From 0bc77d501c8fe30b389641df5821010df62f64da Mon Sep 17 00:00:00 2001 From: David Elie-Dit-Cosaque <86730676+edcdavid@users.noreply.github.com> Date: Mon, 6 Nov 2023 08:44:54 -0600 Subject: [PATCH 1/4] Allow Role bindings across namespaces (#1583) * Allows CNF to share roles across namespaces as long as namespace belongs to CNF * Fixing Formating bug in parser --- cnf-certification-test/accesscontrol/suite.go | 28 +++++++++++++------ pkg/testhelper/testhelper.go | 1 + 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/cnf-certification-test/accesscontrol/suite.go b/cnf-certification-test/accesscontrol/suite.go index 22fe7834e..10917ccad 100644 --- a/cnf-certification-test/accesscontrol/suite.go +++ b/cnf-certification-test/accesscontrol/suite.go @@ -474,7 +474,9 @@ func testPodServiceAccount(env *provider.TestEnvironment) { testhelper.AddTestResultReason(compliantObjects, nonCompliantObjects, tnf.ClaimFilePrintf, ginkgo.Fail) } -// testPodRoleBindings verifies that the pod utilizes a valid role binding that does not cross namespaces +// testPodRoleBindings verifies that the pod utilizes a valid role binding that does not cross non-CNF namespaces +// +//nolint:funlen func testPodRoleBindings(env *provider.TestEnvironment) { ginkgo.By("Should not have RoleBinding in other namespaces") var compliantObjects []*testhelper.ReportObject 
@@ -502,18 +504,28 @@ func testPodRoleBindings(env *provider.TestEnvironment) { // We must check if the pod's service account is in the role binding's subjects. found := false for _, subject := range env.RoleBindings[rbIndex].Subjects { - // If the subject is a service account and the service account is in the same namespace as the pod, then we have a failure - //nolint:gocritic - if subject.Kind == rbacv1.ServiceAccountKind && subject.Namespace == put.Namespace && subject.Name == put.Spec.ServiceAccountName { - tnf.Logf(logrus.WarnLevel, "Pod: %s/%s has the following role bindings that do not live in the same namespace: %s", put.Namespace, put.Name, env.RoleBindings[rbIndex].Name) + // If the subject is a service account and the service account is in the same namespace as one of the CNF's namespaces, then continue, this is allowed + if subject.Kind == rbacv1.ServiceAccountKind && + subject.Namespace == put.Namespace && + subject.Name == put.Spec.ServiceAccountName && + stringhelper.StringInSlice(env.Namespaces, env.RoleBindings[rbIndex].Namespace, false) { + continue + } + + // Finally, if the subject is a service account and the service account is in the same namespace as the pod, then we have a failure + if subject.Kind == rbacv1.ServiceAccountKind && + subject.Namespace == put.Namespace && + subject.Name == put.Spec.ServiceAccountName { + tnf.Logf(logrus.WarnLevel, "Pod: %s has the following role bindings that do not live in one of the CNF namespaces: %s", put, env.RoleBindings[rbIndex].Name) // Add the pod to the non-compliant list nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, - "The role bindings used by this pod do not live in the same namespace", false). + "The role bindings used by this pod do not live in one of the CNF namespaces", false). AddField(testhelper.RoleBindingName, env.RoleBindings[rbIndex].Name). AddField(testhelper.RoleBindingNamespace, env.RoleBindings[rbIndex].Namespace). 
- AddField(testhelper.ServiceAccountName, put.Spec.ServiceAccountName)) + AddField(testhelper.ServiceAccountName, put.Spec.ServiceAccountName). + SetType(testhelper.PodRoleBinding)) found = true podIsCompliant = false break @@ -528,7 +540,7 @@ func testPodRoleBindings(env *provider.TestEnvironment) { // Add pod to the compliant object list if podIsCompliant { compliantObjects = append(compliantObjects, - testhelper.NewPodReportObject(put.Namespace, put.Name, "All the role bindings used by this pod (applied by the service accounts) live in the same namespace", true)) + testhelper.NewPodReportObject(put.Namespace, put.Name, "All the role bindings used by this pod (applied by the service accounts) live in one of the CNF namespaces", true)) } } testhelper.AddTestResultReason(compliantObjects, nonCompliantObjects, tnf.ClaimFilePrintf, ginkgo.Fail) diff --git a/pkg/testhelper/testhelper.go b/pkg/testhelper/testhelper.go index 9cd2525d9..a6a95f158 100644 --- a/pkg/testhelper/testhelper.go +++ b/pkg/testhelper/testhelper.go @@ -200,6 +200,7 @@ const ( ImageRepo = "Image Repo" ImageTag = "Image Tag" ImageRegistry = "Image Registry" + PodRoleBinding = "Pods with RoleBindings details" ) func (obj *ReportObject) SetContainerProcessValues(aPolicy, aPriority, aCommandLine string) *ReportObject { From 8728a3e403748434824d4fc8aec55fb48ce546cd Mon Sep 17 00:00:00 2001 From: Brandon Palm Date: Mon, 6 Nov 2023 10:25:45 -0600 Subject: [PATCH 2/4] Prepare for v4.5.4 (#1586) --- docs/runtime-env.md | 2 +- docs/test-container.md | 10 +++++----- pkg/provider/provider.go | 2 +- pkg/provider/provider_test.go | 2 +- version.json | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/runtime-env.md b/docs/runtime-env.md index 98f33109d..32c4aa4c0 100644 --- a/docs/runtime-env.md +++ b/docs/runtime-env.md 
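Review bot: The new allow branch in the subject loop `continue`s without logging or recording anything, so a run leaves no trace of which cross-namespace role bindings were accepted because their namespace is in `env.Namespaces`. Since this relaxes an access-control check, each accepted binding is worth an info-level log line naming the binding and its namespace. The three-clause subject match is also written twice; nesting the namespace test inside a single match keeps the allow and fail paths from drifting apart. The `false` passed to `stringhelper.StringInSlice` is presumably the exact-match mode, which is what this check needs, and a short comment saying so would help. The subject loop and the enclosing function start and end outside the hunk.

```go
for _, subject := range env.RoleBindings[rbIndex].Subjects {
	if subject.Kind == rbacv1.ServiceAccountKind &&
		subject.Namespace == put.Namespace &&
		subject.Name == put.Spec.ServiceAccountName {
		// Accept the binding only when its namespace is one of the CNF namespaces
		// (exact match), and log it so the accepted grant shows up in the run output.
		if stringhelper.StringInSlice(env.Namespaces, env.RoleBindings[rbIndex].Namespace, false) {
			tnf.Logf(logrus.InfoLevel, "Pod: %s uses role binding %s/%s from another CNF namespace",
				put, env.RoleBindings[rbIndex].Namespace, env.RoleBindings[rbIndex].Name)
			continue
		}
		// … unchanged: warning log, non-compliant report object, found = true, podIsCompliant = false, break …
```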
@@ -68,4 +68,4 @@ export TNF_PARTNER_REPO=registry.dfwt5g.lab:5000/testnetworkfunction ``` Note that you can also specify the debug pod image to use with `SUPPORT_IMAGE` -environment variable, default to `debug-partner:4.5.3`. +environment variable, default to `debug-partner:4.5.4`. diff --git a/docs/test-container.md b/docs/test-container.md index e54c606e8..86bc36de4 100644 --- a/docs/test-container.md +++ b/docs/test-container.md @@ -112,8 +112,8 @@ Two env vars allow to control the web artifacts and the the new tar.gz file gene ### Build locally ```shell -podman build -t cnf-certification-test:v4.5.3 \ - --build-arg TNF_VERSION=v4.5.3 \ +podman build -t cnf-certification-test:v4.5.4 \ + --build-arg TNF_VERSION=v4.5.4 \ ``` * `TNF_VERSION` value is set to a branch, a tag, or a hash of a commit that will be installed into the image @@ -125,8 +125,8 @@ The unofficial source could be a fork of the TNF repository. Use the `TNF_SRC_URL` build argument to override the URL to a source repository. ```shell -podman build -t cnf-certification-test:v4.5.3 \ - --build-arg TNF_VERSION=v4.5.3 \ +podman build -t cnf-certification-test:v4.5.4 \ + --build-arg TNF_VERSION=v4.5.4 \ --build-arg TNF_SRC_URL=https://github.com/test-network-function/cnf-certification-test . ``` @@ -135,7 +135,7 @@ podman build -t cnf-certification-test:v4.5.3 \ Specify the custom TNF image using the `-i` parameter. ```shell -./run-tnf-container.sh -i cnf-certification-test:v4.5.3 +./run-tnf-container.sh -i cnf-certification-test:v4.5.4 -t ~/tnf/config -o ~/tnf/output -l "networking,access-control" ``` diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go index 4801ba906..b63695d0e 100644 --- a/pkg/provider/provider.go +++ b/pkg/provider/provider.go 
@@ -60,7 +60,7 @@ const ( cscosName = "CentOS Stream CoreOS" rhelName = "Red Hat Enterprise Linux" tnfPartnerRepoDef = "quay.io/testnetworkfunction" - supportImageDef = "debug-partner:4.5.3" + supportImageDef = "debug-partner:4.5.4" ) // Node's roles labels. Node is role R if it has **any** of the labels of each list. diff --git a/pkg/provider/provider_test.go b/pkg/provider/provider_test.go index af45c911f..1662ba58f 100644 --- a/pkg/provider/provider_test.go +++ b/pkg/provider/provider_test.go @@ -788,7 +788,7 @@ func TestBuildImageWithVersion(t *testing.T) { { repoVar: "", supportImageVar: "", - expectedOutput: "quay.io/testnetworkfunction/debug-partner:4.5.3", + expectedOutput: "quay.io/testnetworkfunction/debug-partner:4.5.4", }, } diff --git a/version.json b/version.json index 1f0a5efe2..e8bd2e579 100644 --- a/version.json +++ b/version.json @@ -1,5 +1,5 @@ { - "partner_tag": "v4.5.3", + "partner_tag": "v4.5.4", "claimFormat": "v0.1.0", "parserTag": "v0.1.2" } From 7fe04f43c87d39992344c6717d85c2ffd3dad759 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 Nov 2023 00:09:30 +0200 Subject: [PATCH 3/4] Bump github.com/spf13/cobra from 1.7.0 to 1.8.0 (#1588) Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.7.0 to 1.8.0. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](https://github.com/spf13/cobra/compare/v1.7.0...v1.8.0) --- updated-dependencies: - dependency-name: github.com/spf13/cobra dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 8cb3a2da2..e81482f0a 100644 --- a/go.mod +++ b/go.mod 
@@ -6,7 +6,7 @@ require ( github.com/Masterminds/semver/v3 v3.2.1 github.com/basgys/goxml2json v1.1.0 github.com/sirupsen/logrus v1.9.3 - github.com/spf13/cobra v1.7.0 + github.com/spf13/cobra v1.8.0 github.com/stretchr/testify v1.8.4 github.com/test-network-function/test-network-function-claim v1.0.30 github.com/xeipuuv/gojsonschema v1.2.0 // indirect diff --git a/go.sum b/go.sum index a6fd080b9..de0426a9a 100644 --- a/go.sum +++ b/go.sum @@ -123,6 +123,7 @@ github.com/containerd/continuity v0.4.2/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k= github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= 
@@ -539,8 +540,8 @@ github.com/spf13/afero v1.10.0/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.5.1 h1:R+kOtfhWQE6TVQzY+4D7wJLBgkdVasCEFxSUBYBYIlA= github.com/spf13/cast v1.5.1/go.mod h1:b9PdjNptOpzXr7Rq1q9gJML/2cdGQAo69NKzQ10KN48= -github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= -github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= +github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= +github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk= github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= From b2402cc2fdc4f6a47da7696b11b573ecc2e08407 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 Nov 2023 00:29:09 +0200 Subject: [PATCH 4/4] Bump github.com/fatih/color from 1.15.0 to 1.16.0 (#1589) Bumps [github.com/fatih/color](https://github.com/fatih/color) from 1.15.0 to 1.16.0. - [Release notes](https://github.com/fatih/color/releases) - [Commits](https://github.com/fatih/color/compare/v1.15.0...v1.16.0) --- updated-dependencies: - dependency-name: github.com/fatih/color dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: David Rabkin --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index e81482f0a..32d9c88f8 100644 --- a/go.mod +++ b/go.mod 
@@ -110,7 +110,7 @@ require ( github.com/magiconair/properties v1.8.7 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect - github.com/mattn/go-isatty v0.0.18 // indirect + github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-runewidth v0.0.14 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect @@ -168,7 +168,7 @@ require ( golang.org/x/net v0.17.0 // indirect golang.org/x/oauth2 v0.10.0 // indirect golang.org/x/sync v0.3.0 // indirect - golang.org/x/sys v0.13.0 // indirect + golang.org/x/sys v0.14.0 // indirect golang.org/x/term v0.13.0 // indirect golang.org/x/text v0.13.0 // indirect golang.org/x/time v0.3.0 // indirect @@ -208,7 +208,7 @@ require ( require ( github.com/deckarep/golang-set/v2 v2.3.1 - github.com/fatih/color v1.15.0 + github.com/fatih/color v1.16.0 github.com/go-logr/logr v1.3.0 github.com/go-logr/stdr v1.2.2 github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0 diff --git a/go.sum b/go.sum index de0426a9a..f4b2c7deb 100644 --- a/go.sum +++ b/go.sum 
@@ -171,8 +171,8 @@ github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJ github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= -github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= -github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= +github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= +github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk= github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= 
@@ -403,8 +403,8 @@ github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kN github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= -github.com/mattn/go-isatty v0.0.18 h1:DOKFKCQ7FNG2L1rbrmstDN4QVRdS89Nkh85u68Uwp98= -github.com/mattn/go-isatty v0.0.18/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-runewidth v0.0.14 h1:+xnbZSEeDbOIg5/mE6JF0w6n9duR1l3/WmbinWVwUuU= github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= @@ -793,8 +793,8 @@ golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= -golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= +golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=