acccess_control_sys_admin_capability ts: add two positive tcs. (#1042)

* acccess_control_sys_admin_capability ts: add two positive tcs.

These two test cases cover this certsuite fix PR:
redhat-best-practices-for-k8s/certsuite#2352

Without that certsuite fix, the tc
access-control-sys-admin-capability-check failed also when the forbidden
capability SYS_ADMIN was set in the drop list, which is wrong.

These new QE tcs make sure the certsuite tc passes in that scenario.

* Fix typo.

tests/accesscontrol/tests/access_control_sys_admin_capability_check.go

@@ -66,6 +66,40 @@ var _ = Describe("Access-control sys-admin-capability-check,", func() {
 		Expect(err).ToNot(HaveOccurred())
 	})
 
+	It("one deployment, one pod, one container, drop sys admin capability", func() {
+		By("Define deployment with cap sys admin dropped")
+		dep, err := tshelper.DefineDeployment(1, 1, "acdeployment", randomNamespace)
+		Expect(err).ToNot(HaveOccurred())
+
+		deployment.RedefineWithContainersSecurityContextCaps(dep, nil, []string{"SYS_ADMIN"})
+
+		By("Create deployment")
+		err = globalhelper.CreateAndWaitUntilDeploymentIsReady(dep, tsparams.Timeout)
+		Expect(err).ToNot(HaveOccurred())
+
+		By("Ensure all running pods are dropping the SYS_ADMIN cap")
+		runningPods, err := globalhelper.GetListOfPodsInNamespace(randomNamespace)
+		Expect(err).ToNot(HaveOccurred(), "Failed getting list of pods in namespace "+randomNamespace)
+
+		Expect(len(runningPods.Items)).To(Equal(1), "Invalid number of pods in namespace "+randomNamespace)
+
+		pod := &runningPods.Items[0]
+		By("Ensure pod " + pod.Name + " has dropped SYS_ADMIN cap")
+		Expect(pod.Spec.Containers[0].SecurityContext.Capabilities.Drop).To(Equal([]corev1.Capability{"SYS_ADMIN"}))
+
+		By("Start test")
+		err = globalhelper.LaunchTests(
+			tsparams.TestCaseNameAccessControlSysAdminCapability,
+			globalhelper.ConvertSpecNameToFileName(CurrentSpecReport().FullText()), randomReportDir, randomCertsuiteConfigDir)
+		Expect(err).ToNot(HaveOccurred())
+
+		By("Verify test case status in Claim report")
+		err = globalhelper.ValidateIfReportsAreValid(
+			tsparams.TestCaseNameAccessControlSysAdminCapability,
+			globalparameters.TestCasePassed, randomReportDir)
+		Expect(err).ToNot(HaveOccurred())
+	})
+
 	// 63836
 	It("one deployment, one pod, one container, does have sys admin capability [negative]", func() {
 		By("Define deployment with sys admin")
@@ -139,6 +173,51 @@ var _ = Describe("Access-control sys-admin-capability-check,", func() {
 		Expect(err).ToNot(HaveOccurred())
 	})
 
+	It("two deployments, one pod each, one container each, both drop SYS_ADMIN capability", func() {
+		By("Define deployments without sys admin")
+		dep, err := tshelper.DefineDeployment(1, 1, "acdeployment1", randomNamespace)
+		Expect(err).ToNot(HaveOccurred())
+
+		deployment.RedefineWithContainersSecurityContextCaps(dep, nil, []string{"SYS_ADMIN"})
+
+		By("Create deployment 1")
+		err = globalhelper.CreateAndWaitUntilDeploymentIsReady(dep, tsparams.Timeout)
+		Expect(err).ToNot(HaveOccurred())
+
+		dep2, err := tshelper.DefineDeployment(1, 1, "acdeployment2", randomNamespace)
+		Expect(err).ToNot(HaveOccurred())
+
+		deployment.RedefineWithContainersSecurityContextCaps(dep2, nil, []string{"SYS_ADMIN"})
+
+		By("Create deployment 2")
+		err = globalhelper.CreateAndWaitUntilDeploymentIsReady(dep2, tsparams.Timeout)
+		Expect(err).ToNot(HaveOccurred())
+
+		By("Ensure all running pods are dropping the SYS_ADMIN cap")
+		runningPods, err := globalhelper.GetListOfPodsInNamespace(randomNamespace)
+		Expect(err).ToNot(HaveOccurred(), "Failed getting list of pods in namespace "+randomNamespace)
+
+		Expect(len(runningPods.Items)).To(Equal(2), "Invalid number of pods in namespace "+randomNamespace)
+
+		for i := range runningPods.Items {
+			pod := runningPods.Items[i]
+			By("Ensure pod " + pod.Name + " has dropped SYS_ADMIN cap")
+			Expect(pod.Spec.Containers[0].SecurityContext.Capabilities.Drop).To(Equal([]corev1.Capability{"SYS_ADMIN"}))
+		}
+
+		By("Start test")
+		err = globalhelper.LaunchTests(
+			tsparams.TestCaseNameAccessControlSysAdminCapability,
+			globalhelper.ConvertSpecNameToFileName(CurrentSpecReport().FullText()), randomReportDir, randomCertsuiteConfigDir)
+		Expect(err).ToNot(HaveOccurred())
+
+		By("Verify test case status in Claim report")
+		err = globalhelper.ValidateIfReportsAreValid(
+			tsparams.TestCaseNameAccessControlSysAdminCapability,
+			globalparameters.TestCasePassed, randomReportDir)
+		Expect(err).ToNot(HaveOccurred())
+	})
+
 	// 63838
 	It("two deployments, one pod each, one container each, one does have sys admin capability [negative]", func() {
 		By("Define deployments with varying sys admin capabilities")

