ci: Add test cases for fsGroup and supplementalGroup fields

Introduce new test case to the security context bats file which verifies that policy works properly for a deployment yaml containing fsGroup and supplementalGroup configuration. Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2025-07-05 11:36:56 +00:00 · 2025-05-12 23:30:41 +00:00 · 2025-05-12 23:30:41 +00:00 · 19d502de76
commit 19d502de76
parent d3cd1af593
2 changed files with 70 additions and 2 deletions
--- a/tests/integration/kubernetes/k8s-policy-deployment-sc.bats
+++ b/tests/integration/kubernetes/k8s-policy-deployment-sc.bats
@ -15,6 +15,7 @@ setup() {

    deployment_name="policy-redis-deployment"
    pod_sc_deployment_yaml="${pod_config_dir}/k8s-pod-sc-deployment.yaml"
+    pod_sc_deployment_supplementalgroups_yaml="${pod_config_dir}/k8s-pod-sc-supplementalgroups-deployment.yaml"
    pod_sc_nobodyupdate_deployment_yaml="${pod_config_dir}/k8s-pod-sc-nobodyupdate-deployment.yaml"
    pod_sc_layered_deployment_yaml="${pod_config_dir}/k8s-layered-sc-deployment.yaml"

@ -24,13 +25,16 @@ setup() {
        policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
        add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
        auto_generate_policy "${policy_settings_dir}" "${pod_sc_deployment_yaml}"
+        auto_generate_policy "${policy_settings_dir}" "${pod_sc_deployment_supplementalgroups_yaml}"
        auto_generate_policy "${policy_settings_dir}" "${pod_sc_nobodyupdate_deployment_yaml}"
        auto_generate_policy "${policy_settings_dir}" "${pod_sc_layered_deployment_yaml}"
    fi

    # Start each test case with a copy of the correct yaml file.
    incorrect_deployment_yaml="${pod_config_dir}/k8s-layered-sc-deployment-incorrect.yaml"
+    incorrect_deployment_yaml_supplementalgroups="${pod_config_dir}/k8s-layered-sc-deployment-incorrect-supplementalgroups.yaml"
    cp "${pod_sc_layered_deployment_yaml}" "${incorrect_deployment_yaml}"
+    cp "${pod_sc_deployment_supplementalgroups_yaml}" "${incorrect_deployment_yaml_supplementalgroups}"
 }

@test "Successful sc deployment with auto-generated policy and container image volumes" {
@ -43,6 +47,16 @@ setup() {
    waitForProcess "${wait_time}" "${sleep_time}" "${cmd}"
 }

+@test "Successful sc with fsGroup/supplementalGroup deployment with auto-generated policy and container image volumes" {
+    # Initiate deployment
+    kubectl apply -f "${pod_sc_deployment_supplementalgroups_yaml}"
+
+    # Wait for the deployment to be created
+    cmd="kubectl rollout status --timeout=1s deployment/${deployment_name} | grep 'successfully rolled out'"
+    info "Waiting for: ${cmd}"
+    waitForProcess "${wait_time}" "${sleep_time}" "${cmd}"
+}
+
@test "Successful sc deployment with security context choosing another valid user" {
    # Initiate deployment
    kubectl apply -f "${pod_sc_nobodyupdate_deployment_yaml}"
@ -64,8 +78,10 @@ setup() {
 }

 test_deployment_policy_error() {
+    local yaml=$1
+
    # Initiate deployment
-    kubectl apply -f "${incorrect_deployment_yaml}"
+    kubectl apply -f "${yaml}"

    # Wait for the deployment pod to fail
    wait_for_blocked_request "CreateContainerRequest" "${deployment_name}"
@ -79,7 +95,16 @@ test_deployment_policy_error() {
        '.spec.template.spec.securityContext.runAsGroup = 0' \
        "${incorrect_deployment_yaml}"

-    test_deployment_policy_error
+    test_deployment_policy_error "${incorrect_deployment_yaml}"
+}
+
+@test "Policy failure: malicious root group added via supplementalGroups deployment" {
+    # Inject a supplementalGroup of 0 (root) after the policy has been generated
+    yq -i \
+        '.spec.template.spec.securityContext.supplementalGroups += 0' \
+        "${incorrect_deployment_yaml_supplementalgroups}"
+
+    test_deployment_policy_error "${incorrect_deployment_yaml_supplementalgroups}"
 }

 teardown() {
--- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-supplementalgroups-deployment.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-supplementalgroups-deployment.yaml
@ -0,0 +1,43 @@
+#
+# Copyright (c) 2024 Microsoft
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: policy-redis-deployment
+  labels:
+    app: policyredis
+spec:
+  selector:
+    matchLabels:
+      app: policyredis
+      role: master
+      tier: backend
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: policyredis
+        role: master
+        tier: backend
+    spec:
+      terminationGracePeriodSeconds: 0
+      runtimeClassName: kata
+      securityContext:
+        runAsUser: 2000
+        runAsGroup: 2000
+        fsGroup: 997
+        supplementalGroups:
+          - 998
+          - 999
+      containers:
+      - name: master
+        image: quay.io/opstree/redis@sha256:2642c7b07713df6897fa88cbe6db85170690cf3650018ceb2ab16cfa0b4f8d48
+        resources:
+          requests:
+            cpu: 100m
+            memory: 100Mi
+        ports:
+        - containerPort: 6379