From ea2dee651126510bea2499f85443316828436c67 Mon Sep 17 00:00:00 2001 From: Yuedong Wu <57584831+lunarwhite@users.noreply.github.com> Date: Mon, 23 Dec 2024 19:22:53 +0800 Subject: [PATCH] :sparkles: feat: enforce restricted Pod Security Context Compliance in testing (#4435) feat: enforce restricted Pod Security Context Compliance in testing --- .../testdata/project/test/e2e/e2e_test.go | 37 ++++++++++++++++--- .../testdata/project/test/e2e/e2e_test.go | 37 ++++++++++++++++--- .../testdata/project/test/e2e/e2e_test.go | 37 ++++++++++++++++--- docs/book/src/reference/metrics.md | 2 +- .../internal/templates/test/e2e/test.go | 37 ++++++++++++++++--- test/e2e/deployimage/plugin_cluster_test.go | 3 +- test/e2e/utils/test_context.go | 14 +++---- test/e2e/v4/plugin_cluster_test.go | 34 +++++++++++++---- .../test/e2e/e2e_test.go | 37 ++++++++++++++++--- .../test/e2e/e2e_test.go | 37 ++++++++++++++++--- testdata/project-v4/test/e2e/e2e_test.go | 37 ++++++++++++++++--- 11 files changed, 261 insertions(+), 51 deletions(-) diff --git a/docs/book/src/cronjob-tutorial/testdata/project/test/e2e/e2e_test.go b/docs/book/src/cronjob-tutorial/testdata/project/test/e2e/e2e_test.go index edb8ef44a24..2f62944eb8b 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/test/e2e/e2e_test.go +++ b/docs/book/src/cronjob-tutorial/testdata/project/test/e2e/e2e_test.go 
@@ -46,13 +46,20 @@ var _ = Describe("Manager", Ordered, func() { var controllerPodName string // Before running the tests, set up the environment by creating the namespace, - // installing CRDs, and deploying the controller. + // enforce the restricted security policy to the namespace, installing CRDs, + // and deploying the controller. BeforeAll(func() { By("creating manager namespace") cmd := exec.Command("kubectl", "create", "ns", namespace) _, err := utils.Run(cmd) Expect(err).NotTo(HaveOccurred(), "Failed to create namespace") + By("labeling the namespace to enforce the restricted security policy") + cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace, + "pod-security.kubernetes.io/enforce=restricted") + _, err = utils.Run(cmd) + Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy") + By("installing CRDs") cmd = exec.Command("make", "install") _, err = utils.Run(cmd) 
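Review bot: The added `kubectl label` call sets only the `enforce` mode, and Pod Security Admission evaluates enforce on Pod objects rather than on the Deployment template that `make deploy` submits, so a manager manifest that violates the restricted profile is still admitted here and only surfaces later as a controller pod that never appears. Passing the warn mode too, `"pod-security.kubernetes.io/enforce=restricted", "pod-security.kubernetes.io/warn=restricted"`, makes `make deploy` print the `would violate PodSecurity` warning where the problem actually is. The label is unversioned, i.e. `restricted:latest`, so the checks can tighten with the cluster version; add `pod-security.kubernetes.io/enforce-version=<version>` if runs must be reproducible across clusters. The rewritten comment would read better as `// enforcing the restricted security policy on the namespace, installing CRDs,`. The BeforeAll body continues past the end of the hunk.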
@@ -209,10 +216,30 @@ var _ = Describe("Manager", Ordered, func() { By("creating the curl-metrics pod to access the metrics endpoint") cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never", "--namespace", namespace, - "--image=curlimages/curl:7.78.0", - "--", "/bin/sh", "-c", fmt.Sprintf( - "curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics", - token, metricsServiceName, namespace)) + "--image=curlimages/curl:latest", + "--overrides", + fmt.Sprintf(`{ + "spec": { + "containers": [{ + "name": "curl", + "image": "curlimages/curl:latest", + "command": ["/bin/sh", "-c"], + "args": ["curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics"], + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": ["ALL"] + }, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + } + }], + "serviceAccount": "%s" + } + }`, token, metricsServiceName, namespace, serviceAccountName)) _, err = utils.Run(cmd) Expect(err).NotTo(HaveOccurred(), "Failed to create curl-metrics pod") diff --git a/docs/book/src/getting-started/testdata/project/test/e2e/e2e_test.go b/docs/book/src/getting-started/testdata/project/test/e2e/e2e_test.go index 18d160e7477..5ad652b101c 100644 --- a/docs/book/src/getting-started/testdata/project/test/e2e/e2e_test.go +++ b/docs/book/src/getting-started/testdata/project/test/e2e/e2e_test.go 
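Review bot: `--image=curlimages/curl:latest`, repeated inside the overrides JSON, replaces the pinned `7.78.0`, so each run pulls whatever the registry currently serves as `latest` and the test is no longer reproducible; pin a specific tag or `@sha256:` digest and bump it deliberately. The overrides also use `"serviceAccount"`, the deprecated alias of `serviceAccountName` that the API server still defaults across, while `"serviceAccountName": "%s"` is the supported field. Since the pod now runs under that service account its token is auto-mounted, so — if `token`, created outside the hunk, is that account's token — the bearer value no longer needs to be baked into the command line, where anyone who can read pods in the namespace sees it in `kubectl get pod -o yaml`; otherwise `"automountServiceAccountToken": false` keeps the pod from carrying a credential it does not use. The `It` block this sits in starts and ends outside the hunk.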
@@ -46,13 +46,20 @@ var _ = Describe("Manager", Ordered, func() { var controllerPodName string // Before running the tests, set up the environment by creating the namespace, - // installing CRDs, and deploying the controller. + // enforce the restricted security policy to the namespace, installing CRDs, + // and deploying the controller. BeforeAll(func() { By("creating manager namespace") cmd := exec.Command("kubectl", "create", "ns", namespace) _, err := utils.Run(cmd) Expect(err).NotTo(HaveOccurred(), "Failed to create namespace") + By("labeling the namespace to enforce the restricted security policy") + cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace, + "pod-security.kubernetes.io/enforce=restricted") + _, err = utils.Run(cmd) + Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy") + By("installing CRDs") cmd = exec.Command("make", "install") _, err = utils.Run(cmd) 
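Review bot: The label applied after namespace creation is unversioned, so `enforce=restricted` resolves to `restricted:latest` and the set of checks follows whichever cluster version the test happens to run on; if the generated test should behave identically everywhere, pass `"pod-security.kubernetes.io/enforce-version=<version>"` alongside. Enforce is also only evaluated on Pods, so a manager Deployment with a non-compliant template is accepted by `make deploy` and the failure surfaces later when the controller pod is awaited (that check is outside this hunk); adding `"pod-security.kubernetes.io/warn=restricted"` gets the admission message printed at deploy time. The comment line should read `// enforcing the restricted security policy on the namespace, installing CRDs,`. BeforeAll continues past the hunk.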
@@ -209,10 +216,30 @@ var _ = Describe("Manager", Ordered, func() { By("creating the curl-metrics pod to access the metrics endpoint") cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never", "--namespace", namespace, - "--image=curlimages/curl:7.78.0", - "--", "/bin/sh", "-c", fmt.Sprintf( - "curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics", - token, metricsServiceName, namespace)) + "--image=curlimages/curl:latest", + "--overrides", + fmt.Sprintf(`{ + "spec": { + "containers": [{ + "name": "curl", + "image": "curlimages/curl:latest", + "command": ["/bin/sh", "-c"], + "args": ["curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics"], + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": ["ALL"] + }, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + } + }], + "serviceAccount": "%s" + } + }`, token, metricsServiceName, namespace, serviceAccountName)) _, err = utils.Run(cmd) Expect(err).NotTo(HaveOccurred(), "Failed to create curl-metrics pod") diff --git a/docs/book/src/multiversion-tutorial/testdata/project/test/e2e/e2e_test.go b/docs/book/src/multiversion-tutorial/testdata/project/test/e2e/e2e_test.go index 3ffffed2ce8..4f48e35575b 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/test/e2e/e2e_test.go +++ b/docs/book/src/multiversion-tutorial/testdata/project/test/e2e/e2e_test.go 
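Review bot: `"serviceAccount": "%s"` at the bottom of the overrides is the deprecated PodSpec alias; the API server still defaults it into `serviceAccountName`, but new code should write `"serviceAccountName": "%s"`. Running the curl pod under that account also means its token is auto-mounted into the container, so the pod carries a credential regardless of whether the embedded bearer `token` is the one used — either read the mounted token in the curl command or add `"automountServiceAccountToken": false`. The image tag moved from the pinned `7.78.0` to `latest`, which trades reproducibility for convenience; a pinned tag or digest is the safer default for a test that is copied into user projects. The enclosing `It` starts and ends outside the hunk.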
@@ -46,13 +46,20 @@ var _ = Describe("Manager", Ordered, func() { var controllerPodName string // Before running the tests, set up the environment by creating the namespace, - // installing CRDs, and deploying the controller. + // enforce the restricted security policy to the namespace, installing CRDs, + // and deploying the controller. BeforeAll(func() { By("creating manager namespace") cmd := exec.Command("kubectl", "create", "ns", namespace) _, err := utils.Run(cmd) Expect(err).NotTo(HaveOccurred(), "Failed to create namespace") + By("labeling the namespace to enforce the restricted security policy") + cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace, + "pod-security.kubernetes.io/enforce=restricted") + _, err = utils.Run(cmd) + Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy") + By("installing CRDs") cmd = exec.Command("make", "install") _, err = utils.Run(cmd) 
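Review bot: The new label step only sets `enforce`, and the practical gap with enforce alone is that Deployment templates are not checked by it, only the Pods the ReplicaSet later tries to create, so `make deploy` succeeds for a non-compliant manager and the test fails further down with no hint that PodSecurity rejected the pod. Labeling warn as well, `"pod-security.kubernetes.io/warn=restricted"`, surfaces the violation in the deploy output. A note such as `// Enforce the restricted Pod Security Standard; the manager must run with a compliant securityContext.` would help readers of the tutorial. The comment text `enforce the restricted security policy to the namespace` should be `enforcing the restricted security policy on the namespace`. BeforeAll continues past the hunk.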
@@ -209,10 +216,30 @@ var _ = Describe("Manager", Ordered, func() { By("creating the curl-metrics pod to access the metrics endpoint") cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never", "--namespace", namespace, - "--image=curlimages/curl:7.78.0", - "--", "/bin/sh", "-c", fmt.Sprintf( - "curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics", - token, metricsServiceName, namespace)) + "--image=curlimages/curl:latest", + "--overrides", + fmt.Sprintf(`{ + "spec": { + "containers": [{ + "name": "curl", + "image": "curlimages/curl:latest", + "command": ["/bin/sh", "-c"], + "args": ["curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics"], + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": ["ALL"] + }, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + } + }], + "serviceAccount": "%s" + } + }`, token, metricsServiceName, namespace, serviceAccountName)) _, err = utils.Run(cmd) Expect(err).NotTo(HaveOccurred(), "Failed to create curl-metrics pod") diff --git a/docs/book/src/reference/metrics.md b/docs/book/src/reference/metrics.md index f345712630a..a46d7d2d119 100644 --- a/docs/book/src/reference/metrics.md +++ b/docs/book/src/reference/metrics.md @@ -113,7 +113,7 @@ spec: serviceAccountName: controller-manager containers: - name: metrics-consumer - image: curlimages/curl:7.78.0 + image: curlimages/curl:latest command: ["/bin/sh"] args: - "-c" diff --git a/pkg/plugins/golang/v4/scaffolds/internal/templates/test/e2e/test.go b/pkg/plugins/golang/v4/scaffolds/internal/templates/test/e2e/test.go index 5338ac4a3fe..c7dea87a265 100644 --- a/pkg/plugins/golang/v4/scaffolds/internal/templates/test/e2e/test.go +++ b/pkg/plugins/golang/v4/scaffolds/internal/templates/test/e2e/test.go 
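Review bot: `"runAsUser": 1000` in the securityContext pins a UID that is not the curl image's own; the restricted profile only requires `runAsNonRoot`, so this is presumably there so the kubelet can verify non-root without relying on the image's user metadata — a comment like `// explicit UID so runAsNonRoot is verifiable regardless of the image's USER` would keep it from being "cleaned up" later. The same hunk switches to `curlimages/curl:latest`, an unpinned tag, so the user layout being relied on can change silently; pin the tag or digest. `"serviceAccount"` should be `"serviceAccountName"` (the former is the deprecated alias). The `It` block starts and ends outside the hunk.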
@@ -207,13 +207,20 @@ var _ = Describe("Manager", Ordered, func() { var controllerPodName string // Before running the tests, set up the environment by creating the namespace, - // installing CRDs, and deploying the controller. + // enforce the restricted security policy to the namespace, installing CRDs, + // and deploying the controller. BeforeAll(func() { By("creating manager namespace") cmd := exec.Command("kubectl", "create", "ns", namespace) _, err := utils.Run(cmd) Expect(err).NotTo(HaveOccurred(), "Failed to create namespace") + By("labeling the namespace to enforce the restricted security policy") + cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace, + "pod-security.kubernetes.io/enforce=restricted") + _, err = utils.Run(cmd) + Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy") + By("installing CRDs") cmd = exec.Command("make", "install") _, err = utils.Run(cmd) 
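Review bot: Only `pod-security.kubernetes.io/enforce=restricted` is applied in the new label step; enforce mode is checked on Pods, not on the Deployment that `make deploy` creates, so a non-compliant manager is admitted here and the scaffolded test presumably fails later, when the controller pod is verified, without the admission message. Setting the warn mode as well, `"pod-security.kubernetes.io/warn=restricted"`, is cheap and makes the `would violate PodSecurity` warning appear in the `make deploy` output. Since this is the scaffold template every generated project inherits, a short comment above the step, e.g. `// Enforce the restricted Pod Security Standard so the manager must run with a compliant security context.`, tells project authors why their namespace is labeled. Grammar: `// enforcing the restricted security policy on the namespace, installing CRDs,`. BeforeAll continues below the hunk.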
@@ -370,10 +377,30 @@ var _ = Describe("Manager", Ordered, func() { By("creating the curl-metrics pod to access the metrics endpoint") cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never", "--namespace", namespace, - "--image=curlimages/curl:7.78.0", - "--", "/bin/sh", "-c", fmt.Sprintf( - "curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics", - token, metricsServiceName, namespace)) + "--image=curlimages/curl:latest", + "--overrides", + fmt.Sprintf(` + "`" + `{ + "spec": { + "containers": [{ + "name": "curl", + "image": "curlimages/curl:latest", + "command": ["/bin/sh", "-c"], + "args": ["curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics"], + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": ["ALL"] + }, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + } + }], + "serviceAccount": "%s" + } + }` + "`" + `, token, metricsServiceName, namespace, serviceAccountName)) _, err = utils.Run(cmd) Expect(err).NotTo(HaveOccurred(), "Failed to create curl-metrics pod") diff --git a/test/e2e/deployimage/plugin_cluster_test.go b/test/e2e/deployimage/plugin_cluster_test.go index 3597d4a1d91..7b2065e5304 100644 --- a/test/e2e/deployimage/plugin_cluster_test.go +++ b/test/e2e/deployimage/plugin_cluster_test.go @@ -93,7 +93,8 @@ func Run(kbc *utils.TestContext) { By("deploying the controller-manager") cmd := exec.Command("make", "deploy", "IMG="+kbc.ImageName) - Expect(kbc.Run(cmd)).NotTo(ContainSubstring("Warning: would violate PodSecurity")) + out, _ := kbc.Run(cmd) + Expect(string(out)).NotTo(ContainSubstring("Warning: would violate PodSecurity")) By("validating that the controller-manager pod is running as expected") verifyControllerUp := func(g Gomega) { diff --git a/test/e2e/utils/test_context.go b/test/e2e/utils/test_context.go index 5ce58f18a3d..2e80c82eed7 100644 --- a/test/e2e/utils/test_context.go 
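Review bot: The curl pod image is now `curlimages/curl:latest` both in `--image` and in the overrides, dropping the previous pin; for a scaffolded e2e test that every generated project inherits, an unpinned mutable tag means behaviour that changes underneath users and pulls an unreviewed image — pin a tag (or a `@sha256:` digest) and update it explicitly. `"serviceAccount"` is the deprecated PodSpec alias; use `"serviceAccountName": "%s"`. `"runAsUser": 1000` hard-codes a UID that is not the image's own, presumably so the kubelet can satisfy `runAsNonRoot` without relying on the image's user metadata — a one-line comment saying so would stop the next maintainer from removing it. Because the pod runs as that service account its token is auto-mounted; if `token` (created outside the hunk) is the same account's token, the bearer header could read it from `/var/run/secrets/kubernetes.io/serviceaccount/token` instead of embedding it in the pod spec, or set `"automountServiceAccountToken": false` to avoid mounting credentials the pod does not use. The surrounding `It` block starts and ends outside the hunk.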
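Review bot: `out, _ := kbc.Run(cmd)` discards the error from `make deploy`; the replaced `Expect(kbc.Run(cmd))` form had Gomega fail when the trailing error value was non-nil, so the rewrite silently weakens the check and a failed deploy now passes this assertion on whatever partial output it produced. Keep the error and assert it: `out, err := kbc.Run(cmd)` followed by `Expect(err).NotTo(HaveOccurred())` before the substring check. Note also that the `would violate PodSecurity` warning is emitted by the warn/audit modes on workload resources, not by enforce, so whether this substring assertion can still fire depends on how the deployimage test labels its namespace, which this hunk does not show. The enclosing `Run` function continues outside the hunk.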
+++ b/test/e2e/utils/test_context.go @@ -252,18 +252,18 @@ func (t *TestContext) CreateManagerNamespace() error { return err } -// LabelNamespacesToWarnAboutRestricted will label all namespaces so that we can verify -// if a warning with `Warning: would violate PodSecurity` will be raised when the manifests are applied -func (t *TestContext) LabelNamespacesToWarnAboutRestricted() error { +// LabelNamespacesToEnforceRestricted will label specified namespaces so that we can verify +// if the manifests can be applied in restricted environments with strict security policy enforced +func (t *TestContext) LabelNamespacesToEnforceRestricted() error { _, err := t.Kubectl.Command("label", "--overwrite", "ns", t.Kubectl.Namespace, - "pod-security.kubernetes.io/warn=restricted") + "pod-security.kubernetes.io/enforce=restricted") return err } -// RemoveNamespaceLabelToWarnAboutRestricted will remove the `pod-security.kubernetes.io/warn` label +// RemoveNamespaceLabelToEnforceRestricted will remove the `pod-security.kubernetes.io/enforce` label // from the specified namespace -func (t *TestContext) RemoveNamespaceLabelToWarnAboutRestricted() error { - _, err := t.Kubectl.Command("label", "ns", t.Kubectl.Namespace, "pod-security.kubernetes.io/warn-") +func (t *TestContext) RemoveNamespaceLabelToEnforceRestricted() error { + _, err := t.Kubectl.Command("label", "ns", t.Kubectl.Namespace, "pod-security.kubernetes.io/enforce-") return err } diff --git a/test/e2e/v4/plugin_cluster_test.go b/test/e2e/v4/plugin_cluster_test.go index 009ea15e0ba..2deab214538 100644 --- a/test/e2e/v4/plugin_cluster_test.go +++ b/test/e2e/v4/plugin_cluster_test.go @@ -58,7 +58,7 @@ var _ = Describe("kubebuilder", func() { AfterEach(func() { By("By removing restricted namespace label") - _ = kbc.RemoveNamespaceLabelToWarnAboutRestricted() + _ = kbc.RemoveNamespaceLabelToEnforceRestricted() By("clean up API objects created during the test") _ = kbc.Make("undeploy") 
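Review bot: Switching the label from `warn=restricted` to `enforce=restricted` drops the warn mode entirely, and since enforce applies to Pod objects while warn/audit are the modes applied to Deployment templates, callers that still assert on the `would violate PodSecurity` warning after `make deploy` will no longer see it; a namespace that is both enforced and warned covers both cases, e.g. add `"pod-security.kubernetes.io/warn=restricted"` as a second label argument and drop it again in `RemoveNamespaceLabelToEnforceRestricted` with `"pod-security.kubernetes.io/warn-"`. The doc comment on `LabelNamespacesToEnforceRestricted` says "specified namespaces" but the body labels exactly one, `t.Kubectl.Namespace`; a truer comment is `// LabelNamespacesToEnforceRestricted labels the test namespace so that the manifests must satisfy the restricted Pod Security Standard to be admitted.` The `restricted` level is unversioned here, so the checks track the cluster's `latest` profile and can change after a cluster upgrade.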
@@ -114,8 +114,8 @@ func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller, isToUseHelmChart, err = kbc.CreateManagerNamespace() ExpectWithOffset(1, err).NotTo(HaveOccurred()) - By("labeling all namespaces to warn about restricted") - err = kbc.LabelNamespacesToWarnAboutRestricted() + By("labeling the namespace to enforce the restricted security policy") + err = kbc.LabelNamespacesToEnforceRestricted() ExpectWithOffset(1, err).NotTo(HaveOccurred()) By("updating the go.mod") @@ -581,10 +581,30 @@ func cmdOptsToCreateCurlPod(kbc *utils.TestContext, token string) []string { "run", "curl", "--restart=Never", "--namespace", kbc.Kubectl.Namespace, - "--image=curlimages/curl:7.78.0", - "--", - "/bin/sh", "-c", fmt.Sprintf("curl -v -k -H 'Authorization: Bearer %s' https://e2e-%s-controller-manager-metrics-service.%s.svc.cluster.local:8443/metrics", - token, kbc.TestSuffix, kbc.Kubectl.Namespace), + "--image=curlimages/curl:latest", + "--overrides", + fmt.Sprintf(`{ + "spec": { + "containers": [{ + "name": "curl", + "image": "curlimages/curl:latest", + "command": ["/bin/sh", "-c"], + "args": ["curl -v -k -H 'Authorization: Bearer %s' https://e2e-%s-controller-manager-metrics-service.%s.svc.cluster.local:8443/metrics"], + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": ["ALL"] + }, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + } + }], + "serviceAccount": "%s" + } + }`, token, kbc.TestSuffix, kbc.Kubectl.Namespace, kbc.Kubectl.ServiceAccount), } return cmdOpts } diff --git a/testdata/project-v4-multigroup/test/e2e/e2e_test.go b/testdata/project-v4-multigroup/test/e2e/e2e_test.go index dbcdfbdcca3..4e042380af9 100644 --- a/testdata/project-v4-multigroup/test/e2e/e2e_test.go +++ b/testdata/project-v4-multigroup/test/e2e/e2e_test.go 
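Review bot: `cmdOptsToCreateCurlPod` now builds the pod with `"serviceAccount": "%s"`, the deprecated PodSpec alias of `serviceAccountName`; the API server still copies it across, but `"serviceAccountName"` is the field to use. The image moved from the pinned `curlimages/curl:7.78.0` to `curlimages/curl:latest` (in `--image` and again in the overrides), which makes the e2e run depend on whatever the registry serves that day; pin a tag or digest. The bearer `token` and `kbc.Kubectl.ServiceAccount` are interpolated straight into the JSON with `%s` — fine for a JWT and a DNS label, but a value containing a quote or backslash would yield an invalid spec, so `strconv.Quote` or building the override with `json.Marshal` is the robust form if these inputs ever vary. The function starts above the hunk (its `cmdOpts := []string{` line is not shown) and ends with the `return cmdOpts` inside it.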
@@ -46,13 +46,20 @@ var _ = Describe("Manager", Ordered, func() { var controllerPodName string // Before running the tests, set up the environment by creating the namespace, - // installing CRDs, and deploying the controller. + // enforce the restricted security policy to the namespace, installing CRDs, + // and deploying the controller. BeforeAll(func() { By("creating manager namespace") cmd := exec.Command("kubectl", "create", "ns", namespace) _, err := utils.Run(cmd) Expect(err).NotTo(HaveOccurred(), "Failed to create namespace") + By("labeling the namespace to enforce the restricted security policy") + cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace, + "pod-security.kubernetes.io/enforce=restricted") + _, err = utils.Run(cmd) + Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy") + By("installing CRDs") cmd = exec.Command("make", "install") _, err = utils.Run(cmd) 
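Review bot: `kubectl label --overwrite ns <ns> pod-security.kubernetes.io/enforce=restricted` is applied before `make deploy`, which is the right order, but with only the enforce mode a non-compliant manager Deployment is admitted (enforce checks Pods; warn/audit check templates) and the first sign is a controller pod that never starts. Add `"pod-security.kubernetes.io/warn=restricted"` as a second label so the `would violate PodSecurity` message is printed at deploy time. The unversioned level means `restricted:latest`; pin `enforce-version` if the test needs identical checks across cluster versions. Wording: `// enforcing the restricted security policy on the namespace, installing CRDs,`. BeforeAll continues past the hunk.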
@@ -209,10 +216,30 @@ var _ = Describe("Manager", Ordered, func() { By("creating the curl-metrics pod to access the metrics endpoint") cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never", "--namespace", namespace, - "--image=curlimages/curl:7.78.0", - "--", "/bin/sh", "-c", fmt.Sprintf( - "curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics", - token, metricsServiceName, namespace)) + "--image=curlimages/curl:latest", + "--overrides", + fmt.Sprintf(`{ + "spec": { + "containers": [{ + "name": "curl", + "image": "curlimages/curl:latest", + "command": ["/bin/sh", "-c"], + "args": ["curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics"], + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": ["ALL"] + }, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + } + }], + "serviceAccount": "%s" + } + }`, token, metricsServiceName, namespace, serviceAccountName)) _, err = utils.Run(cmd) Expect(err).NotTo(HaveOccurred(), "Failed to create curl-metrics pod") diff --git a/testdata/project-v4-with-plugins/test/e2e/e2e_test.go b/testdata/project-v4-with-plugins/test/e2e/e2e_test.go index 0f2508e2f8a..f8f401058f5 100644 --- a/testdata/project-v4-with-plugins/test/e2e/e2e_test.go +++ b/testdata/project-v4-with-plugins/test/e2e/e2e_test.go 
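Review bot: The bearer `token` is interpolated with `%s` straight into JSON and, inside that, into a `sh -c` string; a service-account JWT contains no quotes or backslashes so this works today, but nothing here guarantees it, and a value with a `"` would silently produce an unparsable override. Building the override with `json.Marshal` of a struct, or at least `strconv.Quote`-ing the command, keeps the spec valid for any input. Separately, `"serviceAccount"` is the deprecated alias — use `"serviceAccountName"` — and `curlimages/curl:latest` replaces a pinned tag, which makes the e2e run non-reproducible. The `It` block starts and ends outside the hunk.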
@@ -46,13 +46,20 @@ var _ = Describe("Manager", Ordered, func() { var controllerPodName string // Before running the tests, set up the environment by creating the namespace, - // installing CRDs, and deploying the controller. + // enforce the restricted security policy to the namespace, installing CRDs, + // and deploying the controller. BeforeAll(func() { By("creating manager namespace") cmd := exec.Command("kubectl", "create", "ns", namespace) _, err := utils.Run(cmd) Expect(err).NotTo(HaveOccurred(), "Failed to create namespace") + By("labeling the namespace to enforce the restricted security policy") + cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace, + "pod-security.kubernetes.io/enforce=restricted") + _, err = utils.Run(cmd) + Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy") + By("installing CRDs") cmd = exec.Command("make", "install") _, err = utils.Run(cmd) 
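Review bot: The added label uses the unversioned `restricted` level, so the checks applied are those of `restricted:latest` on whatever cluster runs the test; that is usually what a scaffolded project wants, but it deserves a comment because the test can start failing after a cluster upgrade without any change to the project, e.g. `// unversioned level: tracks the cluster's latest restricted profile`. Enforce mode also does not evaluate the Deployment template, so adding `"pod-security.kubernetes.io/warn=restricted"` makes a non-compliant manager visible in the `make deploy` output rather than as a missing pod later. `// enforce the restricted security policy to the namespace` should be `// enforcing the restricted security policy on the namespace`. BeforeAll continues past the hunk.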
@@ -209,10 +216,30 @@ var _ = Describe("Manager", Ordered, func() { By("creating the curl-metrics pod to access the metrics endpoint") cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never", "--namespace", namespace, - "--image=curlimages/curl:7.78.0", - "--", "/bin/sh", "-c", fmt.Sprintf( - "curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics", - token, metricsServiceName, namespace)) + "--image=curlimages/curl:latest", + "--overrides", + fmt.Sprintf(`{ + "spec": { + "containers": [{ + "name": "curl", + "image": "curlimages/curl:latest", + "command": ["/bin/sh", "-c"], + "args": ["curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics"], + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": ["ALL"] + }, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + } + }], + "serviceAccount": "%s" + } + }`, token, metricsServiceName, namespace, serviceAccountName)) _, err = utils.Run(cmd) Expect(err).NotTo(HaveOccurred(), "Failed to create curl-metrics pod") diff --git a/testdata/project-v4/test/e2e/e2e_test.go b/testdata/project-v4/test/e2e/e2e_test.go index 5956c9fe687..72d70fa913b 100644 --- a/testdata/project-v4/test/e2e/e2e_test.go +++ b/testdata/project-v4/test/e2e/e2e_test.go 
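Review bot: Pinning is lost: `--image=curlimages/curl:latest` (and the duplicate in the overrides JSON) replaces `7.78.0`, so the pod image is whatever `latest` points at when the test runs; pin a tag or, better, a `@sha256:` digest and bump it on purpose. The pod is given `"serviceAccount": "%s"`, the deprecated alias of `serviceAccountName`, and the account's token is thereby auto-mounted even though the request authenticates with the embedded `token`; if that is the same account's token (created outside the hunk) the pod could read it from the mounted path, otherwise `"automountServiceAccountToken": false` avoids an unused credential in the pod. The `It` block starts and ends outside the hunk.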
@@ -46,13 +46,20 @@ var _ = Describe("Manager", Ordered, func() { var controllerPodName string // Before running the tests, set up the environment by creating the namespace, - // installing CRDs, and deploying the controller. + // enforce the restricted security policy to the namespace, installing CRDs, + // and deploying the controller. BeforeAll(func() { By("creating manager namespace") cmd := exec.Command("kubectl", "create", "ns", namespace) _, err := utils.Run(cmd) Expect(err).NotTo(HaveOccurred(), "Failed to create namespace") + By("labeling the namespace to enforce the restricted security policy") + cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace, + "pod-security.kubernetes.io/enforce=restricted") + _, err = utils.Run(cmd) + Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy") + By("installing CRDs") cmd = exec.Command("make", "install") _, err = utils.Run(cmd) 
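Review bot: With only `enforce=restricted` set, a manager Deployment whose template violates the restricted profile still passes `make deploy` (enforce applies to Pods; warn and audit are what PSA applies to workload templates), and the scaffolded test then fails at a later step without the admission reason. Pass `"pod-security.kubernetes.io/warn=restricted"` too so the violation is printed by `make deploy`. The level is unversioned, so it tracks `restricted:latest`; pin `enforce-version` for cross-cluster reproducibility. Comment wording: `// enforcing the restricted security policy on the namespace, installing CRDs,`. BeforeAll continues past the hunk.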
@@ -209,10 +216,30 @@ var _ = Describe("Manager", Ordered, func() { By("creating the curl-metrics pod to access the metrics endpoint") cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never", "--namespace", namespace, - "--image=curlimages/curl:7.78.0", - "--", "/bin/sh", "-c", fmt.Sprintf( - "curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics", - token, metricsServiceName, namespace)) + "--image=curlimages/curl:latest", + "--overrides", + fmt.Sprintf(`{ + "spec": { + "containers": [{ + "name": "curl", + "image": "curlimages/curl:latest", + "command": ["/bin/sh", "-c"], + "args": ["curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics"], + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": ["ALL"] + }, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + } + }], + "serviceAccount": "%s" + } + }`, token, metricsServiceName, namespace, serviceAccountName)) _, err = utils.Run(cmd) Expect(err).NotTo(HaveOccurred(), "Failed to create curl-metrics pod")
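Review bot: `"serviceAccount": "%s"` should be `"serviceAccountName": "%s"`; `serviceAccount` is the deprecated PodSpec alias that the API server only keeps for compatibility. The image moved from a pinned `curlimages/curl:7.78.0` to `curlimages/curl:latest`, in both `--image` and the overrides, so the test now depends on an unreviewed, mutable image — pin a tag or digest. `"runAsUser": 1000` is an explicit UID that the restricted profile does not require; presumably it lets the kubelet verify `runAsNonRoot` without the image's USER metadata, and a short comment saying so would help. The `It` block starts and ends outside the hunk.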