tests/utils/deployment/deployment.go

@@ -475,6 +475,29 @@ func RedefineWithContainersSecurityContextSysAdmin(deployment *appsv1.Deployment
 	}
 }
 
+func RedefineWithContainersSecurityContextCaps(deployment *appsv1.Deployment, add, drop []string) {
+	var addedCaps, droppedCaps []corev1.Capability
+
+	for _, cap := range add {
+		addedCaps = append(addedCaps, corev1.Capability(cap))
+	}
+
+	for _, cap := range drop {
+		droppedCaps = append(droppedCaps, corev1.Capability(cap))
+	}
+
+	for index := range deployment.Spec.Template.Spec.Containers {
+		deployment.Spec.Template.Spec.Containers[index].SecurityContext = &corev1.SecurityContext{
+			Privileged: ptr.To[bool](true),
+			RunAsUser:  ptr.To[int64](0),
+			Capabilities: &corev1.Capabilities{
+				Add:  addedCaps,
+				Drop: droppedCaps,
+			},
+		}
+	}
+}
+
 func RedefineWithContainersSecurityContextBpf(deployment *appsv1.Deployment) {
 	for index := range deployment.Spec.Template.Spec.Containers {
 		deployment.Spec.Template.Spec.Containers[index].SecurityContext = &corev1.SecurityContext{

tests/utils/deployment/deployment_test.go

@@ -623,6 +623,62 @@ func TestRedefineWithContainersSecurityContextSysAdmin(t *testing.T) {
 	assert.Equal(t, securityContext.Capabilities, deployment.Spec.Template.Spec.Containers[0].SecurityContext.Capabilities)
 }
 
+func TestRedefineWithContainersSecurityContextCaps(t *testing.T) {
+	testCases := []struct {
+		name         string
+		add          []string
+		drop         []string
+		expectedCaps corev1.Capabilities
+	}{
+		{
+			name: "add sys_admin and net_raw",
+			add:  []string{"SYS_ADMIN", "NET_RAW"},
+			drop: nil,
+			expectedCaps: corev1.Capabilities{
+				Add: []corev1.Capability{"SYS_ADMIN", "NET_RAW"},
+			},
+		},
+		{
+			name: "drop sys_admin",
+			add:  nil,
+			drop: []string{"SYS_ADMIN"},
+			expectedCaps: corev1.Capabilities{
+				Drop: []corev1.Capability{"SYS_ADMIN"},
+			},
+		},
+		{
+			name: "add net_raw drop sys_admin",
+			add:  []string{"NET_RAW"},
+			drop: []string{"SYS_ADMIN"},
+			expectedCaps: corev1.Capabilities{
+				Add:  []corev1.Capability{"NET_RAW"},
+				Drop: []corev1.Capability{"SYS_ADMIN"},
+			},
+		},
+		{
+			name: "add net_raw drop all",
+			add:  []string{"NET_RAW"},
+			drop: []string{"ALL"},
+			expectedCaps: corev1.Capabilities{
+				Add:  []corev1.Capability{"NET_RAW"},
+				Drop: []corev1.Capability{"ALL"},
+			},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			deployment := DefineDeployment("test-deployment", "test-namespace", "test-image", map[string]string{"app": "test"})
+			assert.NotNil(t, deployment)
+
+			RedefineWithContainersSecurityContextCaps(deployment, testCase.add, testCase.drop)
+
+			// Assert the container's securityContext's capabilities were set correctly
+			assert.Equal(t, &testCase.expectedCaps, deployment.Spec.Template.Spec.Containers[0].SecurityContext.Capabilities)
+		})
+	}
+}
+
 func TestRedefineWithContainersSecurityContextBpf(t *testing.T) {
 	deployment := DefineDeployment("test-deployment", "test-namespace", "test-image", map[string]string{"app": "test"})
 	securityContext := corev1.SecurityContext{