PSA Acceptance Tests (#4483)

* update tests and bases

* change client image back

* remove read only tag

* remove root only file system

* update test target address

* fix kitchen sink gcc

* fix target address

* fix targetAddress

* comment out flaky checks

* Update acceptance/tests/api-gateway/api_gateway_test.go

* update ports on jwt test

* clean up names and enforce versions

* Update acceptance/tests/fixtures/bases/api-gateway/gatewayclassconfig.yaml

Co-authored-by: Nathan Coleman <[email protected]>

* removing test case to reduce chances of flaking

* update deployment sec context

* skip psa in CNI for now

* modify namespace directly not through the config

* add test case back in

* clean up print statement

* gofmt

* add namespace for cni

* don't skip cni

* don't skip cni when tproxy is on

* add sec comp profile

* fix unit test

* update tests and bases

* change client image back

* remove read only tag

* remove root only file system

* update test target address

* fix kitchen sink gcc

* fix target address

* fix targetAddress

* comment out flaky checks

* Update acceptance/tests/api-gateway/api_gateway_test.go

* update ports on jwt test

* clean up names and enforce versions

* Update acceptance/tests/fixtures/bases/api-gateway/gatewayclassconfig.yaml

Co-authored-by: Nathan Coleman <[email protected]>

* removing test case to reduce chances of flaking

* update deployment sec context

* skip psa in CNI for now

* modify namespace directly not through the config

* add test case back in

* clean up print statement

* gofmt

* add namespace for cni

* don't skip cni

* don't skip cni when tproxy is on

* add sec comp profile

* fix unit test

* clean up, add cni comment

* clean up counter

---------

Co-authored-by: Nathan Coleman <[email protected]>

Author: sarahalsmiller

Diff for: acceptance/tests/api-gateway/api_gateway_external_servers_test.go

@@ -120,7 +120,7 @@ func TestAPIGateway_ExternalServers(t *testing.T) {
 	})
 
 	k8sOptions := ctx.KubectlOptions(t)
-	targetAddress := fmt.Sprintf("http://%s/", gatewayAddress)
+	targetAddress := fmt.Sprintf("http://%s:8080/", gatewayAddress)
 
 	// check that intentions keep our connection from happening
 	k8s.CheckStaticServerHTTPConnectionFailing(t, k8sOptions, StaticClientName, targetAddress)

Diff for: acceptance/tests/api-gateway/api_gateway_kitchen_sink_test.go

@@ -187,7 +187,7 @@ func TestAPIGateway_KitchenSink(t *testing.T) {
 
 	// finally we check that we can actually route to the service(s) via the gateway
 	k8sOptions := ctx.KubectlOptions(t)
-	targetHTTPAddress := fmt.Sprintf("http://%s/v1", gatewayAddress)
+	targetHTTPAddress := fmt.Sprintf("http://%s:8080/v1", gatewayAddress)
 
 	// Now we create the allow intention.
 	_, _, err = consulClient.ConfigEntries().Set(&api.ServiceIntentionsConfigEntry{

Diff for: acceptance/tests/api-gateway/api_gateway_test.go

@@ -37,20 +37,35 @@ const (
 // Test that api gateway basic functionality works in a default installation and a secure installation.
 func TestAPIGateway_Basic(t *testing.T) {
 	cases := []struct {
-		secure bool
+		secure                   bool
+		restrictedPSAEnforcement bool
 	}{
 		{
 			secure: false,
 		},
 		{
 			secure: true,
 		},
+		// There is an argument that all tests should be run in a restricted PSA namespace
+		// However we are on a time crunch and don't want to make sweeping changes to the test suite
+		{
+			secure:                   true,
+			restrictedPSAEnforcement: true,
+		},
+		{
+			secure:                   false,
+			restrictedPSAEnforcement: true,
+		},
 	}
 	for _, c := range cases {
-		name := fmt.Sprintf("secure: %t", c.secure)
+		name := fmt.Sprintf("secure: %t restrictedPSAEnforcement: %t", c.secure, c.restrictedPSAEnforcement)
 		t.Run(name, func(t *testing.T) {
 			ctx := suite.Environment().DefaultContext(t)
 			cfg := suite.Config()
+			if cfg.EnableTransparentProxy && c.restrictedPSAEnforcement && !cfg.EnableCNI {
+				t.Skipf("skipping because -enable-transparent-proxy is set and -enable-cni is not and tproxy cannot run in restrictedPSA without CNI enabled")
+			}
+
 			helmValues := map[string]string{
 				"connectInject.enabled":        "true",
 				"global.acls.manageSystemACLs": strconv.FormatBool(c.secure),
@@ -63,6 +78,30 @@ func TestAPIGateway_Basic(t *testing.T) {
 
 			consulCluster.Create(t)
 
