mirror of https://github.com/k3s-io/k3s
Kubernetes Prow Robot
GitHub
commit
51336deb4a
|
|
@ -23,11 +23,14 @@ import (
|
|||
v1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/uuid"
|
||||
"k8s.io/kubernetes/pkg/kubelet/events"
|
||||
"k8s.io/kubernetes/test/e2e/framework"
|
||||
e2elog "k8s.io/kubernetes/test/e2e/framework/log"
|
||||
imageutils "k8s.io/kubernetes/test/utils/image"
|
||||
"k8s.io/utils/pointer"
|
||||
|
||||
. "github.com/onsi/ginkgo"
|
||||
. "github.com/onsi/gomega"
|
||||
)
|
||||
|
||||
var _ = framework.KubeDescribe("Security Context", func() {
|
||||
|
|
@ -92,6 +95,69 @@ var _ = framework.KubeDescribe("Security Context", func() {
|
|||
})
|
||||
})
|
||||
|
||||
Context("When creating a container with runAsNonRoot", func() {
|
||||
rootImage := imageutils.GetE2EImage(imageutils.BusyBox)
|
||||
nonRootImage := imageutils.GetE2EImage(imageutils.NonRoot)
|
||||
makeNonRootPod := func(podName, image string, userid *int64) *v1.Pod {
|
||||
return &v1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: podName,
|
||||
},
|
||||
Spec: v1.PodSpec{
|
||||
RestartPolicy: v1.RestartPolicyNever,
|
||||
Containers: []v1.Container{
|
||||
{
|
||||
Image: image,
|
||||
Name: podName,
|
||||
Command: []string{"id", "-u"}, // Print UID and exit
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
RunAsNonRoot: pointer.BoolPtr(true),
|
||||
RunAsUser: userid,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
It("should run with an explicit non-root user ID", func() {
|
||||
name := "explicit-nonroot-uid"
|
||||
pod := makeNonRootPod(name, rootImage, pointer.Int64Ptr(1234))
|
||||
pod = podClient.Create(pod)
|
||||
|
||||
podClient.WaitForSuccess(name, framework.PodStartTimeout)
|
||||
framework.ExpectNoError(podClient.MatchContainerOutput(name, name, "1234"))
|
||||
})
|
||||
It("should not run with an explicit root user ID", func() {
|
||||
name := "explicit-root-uid"
|
||||
pod := makeNonRootPod(name, nonRootImage, pointer.Int64Ptr(0))
|
||||
pod = podClient.Create(pod)
|
||||
|
||||
ev, err := podClient.WaitForErrorEventOrSuccess(pod)
|
||||
framework.ExpectNoError(err)
|
||||
Expect(ev).NotTo(BeNil())
|
||||
Expect(ev.Reason).To(Equal(events.FailedToCreateContainer))
|
||||
})
|
||||
It("should run with an image specified user ID", func() {
|
||||
name := "implicit-nonroot-uid"
|
||||
pod := makeNonRootPod(name, nonRootImage, nil)
|
||||
pod = podClient.Create(pod)
|
||||
|
||||
podClient.WaitForSuccess(name, framework.PodStartTimeout)
|
||||
framework.ExpectNoError(podClient.MatchContainerOutput(name, name, "1234"))
|
||||
})
|
||||
It("should not run without a specified user ID", func() {
|
||||
name := "implicit-root-uid"
|
||||
pod := makeNonRootPod(name, rootImage, nil)
|
||||
pod = podClient.Create(pod)
|
||||
|
||||
ev, err := podClient.WaitForErrorEventOrSuccess(pod)
|
||||
framework.ExpectNoError(err)
|
||||
Expect(ev).NotTo(BeNil())
|
||||
Expect(ev.Reason).To(Equal(events.FailedToCreateContainer))
|
||||
})
|
||||
})
|
||||
|
||||
Context("When creating a pod with readOnlyRootFilesystem", func() {
|
||||
makeUserPod := func(podName, image string, command []string, readOnlyRootFilesystem bool) *v1.Pod {
|
||||
return &v1.Pod{
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
# Copyright 2019 The Kubernetes Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
FROM k8s.gcr.io/debian-base:v1.0.0
|
||||
|
||||
USER 1234
|
||||
|
|
@ -0,0 +1 @@
|
|||
1.0
|
||||
|
|
@ -162,6 +162,8 @@ const (
|
|||
NginxNew
|
||||
// Nonewprivs image
|
||||
Nonewprivs
|
||||
// NonRoot runs with a default user of 1234
|
||||
NonRoot
|
||||
// NoSnatTest image
|
||||
NoSnatTest
|
||||
// NoSnatTestProxy image
|
||||
|
|
@ -229,6 +231,7 @@ func initImageConfigs() map[int]Config {
|
|||
configs[Nginx] = Config{dockerLibraryRegistry, "nginx", "1.14-alpine"}
|
||||
configs[NginxNew] = Config{dockerLibraryRegistry, "nginx", "1.15-alpine"}
|
||||
configs[Nonewprivs] = Config{e2eRegistry, "nonewprivs", "1.0"}
|
||||
configs[NonRoot] = Config{e2eRegistry, "nonroot", "1.0"}
|
||||
configs[NoSnatTest] = Config{e2eRegistry, "no-snat-test", "1.0"}
|
||||
configs[NoSnatTestProxy] = Config{e2eRegistry, "no-snat-test-proxy", "1.0"}
|
||||
// Pause - when these values are updated, also update cmd/kubelet/app/options/container_runtime.go
|
||||
|
|
|
|||
Loading…
Reference in New Issue