k3s/plugin/pkg/admission/exec/admission_test.go

/*
Copyright 2015 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package exec

import (
	"testing"

	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/kubernetes/pkg/admission"
	"k8s.io/kubernetes/pkg/api"
	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake"
	"k8s.io/kubernetes/pkg/client/testing/core"
	"k8s.io/kubernetes/pkg/genericapiserver/api/rest"
)

func TestAdmission(t *testing.T) {
	privPod := validPod("privileged")
	priv := true
	privPod.Spec.Containers[0].SecurityContext = &api.SecurityContext{
		Privileged: &priv,
	}

	hostPIDPod := validPod("hostPID")
	hostPIDPod.Spec.SecurityContext = &api.PodSecurityContext{}
	hostPIDPod.Spec.SecurityContext.HostPID = true

	hostIPCPod := validPod("hostIPC")
	hostIPCPod.Spec.SecurityContext = &api.PodSecurityContext{}
	hostIPCPod.Spec.SecurityContext.HostIPC = true

	testCases := map[string]struct {
		pod          *api.Pod
		shouldAccept bool
	}{
		"priv": {
			shouldAccept: false,
			pod:          privPod,
		},
		"hostPID": {
			shouldAccept: false,
			pod:          hostPIDPod,
		},
		"hostIPC": {
			shouldAccept: false,
			pod:          hostIPCPod,
		},
		"non privileged": {
			shouldAccept: true,
			pod:          validPod("nonPrivileged"),
		},
	}

	// use the same code as NewDenyEscalatingExec, using the direct object though to allow testAdmission to
	// inject the client
	handler := &denyExec{
		Handler:    admission.NewHandler(admission.Connect),
		hostIPC:    true,
		hostPID:    true,
		privileged: true,
	}

	for _, tc := range testCases {
		testAdmission(t, tc.pod, handler, tc.shouldAccept)
	}

	// run with a permissive config and all cases should pass
	handler.privileged = false
	handler.hostPID = false
	handler.hostIPC = false

	for _, tc := range testCases {
		testAdmission(t, tc.pod, handler, true)
	}

	// run against an init container
	handler = &denyExec{
		Handler:    admission.NewHandler(admission.Connect),
		hostIPC:    true,
		hostPID:    true,
		privileged: true,
	}

	for _, tc := range testCases {
		tc.pod.Spec.InitContainers = tc.pod.Spec.Containers
		tc.pod.Spec.Containers = nil
		testAdmission(t, tc.pod, handler, tc.shouldAccept)
	}

	// run with a permissive config and all cases should pass
	handler.privileged = false
	handler.hostPID = false
	handler.hostIPC = false

	for _, tc := range testCases {
		testAdmission(t, tc.pod, handler, true)
	}
}

func testAdmission(t *testing.T, pod *api.Pod, handler *denyExec, shouldAccept bool) {
	mockClient := &fake.Clientset{}
	mockClient.AddReactor("get", "pods", func(action core.Action) (bool, runtime.Object, error) {
		if action.(core.GetAction).GetName() == pod.Name {
			return true, pod, nil
		}
		t.Errorf("Unexpected API call: %#v", action)
		return true, nil, nil
	})

	handler.client = mockClient

	// pods/exec
	{
		req := &rest.ConnectRequest{Name: pod.Name, ResourcePath: "pods/exec"}
		err := handler.Admit(admission.NewAttributesRecord(req, nil, api.Kind("Pod").WithVersion("version"), "test", "name", api.Resource("pods").WithVersion("version"), "exec", admission.Connect, nil))
		if shouldAccept && err != nil {
			t.Errorf("Unexpected error returned from admission handler: %v", err)
		}
		if !shouldAccept && err == nil {
			t.Errorf("An error was expected from the admission handler. Received nil")
		}
	}

	// pods/attach
	{
		req := &rest.ConnectRequest{Name: pod.Name, ResourcePath: "pods/attach"}
		err := handler.Admit(admission.NewAttributesRecord(req, nil, api.Kind("Pod").WithVersion("version"), "test", "name", api.Resource("pods").WithVersion("version"), "attach", admission.Connect, nil))
		if shouldAccept && err != nil {
			t.Errorf("Unexpected error returned from admission handler: %v", err)
		}
		if !shouldAccept && err == nil {
			t.Errorf("An error was expected from the admission handler. Received nil")
		}
	}
}

