From c4e0ede58bce5d17076f4c13c6c08a509d1fd8e1 Mon Sep 17 00:00:00 2001
From: Mayank Kumar
Date: Fri, 8 Mar 2019 00:10:35 -0800
Subject: [PATCH] add missing psp e2e tests for runasgroup
---
 test/e2e/auth/pod_security_policy.go | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/test/e2e/auth/pod_security_policy.go b/test/e2e/auth/pod_security_policy.go
index 326fc33852..0423e2bad3 100644
--- a/test/e2e/auth/pod_security_policy.go
+++ b/test/e2e/auth/pod_security_policy.go
@@ -40,6 +40,8 @@ import (
 . "github.com/onsi/gomega"
 )
+const nobodyUser = int64(65534)
+
 var _ = SIGDescribe("PodSecurityPolicy", func() {
 f := framework.NewDefaultFramework("podsecuritypolicy")
 f.SkipPrivilegedPSPBinding = true
@@ -186,6 +188,21 @@ func testPrivilegedPods(tester func(pod *v1.Pod)) {
 sysadmin.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = nil
 tester(sysadmin)
 })
+
+ By("Running a RunAsGroup pod", func() { sysadmin := restrictedPod("runasgroup") gid := int64(0) sysadmin.Spec.Containers[0].SecurityContext.RunAsGroup = &gid tester(sysadmin) })
+
+ By("Running a RunAsUser pod", func() { sysadmin := restrictedPod("runasuser") uid := int64(0) sysadmin.Spec.Containers[0].SecurityContext.RunAsUser = &uid tester(sysadmin) })
+
 }
 // createAndBindPSP creates a PSP in the policy API group.
@@ -244,7 +261,8 @@ func restrictedPod(name string) *v1.Pod {
 Image: imageutils.GetPauseImageName(),
 SecurityContext: &v1.SecurityContext{
 AllowPrivilegeEscalation: boolPtr(false),
- RunAsUser: utilpointer.Int64Ptr(65534),
+ RunAsUser: utilpointer.Int64Ptr(nobodyUser),
+ RunAsGroup: utilpointer.Int64Ptr(nobodyUser),
 },
 }},
 },
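Review bot: `nobodyUser` is introduced here without a doc comment and is then used as a GID as well as a UID — `RunAsGroup: utilpointer.Int64Ptr(nobodyUser)` in the restrictedPod hunk and `{Min: nobodyUser, Max: nobodyUser}` in the restrictedPSP hunk — so the name undersells what it means. Either rename it (something like `nobodyID`) or keep the name and document it: `// nobodyUser is the UID and GID of the unprivileged "nobody" account (65534); restrictedPod runs as it and restrictedPSP pins RunAsGroup to it.` If a named constant for root (value 0) were added alongside it, the two new test pods in the testPrivilegedPods hunk could use it instead of bare `int64(0)` literals, making the "run as root" intent explicit.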
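Review bot: Both new By blocks keep the local name `sysadmin` for what is the restricted pod with only RunAsGroup or RunAsUser set to 0, which misleads a reader about what is exercised; `pod := restrictedPod("runasgroup")` (and likewise for "runasuser") would read better, and the By text could state the value, e.g. `By("Running a pod with RunAsGroup 0", ...)`. The RunAsUser case overrides the `RunAsUser: nobodyUser` that restrictedPod already sets, so the new cases distinguish only root from the nobody ID; a GID that is neither 0 nor 65534 is not covered and would be a useful third case for the single-value MustRunAs range added to restrictedPSP. If the cluster under test has RunAsGroup support disabled, the field may not reach the policy check the way these cases assume — worth confirming how the `tester` callback reports that rather than treating it as a rejection. testPrivilegedPods begins outside this hunk.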
@@ -270,6 +288,9 @@ func privilegedPSP(name string) *policy.PodSecurityPolicy {
 RunAsUser: policy.RunAsUserStrategyOptions{
 Rule: policy.RunAsUserStrategyRunAsAny,
 },
+ RunAsGroup: &policy.RunAsGroupStrategyOptions{
+ Rule: policy.RunAsGroupStrategyRunAsAny,
+ },
 SELinux: policy.SELinuxStrategyOptions{
 Rule: policy.SELinuxStrategyRunAsAny,
 },
@@ -325,6 +346,11 @@ func restrictedPSP(name string) *policy.PodSecurityPolicy {
 RunAsUser: policy.RunAsUserStrategyOptions{
 Rule: policy.RunAsUserStrategyMustRunAsNonRoot,
 },
+ RunAsGroup: &policy.RunAsGroupStrategyOptions{
+ Rule: policy.RunAsGroupStrategyMustRunAs,
+ Ranges: []policy.IDRange{
+ {Min: nobodyUser, Max: nobodyUser}},
+ },
 SELinux: policy.SELinuxStrategyOptions{
 Rule: policy.SELinuxStrategyRunAsAny,
 },
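Review bot: restrictedPSP now pins RunAsGroup to the single GID 65534 with `RunAsGroupStrategyMustRunAs`, while the RunAsUser rule directly above it is `MustRunAsNonRoot`; the asymmetry is forced by the API (the group strategy has no non-root variant), but nothing in the code says so and a reader may take the one-value range for an oversight. Add a why-comment above the new block: `// Groups have no MustRunAsNonRoot strategy, so pin the GID to the nobody range; this also rejects RunAsGroup 0.` The element line `{Min: nobodyUser, Max: nobodyUser}},` also closes the `Ranges` slice on the same line; moving that closing `},` onto its own line matches how the neighbouring strategy options in this hunk are laid out. The privilegedPSP hunk above needs no change — its `RunAsAny` rule is consistent with the rest of that policy.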