[ModelRegistry] ensure RunAsUser and RunAsGroup are not set explicitly

dbasunag · dbasunag · commit 20cd45708437 · 2025-04-08T12:44:48.000-04:00
updates! 4813f2b
diff --git a/tests/model_registry/constants.py b/tests/model_registry/constants.py
@@ -31,7 +31,7 @@ class ModelRegistryEndpoints:
     "authProvider": "redhat-ods-applications-auth-provider",
     "gateway": {"grpc": {"tls": {}}, "rest": {"tls": {}}},
 }
-DB_RESOURCES_NAME: str = "model-registry-db"
+DB_RESOURCES_NAME: str = "db-model-registry"
 MR_DB_IMAGE_DIGEST: str = (
     "public.ecr.aws/docker/library/mysql@sha256:9de9d54fecee6253130e65154b930978b1fcc336bcc86dfd06e89b72a2588ebe"
 )
diff --git a/tests/model_registry/scc/__init__.py b/tests/model_registry/scc/__init__.py
diff --git a/tests/model_registry/scc/test_model_registry_scc.py b/tests/model_registry/scc/test_model_registry_scc.py
@@ -0,0 +1,144 @@
+from __future__ import annotations
+import pytest
+from typing import Self
+from simple_logger.logger import get_logger
+from _pytest.fixtures import FixtureRequest
+
+from ocp_resources.namespace import Namespace
+from ocp_resources.pod import Pod
+from ocp_resources.deployment import Deployment
+from ocp_resources.resource import NamespacedResource
+from tests.model_registry.scc.utils import get_uid_from_namespace, validate_pod_security_context
+from utilities.constants import DscComponents
+from tests.model_registry.constants import MR_NAMESPACE, MODEL_DICT, MR_INSTANCE_NAME
+
+from kubernetes.dynamic import DynamicClient
+from ocp_utilities.infra import get_pods_by_name_prefix
+
+KEYS_TO_VALIDATE = ["runAsGroup", "runAsUser"]
+LOGGER = get_logger(name=__name__)
+
+
+@pytest.fixture(scope="class")
+def model_registry_scc_namespace(model_registry_namespace: Namespace):
+    mr_annotations = model_registry_namespace.instance.metadata.annotations
+    return {
+        "seLinuxOptions": mr_annotations.get("openshift.io/sa.scc.mcs"),
+        "uid-range": mr_annotations.get("openshift.io/sa.scc.uid-range"),
+    }
+
+
+@pytest.fixture(scope="class")
+def model_registry_resource(
+    request: FixtureRequest, admin_client: DynamicClient, model_registry_namespace: Namespace
+) -> NamespacedResource:
+    if request.param["kind"] == Deployment:
+        return Deployment(name=MR_INSTANCE_NAME, namespace=model_registry_namespace.name, ensure_exists=True)
+    elif request.param["kind"] == Pod:
+        pods = get_pods_by_name_prefix(
+            client=admin_client, pod_prefix=MR_INSTANCE_NAME, namespace=model_registry_namespace.name
+        )
+        if len(pods) != 1:
+            pytest.fail(
+                "Expected one model registry pod. Found: {[{pod.name: pod.status} for pod in pods] if pods else None}"
+            )
+        return pods[0]
+    else:
+        raise AssertionError(f"Invalid resource: {request.param['kind']}. Valid options: Deployment and Pod")
+
+
+@pytest.mark.parametrize(
+    "model_registry_namespace, updated_dsc_component_state_scope_class, registered_model",
+    [
+        pytest.param(
+            {"namespace_name": MR_NAMESPACE},
+            {
+                "component_patch": {
+                    DscComponents.MODELREGISTRY: {
+                        "managementState": DscComponents.ManagementState.MANAGED,
+                        "registriesNamespace": MR_NAMESPACE,
+                    },
+                },
+            },
+            MODEL_DICT,
+        ),
+    ],
+    indirect=True,
+)
+@pytest.mark.usefixtures("model_registry_namespace", "updated_dsc_component_state_scope_class", "registered_model")
+class TestModelRegistrySecurityContextValidation:
+    @pytest.mark.parametrize(
+        "model_registry_resource",
+        [
+            pytest.param({"kind": Deployment}),
+        ],
+        indirect=["model_registry_resource"],
+    )
+    def test_model_registry_deployment_security_context_validation(
+        self: Self,
+        model_registry_resource: NamespacedResource,
+        model_registry_namespace: Namespace,
+    ):
+        """
+        Validate that model registry deployment does not set runAsUser/runAsGroup
+        """
+        error = []
+        for container in model_registry_resource.instance.spec.template.spec.containers:
+            if not all([True for key in KEYS_TO_VALIDATE if not container.get(key)]):
+                error.append({container.name: container.securityContext})
+
+        if error:
