testkube
Testkube should run as non root
Is your feature request related to a problem? Please describe.
Testkube does not run on OpenShift due to Security Context issues.
Describe the solution you'd like
Run containers in a non-root context for better security and to allow running in a wider variety of Kubernetes clusters.
Describe alternatives you've considered
Adding documentation for editing Security Context Constraints to run as root on a hardened cluster, but this would be a poor solution as it opens a lot of further security concerns.
Other considerations for OpenShift are using routes instead of ingress; however, most OpenShift admins should be able to create routes. The bigger issue is that this framework doesn't work as non-root (the default operating mode for OpenShift).
I have been able to get Testkube running on my own OpenShift cluster, but I had to set the Security Context for testkube-dashboard to run as root and allow both the testkube-dashboard service account and the testkube-mongodb service account to run as privileged (this is not recommended and goes against RedHat OpenShift best practice).
Hey, @Siythrun Thank you a lot. For both a request and suggestion! Will definitely do it
Also currently looking at running Testkube on an Openshift cluster, having it natively run as non-root would be a fantastic feature.
Sure, @mnlawler The number of votes to support Openshift grows every hour :) We have no choice)
Added user to following docker containers:
- https://github.com/kubeshop/testkube/pull/2023
- https://github.com/kubeshop/testkube-executor-postman/pull/41
- https://github.com/kubeshop/testkube-executor-cypress/pull/53
- https://github.com/kubeshop/testkube-executor-curl/pull/40
- https://github.com/kubeshop/testkube-dashboard/pull/393
- https://github.com/kubeshop/testkube-executor-artillery/pull/8
- https://github.com/kubeshop/testkube-executor-soapui/pull/10
- https://github.com/kubeshop/testkube-executor-gradle/pull/6
- https://github.com/kubeshop/testkube-executor-maven/pull/7
- https://github.com/kubeshop/testkube-executor-k6/pull/25
Operator is already rootless.
Mongo needs to be updated to a recent version, as it doesn't work in 11.
blocked by #2067
It would be great to get support for Openshift clusters and have testkube run as non-root, love to benefit from the plugin @vsukhin
Plan to make this faster:
- Make all components non-root, except MongoDB.
- Explain how to deploy or connect to a MongoDB separately.
Hi @Siythrun I was able to install the new version on a recent clean OpenShift cluster based on Google Cloud.
Please follow the instructions on how to do this here: https://kubeshop.github.io/testkube/installing#intallation-on-openshift
Please ping us in case of any issues, closing for now
Hi @exu This link is dead - there is no mention of OpenShift in this document now.
Testkube fails to install by the "testkube init" command and by installing the helm chart manually.
$ testkube init --namespace testkube --no-confirm
WELCOME TO
████████ ███████ ███████ ████████ ██ ██ ██ ██ ██████ ███████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ █████ ███████ ██ █████ ██ ██ ██████ █████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ███████ ███████ ██ ██ ██ ██████ ██████ ███████
/tɛst kjub/ by Kubeshop
Helm installing testkube framework
Installing testkube (error: process error: exit status 1
output: Release "testkube" does not exist. Installing it now.
W0301 16:07:29.183775 234137 warnings.go:70] would violate PodSecurity "restricted:v1.24": unrestricted capabilities (containers "migrate", "create" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or containers "migrate", "create" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Error: failed pre-install: timed out waiting for the condition
)
$ helm install -n testkube testkube kubeshop/testkube --debug
install.go:194: [debug] Original chart version: ""
install.go:211: [debug] CHART PATH: /home/pk/.cache/helm/repository/testkube-1.9.85.tgz
client.go:477: [debug] Starting delete for "testkube-operator-webhook-cert-mgr" ServiceAccount
client.go:133: [debug] creating 1 resource(s)
client.go:477: [debug] Starting delete for "testkube-operator-webhook-cert-mgr" ClusterRole
client.go:133: [debug] creating 1 resource(s)
client.go:477: [debug] Starting delete for "testkube-operator-webhook-cert-mgr" ClusterRoleBinding
client.go:133: [debug] creating 1 resource(s)
client.go:477: [debug] Starting delete for "webhook-cert-create" Job
client.go:133: [debug] creating 1 resource(s)
client.go:703: [debug] Watching for changes to Job webhook-cert-create with timeout of 5m0s
client.go:731: [debug] Add/Modify event for webhook-cert-create: ADDED
client.go:770: [debug] webhook-cert-create: Jobs active: 0, jobs failed: 0, jobs succeeded: 0
Error: INSTALLATION FAILED: failed pre-install: timed out waiting for the condition
helm.go:84: [debug] failed pre-install: timed out waiting for the condition
INSTALLATION FAILED
main.newInstallCmd.func2
helm.sh/helm/v3/cmd/helm/install.go:141
github.com/spf13/cobra.(*Command).execute
github.com/spf13/[email protected]/command.go:916
github.com/spf13/cobra.(*Command).ExecuteC
github.com/spf13/[email protected]/command.go:1044
github.com/spf13/cobra.(*Command).Execute
github.com/spf13/[email protected]/command.go:968
main.main
helm.sh/helm/v3/cmd/helm/helm.go:83
runtime.main
runtime/proc.go:250
runtime.goexit
runtime/asm_amd64.s:1571
$ helm -n testkube status testkube
NAME: testkube
LAST DEPLOYED: Wed Mar 1 16:32:18 2023
NAMESPACE: testkube
STATUS: failed
REVISION: 1
NOTES:
Enjoy testing with Testkube!
@aabedraba @ypoplavs please assist
I've raised a new issue about my problem: https://github.com/kubeshop/testkube/issues/3305
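The PodSecurity "restricted:v1.24" warning in the install log above names two missing settings (capabilities.drop and seccompProfile). As an added example, not part of the thread or of Testkube's code, this checker reports those two plus the runAsNonRoot and allowPrivilegeEscalation requirements of the same Pod Security Standards profile for each container in a pod spec; it covers only this subset of the profile, and the function name, sample specs and image reference are hypothetical.

```python
# Added example: checks a pod spec (as a dict) against the securityContext
# fields that the PodSecurity "restricted" warning in the log complains about.
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def restricted_violations(pod_spec):
    """Return a list of (container_name, problem) tuples for a pod spec dict."""
    pod_sc = pod_spec.get("securityContext") or {}
    problems = []
    containers = (pod_spec.get("initContainers") or []) + (pod_spec.get("containers") or [])
    for c in containers:
        sc = c.get("securityContext") or {}
        name = c.get("name", "<unnamed>")
        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drop:
            problems.append((name, 'capabilities.drop must include "ALL"'))
        # Container-level settings override pod-level ones.
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            problems.append((name, "seccompProfile.type must be RuntimeDefault or Localhost"))
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_non_root is not True:
            problems.append((name, "runAsNonRoot must be true"))
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append((name, "allowPrivilegeEscalation must be false"))
    return problems

# Constructed sample: a Job pod with no securityContext at all.
UNHARDENED = {"containers": [{"name": "create", "image": "registry.example/certgen:placeholder"}]}

# Constructed sample: the same pod with the restricted-profile fields set.
HARDENED = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "create",
        "image": "registry.example/certgen:placeholder",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

if __name__ == "__main__":
    for label, spec in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        found = restricted_violations(spec)
        print(label, "OK" if not found else found)
```

To check a rendered chart, feed it the `spec.template.spec` of each Job or Deployment from the manifest after loading it into a dict.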