+			if c.restrictedPSAEnforcement {
+				//enable PSA enforcment for some tests
+				k8s.RunKubectl(t, ctx.KubectlOptions(t), "label", "--overwrite", "ns", ctx.KubectlOptions(t).Namespace,
+					"pod-security.kubernetes.io/enforce=restricted",
+				)
+
+				if cfg.EnableCNI {
+					helmValues["connectInject.cni.namespace"] = "cni-namespace"
+					//create namespace for CNI. CNI pods require NET_ADMIN so the need to run in a non PSA restricted namespace.
+					k8s.RunKubectl(t, ctx.KubectlOptions(t), "create", "namespace", "cni-namespace")
+				}
+			}
+			helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
+				if c.restrictedPSAEnforcement {
+					//reset namespace
+					k8s.RunKubectl(t, ctx.KubectlOptions(t), "label", "--overwrite", "ns", ctx.KubectlOptions(t).Namespace,
+						"pod-security.kubernetes.io/enforce=privileged",
+					)
+					if cfg.EnableCNI {
+						k8s.RunKubectl(t, ctx.KubectlOptions(t), "delete", "namespace", "cni-namespace")
+					}
+				}
+			})
+
 			// Override the default proxy config settings for this test
 			consulClient, _ := consulCluster.SetupConsulClient(t, c.secure)
 			_, _, err := consulClient.ConfigEntries().Set(&api.ProxyConfigEntry{
@@ -208,6 +247,7 @@ func TestAPIGateway_Basic(t *testing.T) {
 			require.Len(t, tcpRoute.Status.Parents, 1)
 			require.EqualValues(t, gatewayClassControllerName, tcpRoute.Status.Parents[0].ControllerName)
 			require.EqualValues(t, "gateway", tcpRoute.Status.Parents[0].ParentRef.Name)
+
 			checkStatusCondition(t, tcpRoute.Status.Parents[0].Conditions, trueCondition("Accepted", "Accepted"))
 			checkStatusCondition(t, tcpRoute.Status.Parents[0].Conditions, trueCondition("ResolvedRefs", "ResolvedRefs"))
 			checkStatusCondition(t, tcpRoute.Status.Parents[0].Conditions, trueCondition("ConsulAccepted", "Accepted"))
@@ -239,9 +279,10 @@ func TestAPIGateway_Basic(t *testing.T) {
 
 			// finally we check that we can actually route to the service via the gateway
 			k8sOptions := ctx.KubectlOptions(t)
-			targetHTTPAddress := fmt.Sprintf("http://%s", gatewayAddress)
-			targetHTTPSAddress := fmt.Sprintf("https://%s", gatewayAddress)
-			targetTCPAddress := fmt.Sprintf("http://%s:81", gatewayAddress)
+			//we have to account for port mapping inside the cluster.
+			targetHTTPAddress := fmt.Sprintf("http://%s:8080", gatewayAddress)
+			targetHTTPSAddress := fmt.Sprintf("https://%s:8443", gatewayAddress)
+			targetTCPAddress := fmt.Sprintf("http://%s:8081", gatewayAddress)
 
 			if c.secure {
 				// check that intentions keep our connection from happening
@@ -543,13 +584,13 @@ func TestAPIGateway_JWTAuth_Basic(t *testing.T) {
 
