e2e framework: allow setting all PSa labels at once

2025-08-08 11:38:15 +00:00 · 2023-05-10 15:25:50 +02:00 · 2023-05-10 15:25:50 +02:00 · e5cbc51d29
commit e5cbc51d29
parent 9e0569f2ed
1 changed files with 21 additions and 5 deletions
--- a/test/e2e/framework/framework.go
+++ b/test/e2e/framework/framework.go
@ -89,6 +89,12 @@ var (
 // Framework supports common operations used by e2e tests; it will keep a client & a namespace for you.
 // Eventual goal is to merge this with integration test framework.
 //
 // You can configure the pod security level for your test by setting the `NamespacePodSecurityLevel`
 // which will set all three of pod security admission enforce, warn and audit labels on the namespace.
 // The default pod security profile is "restricted".
 // Each of the labels can be overridden by using more specific NamespacePodSecurity* attributes of this
 // struct.
 type Framework struct {
 	BaseName string
@ -111,6 +117,9 @@ type Framework struct {
 	namespacesToDelete               []*v1.Namespace // Some tests have more than one.
 	NamespaceDeletionTimeout         time.Duration
 	NamespacePodSecurityEnforceLevel admissionapi.Level // The pod security enforcement level for namespaces to be applied.
 	NamespacePodSecurityWarnLevel    admissionapi.Level // The pod security warn (client logging) level for namespaces to be applied.
 	NamespacePodSecurityAuditLevel   admissionapi.Level // The pod security audit (server logging) level for namespaces to be applied.
 	NamespacePodSecurityLevel        admissionapi.Level // The pod security level to be used for all of enforcement, warn and audit. Can be rewritten by more specific configuration attributes.
 	// Flaky operation failures in an e2e test can be captured through this.
 	flakeReport *FlakeReport
@ -448,11 +457,9 @@ func (f *Framework) CreateNamespace(ctx context.Context, baseName string, labels
 		labels = labelsCopy
 	}
-	enforceLevel := admissionapi.LevelRestricted
+	labels[admissionapi.EnforceLevelLabel] = firstNonEmptyPSaLevelOrRestricted(f.NamespacePodSecurityEnforceLevel, f.NamespacePodSecurityLevel)
-	if f.NamespacePodSecurityEnforceLevel != "" {
+	labels[admissionapi.WarnLevelLabel] = firstNonEmptyPSaLevelOrRestricted(f.NamespacePodSecurityWarnLevel, f.NamespacePodSecurityLevel)
-		enforceLevel = f.NamespacePodSecurityEnforceLevel
+	labels[admissionapi.AuditLevelLabel] = firstNonEmptyPSaLevelOrRestricted(f.NamespacePodSecurityAuditLevel, f.NamespacePodSecurityLevel)
 	}
 	labels[admissionapi.EnforceLevelLabel] = string(enforceLevel)
 	ns, err := createTestingNS(ctx, baseName, f.ClientSet, labels)
 	// check ns instead of err to see if it's nil as we may
@ -481,6 +488,15 @@ func (f *Framework) CreateNamespace(ctx context.Context, baseName string, labels
 	return ns, err
 }
 func firstNonEmptyPSaLevelOrRestricted(levelConfig ...admissionapi.Level) string {
 	for _, l := range levelConfig {
 		if len(l) > 0 {
 			return string(l)
 		}
 	}
 	return string(admissionapi.LevelRestricted)
 }
 // createSecretFromDockerConfig creates a secret using the private image registry credentials.
 // The credentials are provided by --e2e-docker-config-file flag.
 func (f *Framework) createSecretFromDockerConfig(ctx context.Context, namespace string) (*v1.Secret, error) {