Skip to content

Commit

Permalink
Added one more test for bug 2180732
Browse files Browse the repository at this point in the history 
Signed-off-by: Shivam Durgbuns <[email protected]>
  • Loading branch information
@shivamdurgbuns
shivamdurgbuns committed Jun 14, 2024
1 parent 9124dc2 commit 8002f42
Showing 1 changed file with 53 additions and 9 deletions.
62 changes: 53 additions & 9 deletions tests/internal/test_secrets_on_pods.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,18 +17,15 @@
EXPECTED_NAMES = {"rook-ceph-config", "rook-ceph-mon", "ocs-kms-token"}


class TestSecretsinEnvVariables(ManageTest):
class TestSecretsAndSecurityContext(ManageTest):
@tier1
@bugzilla("2171965")
def test_secrets_in_env_variables(self):
"""
Testing if secrets are used in env variables of pods, in a
normal cluster
Testing if secrets are used in env variables of pods
"""
logger.info("Checking pods with security refrence in them.")
cmd = """
oc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name}{end}' -A
"""
cmd = "oc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name}{end}' -A"
output = run_cmd(cmd).strip().split()
logger.info("Checking securityKeyRef in pods")
for i in range(0, len(output), 2):
Expand All @@ -51,19 +48,49 @@ def test_secrets_in_env_variables(self):
else:
break

def checking_securtiyKeyRef(self, data):
@tier1
@bugzilla("2180732")
def test_securityContext_in_Crashcollector(self):
"""
Testing security context of rook-ceph-crash-collector pods, in a
normal cluster
"""
logger.info("Checking security context on rook-ceph-crashcollector pods")
cmd = "oc --namespace=openshift-storage get pods -l app=rook-ceph-crashcollector -o name"
output = run_cmd(cmd).strip().split("\n")
logger.info("Checking securityContext in ceph-crash container")
for pod in output:
data = run_cmd(f"oc --namespace=openshift-storage get {pod} -o yaml")
yaml_data = yaml.safe_load(data)
securityContext = self.checking_securtiyContext_of_cephcrash_container(
yaml_data
)

assert (
securityContext["runAsGroup"] == 167
), f"Security Context key runAsGroup value is not as expected in pod {pod} \
expected value is 167"
assert securityContext[
"runAsNonRoot"
], f"Security Context key runAsNonRoot value is not as expected in pod {pod} \
expected value is True"
assert (
securityContext["runAsUser"] == 167
), f"Security Context key runAsUser value is not as expected in pod {pod} \
expected value is 167"

def checking_securtiyKeyRef(self, yaml_data):
"""
This function takes the data from describe pod and then checks what is the entry
in securityKeyRef of pod.
args:
data: yaml: describe data of the pod
yaml_data: yaml: describe data of the pod
returns:
key, name : list, list : containing list of keys and names in securityKeyRef
"""
key, name = [], []
yaml_data = data
env_data = yaml_data["spec"]["containers"][0]["env"]
for i in env_data:
if "valueFrom" in i.keys():
Expand All @@ -72,3 +99,20 @@ def checking_securtiyKeyRef(self, data):
key.append(item["key"])
name.append(item["name"])
return key, name

def checking_securtiyContext_of_cephcrash_container(self, yaml_data):
"""
This function takes the data from describe pod of rook-ceph-crashcollector and
then checks what is the entry in securityContext of ceph-crash container.
args:
yaml_data: yaml: describe data of the pod
returns:
securityContext: dict: dictonary data of security context
"""
logger.info("Checking the security Context of the container ceph-crash")
container = yaml_data["spec"]["containers"][0]
logger.info(f"checking security context of container {container}")
securityContext = container["securityContext"]
return securityContext

0 comments on commit 8002f42

Please sign in to comment.