diff --git a/tests/internal/test_secrets_on_pods.py b/tests/internal/test_secrets_on_pods.py index b6037c8e3336..cf45a8d6a8cd 100644 --- a/tests/internal/test_secrets_on_pods.py +++ b/tests/internal/test_secrets_on_pods.py @@ -17,18 +17,15 @@ EXPECTED_NAMES = {"rook-ceph-config", "rook-ceph-mon", "ocs-kms-token"} -class TestSecretsinEnvVariables(ManageTest): +class TestSecretsAndSecurityContext(ManageTest): @tier1 @bugzilla("2171965") def test_secrets_in_env_variables(self): """ - Testing if secrets are used in env variables of pods, in a - normal cluster + Testing if secrets are used in env variables of pods """ logger.info("Checking pods with security refrence in them.") - cmd = """ - oc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name}{end}' -A - """ + cmd = "oc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name}{end}' -A" output = run_cmd(cmd).strip().split() logger.info("Checking securityKeyRef in pods") for i in range(0, len(output), 2): @@ -51,19 +48,49 @@ def test_secrets_in_env_variables(self): else: break - def checking_securtiyKeyRef(self, data): + @tier1 + @bugzilla("2180732") + def test_securityContext_in_Crashcollector(self): + """ + Testing security context of rook-ceph-crash-collector pods, in a + normal cluster + """ + logger.info("Checking security context on rook-ceph-crashcollector pods") + cmd = "oc --namespace=openshift-storage get pods -l app=rook-ceph-crashcollector -o name" + output = run_cmd(cmd).strip().split("\n") + logger.info("Checking securityContext in ceph-crash container") + for pod in output: + data = run_cmd(f"oc --namespace=openshift-storage get {pod} -o yaml") + yaml_data = yaml.safe_load(data) + securityContext = self.checking_securtiyContext_of_cephcrash_container( + yaml_data + ) + + assert ( + securityContext["runAsGroup"] == 167 + ), f"Security Context key runAsGroup value is not as expected in pod {pod} \ + expected value is 167" + assert securityContext[ + "runAsNonRoot" + ], f"Security Context key runAsNonRoot value is not as expected in pod {pod} \ + expected value is True" + assert ( + securityContext["runAsUser"] == 167 + ), f"Security Context key runAsUser value is not as expected in pod {pod} \ + expected value is 167" + + def checking_securtiyKeyRef(self, yaml_data): """ This function takes the data from describe pod and then checks what is the entry in securityKeyRef of pod. args: - data: yaml: describe data of the pod + yaml_data: yaml: describe data of the pod returns: key, name : list, list : containing list of keys and names in securityKeyRef """ key, name = [], [] - yaml_data = data env_data = yaml_data["spec"]["containers"][0]["env"] for i in env_data: if "valueFrom" in i.keys(): @@ -72,3 +99,20 @@ def checking_securtiyKeyRef(self, data): key.append(item["key"]) name.append(item["name"]) return key, name + + def checking_securtiyContext_of_cephcrash_container(self, yaml_data): + """ + This function takes the data from describe pod of rook-ceph-crashcollector and + then checks what is the entry in securityContext of ceph-crash container. + + args: + yaml_data: yaml: describe data of the pod + + returns: + securityContext: dict: dictonary data of security context + """ + logger.info("Checking the security Context of the container ceph-crash") + container = yaml_data["spec"]["containers"][0] + logger.info(f"checking security context of container {container}") + securityContext = container["securityContext"] + return securityContext