// Test to ensure legacy admission controller works as expected.
func TestDenyExecOnPrivileged(t *testing.T) {
	privPod := validPod("privileged")
	priv := true
	privPod.Spec.Containers[0].SecurityContext = &api.SecurityContext{
		Privileged: &priv,
	}

	hostPIDPod := validPod("hostPID")
	hostPIDPod.Spec.SecurityContext = &api.PodSecurityContext{}
	hostPIDPod.Spec.SecurityContext.HostPID = true

	hostIPCPod := validPod("hostIPC")
	hostIPCPod.Spec.SecurityContext = &api.PodSecurityContext{}
	hostIPCPod.Spec.SecurityContext.HostIPC = true

	testCases := map[string]struct {
		pod          *api.Pod
		shouldAccept bool
	}{
		"priv": {
			shouldAccept: false,
			pod:          privPod,
		},
		"hostPID": {
			shouldAccept: true,
			pod:          hostPIDPod,
		},
		"hostIPC": {
			shouldAccept: true,
			pod:          hostIPCPod,
		},
		"non privileged": {
			shouldAccept: true,
			pod:          validPod("nonPrivileged"),
		},
	}

	// use the same code as NewDenyExecOnPrivileged, using the direct object though to allow testAdmission to
	// inject the client
	handler := &denyExec{
		Handler:    admission.NewHandler(admission.Connect),
		hostIPC:    false,
		hostPID:    false,
		privileged: true,
	}
	for _, tc := range testCases {
		testAdmission(t, tc.pod, handler, tc.shouldAccept)
	}

	// test init containers
	for _, tc := range testCases {
		tc.pod.Spec.InitContainers = tc.pod.Spec.Containers
		tc.pod.Spec.Containers = nil
		testAdmission(t, tc.pod, handler, tc.shouldAccept)
	}
}

func validPod(name string) *api.Pod {
	return &api.Pod{
		ObjectMeta: api.ObjectMeta{Name: name, Namespace: "test"},
		Spec: api.PodSpec{
			Containers: []api.Container{
				{Name: "ctr1", Image: "image"},
				{Name: "ctr2", Image: "image2"},
			},
		},
	}
}
pid mode 2015-09-15 16:43:59 +00:00			`/*`
Remove "All rights reserved" from all the headers. 2016-06-03 00:25:58 +00:00			`Copyright 2015 The Kubernetes Authors.`
pid mode 2015-09-15 16:43:59 +00:00
			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

			`package exec`

			`import (`
			`"testing"`

start the apimachinery repo 2017-01-11 14:09:48 +00:00			`"k8s.io/apimachinery/pkg/runtime"`
pid mode 2015-09-15 16:43:59 +00:00			`"k8s.io/kubernetes/pkg/admission"`
			`"k8s.io/kubernetes/pkg/api"`
generate fake client for release_1_2 2016-02-16 22:16:45 +00:00			`"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake"`
replace client with clientset in kubelet and other places 2016-02-01 22:30:47 +00:00			`"k8s.io/kubernetes/pkg/client/testing/core"`
Fix imports 2017-01-17 08:30:30 +00:00			`"k8s.io/kubernetes/pkg/genericapiserver/api/rest"`
pid mode 2015-09-15 16:43:59 +00:00			`)`

			`func TestAdmission(t *testing.T) {`
			`privPod := validPod("privileged")`
			`priv := true`
			`privPod.Spec.Containers[0].SecurityContext = &api.SecurityContext{`
			`Privileged: &priv,`
			`}`