 	// finally we check that we can actually route to the service(s) via the gateway
 	k8sOptions := ctx.KubectlOptions(t)
-	targetHTTPAddress := fmt.Sprintf("http://%s/v1", gatewayAddress)
-	targetHTTPAddressAdmin := fmt.Sprintf("http://%s:8081/admin", gatewayAddress)
-	targetHTTPAddressPet := fmt.Sprintf("http://%s:8081/pet", gatewayAddress)
-	targetHTTPAddressAdmin2 := fmt.Sprintf("http://%s:8081/admin-2", gatewayAddress)
-	targetHTTPAddressPet2 := fmt.Sprintf("http://%s:8081/pet-2", gatewayAddress)
-	targetHTTPAddressAdminNoAuthOnRoute := fmt.Sprintf("http://%s:8081/admin-no-auth", gatewayAddress)
-	targetHTTPAddressPetNotAuthOnRoute := fmt.Sprintf("http://%s:8081/pet-no-auth", gatewayAddress)
+	targetHTTPAddress := fmt.Sprintf("http://%s:8080/v1", gatewayAddress)
+	targetHTTPAddressAdmin := fmt.Sprintf("http://%s:8083/admin", gatewayAddress)
+	targetHTTPAddressPet := fmt.Sprintf("http://%s:8083/pet", gatewayAddress)
+	targetHTTPAddressAdmin2 := fmt.Sprintf("http://%s:8083/admin-2", gatewayAddress)
+	targetHTTPAddressPet2 := fmt.Sprintf("http://%s:8083/pet-2", gatewayAddress)
+	targetHTTPAddressAdminNoAuthOnRoute := fmt.Sprintf("http://%s:8083/admin-no-auth", gatewayAddress)
+	targetHTTPAddressPetNotAuthOnRoute := fmt.Sprintf("http://%s:8083/pet-no-auth", gatewayAddress)
 
 	// Now we create the allow intention.
 	_, _, err = consulClient.ConfigEntries().Set(&api.ServiceIntentionsConfigEntry{

Diff for: acceptance/tests/fixtures/bases/api-gateway/gatewayclassconfig.yaml

@@ -4,4 +4,7 @@
 apiVersion: consul.hashicorp.com/v1alpha1
 kind: GatewayClassConfig
 metadata:
-  name: gateway-class-config
+  name: gateway-class-config
+spec:
+  # In order for Gateways to work whether or not we're enforcing the "restricted" pod security policy, they must not used privileged ports
+  mapPrivilegedContainerPorts: 8000

Diff for: acceptance/tests/fixtures/bases/static-client/deployment.yaml

@@ -18,6 +18,17 @@ spec:
     spec:
       containers:
         - name: static-client
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              add:
+                - "NET_BIND_SERVICE"
+              drop:
+                - ALL
           image: docker.mirror.hashicorp.services/buildpack-deps:jammy-curl
           command: [ "/bin/sh", "-c", "--" ]
           args: [ "while true; do sleep 30; done;" ]

Diff for: acceptance/tests/fixtures/bases/static-server-https/deployment.yaml

@@ -18,6 +18,17 @@ spec:
       containers:
         - name: caddy
           image: caddy:latest
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              add:
+                - "NET_BIND_SERVICE"
+              drop:
+                - ALL
           ports:
             - name: https-port
               containerPort: 443

Diff for: acceptance/tests/fixtures/bases/static-server-tcp/deployment.yaml

@@ -22,6 +22,17 @@ spec:
       containers:
         - name: static-server
           image: docker.mirror.hashicorp.services/kschoche/http-echo:latest
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              add:
+                - "NET_BIND_SERVICE"
+              drop:
+                - ALL
           args:
             - -text="hello world"
             - -listen=:8080

Diff for: acceptance/tests/fixtures/bases/static-server/deployment.yaml

@@ -21,6 +21,17 @@ spec:
           # Using alpine vs latest as there is a build issue with M1s. Also other tests in multiport-app reference
           # alpine so standardizing this.
           image: docker.mirror.hashicorp.services/hashicorp/http-echo:alpine
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              add:
+                - "NET_BIND_SERVICE"
+              drop:
+                - ALL
           args:
             - -text="hello world"
             - -listen=:8080

Diff for: acceptance/tests/fixtures/cases/api-gateways/jwt-auth/api-gateway.yaml

@@ -9,13 +9,13 @@ spec:
   gatewayClassName: gateway-class
   listeners:
   - protocol: HTTP
-    port: 8081
+    port: 83
     name: http-auth
     allowedRoutes:
       namespaces:
         from: "All"
   - protocol: HTTP
-    port: 8082
+    port: 84
     name: http-invalid-attach
     allowedRoutes:
       namespaces:

