github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add RunAsNonRoot test

k3s-v1.15.3
Tim Allclair 2019-05-23 12:23:04 -07:00
parent 1fba88884b
commit 6e78c5bdde
5 changed files with 92 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
test/e2e/common/security_context.go
View File

@ -23,11 +23,14 @@ import (
v1 "k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/uuid" "k8s.io/apimachinery/pkg/util/uuid"
"k8s.io/kubernetes/pkg/kubelet/events"
"k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/framework"
e2elog "k8s.io/kubernetes/test/e2e/framework/log" e2elog "k8s.io/kubernetes/test/e2e/framework/log"
imageutils "k8s.io/kubernetes/test/utils/image" imageutils "k8s.io/kubernetes/test/utils/image"
"k8s.io/utils/pointer"
. "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
) )
var _ = framework.KubeDescribe("Security Context", func() { var _ = framework.KubeDescribe("Security Context", func() {
@ -92,6 +95,69 @@ var _ = framework.KubeDescribe("Security Context", func() {
}) })
}) })
Context("When creating a container with runAsNonRoot", func() {
rootImage := imageutils.GetE2EImage(imageutils.BusyBox)
nonRootImage := imageutils.GetE2EImage(imageutils.BusyBoxUser)
makeNonRootPod := func(podName, image string, userid *int64) *v1.Pod {
return &v1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: podName,
},
Spec: v1.PodSpec{
RestartPolicy: v1.RestartPolicyNever,
Containers: []v1.Container{
{
Image: image,
Name: podName,
Command: []string{"id", "-u"}, // Print UID and exit
SecurityContext: &v1.SecurityContext{
RunAsNonRoot: pointer.BoolPtr(true),
RunAsUser: userid,
},
},
},
},
}
}
It("should run with an explicit non-root user ID", func() {
name := "explicit-nonroot-uid"
pod := makeNonRootPod(name, rootImage, pointer.Int64Ptr(1234))
pod = podClient.Create(pod)
podClient.WaitForSuccess(name, framework.PodStartTimeout)
framework.ExpectNoError(podClient.MatchContainerOutput(name, name, "1234"))
})
It("should not run with an explicit root user ID", func() {
name := "explicit-root-uid"
pod := makeNonRootPod(name, nonRootImage, pointer.Int64Ptr(0))
pod = podClient.Create(pod)
ev, err := podClient.WaitForErrorEventOrSuccess(pod)
framework.ExpectNoError(err)
Expect(ev).NotTo(BeNil())
Expect(ev.Reason).To(Equal(events.FailedToCreateContainer))
})
It("should run with an image specified user ID", func() {
name := "implicit-nonroot-uid"
pod := makeNonRootPod(name, nonRootImage, nil)
pod = podClient.Create(pod)
podClient.WaitForSuccess(name, framework.PodStartTimeout)
framework.ExpectNoError(podClient.MatchContainerOutput(name, name, "1234"))
})
It("should not run without a specified user ID", func() {
name := "implicit-root-uid"
pod := makeNonRootPod(name, rootImage, nil)
pod = podClient.Create(pod)
ev, err := podClient.WaitForErrorEventOrSuccess(pod)
framework.ExpectNoError(err)
Expect(ev).NotTo(BeNil())
Expect(ev.Reason).To(Equal(events.FailedToCreateContainer))
})
})
Context("When creating a pod with readOnlyRootFilesystem", func() { Context("When creating a pod with readOnlyRootFilesystem", func() {
makeUserPod := func(podName, image string, command []string, readOnlyRootFilesystem bool) *v1.Pod { makeUserPod := func(podName, image string, command []string, readOnlyRootFilesystem bool) *v1.Pod {
return &v1.Pod{ return &v1.Pod{

5
test/images/busybox-user/BASEIMAGE Normal file
View File

@ -0,0 +1,5 @@
amd64=busybox
arm=arm32v6/busybox
arm64=arm64v8/busybox
ppc64le=ppc64le/busybox
s390x=s390x/busybox

17
test/images/busybox-user/Dockerfile Normal file
View File

@ -0,0 +1,17 @@
# Copyright 2016 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
FROM BASEIMAGE
USER 1234

1
test/images/busybox-user/VERSION Normal file
View File

@ -0,0 +1 @@
1.0

3
test/utils/image/manifest.go
View File

@ -108,6 +108,8 @@ const (
AuditProxy AuditProxy
// BusyBox image // BusyBox image
BusyBox BusyBox
// BusyBox image with default user 1234
BusyBoxUser
// CheckMetadataConcealment image // CheckMetadataConcealment image
CheckMetadataConcealment CheckMetadataConcealment
// CudaVectorAdd image // CudaVectorAdd image
@ -202,6 +204,7 @@ func initImageConfigs() map[int]Config {
configs[AppArmorLoader] = Config{e2eRegistry, "apparmor-loader", "1.0"} configs[AppArmorLoader] = Config{e2eRegistry, "apparmor-loader", "1.0"}
configs[AuditProxy] = Config{e2eRegistry, "audit-proxy", "1.0"} configs[AuditProxy] = Config{e2eRegistry, "audit-proxy", "1.0"}
configs[BusyBox] = Config{dockerLibraryRegistry, "busybox", "1.29"} configs[BusyBox] = Config{dockerLibraryRegistry, "busybox", "1.29"}
configs[BusyBoxUser] = Config{e2eRegistry, "busybox-user", "1.0"}
configs[CheckMetadataConcealment] = Config{e2eRegistry, "metadata-concealment", "1.2"} configs[CheckMetadataConcealment] = Config{e2eRegistry, "metadata-concealment", "1.2"}
configs[CudaVectorAdd] = Config{e2eRegistry, "cuda-vector-add", "1.0"} configs[CudaVectorAdd] = Config{e2eRegistry, "cuda-vector-add", "1.0"}
configs[CudaVectorAdd2] = Config{e2eRegistry, "cuda-vector-add", "2.0"} configs[CudaVectorAdd2] = Config{e2eRegistry, "cuda-vector-add", "2.0"}