From acf8c09a8c58e394a19984fc748a0eb03f038128 Mon Sep 17 00:00:00 2001
From: Christopher Zell
Date: Tue, 30 Apr 2024 14:55:54 +0200
Subject: [PATCH 1/2] test: verify that namespace label get removed

In SaaS we recently introduced a label that indicates to prevent certain actions (security related)
---
 go-chaos/internal/helper_test.go | 11 +++++++++++
 go-chaos/internal/labels_test.go | 18 ++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/go-chaos/internal/helper_test.go b/go-chaos/internal/helper_test.go
index 80ac4332..b9437ec1 100644
--- a/go-chaos/internal/helper_test.go
+++ b/go-chaos/internal/helper_test.go
@@ -133,3 +133,14 @@ func (c K8Client) CreateStatefulSetWithLabelsAndName(t *testing.T, selector *met
 
 	require.NoError(t, err)
 }
+
+func (c *K8Client) createSaaSNamespace(t *testing.T) {
+	namespace := v1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: c.GetCurrentNamespace(),
+			Labels: map[string]string{"pod-security.kubernetes.io/enforce": "true"},
+		},
+	}
+	_, err := c.Clientset.CoreV1().Namespaces().Create(context.TODO(), &namespace, metav1.CreateOptions{})
+	require.NoError(t, err)
+}
diff --git a/go-chaos/internal/labels_test.go b/go-chaos/internal/labels_test.go
index 50693b41..2fcaa291 100644
--- a/go-chaos/internal/labels_test.go
+++ b/go-chaos/internal/labels_test.go
@@ -15,6 +15,9 @@ package internal
 
 import (
+	"context"
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 
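Review bot: The fixture value `"true"` on the `Labels:` line of `createSaaSNamespace` is not a level Pod Security Admission accepts for `pod-security.kubernetes.io/enforce` (the real levels are `privileged`, `baseline` and `restricted`), so the namespace this helper creates does not resemble the SaaS namespace the production code is meant to undo; `"restricted"`, or whatever level SaaS actually applies, would make the test reflect the real state. The helper also takes a pointer receiver `(c *K8Client)` while `CreateStatefulSetWithLabelsAndName` in the hunk header and the production `disableSaaSNamespaceSecurityLabel` use value receivers, so receivers should be made consistent for the type. A one-line doc comment such as `// createSaaSNamespace creates the current namespace carrying the SaaS pod-security enforce label so tests can verify it is removed.` would help readers of the test helpers.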
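Review bot: The three imports added above `"testing"` put the third-party `require` and `metav1` packages into the standard-library group, which goimports would reorder; `"context"` belongs next to `"testing"` and the other two in the blank-line-separated group that already holds `assert`. The same ordering problem appears in the second patch, where `"context"` is inserted in `go-chaos/internal/labels.go` directly above the `k8s.io` imports without a separating blank line.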
@@ -63,3 +66,18 @@ func Test_shouldGetSaasGatewayLabels(t *testing.T) {
 	// then
 	assert.Equal(t, expected, actual, "Labels should be equal")
 }
+
+func Test_shouldRemoveNamespaceLabel(t *testing.T) {
+	// given
+	k8Client := CreateFakeClient()
+	k8Client.createSaaSNamespace(t)
+
+	// when
+	err := k8Client.disableSaaSNamespaceSecurityLabel()
+
+	// then
+	require.NoError(t, err)
+	namespace, err := k8Client.Clientset.CoreV1().Namespaces().Get(context.TODO(), k8Client.GetCurrentNamespace(), metav1.GetOptions{})
+	require.NoError(t, err)
+	assert.Empty(t, namespace.Labels)
+}

From d39f0738f34233b30428a248d56e3f4bd120e6ff Mon Sep 17 00:00:00 2001
From: Christopher Zell
Date: Tue, 30 Apr 2024 14:58:06 +0200
Subject: [PATCH 2/2] fix: disable security enforcement in SaaS per default

In order to make sure that our experiments, actions are successful in SaaS we need to make sure that reconciliation is paused and the security enforcement label is removed from the corresponding target namespace. After doing so we are able to get furhter priviliges, that are needed for actions like putting stress on CPU, network partition, etc.
---
 go-chaos/internal/k8helper.go | 18 ++++++++++++++++++
 go-chaos/internal/labels.go | 14 ++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/go-chaos/internal/k8helper.go b/go-chaos/internal/k8helper.go
index d161c0b1..54f7125c 100644
--- a/go-chaos/internal/k8helper.go
+++ b/go-chaos/internal/k8helper.go
@@ -61,6 +61,10 @@ func createK8Client(settings KubernetesSettings) (K8Client, error) {
 	if client.SaaSEnv {
 		LogVerbose("Running experiment in SaaS environment.")
+		err = prepareSaaSTargetCluster(client)
+		if err != nil {
+			return K8Client{}, err
+		}
 	} else {
 		LogVerbose("Running experiment in self-managed environment.")
 	}
 
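Review bot: The final `assert.Empty(t, namespace.Labels)` cannot distinguish a targeted removal of `pod-security.kubernetes.io/enforce` from the namespace losing every label, because the fixture created by `createSaaSNamespace` in the helper_test.go hunk carries only that one key. Give the fixture a second unrelated label and assert precisely: `assert.NotContains(t, namespace.Labels, "pod-security.kubernetes.io/enforce")` together with an `assert.Contains` for the label that must survive. A second case in which the namespace was never labelled would also show that the production code tolerates a missing key rather than only the happy path.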
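Review bot: Calling `prepareSaaSTargetCluster(client)` from inside `createK8Client` turns pausing reconciliation and stripping the namespace's pod-security enforcement into a side effect of constructing a client, so presumably every command that builds a client in SaaS now lowers the target namespace's security posture, and nothing in this patch series restores it afterwards. Consider triggering the preparation only from the actions that need the extra privileges (the commit message names CPU stress and network partition) and pairing it with a cleanup step. The error on the `return K8Client{}, err` line is also passed up bare; `return K8Client{}, fmt.Errorf("preparing SaaS target cluster: %w", err)` would tell the user which stage of client setup failed (add the `fmt` import if the file lacks it). `createK8Client` begins and ends outside this hunk.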
@@ -68,6 +72,20 @@ func createK8Client(settings KubernetesSettings) (K8Client, error) {
 	return client, nil
 }
 
+func prepareSaaSTargetCluster(client K8Client) error {
+	LogVerbose("Pausing reconciliation preventive.")
+	err := client.PauseReconciliation()
+	if err != nil {
+		return err
+	}
+
+	err = client.disableSaaSNamespaceSecurityLabel()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 func internalCreateClient(settings KubernetesSettings) (K8Client, error) {
 	clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
 		&clientcmd.ClientConfigLoadingRules{ExplicitPath: settings.kubeConfigPath},
diff --git a/go-chaos/internal/labels.go b/go-chaos/internal/labels.go
index 213041cf..2e53cbca 100644
--- a/go-chaos/internal/labels.go
+++ b/go-chaos/internal/labels.go
@@ -15,6 +15,7 @@ package internal
 
 import (
+	"context"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 )
 
@@ -84,3 +85,16 @@ func (c K8Client) getWorkerLabels() string {
 	}
 	return labels.Set(labelSelector.MatchLabels).String()
 }
+
+func (c K8Client) disableSaaSNamespaceSecurityLabel() error {
+	ns, err := c.Clientset.CoreV1().Namespaces().Get(context.TODO(), c.GetCurrentNamespace(), metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+
+	LogVerbose("Removing namespace label: 'pod-security.kubernetes.io/enforce' to allow further privileges.")
+	delete(ns.Labels, "pod-security.kubernetes.io/enforce")
+
+	_, err = c.Clientset.CoreV1().Namespaces().Update(context.TODO(), ns, metav1.UpdateOptions{})
+	return err
+}
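Review bot: When `client.PauseReconciliation()` succeeds and `client.disableSaaSNamespaceSecurityLabel()` then fails, `prepareSaaSTargetCluster` returns with reconciliation left paused, and because both errors are returned bare the caller cannot tell which step broke. Wrap them as `return fmt.Errorf("pausing reconciliation: %w", err)` and `return fmt.Errorf("removing namespace security label: %w", err)` (importing `fmt` if needed), and consider undoing the pause on the second failure so a failed setup does not leave the cluster half-prepared. The second check plus the trailing `return nil` collapses to `return client.disableSaaSNamespaceSecurityLabel()`. A doc comment saying that this function mutates cluster state, pausing the operator and lowering pod-security enforcement on the target namespace, and that nothing reverts it, would be valuable for callers.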
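Review bot: `Update` on the last lines of `disableSaaSNamespaceSecurityLabel` is issued even when `ns.Labels` never contained `pod-security.kubernetes.io/enforce`, producing a write that changes nothing yet can still fail on a resource-version conflict with whatever else edits the namespace, and the Get-then-Update pair is itself racy. Check presence first and skip the write when the key is absent, and run the read-modify-write under `retry.RetryOnConflict` from `k8s.io/client-go/util/retry` (client-go is already a dependency via `clientcmd`). The previous label value is thrown away by `delete`, so nothing downstream can reinstate the namespace's enforcement level; capture it before deleting and at least log it, ideally return it so a cleanup step can restore it. The literal key appears three times across the series (here, the log message and the test fixture) and belongs in one package-level constant.
```go
func (c K8Client) disableSaaSNamespaceSecurityLabel() error {
	return retry.RetryOnConflict(retry.DefaultRetry, func() error {
		ns, err := c.Clientset.CoreV1().Namespaces().Get(context.TODO(), c.GetCurrentNamespace(), metav1.GetOptions{})
		if err != nil {
			return err
		}
		// Skip the write entirely when the label is not present.
		prev, present := ns.Labels["pod-security.kubernetes.io/enforce"]
		if !present {
			return nil
		}
		// Record the previous level so an operator can reinstate it later.
		LogVerbose("Removing namespace label: 'pod-security.kubernetes.io/enforce' (was '" + prev + "') to allow further privileges.")
		delete(ns.Labels, "pod-security.kubernetes.io/enforce")
		_, err = c.Clientset.CoreV1().Namespaces().Update(context.TODO(), ns, metav1.UpdateOptions{})
		return err
	})
}
```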