+            pytest.fail(
+                f"{model_registry_resource.name} {model_registry_resource.kind} containers expected to not "
+                f"set {KEYS_TO_VALIDATE}, actual: {error}"
+            )
+
+    @pytest.mark.parametrize(
+        "model_registry_resource",
+        [
+            pytest.param({"kind": Pod}),
+        ],
+        indirect=["model_registry_resource"],
+    )
+    def test_model_registry_pod_security_context_validation(
+        self: Self,
+        model_registry_resource: NamespacedResource,
+        model_registry_scc_namespace: dict[str, str],
+    ):
+        """
+        Validate that model registry pod gets runAsUser/runAsGroup from openshift and the values matches namespace
+        annotations
+        """
+        errors = []
+        ns_uid = get_uid_from_namespace(namespace_scc=model_registry_scc_namespace)
+        pod_spec = model_registry_resource.instance.spec
+        errors = validate_pod_security_context(
+            pod_security_context=pod_spec.securityContext,
+            namespace_scc=model_registry_scc_namespace,
+            model_registry_resource=model_registry_resource,
+            ns_uid=ns_uid,
+        )
+        containers = model_registry_resource.instance.spec.containers
+        for container in containers:
+            expected_value = {
+                "runAsUser": int(ns_uid) + 1 if "sidecar" in container.args else int(ns_uid),
+                "runAsGroup": int(ns_uid) + 1 if "sidecar" in container.args else None,
+            }
+
+            for key in KEYS_TO_VALIDATE:
+                if container.securityContext.get(key) == expected_value[key]:
+                    LOGGER.info(
+                        f"For container: {container.name}, {key} validation: {expected_value[key]} completed "
+                        "successfully"
+                    )
+                else:
+                    errors.append(
+                        f"For {container.name}, expected key {key} value: {expected_value[key]},"
+                        f" actual: {container.securityContext.get(key)}"
+                    )
+
+        if errors:
+            pytest.fail(
+                f"{model_registry_resource.name} {model_registry_resource.kind} pod security context validation failed"
+                f" with error: {errors}"
+            )
diff --git a/tests/model_registry/scc/utils.py b/tests/model_registry/scc/utils.py
@@ -0,0 +1,28 @@
+from typing import Any
+
+from ocp_resources.resource import NamespacedResource
+
+
+def get_uid_from_namespace(namespace_scc: dict[str, str]) -> str:
+    return namespace_scc["uid-range"].split("/")[0]
+
+
+def validate_pod_security_context(
+    pod_security_context: dict[str, Any],
+    namespace_scc: dict[str, str],
+    model_registry_resource: NamespacedResource,
+    ns_uid: str,
+) -> list[str]:
+    errors = []
+    pod_selinux_option = pod_security_context.get("seLinuxOptions", {}).get("level")
+    if pod_selinux_option != namespace_scc["seLinuxOptions"]:
+        errors.append(
+            f"selinux option from pod {model_registry_resource.name} {pod_selinux_option},"
+            f" namespace: {namespace_scc['seLinuxOptions']}"
+        )
+    if pod_security_context.get("fsGroup") != int(ns_uid):
+        errors.append(
+            f"UID-range from pod {model_registry_resource.name} {pod_security_context.get('fsGroup')},"
+            f" namespace: {ns_uid}"
+        )
+    return errors
diff --git a/tests/model_registry/test_model_registry_creation.py b/tests/model_registry/test_model_registry_creation.py
@@ -1,3 +1,4 @@
+from __future__ import annotations
 import pytest
 from typing import Self
 from simple_logger.logger import get_logger

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ class ModelRegistryEndpoints:`
`31`	`31`	`"authProvider": "redhat-ods-applications-auth-provider",`
`32`	`32`	`"gateway": {"grpc": {"tls": {}}, "rest": {"tls": {}}},`
`33`	`33`	`}`
`34`		`-DB_RESOURCES_NAME: str = "model-registry-db"`
	`34`	`+DB_RESOURCES_NAME: str = "db-model-registry"`
`35`	`35`	`MR_DB_IMAGE_DIGEST: str = (`
`36`	`36`	`"public.ecr.aws/docker/library/mysql@sha256:9de9d54fecee6253130e65154b930978b1fcc336bcc86dfd06e89b72a2588ebe"`
`37`	`37`	`)`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+from __future__ import annotations`
`1`	`2`	`import pytest`
`2`	`3`	`from typing import Self`
`3`	`4`	`from simple_logger.logger import get_logger`