			`hostPIDPod := validPod("hostPID")`
Add PodSecurityContext and backward compatibility tests 2015-09-14 21:56:51 +00:00			`hostPIDPod.Spec.SecurityContext = &api.PodSecurityContext{}`
			`hostPIDPod.Spec.SecurityContext.HostPID = true`
pid mode 2015-09-15 16:43:59 +00:00
Support pods with containers using host ipc Add a HostIPC field to the Pod Spec to create containers sharing the same ipc of the host. This feature must be explicitly enabled in apiserver using the option host-ipc-sources. Signed-off-by: Federico Simoncelli <fsimonce@redhat.com> 2015-08-10 08:14:01 +00:00			`hostIPCPod := validPod("hostIPC")`
Add PodSecurityContext and backward compatibility tests 2015-09-14 21:56:51 +00:00			`hostIPCPod.Spec.SecurityContext = &api.PodSecurityContext{}`
			`hostIPCPod.Spec.SecurityContext.HostIPC = true`
pid mode 2015-09-15 16:43:59 +00:00
			`testCases := map[string]struct {`
			`pod *api.Pod`
			`shouldAccept bool`
			`}{`
			`"priv": {`
			`shouldAccept: false,`
			`pod: privPod,`
			`},`
			`"hostPID": {`
			`shouldAccept: false,`
			`pod: hostPIDPod,`
			`},`
Support pods with containers using host ipc Add a HostIPC field to the Pod Spec to create containers sharing the same ipc of the host. This feature must be explicitly enabled in apiserver using the option host-ipc-sources. Signed-off-by: Federico Simoncelli <fsimonce@redhat.com> 2015-08-10 08:14:01 +00:00			`"hostIPC": {`
			`shouldAccept: false,`
			`pod: hostIPCPod,`
			`},`
pid mode 2015-09-15 16:43:59 +00:00			`"non privileged": {`
			`shouldAccept: true,`
			`pod: validPod("nonPrivileged"),`
			`},`
			`}`

			`// use the same code as NewDenyEscalatingExec, using the direct object though to allow testAdmission to`
			`// inject the client`
			`handler := &denyExec{`
			`Handler: admission.NewHandler(admission.Connect),`
			`hostIPC: true,`
			`hostPID: true,`
			`privileged: true,`
			`}`

			`for _, tc := range testCases {`
			`testAdmission(t, tc.pod, handler, tc.shouldAccept)`
			`}`

			`// run with a permissive config and all cases should pass`
			`handler.privileged = false`
			`handler.hostPID = false`
			`handler.hostIPC = false`

			`for _, tc := range testCases {`
			`testAdmission(t, tc.pod, handler, true)`
			`}`
Add init container support to other admission controllers 2016-05-19 02:32:08 +00:00
			`// run against an init container`
			`handler = &denyExec{`
			`Handler: admission.NewHandler(admission.Connect),`
			`hostIPC: true,`
			`hostPID: true,`
			`privileged: true,`
			`}`

			`for _, tc := range testCases {`
			`tc.pod.Spec.InitContainers = tc.pod.Spec.Containers`
			`tc.pod.Spec.Containers = nil`
			`testAdmission(t, tc.pod, handler, tc.shouldAccept)`
			`}`

			`// run with a permissive config and all cases should pass`
			`handler.privileged = false`
			`handler.hostPID = false`
			`handler.hostIPC = false`

			`for _, tc := range testCases {`
			`testAdmission(t, tc.pod, handler, true)`
			`}`
pid mode 2015-09-15 16:43:59 +00:00			`}`

			`func testAdmission(t testing.T, pod api.Pod, handler *denyExec, shouldAccept bool) {`
replace client with clientset in kubelet and other places 2016-02-01 22:30:47 +00:00			`mockClient := &fake.Clientset{}`
			`mockClient.AddReactor("get", "pods", func(action core.Action) (bool, runtime.Object, error) {`
use fully qualified resource in fake clients actions 2016-04-13 22:33:15 +00:00			`if action.(core.GetAction).GetName() == pod.Name {`
pid mode 2015-09-15 16:43:59 +00:00			`return true, pod, nil`
			`}`
			`t.Errorf("Unexpected API call: %#v", action)`
			`return true, nil, nil`
			`})`

			`handler.client = mockClient`

			`// pods/exec`
			`{`
			`req := &rest.ConnectRequest{Name: pod.Name, ResourcePath: "pods/exec"}`
Change rest storage Update interface to retrieve updated object Add OldObject to admission attributes Update resthandler Patch/Update admission plumbing 2016-04-29 01:21:35 +00:00			`err := handler.Admit(admission.NewAttributesRecord(req, nil, api.Kind("Pod").WithVersion("version"), "test", "name", api.Resource("pods").WithVersion("version"), "exec", admission.Connect, nil))`
pid mode 2015-09-15 16:43:59 +00:00			`if shouldAccept && err != nil {`
			`t.Errorf("Unexpected error returned from admission handler: %v", err)`
			`}`
			`if !shouldAccept && err == nil {`
			`t.Errorf("An error was expected from the admission handler. Received nil")`
			`}`
			`}`

