SAP-archive / karydia

Kubernetes Security Walnut

Move karydia to namespace "karydia" #215

Closed Neumann-Nils closed 4 years ago

Neumann-Nils commented 5 years ago

Description

Move karydia and all its components to the newly created namespace "karydia".

Resolves #196.

Checklist

Before submitting this PR, please make sure:

Neumann-Nils commented 4 years ago

Have trouble with the e2e tests:

go test -v ./tests/e2e/... --server "" --kubeconfig "/Users/d064871/.kube/config"
=== RUN   TestAutomountServiceAccountToken
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount
=== RUN   TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount
--- PASS: TestAutomountServiceAccountToken (37.57s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount (3.61s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount (6.41s)
    --- PASS: TestAutomountServiceAccountToken/defaultServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount (12.49s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountUndefinedAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount (4.36s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-defaultAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount (7.39s)
    --- PASS: TestAutomountServiceAccountToken/dedicatedServiceAccountchange-allAnnotationUndefinedServiceAccountAutomountUndefinedPodAutomount (3.31s)
=== RUN   TestAutomountServiceAccountTokenInDefaultNamespace
--- PASS: TestAutomountServiceAccountTokenInDefaultNamespace (6.14s)
    admission_automount_token_test.go:185: expected is mounted to be false but is true
=== RUN   TestAutomountServiceAccountTokenEditServiceAccount
--- FAIL: TestAutomountServiceAccountTokenEditServiceAccount (0.35s)
    admission_automount_token_test.go:218: failed to update service account: Operation cannot be fulfilled on serviceaccounts "dedicated": the object has been modified; please apply your changes to the latest version and try again
=== RUN   TestAutomountServiceAccountTokenDefaultServiceAccountFromConfig
--- PASS: TestAutomountServiceAccountTokenDefaultServiceAccountFromConfig (7.20s)
=== RUN   TestAutomountServiceAccountTokenDedicatedServiceAccountFromConfig
--- PASS: TestAutomountServiceAccountTokenDedicatedServiceAccountFromConfig (6.31s)
=== RUN   TestSeccompWithNamespaceAnnotationUndefinedProfile
--- PASS: TestSeccompWithNamespaceAnnotationUndefinedProfile (3.40s)
=== RUN   TestSeccompWithNamespaceAnnotationDefinedProfile
--- PASS: TestSeccompWithNamespaceAnnotationDefinedProfile (6.26s)
=== RUN   TestSeccompWithoutNamespaceAnnotationUndefinedProfileFromConfig
--- PASS: TestSeccompWithoutNamespaceAnnotationUndefinedProfileFromConfig (6.36s)
=== RUN   TestSeccompWithNamespaceAnnotationUndefinedProfileFromConfig
--- FAIL: TestSeccompWithNamespaceAnnotationUndefinedProfileFromConfig (1.37s)
    admission_seccomp_test.go:184: failed to create pod: pods "karydia-e2e-test-pod" is forbidden: error looking up service account karydia-e2e-test-kqptg/default: serviceaccount "default" not found
=== RUN   TestSeccompWithoutNamespaceAnnotationDefinedProfile
--- FAIL: TestSeccompWithoutNamespaceAnnotationDefinedProfile (2.04s)
    admission_seccomp_test.go:228: failed to create pod: pods "karydia-e2e-test-pod" is forbidden: error looking up service account karydia-e2e-test-wb8lj/default: serviceaccount "default" not found
=== RUN   TestSecurityContextWithNamespaceAnnotationUndefinedContext
--- FAIL: TestSecurityContextWithNamespaceAnnotationUndefinedContext (1.21s)
    admission_security_context_test.go:55: failed to create pod: pods "karydia-e2e-test-pod" is forbidden: error looking up service account karydia-e2e-test-gj59c/default: serviceaccount "default" not found
=== RUN   TestSecurityContextWithNamespaceAnnotationDefinedContext
--- PASS: TestSecurityContextWithNamespaceAnnotationDefinedContext (8.68s)
=== RUN   TestSecurityContextWithoutNamespaceAnnotationUndefinedContextFromConfig
--- PASS: TestSecurityContextWithoutNamespaceAnnotationUndefinedContextFromConfig (3.53s)
=== RUN   TestNetworkPolicyLevel1
--- PASS: TestNetworkPolicyLevel1 (43.74s)
=== RUN   TestCreateKarydiaNetworkPolicyForNewNamespace
--- PASS: TestCreateKarydiaNetworkPolicyForNewNamespace (3.69s)
=== RUN   TestCreateKarydiaNetworkPolicyForAnnotatedNamespace
--- PASS: TestCreateKarydiaNetworkPolicyForAnnotatedNamespace (0.64s)
=== RUN   TestCreateNamespaceAndUpdateWithAnnotation
--- PASS: TestCreateNamespaceAndUpdateWithAnnotation (0.85s)
=== RUN   TestGetKarydiaNetworkPolicyForExcludedNamespace
--- PASS: TestGetKarydiaNetworkPolicyForExcludedNamespace (0.02s)
FAIL
FAIL    github.com/karydia/karydia/tests/e2e    142.026s
?       github.com/karydia/karydia/tests/e2e/framework  [no test files]
make: *** [e2e-test] Error 1

The first error has already been looked into. What about the problems with the service account "default" not being found?

Neumann-Nils commented 4 years ago

I added a workaround that waits for the "default" service account in these specific cases. However, we should take a deeper look at how we want to approach these kinds of problems (put into a separate issue, #221).
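The workaround mentioned in the last comment, as an added example that is not part of karydia or this PR: a bounded wait for the namespace's "default" service account before a pod is created (kube-controller-manager creates that account asynchronously, and the ServiceAccount admission plugin rejects the pod until it exists, which is the "forbidden ... serviceaccount "default" not found" error in the log), plus a re-read-and-retry loop for the "object has been modified" conflict seen in the same run. The API client is abstracted behind a small interface and exercised against a constructed in-memory fake so it runs without a cluster; the `SAClient`/`fakeSAClient` names, the error values, the `Demo` scenario and its counts are all this example's own assumptions, not karydia's e2e framework.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Constructed stand-ins for the two API errors in the log; client-go reports them via apierrors.IsNotFound / IsConflict.
var ErrNotFound = errors.New("serviceaccount not found")
var ErrConflict = errors.New("the object has been modified; please apply your changes to the latest version and try again")
// ServiceAccount is a minimal stand-in for corev1.ServiceAccount.
type ServiceAccount struct {
	Namespace, Name              string
	AutomountServiceAccountToken *bool
}
// SAClient is the slice of the API the tests need; a real one would wrap clientset.CoreV1().ServiceAccounts(ns).
type SAClient interface {
	Get(ctx context.Context, ns, name string) (*ServiceAccount, error)
	Update(ctx context.Context, sa *ServiceAccount) (*ServiceAccount, error)
}

// WaitForServiceAccount polls until ns/name exists or ctx expires: kube-controller-manager creates the "default"
// ServiceAccount of a new namespace asynchronously, and the admission plugin rejects pods until it exists.
func WaitForServiceAccount(ctx context.Context, c SAClient, ns, name string, interval time.Duration) (*ServiceAccount, error) {
	for {
		sa, err := c.Get(ctx, ns, name)
		if err == nil || !errors.Is(err, ErrNotFound) {
			return sa, err // found, or a real error that waiting would not fix
		}
		select {
		case <-ctx.Done():
			return nil, fmt.Errorf("waiting for serviceaccount %s/%s: %w", ns, name, ctx.Err())
		case <-time.After(interval):
		}
	}
}

// UpdateWithRetry re-reads the object and re-applies mutate after each resourceVersion conflict, which is
// what the API server's message asks for; maxAttempts keeps a permanently contended object from spinning.
func UpdateWithRetry(ctx context.Context, c SAClient, ns, name string, maxAttempts int, mutate func(*ServiceAccount)) (*ServiceAccount, error) {
	for i := 0; i < maxAttempts; i++ {
		sa, err := c.Get(ctx, ns, name)
		if err != nil {
			return nil, err
		}
		mutate(sa)
		updated, err := c.Update(ctx, sa)
		if err == nil || !errors.Is(err, ErrConflict) {
			return updated, err // success, or a non-conflict error that must not be hidden
		}
	}
	return nil, fmt.Errorf("giving up after %d attempts: %w", maxAttempts, ErrConflict)
}

// fakeSAClient is a constructed in-memory API server: "default" appears once createAfter Gets have
// happened, and conflictsLeft injects that many racing writes before an Update goes through.
type fakeSAClient struct {
	objs                             map[string]*ServiceAccount
	gets, createAfter, conflictsLeft int
}

func (f *fakeSAClient) Get(_ context.Context, ns, name string) (*ServiceAccount, error) {
	f.gets++
	k := ns + "/" + name
	if name == "default" && f.gets >= f.createAfter && f.objs[k] == nil {
		f.objs[k] = &ServiceAccount{Namespace: ns, Name: name} // the controller finally created it
	}
	if f.objs[k] == nil {
		return nil, ErrNotFound
	}
	cp := *f.objs[k] // hand out a copy, as a real client decodes a fresh object
	return &cp, nil
}

func (f *fakeSAClient) Update(_ context.Context, sa *ServiceAccount) (*ServiceAccount, error) {
	if f.conflictsLeft > 0 { // a racing writer bumped resourceVersion since our Get
		f.conflictsLeft--
		return nil, ErrConflict
	}
	f.objs[sa.Namespace+"/"+sa.Name] = sa
	return sa, nil
}

// Demo replays both failures from the log ("default" appears on the third Get, the first two Updates lose
// a race) and returns how many Gets were needed plus the automount flag finally stored.
func Demo() (int, bool, error) {
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()
	c := &fakeSAClient{objs: map[string]*ServiceAccount{}, createAfter: 3, conflictsLeft: 2}
	// "karydia-e2e-test-kqptg" is one of the namespace names from the log above
	if _, err := WaitForServiceAccount(ctx, c, "karydia-e2e-test-kqptg", "default", 10*time.Millisecond); err != nil {
		return c.gets, false, err
	}
	off := false
	sa, err := UpdateWithRetry(ctx, c, "karydia-e2e-test-kqptg", "default", 5, func(s *ServiceAccount) { s.AutomountServiceAccountToken = &off })
	if err != nil {
		return c.gets, false, err
	}
	return c.gets, *sa.AutomountServiceAccountToken, nil
}
```

Against a real cluster, `SAClient` would be implemented over `clientset.CoreV1().ServiceAccounts(ns)` with the errors mapped through `apierrors.IsNotFound` and `apierrors.IsConflict`; client-go also ships `retry.RetryOnConflict` in `k8s.io/client-go/util/retry`, which is the upstream version of the second loop. The important property in both loops is that only the one transient error is retried and everything else, including the context deadline, surfaces immediately, so a genuinely missing account or a broken RBAC binding does not turn into a silent timeout.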