperatorPrefixNginx,
- randomNamespace,
- tsparams.OperatorLabel)
- }, tsparams.TimeoutLabelCsv, tsparams.PollingInterval).Should(Not(HaveOccurred()),
- ErrorLabelingOperatorStr+tsparams.CertifiedOperatorPrefixNginx)
-
- By("Assert that the manager pod has runAs userid")
- controllerPod, err := globalhelper.GetControllerPodFromOperator(randomNamespace, tsparams.CertifiedOperatorPrefixNginx)
- Expect(err).ToNot(HaveOccurred(), "Error getting controller pod")
-
- for _, container := range controllerPod.Spec.Containers {
- Expect(container.SecurityContext).ToNot(BeNil())
- Expect(container.SecurityContext.RunAsUser).ToNot(BeNil())
- Expect(*container.SecurityContext.RunAsUser).ToNot(Equal(0))
- }
-
- By("Start test")
- err = globalhelper.LaunchTests(
- tsparams.CertsuiteOperatorPodRunAsUserID,
- globalhelper.ConvertSpecNameToFileName(CurrentSpecReport().FullText()), randomReportDir, randomCertsuiteConfigDir)
- Expect(err).ToNot(HaveOccurred())
-
- By("Verify test case status in Claim report")
- err = globalhelper.ValidateIfReportsAreValid(
- tsparams.CertsuiteOperatorPodRunAsUserID,
- globalparameters.TestCasePassed, randomReportDir)
- Expect(err).ToNot(HaveOccurred())
- })
-
- It("Operator pods do not have runAs userid [negative]", func() {
- // Deploy an operator that has runAs userid
-
- // TODO: Find an operator that does not have runAs userid
- })
-})