From 702ab9772236ac84140abb1c11a27f6866a3a637 Mon Sep 17 00:00:00 2001
From: Tim Allclair
Date: Tue, 24 May 2022 16:10:11 -0700
Subject: [PATCH] Run common pod E2Es as restricted
---
 test/e2e/common/node/pods.go | 96 ++++++++++++++++++------------------
 1 file changed, 49 insertions(+), 47 deletions(-)
diff --git a/test/e2e/common/node/pods.go b/test/e2e/common/node/pods.go
index 5e5b1f4f9e1..c3c90954085 100644
--- a/test/e2e/common/node/pods.go
+++ b/test/e2e/common/node/pods.go
@@ -184,7 +184,7 @@ func expectNoErrorWithRetries(fn func() error, maxRetries int, explain ...interf
 var _ = SIGDescribe("Pods", func() {
 f := framework.NewDefaultFramework("pods")
- f.NamespacePodSecurityEnforceLevel = admissionapi.LevelBaseline
+ f.NamespacePodSecurityEnforceLevel = admissionapi.LevelRestricted
 var podClient *framework.PodClient
 var dc dynamic.Interface
@@ -200,7 +200,7 @@ var _ = SIGDescribe("Pods", func() {
 */
 framework.ConformanceIt("should get a host IP [NodeConformance]", func() {
 name := "pod-hostip-" + string(uuid.NewUUID())
- testHostIP(podClient, &v1.Pod{
+ testHostIP(podClient, e2epod.MustMixinRestrictedPodSecurity(&v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
 },
@@ -212,7 +212,7 @@ var _ = SIGDescribe("Pods", func() {
 },
 },
 },
- })
+ }))
 })
 /*
@@ -224,7 +224,7 @@ var _ = SIGDescribe("Pods", func() {
 ginkgo.By("creating the pod")
 name := "pod-submit-remove-" + string(uuid.NewUUID())
 value := strconv.Itoa(time.Now().Nanosecond())
- pod := &v1.Pod{
+ pod := e2epod.MustMixinRestrictedPodSecurity(&v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
 Labels: map[string]string{
@@ -235,12 +235,12 @@ var _ = SIGDescribe("Pods", func() {
 Spec: v1.PodSpec{
 Containers: []v1.Container{
 {
- Name: "nginx",
- Image: imageutils.GetE2EImage(imageutils.Nginx),
+ Name: "pause",
+ Image: imageutils.GetPauseImageName(),
 },
 },
 },
- }
+ })
 ginkgo.By("setting up watch")
 selector := labels.SelectorFromSet(labels.Set(map[string]string{"time": value}))
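Review bot: Raising `f.NamespacePodSecurityEnforceLevel` to `admissionapi.LevelRestricted` in the first hunk means admission now rejects any pod in the test namespace that lacks the restricted security context, so the patch is only complete if every pod created under this `SIGDescribe` passes through `e2epod.MustMixinRestrictedPodSecurity`. The hunks wrap every pod literal visible here, and `testHostIP` and `startPodAndGetBackOffs` receive their pod from the caller, but a helper elsewhere in the file that builds its own pod object would now fail at creation instead of at its assertion, which is worth a grep before merging. The mixin is repeated verbatim at every literal (this hunk through the ones at -770, -843 and -903); a small file-local builder taking the name, labels and container and returning the mixed-in `*v1.Pod` would remove that repetition and make it impossible to forget at the next new test. The enclosing `SIGDescribe` body runs past every hunk in the patch.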
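Review bot: The `nginx` to `pause` rename and image swap in the -235 hunk (repeated at -353 and -407) is not motivated anywhere in the patch; presumably the nginx image cannot satisfy the restricted profile's non-root requirement, but a reader of the test has to guess. A short comment above the first swapped container, such as `// pause rather than nginx: the container must run under the restricted Pod Security profile`, would keep that rationale next to the code. Nothing visible in these hunks references the container by its old name, but any later code in the test bodies (outside the hunks) that does would need the same rename.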
@@ -342,7 +342,7 @@ var _ = SIGDescribe("Pods", func() {
 ginkgo.By("creating the pod")
 name := "pod-update-" + string(uuid.NewUUID())
 value := strconv.Itoa(time.Now().Nanosecond())
- pod := &v1.Pod{
+ pod := e2epod.MustMixinRestrictedPodSecurity(&v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
 Labels: map[string]string{
@@ -353,12 +353,12 @@ var _ = SIGDescribe("Pods", func() {
 Spec: v1.PodSpec{
 Containers: []v1.Container{
 {
- Name: "nginx",
- Image: imageutils.GetE2EImage(imageutils.Nginx),
+ Name: "pause",
+ Image: imageutils.GetPauseImageName(),
 },
 },
 },
- }
+ })
 ginkgo.By("submitting the pod to kubernetes")
 pod = podClient.CreateSync(pod)
@@ -396,7 +396,7 @@ var _ = SIGDescribe("Pods", func() {
 ginkgo.By("creating the pod")
 name := "pod-update-activedeadlineseconds-" + string(uuid.NewUUID())
 value := strconv.Itoa(time.Now().Nanosecond())
- pod := &v1.Pod{
+ pod := e2epod.MustMixinRestrictedPodSecurity(&v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
 Labels: map[string]string{
@@ -407,18 +407,18 @@ var _ = SIGDescribe("Pods", func() {
 Spec: v1.PodSpec{
 Containers: []v1.Container{
 {
- Name: "nginx",
- Image: imageutils.GetE2EImage(imageutils.Nginx),
+ Name: "pause",
+ Image: imageutils.GetPauseImageName(),
 },
 },
 },
- }
+ })
 ginkgo.By("submitting the pod to kubernetes")
 podClient.CreateSync(pod)
 ginkgo.By("verifying the pod is in kubernetes")
- selector := labels.SelectorFromSet(labels.Set(map[string]string{"time": value}))
+ selector := labels.SelectorFromSet(labels.Set{"time": value})
 options := metav1.ListOptions{LabelSelector: selector.String()}
 pods, err := podClient.List(context.TODO(), options)
 framework.ExpectNoError(err, "failed to query for pods")
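Review bot: The rewrite to `labels.SelectorFromSet(labels.Set{"time": value})` in the -407 hunk is unrelated to the Pod Security change, and the identical expression in the -235 hunk keeps the long `labels.Set(map[string]string{...})` form, so the file now mixes both spellings. Either apply the shorter form at both sites or leave it out of this patch; if it stays, the matching one-liner for the earlier site is `selector := labels.SelectorFromSet(labels.Set{"time": value})`.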
@@ -442,7 +442,7 @@ var _ = SIGDescribe("Pods", func() {
 // Make a pod that will be a service.
 // This pod serves its hostname via HTTP.
 serverName := "server-envvars-" + string(uuid.NewUUID())
- serverPod := &v1.Pod{
+ serverPod := e2epod.MustMixinRestrictedPodSecurity(&v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: serverName,
 Labels: map[string]string{"name": serverName},
@@ -456,7 +456,7 @@ var _ = SIGDescribe("Pods", func() {
 },
 },
 },
- }
+ })
 podClient.CreateSync(serverPod)
 // This service exposes port 8080 of the test pod as a service on port 8765
@@ -490,7 +490,7 @@ var _ = SIGDescribe("Pods", func() {
 // Make a client pod that verifies that it has the service environment variables.
 podName := "client-envvars-" + string(uuid.NewUUID())
 const containerName = "env3cont"
- pod := &v1.Pod{
+ pod := e2epod.MustMixinRestrictedPodSecurity(&v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: podName,
 Labels: map[string]string{"name": podName},
@@ -505,7 +505,7 @@ var _ = SIGDescribe("Pods", func() {
 },
 RestartPolicy: v1.RestartPolicyNever,
 },
- }
+ })
 // It's possible for the Pod to be created before the Kubelet is updated with the new
 // service. In that case, we just retry.
@@ -536,7 +536,7 @@ var _ = SIGDescribe("Pods", func() {
 ginkgo.By("creating the pod")
 name := "pod-exec-websocket-" + string(uuid.NewUUID())
- pod := &v1.Pod{
+ pod := e2epod.MustMixinRestrictedPodSecurity(&v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
 },
@@ -549,7 +549,7 @@ var _ = SIGDescribe("Pods", func() {
 },
 },
 },
- }
+ })
 ginkgo.By("submitting the pod to kubernetes")
 pod = podClient.CreateSync(pod)
@@ -618,7 +618,7 @@ var _ = SIGDescribe("Pods", func() {
 ginkgo.By("creating the pod")
 name := "pod-logs-websocket-" + string(uuid.NewUUID())
- pod := &v1.Pod{
+ pod := e2epod.MustMixinRestrictedPodSecurity(&v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
 },
@@ -631,7 +631,7 @@ var _ = SIGDescribe("Pods", func() {
 },
 },
 },
- }
+ })
 ginkgo.By("submitting the pod to kubernetes")
 podClient.CreateSync(pod)
@@ -673,7 +673,7 @@ var _ = SIGDescribe("Pods", func() {
 ginkgo.It("should have their auto-restart back-off timer reset on image update [Slow][NodeConformance]", func() {
 podName := "pod-back-off-image"
 containerName := "back-off"
- pod := &v1.Pod{
+ pod := e2epod.MustMixinRestrictedPodSecurity(&v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: podName,
 Labels: map[string]string{"test": "back-off-image"},
@@ -687,7 +687,7 @@ var _ = SIGDescribe("Pods", func() {
 },
 },
 },
- }
+ })
 delay1, delay2 := startPodAndGetBackOffs(podClient, pod, buildBackOffDuration)
@@ -714,7 +714,7 @@ var _ = SIGDescribe("Pods", func() {
 ginkgo.It("should cap back-off at MaxContainerBackOff [Slow][NodeConformance]", func() {
 podName := "back-off-cap"
 containerName := "back-off-cap"
- pod := &v1.Pod{
+ pod := e2epod.MustMixinRestrictedPodSecurity(&v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: podName,
 Labels: map[string]string{"test": "liveness"},
@@ -728,7 +728,7 @@ var _ = SIGDescribe("Pods", func() {
 },
 },
 },
- }
+ })
 podClient.CreateSync(pod)
 time.Sleep(2 * kubelet.MaxContainerBackOff) // it takes slightly more than 2*x to get to a back-off of x
@@ -770,7 +770,7 @@ var _ = SIGDescribe("Pods", func() {
 readinessGate1 := "k8s.io/test-condition1"
 readinessGate2 := "k8s.io/test-condition2"
 patchStatusFmt := `{"status":{"conditions":[{"type":%q, "status":%q}]}}`
- pod := &v1.Pod{
+ pod := e2epod.MustMixinRestrictedPodSecurity(&v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: podName,
 Labels: map[string]string{"test": "pod-readiness-gate"},
@@ -788,7 +788,7 @@ var _ = SIGDescribe("Pods", func() {
 {ConditionType: v1.PodConditionType(readinessGate2)},
 },
 },
- }
+ })
 validatePodReadiness := func(expectReady bool) {
 err := wait.Poll(time.Second, time.Minute, func() (bool, error) {
@@ -843,20 +843,22 @@ var _ = SIGDescribe("Pods", func() {
 ginkgo.By("Create set of pods")
 // create a set of pods in test namespace
 for _, podTestName := range podTestNames {
- _, err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).Create(context.TODO(), &v1.Pod{
- ObjectMeta: metav1.ObjectMeta{
- Name: podTestName,
- Labels: map[string]string{
- "type": "Testing"},
- },
- Spec: v1.PodSpec{
- TerminationGracePeriodSeconds: &one,
- Containers: []v1.Container{{
- Image: imageutils.GetE2EImage(imageutils.Agnhost),
- Name: "token-test",
- }},
- RestartPolicy: v1.RestartPolicyNever,
- }}, metav1.CreateOptions{})
+ _, err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).Create(context.TODO(),
+ e2epod.MustMixinRestrictedPodSecurity(&v1.Pod{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: podTestName,
+ Labels: map[string]string{
+ "type": "Testing",
+ },
+ },
+ Spec: v1.PodSpec{
+ TerminationGracePeriodSeconds: &one,
+ Containers: []v1.Container{{
+ Image: imageutils.GetE2EImage(imageutils.Agnhost),
+ Name: "token-test",
+ }},
+ RestartPolicy: v1.RestartPolicyNever,
+ }}), metav1.CreateOptions{})
 framework.ExpectNoError(err, "failed to create pod")
 framework.Logf("created %v", podTestName)
 }
@@ -903,7 +905,7 @@ var _ = SIGDescribe("Pods", func() {
 podsList, err := f.ClientSet.CoreV1().Pods("").List(context.TODO(), metav1.ListOptions{LabelSelector: testPodLabelsFlat})
 framework.ExpectNoError(err, "failed to list Pods")
- testPod := v1.Pod{
+ testPod := e2epod.MustMixinRestrictedPodSecurity(&v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: testPodName,
 Labels: testPodLabels,
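Review bot: Nesting the whole `e2epod.MustMixinRestrictedPodSecurity(&v1.Pod{...})` literal inside the `Create(...)` argument list in the -843 hunk leaves the reader to parse `}}), metav1.CreateOptions{})` on the last added line, and it is the only site in the patch that does not bind the pod to a local first. Prefer `pod := e2epod.MustMixinRestrictedPodSecurity(&v1.Pod{` ... `})` followed by `_, err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).Create(context.TODO(), pod, metav1.CreateOptions{})`, which matches the other hunks and keeps the `err` short-declaration on one line. The `for` loop closes inside the hunk, but the enclosing `It` starts before it.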
@@ -917,9 +919,9 @@ var _ = SIGDescribe("Pods", func() {
 },
 },
 },
- }
+ })
 ginkgo.By("creating a Pod with a static label")
- _, err = f.ClientSet.CoreV1().Pods(testNamespaceName).Create(context.TODO(), &testPod, metav1.CreateOptions{})
+ _, err = f.ClientSet.CoreV1().Pods(testNamespaceName).Create(context.TODO(), testPod, metav1.CreateOptions{})
 framework.ExpectNoError(err, "failed to create Pod %v in namespace %v", testPod.ObjectMeta.Name, testNamespaceName)
 ginkgo.By("watching for Pod to be ready")
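Review bot: `testPod` silently changes type here, from the `v1.Pod` value declared in the -903 hunk to whatever pointer `e2epod.MustMixinRestrictedPodSecurity` returns, which is why `&testPod` becomes `testPod` in the `Create` call; every later use of `testPod` in this test body, which continues past the hunk, now sees a pointer. A leftover `&testPod` or a helper expecting a `v1.Pod` value would fail to compile rather than at runtime, so a build of the package is the check to run, and the `ExpectNoError` message on the next line can read `testPod.Name` instead of `testPod.ObjectMeta.Name` via the embedded field.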