
Add support for readonlyrootfilesystem test for wafv5 #6708

Merged
merged 9 commits into from
Oct 31, 2024

Conversation

vepatel
Contributor

@vepatel vepatel commented Oct 24, 2024

Proposed changes

  • Update fixtures, utils and wafv5 tests for readOnlyRootFileSystem

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

@vepatel vepatel requested a review from a team as a code owner October 24, 2024 15:16
@vepatel vepatel requested review from j1m-ryan and jjngx October 24, 2024 15:16
@github-actions github-actions bot added the python (Pull requests that update Python code) and tests (Pull requests that update tests) labels Oct 24, 2024
@vepatel
Contributor Author

vepatel commented Oct 24, 2024

Pod spec generated by test:

k get pods -n nginx-ingress nginx-ingress-54f97f79cd-kjc48 -o yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2024-10-24T15:04:13Z"
  generateName: nginx-ingress-54f97f79cd-
  labels:
    app: nginx-ingress
    app.kubernetes.io/name: nginx-ingress
    app.kubernetes.io/version: 4.0.0
    app.nginx.org/version: 1.25.5-nginx-plus-r32-p1
    appprotect.f5.com/version: 5.3.0
    pod-template-hash: 54f97f79cd
  name: nginx-ingress-54f97f79cd-kjc48
  namespace: nginx-ingress
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: nginx-ingress-54f97f79cd
    uid: ef3ad05a-1052-474a-809c-e063865de5d5
  resourceVersion: "15837894"
  uid: 7b8d3234-623c-47a2-8ab9-b4a511efc32b
spec:
  automountServiceAccountToken: true
  containers:
  - args:
    - -nginx-plus
    - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config
    - -report-ingress-status
    - -external-service=nginx-ingress
    - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
    - -enable-telemetry-reporting=false
    - -enable-app-protect
    env:
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.namespace
    - name: POD_NAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.name
    image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:edge
    imagePullPolicy: IfNotPresent
    name: nginx-plus-ingress
    ports:
    - containerPort: 80
      name: http
      protocol: TCP
    - containerPort: 443
      name: https
      protocol: TCP
    - containerPort: 8081
      name: readiness-port
      protocol: TCP
    - containerPort: 9113
      name: prometheus
      protocol: TCP
    - containerPort: 9114
      name: service-insight
      protocol: TCP
    readinessProbe:
      failureThreshold: 3
      httpGet:
        path: /nginx-ready
        port: readiness-port
        scheme: HTTP
      periodSeconds: 1
      successThreshold: 1
      timeoutSeconds: 1
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        add:
        - NET_BIND_SERVICE
        drop:
        - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 101
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /opt/app_protect/bd_config
      name: app-protect-bd-config
    - mountPath: /opt/app_protect/config
      name: app-protect-config
    - mountPath: /etc/app_protect/bundles
      name: app-protect-bundles
    - mountPath: /etc/nginx
      name: nginx-etc
    - mountPath: /var/log/nginx
      name: nginx-log
    - mountPath: /var/cache/nginx
      name: nginx-cache
    - mountPath: /var/lib/nginx
      name: nginx-lib
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-lxkzr
      readOnly: true
  - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-config-mgr:5.3.0
    imagePullPolicy: IfNotPresent
    name: waf-config-mgr
    resources: {}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - all
      readOnlyRootFilesystem: true
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /opt/app_protect/bd_config
      name: app-protect-bd-config
    - mountPath: /opt/app_protect/config
      name: app-protect-config
    - mountPath: /etc/app_protect/bundles
      name: app-protect-bundles
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-lxkzr
      readOnly: true
  - env:
    - name: ENFORCER_PORT
      value: "50000"
    image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-enforcer:5.3.0
    imagePullPolicy: IfNotPresent
    name: waf-enforcer
    resources: {}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - all
      readOnlyRootFilesystem: true
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /opt/app_protect/bd_config
      name: app-protect-bd-config
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-lxkzr
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  imagePullSecrets:
  - name: regcred
  initContainers:
  - command:
    - cp
    - -vdR
    - /etc/nginx/.
    - /mnt/etc
    image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:edge
    imagePullPolicy: IfNotPresent
    name: init-nginx-ingress
    resources: {}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 101
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /mnt/etc
      name: nginx-etc
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-lxkzr
      readOnly: true
  nodeName: gke-venktesh-test-default-pool-39c70a26-gtwh
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  serviceAccount: nginx-ingress
  serviceAccountName: nginx-ingress
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - emptyDir: {}
    name: app-protect-bd-config
  - emptyDir: {}
    name: app-protect-config
  - emptyDir: {}
    name: app-protect-bundles
  - emptyDir: {}
    name: nginx-etc
  - emptyDir: {}
    name: nginx-log
  - emptyDir: {}
    name: nginx-cache
  - emptyDir: {}
    name: nginx-lib
  - name: kube-api-access-lxkzr
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2024-10-24T15:04:15Z"
    status: "True"
    type: PodReadyToStartContainers
  - lastProbeTime: null
    lastTransitionTime: "2024-10-24T15:04:15Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2024-10-24T15:04:17Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2024-10-24T15:04:17Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2024-10-24T15:04:14Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: containerd://a054d7cb4596481d3f800fffb59600f08d4e7ac2455adc8281f7e56dccf89d78
    image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:edge
    imageID: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress@sha256:a639b72a0ad0156e4140be88f36155cfc6e49d3313c50aa8f640dca9572ba3a5
    lastState: {}
    name: nginx-plus-ingress
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2024-10-24T15:04:15Z"
  - containerID: containerd://1ffbc55eb6d09cc726df1aeff5cc04b0c2f0a047470521eaee82b4950b17080c
    image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-config-mgr:5.3.0
    imageID: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-config-mgr@sha256:518c05da9c967f5fc1a39941f27c0006b4a6b28cb08e94ca2d85b88075fc1cf9
    lastState: {}
    name: waf-config-mgr
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2024-10-24T15:04:15Z"
  - containerID: containerd://4f4ad9f6a405bf82b70c47aee3e231997ad25ee4e080ef2982fa6b241eb7989f
    image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-enforcer:5.3.0
    imageID: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-enforcer@sha256:0115b3e91ee5e0b7fef0470c5afeff101d6ebb7b8c726d81225e9fe8d835d9c9
    lastState: {}
    name: waf-enforcer
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2024-10-24T15:04:15Z"
  hostIP: 10.132.0.72
  hostIPs:
  - ip: 10.132.0.72
  initContainerStatuses:
  - containerID: containerd://ccb36f5f82b9717c480ccddcf2ef6d72a084f0fe867ba7645662811e4e0fc7c4
    image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress:edge
    imageID: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress@sha256:a639b72a0ad0156e4140be88f36155cfc6e49d3313c50aa8f640dca9572ba3a5
    lastState: {}
    name: init-nginx-ingress
    ready: true
    restartCount: 0
    started: false
    state:
      terminated:
        containerID: containerd://ccb36f5f82b9717c480ccddcf2ef6d72a084f0fe867ba7645662811e4e0fc7c4
        exitCode: 0
        finishedAt: "2024-10-24T15:04:14Z"
        reason: Completed
        startedAt: "2024-10-24T15:04:14Z"
  phase: Running
  podIP: 10.112.0.48
  podIPs:
  - ip: 10.112.0.48
  qosClass: Burstable
  startTime: "2024-10-24T15:04:14Z"
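The spec above shows the pattern the new test has to validate: every container, the `init-nginx-ingress` init container included, runs with `readOnlyRootFilesystem: true`, and each path NGINX Plus and the WAF v5 sidecars write to (`/etc/nginx`, `/var/log/nginx`, `/opt/app_protect/bd_config`, ...) is backed by an `emptyDir` mount. The following is an added example, not code from this PR or the project it targets: a small audit over a parsed Pod manifest that checks those properties, run against a constructed two-container pod. `REQUIRED_WRITABLE`, `audit_pod`, `make_container` and `sample_pod` are names introduced here; the writable-path list is an assumption taken from the `volumeMounts` in the posted spec.

```python
# Added example (not code from this PR or its project). REQUIRED_WRITABLE is an
# assumption taken from the volumeMounts in the posted spec.
REQUIRED_WRITABLE = {
    "nginx-plus-ingress": {"/etc/nginx", "/var/log/nginx", "/var/cache/nginx", "/var/lib/nginx",
                           "/opt/app_protect/bd_config", "/opt/app_protect/config",
                           "/etc/app_protect/bundles"},
    "waf-config-mgr": {"/opt/app_protect/bd_config", "/opt/app_protect/config",
                       "/etc/app_protect/bundles"},
    "waf-enforcer": {"/opt/app_protect/bd_config"},
}

def audit_pod(pod):
    """Return findings for a parsed Pod manifest (dict); an empty list means it passes."""
    findings, spec = [], pod["spec"]
    # The init container that seeds /etc/nginx is hardened the same way, so check it too.
    for c in spec.get("initContainers", []) + spec["containers"]:
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        # The spec drops "ALL" in one container and "all" in others: compare case-insensitively.
        if "ALL" not in {x.upper() for x in sc.get("capabilities", {}).get("drop", [])}:
            findings.append(f"{name}: capabilities.drop lacks ALL")
        # With a read-only root, every path the process writes to must be a volume mount.
        mounts = {m["mountPath"] for m in c.get("volumeMounts", [])}
        for path in sorted(REQUIRED_WRITABLE.get(name, set()) - mounts):
            findings.append(f"{name}: {path} is not backed by a volume")
    return findings

def volume_name(path):
    return path.strip("/").replace("/", "-")

def make_container(name, mount_paths, read_only=True):
    """Constructed container entry shaped like those in the posted spec."""
    return {"name": name,
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["all"]},
                                "readOnlyRootFilesystem": read_only},
            "volumeMounts": [{"mountPath": p, "name": volume_name(p)} for p in mount_paths]}

def sample_pod(enforcer_read_only=True, enforcer_mounts=("/opt/app_protect/bd_config",)):
    """Constructed two-container pod; the defaults reproduce the hardened posted spec."""
    nginx_mounts = REQUIRED_WRITABLE["nginx-plus-ingress"]
    return {"spec": {
        "containers": [make_container("nginx-plus-ingress", nginx_mounts),
                       make_container("waf-enforcer", enforcer_mounts, enforcer_read_only)],
        "volumes": [{"name": volume_name(p), "emptyDir": {}}
                    for p in nginx_mounts | set(enforcer_mounts)]}}
```

Feeding it the real object from `kubectl get pod ... -o json` works the same way, since the audit only reads `spec.containers`, `spec.initContainers` and their `securityContext` and `volumeMounts` fields.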

@vepatel vepatel enabled auto-merge (squash) October 25, 2024 08:39
@vepatel vepatel merged commit b078841 into main Oct 31, 2024
79 checks passed
@vepatel vepatel deleted the tests/wafv5-read-only branch October 31, 2024 14:41
@pdabelf5 pdabelf5 added the tests (Pull requests that update tests) label and removed the python (Pull requests that update Python code) and tests (Pull requests that update tests) labels Dec 13, 2024
@pdabelf5 pdabelf5 changed the title add support for readonlyrootfilesystem test for wafv5 Add support for readonlyrootfilesystem test for wafv5 Dec 13, 2024

Successfully merging this pull request may close these issues.

Add integration test to validated WAF v5 with readOnlyRootFilesystem: true
4 participants