ci: Add test cases for fsGroup and supplementalGroup fields
Introduce a new test case in the security-context bats file which verifies that the auto-generated policy behaves correctly for a deployment YAML containing `fsGroup` and `supplementalGroups` configuration. Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
This commit is contained in:
parent
d3cd1af593
commit
19d502de76
@ -15,6 +15,7 @@ setup() {
|
|||||||
|
|
||||||
deployment_name="policy-redis-deployment"
|
deployment_name="policy-redis-deployment"
|
||||||
pod_sc_deployment_yaml="${pod_config_dir}/k8s-pod-sc-deployment.yaml"
|
pod_sc_deployment_yaml="${pod_config_dir}/k8s-pod-sc-deployment.yaml"
|
||||||
|
pod_sc_deployment_supplementalgroups_yaml="${pod_config_dir}/k8s-pod-sc-supplementalgroups-deployment.yaml"
|
||||||
pod_sc_nobodyupdate_deployment_yaml="${pod_config_dir}/k8s-pod-sc-nobodyupdate-deployment.yaml"
|
pod_sc_nobodyupdate_deployment_yaml="${pod_config_dir}/k8s-pod-sc-nobodyupdate-deployment.yaml"
|
||||||
pod_sc_layered_deployment_yaml="${pod_config_dir}/k8s-layered-sc-deployment.yaml"
|
pod_sc_layered_deployment_yaml="${pod_config_dir}/k8s-layered-sc-deployment.yaml"
|
||||||
|
|
||||||
@ -24,13 +25,16 @@ setup() {
|
|||||||
policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
|
policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
|
||||||
add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
|
add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
|
||||||
auto_generate_policy "${policy_settings_dir}" "${pod_sc_deployment_yaml}"
|
auto_generate_policy "${policy_settings_dir}" "${pod_sc_deployment_yaml}"
|
||||||
|
auto_generate_policy "${policy_settings_dir}" "${pod_sc_deployment_supplementalgroups_yaml}"
|
||||||
auto_generate_policy "${policy_settings_dir}" "${pod_sc_nobodyupdate_deployment_yaml}"
|
auto_generate_policy "${policy_settings_dir}" "${pod_sc_nobodyupdate_deployment_yaml}"
|
||||||
auto_generate_policy "${policy_settings_dir}" "${pod_sc_layered_deployment_yaml}"
|
auto_generate_policy "${policy_settings_dir}" "${pod_sc_layered_deployment_yaml}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Start each test case with a copy of the correct yaml file.
|
# Start each test case with a copy of the correct yaml file.
|
||||||
incorrect_deployment_yaml="${pod_config_dir}/k8s-layered-sc-deployment-incorrect.yaml"
|
incorrect_deployment_yaml="${pod_config_dir}/k8s-layered-sc-deployment-incorrect.yaml"
|
||||||
|
incorrect_deployment_yaml_supplementalgroups="${pod_config_dir}/k8s-layered-sc-deployment-incorrect-supplementalgroups.yaml"
|
||||||
cp "${pod_sc_layered_deployment_yaml}" "${incorrect_deployment_yaml}"
|
cp "${pod_sc_layered_deployment_yaml}" "${incorrect_deployment_yaml}"
|
||||||
|
cp "${pod_sc_deployment_supplementalgroups_yaml}" "${incorrect_deployment_yaml_supplementalgroups}"
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "Successful sc deployment with auto-generated policy and container image volumes" {
|
@test "Successful sc deployment with auto-generated policy and container image volumes" {
|
||||||
@ -43,6 +47,16 @@ setup() {
|
|||||||
waitForProcess "${wait_time}" "${sleep_time}" "${cmd}"
|
waitForProcess "${wait_time}" "${sleep_time}" "${cmd}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@test "Successful sc with fsGroup/supplementalGroup deployment with auto-generated policy and container image volumes" {
|
||||||
|
# Initiate deployment
|
||||||
|
kubectl apply -f "${pod_sc_deployment_supplementalgroups_yaml}"
|
||||||
|
|
||||||
|
# Wait for the deployment to be created
|
||||||
|
cmd="kubectl rollout status --timeout=1s deployment/${deployment_name} | grep 'successfully rolled out'"
|
||||||
|
info "Waiting for: ${cmd}"
|
||||||
|
waitForProcess "${wait_time}" "${sleep_time}" "${cmd}"
|
||||||
|
}
|
||||||
|
|
||||||
@test "Successful sc deployment with security context choosing another valid user" {
|
@test "Successful sc deployment with security context choosing another valid user" {
|
||||||
# Initiate deployment
|
# Initiate deployment
|
||||||
kubectl apply -f "${pod_sc_nobodyupdate_deployment_yaml}"
|
kubectl apply -f "${pod_sc_nobodyupdate_deployment_yaml}"
|
||||||
@ -64,8 +78,10 @@ setup() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
test_deployment_policy_error() {
|
test_deployment_policy_error() {
|
||||||
|
local yaml=$1
|
||||||
|
|
||||||
# Initiate deployment
|
# Initiate deployment
|
||||||
kubectl apply -f "${incorrect_deployment_yaml}"
|
kubectl apply -f "${yaml}"
|
||||||
|
|
||||||
# Wait for the deployment pod to fail
|
# Wait for the deployment pod to fail
|
||||||
wait_for_blocked_request "CreateContainerRequest" "${deployment_name}"
|
wait_for_blocked_request "CreateContainerRequest" "${deployment_name}"
|
||||||
@ -79,7 +95,16 @@ test_deployment_policy_error() {
|
|||||||
'.spec.template.spec.securityContext.runAsGroup = 0' \
|
'.spec.template.spec.securityContext.runAsGroup = 0' \
|
||||||
"${incorrect_deployment_yaml}"
|
"${incorrect_deployment_yaml}"
|
||||||
|
|
||||||
test_deployment_policy_error
|
test_deployment_policy_error "${incorrect_deployment_yaml}"
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "Policy failure: malicious root group added via supplementalGroups deployment" {
|
||||||
|
# Inject a supplementalGroup of 0 (root) after the policy has been generated
|
||||||
|
yq -i \
|
||||||
|
'.spec.template.spec.securityContext.supplementalGroups += 0' \
|
||||||
|
"${incorrect_deployment_yaml_supplementalgroups}"
|
||||||
|
|
||||||
|
test_deployment_policy_error "${incorrect_deployment_yaml_supplementalgroups}"
|
||||||
}
|
}
|
||||||
|
|
||||||
teardown() {
|
teardown() {
|
||||||
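Review bot: The failure path added in the last hunk only tampers with `supplementalGroups` (`yq -i '.spec.template.spec.securityContext.supplementalGroups += 0'`), so `fsGroup` gets no negative case even though the commit title covers both fields; if the policy does validate `fsGroup` (the title suggests it does), a sibling test that sets it to `0` on the fresh copy made in `setup()` and expects the same blocked `CreateContainerRequest` would close that gap. The positive test in the third hunk only waits for `successfully rolled out`, so a policy that silently dropped the extra groups would still pass; running `id -G` inside the pod and checking for `997 998 999` would pin the intended membership, assuming the redis image ships `id`. `teardown()` starts at the end of this section and its body is outside the view, so I cannot tell whether the new `${incorrect_deployment_yaml_supplementalgroups}` copy is removed there; it should be, since `setup()` recreates it before every test.
```shell
@test "Policy failure: fsGroup changed to root after policy generation" {
    # Tamper with fsGroup after the policy was generated from the pristine yaml
    yq -i \
      '.spec.template.spec.securityContext.fsGroup = 0' \
      "${incorrect_deployment_yaml_supplementalgroups}"

    test_deployment_policy_error "${incorrect_deployment_yaml_supplementalgroups}"
}
```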
|
@ -0,0 +1,43 @@
|
|||||||
|
#
|
||||||
|
# Copyright (c) 2024 Microsoft
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
#
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: policy-redis-deployment
|
||||||
|
labels:
|
||||||
|
app: policyredis
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: policyredis
|
||||||
|
role: master
|
||||||
|
tier: backend
|
||||||
|
replicas: 1
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: policyredis
|
||||||
|
role: master
|
||||||
|
tier: backend
|
||||||
|
spec:
|
||||||
|
terminationGracePeriodSeconds: 0
|
||||||
|
runtimeClassName: kata
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 2000
|
||||||
|
runAsGroup: 2000
|
||||||
|
fsGroup: 997
|
||||||
|
supplementalGroups:
|
||||||
|
- 998
|
||||||
|
- 999
|
||||||
|
containers:
|
||||||
|
- name: master
|
||||||
|
image: quay.io/opstree/redis@sha256:2642c7b07713df6897fa88cbe6db85170690cf3650018ceb2ab16cfa0b4f8d48
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 100Mi
|
||||||
|
ports:
|
||||||
|
- containerPort: 6379
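Review bot: The fixture gives no hint why the GIDs `997`, `998` and `999` were chosen, nor that the bats failure test appends gid `0` to `supplementalGroups` after the policy has been generated, which a maintainer editing these values needs to know before reusing `0` or collapsing the list. I would add, directly above `securityContext:`, `# Non-root GIDs: the policy is generated from these values and the failure test tampers with them afterwards`. Pinning the image by digest rather than tag is the right choice for a policy fixture, presumably because the generated policy is tied to the exact image; keep the digest form when the image is bumped.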
|