Make the E2E testing pods obey the restricted pod security standard. (#6279)

Signed-off-by: Xun Jiang <blackpiglet@gmail.com> Co-authored-by: Xun Jiang <blackpiglet@gmail.com>
2026-01-07 05:46:37 +00:00 · 2023-05-17 22:25:38 +08:00
parent 7ed286d886
commit 7417e5b5f7
2 changed files with 31 additions and 1 deletions
--- a/test/e2e/util/k8s/deployment.go
+++ b/test/e2e/util/k8s/deployment.go
@@ -26,6 +26,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
+
+	"github.com/vmware-tanzu/velero/pkg/util/boolptr"
 )

 const (
@@ -52,6 +54,19 @@ func NewDeployment(name, ns string, replicas int32, labels map[string]string, co
 				Name:    "container-busybox",
 				Image:   "gcr.io/velero-gcp/busybox:latest",
 				Command: []string{"sleep", "1000000"},
+				// Make pod obeys the restricted pod security standards.
+				SecurityContext: &v1.SecurityContext{
+					AllowPrivilegeEscalation: boolptr.False(),
+					Capabilities: &v1.Capabilities{
+						Drop: []v1.Capability{"ALL"},
+					},
+					RunAsNonRoot: boolptr.True(),
+					RunAsUser:    func(i int64) *int64 { return &i }(65534),
+					RunAsGroup:   func(i int64) *int64 { return &i }(65534),
+					SeccompProfile: &v1.SeccompProfile{
+						Type: v1.SeccompProfileTypeRuntimeDefault,
+					},
+				},
 			},
 		}
 	}
--- a/test/e2e/util/k8s/pod.go
+++ b/test/e2e/util/k8s/pod.go
@@ -22,8 +22,10 @@ import (

 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
-
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/vmware-tanzu/velero/pkg/util/boolptr"
 )

 func CreatePod(client TestClient, ns, name, sc, pvcName string, volumeNameList []string, pvcAnn, ann map[string]string) (*corev1.Pod, error) {
@@ -74,6 +76,19 @@ func CreatePod(client TestClient, ns, name, sc, pvcName string, volumeNameList [
 					Image:        "gcr.io/velero-gcp/busybox",
 					Command:      []string{"sleep", "3600"},
 					VolumeMounts: vmList,
+					// Make pod obeys the restricted pod security standards.
+					SecurityContext: &v1.SecurityContext{
+						AllowPrivilegeEscalation: boolptr.False(),
+						Capabilities: &v1.Capabilities{
+							Drop: []v1.Capability{"ALL"},
+						},
+						RunAsNonRoot: boolptr.True(),
+						RunAsUser:    func(i int64) *int64 { return &i }(65534),
+						RunAsGroup:   func(i int64) *int64 { return &i }(65534),
+						SeccompProfile: &v1.SeccompProfile{
+							Type: v1.SeccompProfileTypeRuntimeDefault,
+						},
+					},
 				},
 			},
 			Volumes: volumes,