test/e2e/framework: add pod security admission configuration

2025-07-21 10:51:29 +00:00 · 2022-01-30 13:36:21 +01:00 · 2022-01-30 13:36:21 +01:00 · e06e6771ef
commit e06e6771ef
parent 6c67869ff2
1 changed files with 25 additions and 5 deletions
--- a/test/e2e/framework/framework.go
+++ b/test/e2e/framework/framework.go
@ -47,6 +47,7 @@ import (
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/restmapper"
 	scaleclient "k8s.io/client-go/scale"
+	admissionapi "k8s.io/pod-security-admission/api"

 	"github.com/onsi/ginkgo"
 	"github.com/onsi/gomega"
@ -83,6 +84,7 @@ type Framework struct {
 	namespacesToDelete               []*v1.Namespace // Some tests have more than one.
 	NamespaceDeletionTimeout         time.Duration
 	SkipPrivilegedPSPBinding         bool               // Whether to skip creating a binding to the privileged PSP in the test namespace
+	NamespacePodSecurityEnforceLevel admissionapi.Level // The pod security enforcement level for namespaces to be applied.

 	gatherer *ContainerResourceGatherer
 	// Constraints that passed to a check which is executed after data is gathered to
@ -521,6 +523,24 @@ func (f *Framework) CreateNamespace(baseName string, labels map[string]string) (
 	if createTestingNS == nil {
 		createTestingNS = CreateTestingNS
 	}
+
+	if labels == nil {
+		labels = make(map[string]string)
+	} else {
+		labelsCopy := make(map[string]string)
+		for k, v := range labels {
+			labelsCopy[k] = v
+		}
+		labels = labelsCopy
+	}
+
+	// TODO(sur): set to restricted before 1.24 test freeze
+	enforceLevel := admissionapi.LevelPrivileged
+	if f.NamespacePodSecurityEnforceLevel != "" {
+		enforceLevel = f.NamespacePodSecurityEnforceLevel
+	}
+	labels[admissionapi.EnforceLevelLabel] = string(enforceLevel)
+
 	ns, err := createTestingNS(baseName, f.ClientSet, labels)
 	// check ns instead of err to see if it's nil as we may
 	// fail to create serviceAccount in it.