UPSTREAM: <carry>: (aws) Make workload pod explicity unprivileged

[chiragkyal]

Summary by CodeRabbit

• Tests
  • Hardened Kubernetes security in test environments: namespace policy enforce=restricted; audit/warn=baseline.
  • Updated test Pods/containers to run as non-root with specific runAsUser/group/fsGroup, seccompProfile RuntimeDefault, no privilege escalation, and all capabilities dropped.
  • Made secrets-store CSI volume and mount read-only in tests.
  • Adjusted provider installation tests to skip installing the secrets-store CSI driver via the chart.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[chiragkyal]

/test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: chiragkyal
Once this PR has been reviewed and has the lgtm label, please assign arkadeepsen for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[chiragkyal]

/test all

[openshift-ci]

@chiragkyal: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify-commits	a1c799a	link	true	/test verify-commits
ci/prow/e2e-aws	a1c799a	link	true	/test e2e-aws
ci/prow/e2e-gcp	a1c799a	link	true	/test e2e-gcp

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[chiragkyal]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Walkthrough

Updates test files to comply with restricted Pod Security standards and harden the AWS basic mount test manifest. The Helm install test disables secrets-store-csi-driver installation via an added value. The test Pod and container gain explicit securityContext settings and read-only mounts/volumes.

Changes

Cohort / File(s)	Summary of changes
Pod Security policy and provider install test test/bats/aws.bats	Switch namespace pod-security labels to enforce=restricted and audit/warn=baseline; keep overwrite. Add Helm flag --set "secrets-store-csi-driver.install=false" to the provider install test.
AWS BasicTestMount security hardening test/bats/tests/aws/BasicTestMount.yaml	Add Pod-level securityContext (runAsNonRoot, runAsUser=1000, runAsGroup=3000, fsGroup=2000, seccompProfile=RuntimeDefault). Add container securityContext (no privilege escalation, drop ALL caps, runAsNonRoot, runAsUser=1000, seccompProfile=RuntimeDefault). Mark volumeMount and CSI volume as readOnly.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

test/bats/tests/aws/BasicTestMount.yaml (1)

21-29: Add readOnlyRootFilesystem and consider trimming duplicates.

• Add readOnlyRootFilesystem for extra defense.
• Container-level seccomp/runAsNonRoot duplicate pod defaults; optional to drop to reduce drift.

     securityContext:
       allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
       capabilities:
         drop:
           - ALL
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
+      # Inherit pod-level runAs* and seccomp (optional simplification)

test/bats/aws.bats (2)

54-54: Align audit/warn to restricted for consistency.

Enforce is restricted but audit/warn are baseline. Consider matching all three to restricted to surface relevant warnings.

-run kubectl label ns $NAMESPACE security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=restricted pod-security.kubernetes.io/audit=baseline pod-security.kubernetes.io/warn=baseline --overwrite
+run kubectl label ns $NAMESPACE security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=restricted pod-security.kubernetes.io/audit=restricted pod-security.kubernetes.io/warn=restricted --overwrite

---

146-146: Await Secrets Store CSI Driver readiness after disabling its installation
Add a kubectl -n $CSI_DRIVER_INSTALLED_NAMESPACE rollout status ds/secrets-store-csi-driver --timeout=150s after setting secrets-store-csi-driver.install=false to prevent race conditions.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge Base: Disabled due to Reviews > Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between ed594b7 and a1c799a.

📒 Files selected for processing (2)

• test/bats/aws.bats (2 hunks)
• test/bats/tests/aws/BasicTestMount.yaml (1 hunks)

🔇 Additional comments (1)

test/bats/tests/aws/BasicTestMount.yaml (1)

7-13: Good hardening for restricted PSS.

Pod-level defaults (runAsNonRoot, runAsUser/Group, fsGroup, seccomp=RuntimeDefault) are appropriate. No blockers.