Diff for: acceptance/tests/fixtures/cases/static-server-inject/patch.yaml

@@ -14,6 +14,17 @@ spec:
       containers:
         - name: static-server
           image: docker.mirror.hashicorp.services/kschoche/http-echo:latest
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              add:
+                - "NET_BIND_SERVICE"
+              drop:
+                - ALL
           args:
             - -text="hello world"
             - -listen=:8080

Diff for: acceptance/tests/partitions/partitions_gateway_test.go

@@ -259,7 +259,7 @@ func TestPartitions_Gateway(t *testing.T) {
 		gatewayAddress = gateway.Status.Addresses[0].Value
 	})
 
-	targetAddress := fmt.Sprintf("http://%s/", gatewayAddress)
+	targetAddress := fmt.Sprintf("http://%s:8080/", gatewayAddress)
 
 	// This section of the tests runs the in-partition networking tests.
 	t.Run("in-partition", func(t *testing.T) {

Diff for: acceptance/tests/peering/peering_gateway_test.go

@@ -276,7 +276,7 @@ func TestPeering_Gateway(t *testing.T) {
 		gatewayAddress = gateway.Status.Addresses[0].Value
 	})
 
-	targetAddress := fmt.Sprintf("http://%s/", gatewayAddress)
+	targetAddress := fmt.Sprintf("http://%s:8080/", gatewayAddress)
 
 	logger.Log(t, "creating local service resolver")
 	k8s.KubectlApplyK(t, staticClientOpts, "../fixtures/cases/api-gateways/peer-resolver")

Diff for: acceptance/tests/wan-federation/wan_federation_gateway_test.go

@@ -208,7 +208,7 @@ func checkConnectivity(t *testing.T, ctx environment.TestContext, client *api.Cl
 		gatewayAddress = gateway.Status.Addresses[0].Value
 	})
 
-	targetAddress := fmt.Sprintf("http://%s/", gatewayAddress)
+	targetAddress := fmt.Sprintf("http://%s:8080/", gatewayAddress)
 
 	logger.Log(t, "checking that the connection is not successful because there's no intention")
 	k8s.CheckStaticServerHTTPConnectionFailing(t, ctx.KubectlOptions(t), connhelper.StaticClientName, targetAddress)

Diff for: control-plane/connect-inject/webhook/container_init.go

@@ -254,6 +254,9 @@ func (w *MeshWebhook) containerInit(namespace corev1.Namespace, pod corev1.Pod,
 			}
 
 			container.SecurityContext = &corev1.SecurityContext{
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
 				RunAsUser:    ptr.To(uid),
 				RunAsGroup:   ptr.To(group),
 				RunAsNonRoot: ptr.To(true),

Diff for: control-plane/connect-inject/webhook/container_init_test.go

@@ -296,6 +296,9 @@ func TestHandlerContainerInit_transparentProxy(t *testing.T) {
 			var expectedSecurityContext *corev1.SecurityContext
 			if c.cniEnabled && !c.openShiftEnabled {
 				expectedSecurityContext = &corev1.SecurityContext{
+					SeccompProfile: &corev1.SeccompProfile{
+						Type: corev1.SeccompProfileTypeRuntimeDefault,
+					},
 					RunAsUser:    ptr.To(int64(initContainersUserAndGroupID)),
 					RunAsGroup:   ptr.To(int64(initContainersUserAndGroupID)),
 					RunAsNonRoot: ptr.To(true),
@@ -319,6 +322,9 @@ func TestHandlerContainerInit_transparentProxy(t *testing.T) {
 			} else if c.cniEnabled && c.openShiftEnabled {
 				// When cni + openShift
 				expectedSecurityContext = &corev1.SecurityContext{
+					SeccompProfile: &corev1.SeccompProfile{
+						Type: corev1.SeccompProfileTypeRuntimeDefault,
+					},
 					RunAsUser:    ptr.To(int64(1000799999)),
 					RunAsGroup:   ptr.To(int64(1000799999)),
 					RunAsNonRoot: ptr.To(true),