			`// pods/attach`
			`{`
			`req := &rest.ConnectRequest{Name: pod.Name, ResourcePath: "pods/attach"}`
Change rest storage Update interface to retrieve updated object Add OldObject to admission attributes Update resthandler Patch/Update admission plumbing 2016-04-29 01:21:35 +00:00			`err := handler.Admit(admission.NewAttributesRecord(req, nil, api.Kind("Pod").WithVersion("version"), "test", "name", api.Resource("pods").WithVersion("version"), "attach", admission.Connect, nil))`
pid mode 2015-09-15 16:43:59 +00:00			`if shouldAccept && err != nil {`
			`t.Errorf("Unexpected error returned from admission handler: %v", err)`
			`}`
			`if !shouldAccept && err == nil {`
			`t.Errorf("An error was expected from the admission handler. Received nil")`
			`}`
			`}`
			`}`

			`// Test to ensure legacy admission controller works as expected.`
			`func TestDenyExecOnPrivileged(t *testing.T) {`
			`privPod := validPod("privileged")`
			`priv := true`
			`privPod.Spec.Containers[0].SecurityContext = &api.SecurityContext{`
			`Privileged: &priv,`
			`}`

			`hostPIDPod := validPod("hostPID")`
Add PodSecurityContext and backward compatibility tests 2015-09-14 21:56:51 +00:00			`hostPIDPod.Spec.SecurityContext = &api.PodSecurityContext{}`
			`hostPIDPod.Spec.SecurityContext.HostPID = true`
pid mode 2015-09-15 16:43:59 +00:00
Support pods with containers using host ipc Add a HostIPC field to the Pod Spec to create containers sharing the same ipc of the host. This feature must be explicitly enabled in apiserver using the option host-ipc-sources. Signed-off-by: Federico Simoncelli <fsimonce@redhat.com> 2015-08-10 08:14:01 +00:00			`hostIPCPod := validPod("hostIPC")`
Add PodSecurityContext and backward compatibility tests 2015-09-14 21:56:51 +00:00			`hostIPCPod.Spec.SecurityContext = &api.PodSecurityContext{}`
			`hostIPCPod.Spec.SecurityContext.HostIPC = true`
pid mode 2015-09-15 16:43:59 +00:00
			`testCases := map[string]struct {`
			`pod *api.Pod`
			`shouldAccept bool`
			`}{`
			`"priv": {`
			`shouldAccept: false,`
			`pod: privPod,`
			`},`
			`"hostPID": {`
			`shouldAccept: true,`
			`pod: hostPIDPod,`
			`},`
Support pods with containers using host ipc Add a HostIPC field to the Pod Spec to create containers sharing the same ipc of the host. This feature must be explicitly enabled in apiserver using the option host-ipc-sources. Signed-off-by: Federico Simoncelli <fsimonce@redhat.com> 2015-08-10 08:14:01 +00:00			`"hostIPC": {`
			`shouldAccept: true,`
			`pod: hostIPCPod,`
			`},`
pid mode 2015-09-15 16:43:59 +00:00			`"non privileged": {`
			`shouldAccept: true,`
			`pod: validPod("nonPrivileged"),`
			`},`
			`}`

			`// use the same code as NewDenyExecOnPrivileged, using the direct object though to allow testAdmission to`
			`// inject the client`
			`handler := &denyExec{`
			`Handler: admission.NewHandler(admission.Connect),`
			`hostIPC: false,`
			`hostPID: false,`
			`privileged: true,`
			`}`
			`for _, tc := range testCases {`
			`testAdmission(t, tc.pod, handler, tc.shouldAccept)`
			`}`
Add init container support to other admission controllers 2016-05-19 02:32:08 +00:00
			`// test init containers`
			`for _, tc := range testCases {`
			`tc.pod.Spec.InitContainers = tc.pod.Spec.Containers`
			`tc.pod.Spec.Containers = nil`
			`testAdmission(t, tc.pod, handler, tc.shouldAccept)`
			`}`
pid mode 2015-09-15 16:43:59 +00:00			`}`

			`func validPod(name string) *api.Pod {`
			`return &api.Pod{`
			`ObjectMeta: api.ObjectMeta{Name: name, Namespace: "test"},`
			`Spec: api.PodSpec{`
			`Containers: []api.Container{`
			`{Name: "ctr1", Image: "image"},`
			`{Name: "ctr2", Image: "image2"},`
			`},`
			`},`
			`}`
			`}`