
CMP-3806: Check resultserver uses a separate service account with correct security context#1184

Open
taimurhafeez wants to merge 2 commits into
ComplianceAsCode:masterfrom
taimurhafeez:CMP-3806-resultserver-seperate-service-account
Conversation

@taimurhafeez
Collaborator

Supersedes: PR-1033

The test validates that the resultserver pod is created with the correct service account and security context settings.

  1. Extracts expected security context values from the compliance-operator pod:
     - FSGroup (file system group ID)
     - SELinux options (specifically the security level)

  2. Creates a ComplianceSuite with a moderate profile scan targeting master nodes

  3. Waits for the scan to start running, then finds the resultserver pod

  4. Verifies the resultserver pod has the correct ServiceAccount:
     - Expected: resultserver (not default)

  5. Verifies all security context fields match the operator's values:
     - FSGroup: Must match operator's FSGroup
     - RunAsNonRoot: Must be true
     - RunAsUser: Must equal the FSGroup value (run as that user ID)
     - SELinuxOptions.Level: Must match operator's SELinux level
     - SeccompProfile.Type: Must be RuntimeDefault

  6. Waits for the scan to complete successfully

Tested on OCP 4.22:
make e2e-parallel E2E_GO_TEST_FLAGS="-v -run TestResultServerSAAndSecurityContext"

--- PASS: TestResultServerSAAndSecurityContext (150.76s)
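The six checks the description lists, as an added example that is not code from this PR or from the compliance-operator repository: a pure function over minimal local stand-ins for the corev1 PodSpec and PodSecurityContext fields (hypothetical types, not the Kubernetes API structs, so it builds without k8s.io/api), which lets the assertion logic be unit-tested without a cluster. The operator FSGroup and SELinux level used in main are constructed sample values; in the real test they come from the running compliance-operator pod.

```go
package main

import (
	"fmt"
	"strconv"
)

// Hypothetical local stand-ins for the corev1 fields the check reads.
type SELinuxOptions struct{ Level string }
type SeccompProfile struct{ Type string }

type PodSecurityContext struct {
	FSGroup        *int64
	RunAsUser      *int64
	RunAsNonRoot   *bool
	SELinuxOptions *SELinuxOptions
	SeccompProfile *SeccompProfile
}

type PodSpec struct {
	ServiceAccountName string
	SecurityContext    *PodSecurityContext
}

// Expected holds the values derived from the operator pod, as the PR's test does.
type Expected struct {
	ServiceAccount string
	FSGroup        int64
	SELinuxLevel   string
}

func i64p(v int64) *int64 { return &v }
func boolp(v bool) *bool  { return &v }

func i64s(p *int64) string {
	if p == nil {
		return "<nil>"
	}
	return strconv.FormatInt(*p, 10)
}

// ExpectedFromOperator reads FSGroup and the SELinux level from the operator pod
// and pins the expected service account name to "resultserver".
func ExpectedFromOperator(op PodSpec) (Expected, error) {
	sc := op.SecurityContext
	if sc == nil || sc.FSGroup == nil || sc.SELinuxOptions == nil {
		return Expected{}, fmt.Errorf("operator pod lacks FSGroup or SELinuxOptions")
	}
	return Expected{ServiceAccount: "resultserver", FSGroup: *sc.FSGroup, SELinuxLevel: sc.SELinuxOptions.Level}, nil
}

// CheckResultServer applies the checks from the PR description and returns one
// message per mismatch; an empty slice means the resultserver pod passes.
func CheckResultServer(rs PodSpec, want Expected) []string {
	var problems []string
	if rs.ServiceAccountName != want.ServiceAccount {
		problems = append(problems, fmt.Sprintf("serviceAccountName=%q, want %q", rs.ServiceAccountName, want.ServiceAccount))
	}
	sc := rs.SecurityContext
	if sc == nil {
		return append(problems, "pod has no securityContext")
	}
	if sc.FSGroup == nil || *sc.FSGroup != want.FSGroup {
		problems = append(problems, fmt.Sprintf("fsGroup=%s, want %d", i64s(sc.FSGroup), want.FSGroup))
	}
	if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
		problems = append(problems, "runAsNonRoot is not true")
	}
	// The PR requires RunAsUser to equal the operator's FSGroup value.
	if sc.RunAsUser == nil || *sc.RunAsUser != want.FSGroup {
		problems = append(problems, fmt.Sprintf("runAsUser=%s, want %d", i64s(sc.RunAsUser), want.FSGroup))
	}
	if sc.SELinuxOptions == nil || sc.SELinuxOptions.Level != want.SELinuxLevel {
		problems = append(problems, fmt.Sprintf("seLinuxOptions.level mismatch, want %q", want.SELinuxLevel))
	}
	if sc.SeccompProfile == nil || sc.SeccompProfile.Type != "RuntimeDefault" {
		problems = append(problems, "seccompProfile.type is not RuntimeDefault")
	}
	return problems
}

// CompliantResultServer builds a resultserver spec satisfying every check
// (constructed sample used by main and by the tests).
func CompliantResultServer(want Expected) PodSpec {
	return PodSpec{
		ServiceAccountName: want.ServiceAccount,
		SecurityContext: &PodSecurityContext{
			FSGroup:        i64p(want.FSGroup),
			RunAsUser:      i64p(want.FSGroup),
			RunAsNonRoot:   boolp(true),
			SELinuxOptions: &SELinuxOptions{Level: want.SELinuxLevel},
			SeccompProfile: &SeccompProfile{Type: "RuntimeDefault"},
		},
	}
}

func main() {
	// Constructed operator pod values; the real test reads them from the live pod.
	operator := PodSpec{
		ServiceAccountName: "compliance-operator",
		SecurityContext:    &PodSecurityContext{FSGroup: i64p(1000660000), SELinuxOptions: &SELinuxOptions{Level: "s0:c26,c5"}},
	}
	want, err := ExpectedFromOperator(operator)
	if err != nil {
		panic(err)
	}
	fmt.Println("compliant:", CheckResultServer(CompliantResultServer(want), want))
	weak := CompliantResultServer(want)
	weak.ServiceAccountName = "default"
	weak.SecurityContext.RunAsUser = i64p(0)
	fmt.Println("weak:", CheckResultServer(weak, want))
}
```

Returning every mismatch rather than failing on the first one mirrors what a reviewer wants from an e2e failure: a single run shows whether the pod fell back to the default service account, lost the seccomp profile, or drifted from the operator's FSGroup, instead of surfacing one problem per retry.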

xiaojiey and others added 2 commits March 23, 2026 15:26
…ity context settings

Retries if pod hasn't appeared yet after scan reaches RUNNING
@openshift-ci-robot
Collaborator

@taimurhafeez: This pull request references CMP-3806 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci Bot commented Apr 21, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: taimurhafeez

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@github-actions

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1184-4b2302068fd856ebc34d2430e26db47b9cb8ed70

@taimurhafeez
Collaborator Author

/test e2e-aws-parallel

@openshift-ci

openshift-ci Bot commented Apr 28, 2026

@taimurhafeez: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                   Commit   Details  Required  Rerun command
ci/prow/e2e-rosa            4b23020  link     true      /test e2e-rosa
ci/prow/e2e-aws-serial-arm  4b23020  link     true      /test e2e-aws-serial-arm
ci/prow/e2e-aws-parallel    4b23020  link     true      /test e2e-aws-parallel

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
