From 97f1cc67933bd41db9f2a58867aea62ae911fdae Mon Sep 17 00:00:00 2001
From: "James (Anh-Tu) Nguyen"
Date: Fri, 11 Nov 2022 09:40:31 -0800
Subject: [PATCH] Disable PodSecurityPolicy when global.enablePodSecurityPolicies set to false (#1693)
---
 ...yption-autogenerate-podsecuritypolicy.yaml | 2 +-
 .../partition-init-podsecuritypolicy.yaml | 2 +-
 ...yption-autogenerate-podsecuritypolicy.bats | 21 ++++++-
 .../partition-init-podsecuritypolicy.bats | 60 +++++++++++++++++--
 4 files changed, 78 insertions(+), 7 deletions(-)
diff --git a/charts/consul/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml b/charts/consul/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml
index 707ebe57c9..209b3aa343 100644
--- a/charts/consul/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml
+++ b/charts/consul/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.global.gossipEncryption.autoGenerate }}
+{{- if and .Values.global.gossipEncryption.autoGenerate .Values.global.enablePodSecurityPolicies }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
diff --git a/charts/consul/templates/partition-init-podsecuritypolicy.yaml b/charts/consul/templates/partition-init-podsecuritypolicy.yaml
index 8590a691dd..2bc6782394 100644
--- a/charts/consul/templates/partition-init-podsecuritypolicy.yaml
+++ b/charts/consul/templates/partition-init-podsecuritypolicy.yaml
@@ -1,5 +1,5 @@
 {{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
-{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }}
+{{- if (and .Values.global.adminPartitions.enabled .Values.global.enablePodSecurityPolicies (not $serverEnabled)) }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
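Review bot: The new gate on `.Values.global.enablePodSecurityPolicies` in this hunk, and the matching one in the partition-init template hunk that follows it, is undocumented in the templates themselves, so a maintainer reading either file sees the PSP vanish from the render with no stated reason; the commit title gives the intent, but nothing in the template does. Neither hunk shows the chart default for the value, so whether a plain `helm template` now omits these PodSecurityPolicy objects is presumably decided elsewhere in values.yaml and should be confirmed. A one-line template comment above each new condition would record it: `{{- /* PSP objects are rendered only when global.enablePodSecurityPolicies is true; leave it false on clusters that do not serve policy/v1beta1 PodSecurityPolicy. */ -}}`.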
diff --git a/charts/consul/test/unit/gossip-encryption-autogenerate-podsecuritypolicy.bats b/charts/consul/test/unit/gossip-encryption-autogenerate-podsecuritypolicy.bats
index 810147bed3..3ee4f4058a 100644
--- a/charts/consul/test/unit/gossip-encryption-autogenerate-podsecuritypolicy.bats
+++ b/charts/consul/test/unit/gossip-encryption-autogenerate-podsecuritypolicy.bats
@@ -17,11 +17,30 @@ load _helpers
 .
 }
-@test "gossipEncryptionAutogenerate/PodSecurityPolicy: enabled with global.gossipEncryption.autoGenerate=true" {
+@test "gossipEncryptionAutogenerate/PodSecurityPolicy: disabled with global.gossipEncryption.autoGenerate=true and global.enablePodSecurityPolicies=false" {
+ cd `chart_dir`
+ assert_empty helm template \
+ -s templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml \
+ --set 'global.gossipEncryption.autoGenerate=true' \
+ --set 'global.enablePodSecurityPolicies=false' \
+ .
+}
+
+@test "gossipEncryptionAutogenerate/PodSecurityPolicy: disabled with global.gossipEncryption.autoGenerate=false and global.enablePodSecurityPolicies=true" {
+ cd `chart_dir`
+ assert_empty helm template \
+ -s templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml \
+ --set 'global.gossipEncryption.autoGenerate=false' \
+ --set 'global.enablePodSecurityPolicies=true' \
+ .
+}
+
+@test "gossipEncryptionAutogenerate/PodSecurityPolicy: enabled with global.gossipEncryption.autoGenerate=true and global.enablePodSecurityPolicies=true" {
 cd `chart_dir`
 local actual=$(helm template \
 -s templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml \
 --set 'global.gossipEncryption.autoGenerate=true' \
+ --set 'global.enablePodSecurityPolicies=true' \
 . | tee /dev/stderr | yq -s 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
diff --git a/charts/consul/test/unit/partition-init-podsecuritypolicy.bats b/charts/consul/test/unit/partition-init-podsecuritypolicy.bats
index d00c915f6e..c7d4ce4ddd 100644
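Review bot: Every case left in this hunk sets `global.enablePodSecurityPolicies` explicitly, and the test removed at its top was the only one that rendered the gossip-encryption PSP with the chart default, so the default behaviour of the new gate is no longer covered. If the default is meant to be false, as the commit title suggests but the hunk does not show, keep one case that passes only `--set 'global.gossipEncryption.autoGenerate=true'` and asserts with `assert_empty`, so a later change to the default is caught here rather than at deploy time. The three cases also repeat the same `helm template` invocation verbatim; that is consistent with the surrounding file style, so only the missing default case is worth acting on.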
--- a/charts/consul/test/unit/partition-init-podsecuritypolicy.bats
+++ b/charts/consul/test/unit/partition-init-podsecuritypolicy.bats
@@ -9,40 +9,92 @@ load _helpers
 .
 }
-@test "partitionInit/PodSecurityPolicy: enabled with global.adminPartitions.enabled=true and servers = false" {
+@test "partitionInit/PodSecurityPolicy: enabled with global.adminPartitions.enabled=true and global.enablePodSecurityPolicies=true and server.enabled=false" {
 cd `chart_dir`
 local actual=$(helm template \
 -s templates/partition-init-podsecuritypolicy.yaml \
 --set 'global.adminPartitions.enabled=true' \
+ --set 'global.enableConsulNamespaces=true' \
+ --set 'global.enablePodSecurityPolicies=true' \
 --set 'server.enabled=false' \
 . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
-@test "partitionInit/PodSecurityPolicy: disabled with global.adminPartitions.enabled=true and servers = true" {
+@test "partitionInit/PodSecurityPolicy: disabled with global.adminPartitions.enabled=true and global.enablePodSecurityPolicies=false and server.enabled=false" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/partition-init-podsecuritypolicy.yaml \
 --set 'global.adminPartitions.enabled=true' \
+ --set 'global.enableConsulNamespaces=true' \
+ --set 'global.enablePodSecurityPolicies=false' \
+ --set 'server.enabled=false' \
+ .
+}
+
+@test "partitionInit/PodSecurityPolicy: disabled with global.adminPartitions.enabled=true and global.enablePodSecurityPolicies=true and servers = true" {
+ cd `chart_dir`
+ assert_empty helm template \
+ -s templates/partition-init-podsecuritypolicy.yaml \
+ --set 'global.adminPartitions.enabled=true' \
+ --set 'global.enableConsulNamespaces=true' \
+ --set 'global.enablePodSecurityPolicies=true' \
+ --set 'server.enabled=true' \
+ .
+}
+
+@test "partitionInit/PodSecurityPolicy: disabled with global.adminPartitions.enabled=true and global.enablePodSecurityPolicies=false and servers = true" {
+ cd `chart_dir`
+ assert_empty helm template \
+ -s templates/partition-init-podsecuritypolicy.yaml \
+ --set 'global.adminPartitions.enabled=true' \
+ --set 'global.enableConsulNamespaces=true' \
+ --set 'global.enablePodSecurityPolicies=false' \
 --set 'server.enabled=true' \
 .
 }
-@test "partitionInit/PodSecurityPolicy: disabled with global.adminPartitions.enabled=true and global.enabled = true" {
+@test "partitionInit/PodSecurityPolicy: disabled with global.adminPartitions.enabled=true and global.enablePodSecurityPolicies=true and global.enabled = true" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/partition-init-podsecuritypolicy.yaml \
 --set 'global.adminPartitions.enabled=true' \
+ --set 'global.enableConsulNamespaces=true' \
+ --set 'global.enablePodSecurityPolicies=true' \
 --set 'global.enabled=true' \
 .
 }
-@test "partitionInit/PodSecurityPolicy: disabled with global.adminPartitions.enabled=false" {
+@test "partitionInit/PodSecurityPolicy: disabled with global.adminPartitions.enabled=true and global.enablePodSecurityPolicies=false and global.enabled = true" {
+ cd `chart_dir`
+ assert_empty helm template \
+ -s templates/partition-init-podsecuritypolicy.yaml \
+ --set 'global.adminPartitions.enabled=true' \
+ --set 'global.enableConsulNamespaces=true' \
+ --set 'global.enablePodSecurityPolicies=false' \
+ --set 'global.enabled=true' \
+ .
+}
+
+@test "partitionInit/PodSecurityPolicy: disabled with global.adminPartitions.enabled=false and global.enablePodSecurityPolicies=true" {
+ cd `chart_dir`
+ assert_empty helm template \
+ -s templates/partition-init-podsecuritypolicy.yaml \
+ --set 'global.adminPartitions.enabled=true' \
+ --set 'global.enableConsulNamespaces=true' \
+ --set 'global.enablePodSecurityPolicies=true' \
+ --set 'server.enabled=true' \
+ .
+}
+
+@test "partitionInit/PodSecurityPolicy: disabled with global.adminPartitions.enabled=false and global.enablePodSecurityPolicies=false" {
 cd `chart_dir`
 assert_empty helm template \
 -s templates/partition-init-podsecuritypolicy.yaml \
 --set 'global.adminPartitions.enabled=true' \
+ --set 'global.enableConsulNamespaces=true' \
+ --set 'global.enablePodSecurityPolicies=false' \
 --set 'server.enabled=true' \
 .
 }
\ No newline at end of file
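Review bot: The last two tests in this hunk are titled `disabled with global.adminPartitions.enabled=false and global.enablePodSecurityPolicies=true` and `...=false`, but both bodies pass `--set 'global.adminPartitions.enabled=true'` together with `server.enabled=true`, so they are byte-for-byte duplicates of the two `servers = true` cases earlier in the hunk and the partitions-disabled branch of the template is never rendered. The test that was removed carried the same mismatch in its unchanged context lines, so this predates the commit, but the new copies repeat it rather than fix it; change the value in both to `--set 'global.adminPartitions.enabled=false'` and drop the `server.enabled` line, since with partitions off the template should render nothing regardless of the server setting. Every case in the hunk also gains `--set 'global.enableConsulNamespaces=true'`, and nothing in the patched templates shows why it is needed, so a brief comment on the first test stating the reason would spare the next reader a search.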