
Commit 8e7d743

Ish Shahlaxmikantbpandhare
andauthored
Add PSA Flag to Scorecard (#6187)
* add pod security flag to scorecard cli Signed-off-by: Ish Shah <ishah@redhat.com> * plumbing for cli Signed-off-by: Ish Shah <ishah@redhat.com> * struct packing Signed-off-by: Ish Shah <ishah@redhat.com> * change flag to string Signed-off-by: Ish Shah <ishah@redhat.com> * errors Signed-off-by: Ish Shah <ishah@redhat.com> * Updated According to review comments * removed Unused code removed unused function code getLegacyPodDefinition() * sanity errors sanity errors fix Signed-off-by: Ish Shah <ishah@redhat.com> Co-authored-by: Laxmikant Bhaskar Pandhare <47066536+laxmikantbpandhare@users.noreply.github.com>
1 parent f6c820d commit 8e7d743


3 files changed

+26
-4
lines changed


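--- a/internal/cmd/operator-sdk/scorecard/cmd.go
+++ b/internal/cmd/operator-sdk/scorecard/cmd.go
@@ -52,6 +52,7 @@ type scorecardCmd struct {
 storageImage string
 untarImage string
 testOutput string
+podSecurity string
 }
 
 func NewCmd() *cobra.Command {
@@ -80,6 +81,7 @@ If the argument holds an image tag, it must be present remotely.`,
 scorecardCmd.Flags().StringVarP(&c.namespace, "namespace", "n", "", "namespace to run the test images in")
 scorecardCmd.Flags().StringVarP(&c.outputFormat, "output", "o", "text",
 "Output format for results. Valid values: text, json, xunit")
+scorecardCmd.Flags().StringVar(&c.podSecurity, "pod-security", "legacy", "option to run scorecard with legacy pod security context")
 scorecardCmd.Flags().StringVarP(&c.serviceAccount, "service-account", "s", "default",
 "Service account to use for tests")
 scorecardCmd.Flags().BoolVarP(&c.list, "list", "L", false,
@@ -187,8 +189,16 @@ func (c *scorecardCmd) run() (err error) {
 log.Fatal(err)
 }
 
+podSecFlag := true
+if c.podSecurity == "restricted" {
+podSecFlag = true
+} else if c.podSecurity == "legacy" {
+podSecFlag = false
+}
+
 o := scorecard.Scorecard{
 SkipCleanup: c.skipCleanup,
+PodSecurity: podSecFlag,
 }
 
 configPath := c.config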
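Review bot: In the run() hunk, any --pod-security value other than "legacy" or "restricted" is silently treated as restricted (podSecFlag starts as true and only those two strings change it), and the flag help in the NewCmd hunk does not list the accepted values, so a typo is neither rejected nor visible to the user; the commit message mentions "errors" and "sanity errors" but no validation is visible in this diff. run() already returns an error, so an unrecognised value can be rejected with a switch that has a default case, as below (this assumes fmt is imported in cmd.go, which the hunk does not show). The help string should also enumerate the values, e.g. `"pod security profile to apply to the test pod. Valid values: legacy, restricted"`. run() begins before and continues after this hunk.
```go
	var podSecFlag bool
	switch c.podSecurity {
	case "restricted":
		podSecFlag = true
	case "legacy":
		podSecFlag = false
	default:
		return fmt.Errorf("invalid --pod-security value %q: valid values are legacy, restricted", c.podSecurity)
	}
	// … unchanged: Scorecard construction …
```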

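--- a/internal/scorecard/scorecard.go
+++ b/internal/scorecard/scorecard.go
@@ -33,7 +33,7 @@ import (
 
 type TestRunner interface {
 Initialize(context.Context) error
-RunTest(context.Context, v1alpha3.TestConfiguration) (*v1alpha3.TestStatus, error)
+RunTest(context.Context, v1alpha3.TestConfiguration, bool) (*v1alpha3.TestStatus, error)
 Cleanup(context.Context) error
 }
 
@@ -42,6 +42,7 @@ type Scorecard struct {
 Selector labels.Selector
 TestRunner TestRunner
 SkipCleanup bool
+PodSecurity bool
 }
 
 type PodTestRunner struct {
@@ -56,6 +57,7 @@ type PodTestRunner struct {
 UntarImage string
 
 configMapName string
+PodSecurity bool
 }
 
 type FakeTestRunner struct {
@@ -141,7 +143,7 @@ func (o Scorecard) runStageSequential(ctx context.Context, tests []v1alpha3.Test
 }
 
 func (o Scorecard) runTest(ctx context.Context, test v1alpha3.TestConfiguration) v1alpha3.Test {
-result, err := o.TestRunner.RunTest(ctx, test)
+result, err := o.TestRunner.RunTest(ctx, test, o.PodSecurity)
 if err != nil {
 result = convertErrorToStatus(err, "")
 }
@@ -217,10 +219,19 @@ func (r PodTestRunner) Cleanup(ctx context.Context) (err error) {
 }
 
 // RunTest executes a single test
-func (r PodTestRunner) RunTest(ctx context.Context, test v1alpha3.TestConfiguration) (*v1alpha3.TestStatus, error) {
+func (r PodTestRunner) RunTest(ctx context.Context, test v1alpha3.TestConfiguration, podSec bool) (*v1alpha3.TestStatus, error) {
 
 // Create a Pod to run the test
 podDef := getPodDefinition(r.configMapName, test, r)
+if podSec {
+secCtx := v1.PodSecurityContext{}
+secCtx.RunAsNonRoot = &podSec
+secCtx.SeccompProfile = &v1.SeccompProfile{
+Type: v1.SeccompProfileTypeRuntimeDefault,
+}
+
+podDef.Spec.SecurityContext = &secCtx
+}
 
 if test.Storage.Spec.MountPath.Path != "" {
 addStorageToPod(podDef, test.Storage.Spec.MountPath.Path, r.StorageImage)
@@ -248,7 +259,7 @@ func (r PodTestRunner) RunTest(ctx context.Context, test v1alpha3.TestConfigurat
 }
 
 // RunTest executes a single test
-func (r FakeTestRunner) RunTest(ctx context.Context, test v1alpha3.TestConfiguration) (result *v1alpha3.TestStatus, err error) {
+func (r FakeTestRunner) RunTest(ctx context.Context, test v1alpha3.TestConfiguration, podSec bool) (result *v1alpha3.TestStatus, err error) {
 select {
 case <-time.After(r.Sleep):
 return r.TestStatus, r.Error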
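Review bot: The pod-level SecurityContext set in the RunTest hunk (RunAsNonRoot plus a RuntimeDefault seccomp profile) does not satisfy the Kubernetes `restricted` Pod Security Standard, which also requires `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]` on every container; those are container-level `SecurityContext` fields the hunk never sets, so a namespace enforcing `restricted` would still reject the test pod. The rewrite below applies them to each container in podDef (merge instead of overwrite if getPodDefinition already sets one — its body is not visible), and containers added by addStorageToPod on the next line presumably need the same, which that function would have to handle. Two smaller points: `RunAsNonRoot: true` without `RunAsUser` relies on the test image declaring a non-root USER or the kubelet refuses to start it, which deserves a comment, and `PodTestRunner.PodSecurity` is added but nothing in this diff reads it since the value arrives as the `podSec` parameter. RunTest continues beyond the hunk.
```go
	podDef := getPodDefinition(r.configMapName, test, r)
	if podSec {
		runAsNonRoot := true
		allowPrivEsc := false
		// Pod-level part of the "restricted" Pod Security Standard. RunAsNonRoot
		// requires the test image to declare a non-root USER (or a RunAsUser here).
		podDef.Spec.SecurityContext = &v1.PodSecurityContext{
			RunAsNonRoot: &runAsNonRoot,
			SeccompProfile: &v1.SeccompProfile{
				Type: v1.SeccompProfileTypeRuntimeDefault,
			},
		}
		// Container-level part: these fields do not exist on PodSecurityContext.
		for i := range podDef.Spec.Containers {
			podDef.Spec.Containers[i].SecurityContext = &v1.SecurityContext{
				AllowPrivilegeEscalation: &allowPrivEsc,
				Capabilities:             &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
			}
		}
	}
	// … unchanged: storage mount handling and pod creation …
```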

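--- a/website/content/en/docs/cli/operator-sdk_scorecard.md
+++ b/website/content/en/docs/cli/operator-sdk_scorecard.md
@@ -24,6 +24,7 @@ operator-sdk scorecard [flags]
 -L, --list Option to enable listing which tests are run
 -n, --namespace string namespace to run the test images in
 -o, --output string Output format for results. Valid values: text, json, xunit (default "text")
+--pod-security string option to run scorecard with legacy pod security context (default "legacy")
 -l, --selector string label selector to determine which tests are run
 -s, --service-account string Service account to use for tests (default "default")
 -x, --skip-cleanup Disable resource cleanup after tests are run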
