Merge pull request #11077 from microsoft/cameronbaird/address-gid-mismatch

genpolicy: Align GID behavior with CRI and enable GID policy checks.
2025-09-26 03:03:52 +00:00 · 2025-04-29 22:23:23 +01:00
parent 19371e2d3b 70ef0376fb
commit 46af7cf817
27 changed files with 1424 additions and 126 deletions
--- a/tests/integration/kubernetes/k8s-policy-deployment-sc.bats
+++ b/tests/integration/kubernetes/k8s-policy-deployment-sc.bats
@@ -0,0 +1,103 @@
+#!/usr/bin/env bats
+#
+# Copyright (c) 2024 Microsoft.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+load "${BATS_TEST_DIRNAME}/../../common.bash"
+load "${BATS_TEST_DIRNAME}/tests_common.sh"
+
+setup() {
+    auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
+
+    get_pod_config_dir
+
+    deployment_name="policy-redis-deployment"
+    pod_sc_deployment_yaml="${pod_config_dir}/k8s-pod-sc-deployment.yaml"
+    pod_sc_nobodyupdate_deployment_yaml="${pod_config_dir}/k8s-pod-sc-nobodyupdate-deployment.yaml"
+    pod_sc_layered_deployment_yaml="${pod_config_dir}/k8s-layered-sc-deployment.yaml"
+
+    # Save some time by executing genpolicy a single time.
+    if [ "${BATS_TEST_NUMBER}" == "1" ]; then
+        # Add an appropriate policy to the correct YAML file.
+        policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+        add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
+        auto_generate_policy "${policy_settings_dir}" "${pod_sc_deployment_yaml}"
+        auto_generate_policy "${policy_settings_dir}" "${pod_sc_nobodyupdate_deployment_yaml}"
+        auto_generate_policy "${policy_settings_dir}" "${pod_sc_layered_deployment_yaml}"
+    fi
+
+    # Start each test case with a copy of the correct yaml file.
+    incorrect_deployment_yaml="${pod_config_dir}/k8s-layered-sc-deployment-incorrect.yaml"
+    cp "${pod_sc_layered_deployment_yaml}" "${incorrect_deployment_yaml}"
+}
+
+@test "Successful sc deployment with auto-generated policy and container image volumes" {
+    # Initiate deployment
+    kubectl apply -f "${pod_sc_deployment_yaml}"
+
+    # Wait for the deployment to be created
+    cmd="kubectl rollout status --timeout=1s deployment/${deployment_name} | grep 'successfully rolled out'"
+    info "Waiting for: ${cmd}"
+    waitForProcess "${wait_time}" "${sleep_time}" "${cmd}"
+}
+
+@test "Successful sc deployment with security context choosing another valid user" {
+    # Initiate deployment
+    kubectl apply -f "${pod_sc_nobodyupdate_deployment_yaml}"
+
+    # Wait for the deployment to be created
+    cmd="kubectl rollout status --timeout=1s deployment/${deployment_name} | grep 'successfully rolled out'"
+    info "Waiting for: ${cmd}"
+    waitForProcess "${wait_time}" "${sleep_time}" "${cmd}"
+}
+
+@test "Successful layered sc deployment with auto-generated policy and container image volumes" {
+    # Initiate deployment
+    kubectl apply -f "${pod_sc_layered_deployment_yaml}"
+
+    # Wait for the deployment to be created
+    cmd="kubectl rollout status --timeout=1s deployment/${deployment_name} | grep 'successfully rolled out'"
+    info "Waiting for: ${cmd}"
+    waitForProcess "${wait_time}" "${sleep_time}" "${cmd}"
+}
+
+test_deployment_policy_error() {
+    # Initiate deployment
+    kubectl apply -f "${incorrect_deployment_yaml}"
+
+    # Wait for the deployment pod to fail
+    wait_for_blocked_request "CreateContainerRequest" "${deployment_name}"
+}
+
+@test "Policy failure: unexpected GID = 0 for layered securityContext deployment" {
+    # Change the pod GID to 0 after the policy has been generated using a different
+    # runAsGroup value. The policy would use GID = 0 by default, if there weren't
+    # a different runAsGroup value in the YAML file.
+    yq -i \
+        '.spec.template.spec.securityContext.runAsGroup = 0' \
+        "${incorrect_deployment_yaml}"
+
+    test_deployment_policy_error
+}
+
+teardown() {
+    auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
+
+    # Pod debugging information. Don't print the "Message:" line because it contains a truncated policy log.
+    info "Pod ${deployment_name}:"
+    kubectl describe pod "${deployment_name}" | grep -v "Message:"
+
+    # Deployment debugging information. The --watch=false argument makes "kubectl rollout status"
+    # return instead of waiting for a possibly failed deployment to complete.
+    info "Deployment ${deployment_name}:"
+    kubectl describe deployment "${deployment_name}"
+    kubectl rollout status deployment/${deployment_name} --watch=false
+
+    # Clean-up
+    kubectl delete deployment "${deployment_name}"
+
+    delete_tmp_policy_settings_dir "${policy_settings_dir}"
+    rm -f "${incorrect_deployment_yaml}"
+}
--- a/tests/integration/kubernetes/run_kubernetes_tests.sh
+++ b/tests/integration/kubernetes/run_kubernetes_tests.sh
@@ -74,6 +74,7 @@ else
 		"k8s-pod-quota.bats" \
 		"k8s-policy-hard-coded.bats" \
 		"k8s-policy-deployment.bats" \
+		"k8s-policy-deployment-sc.bats" \
 		"k8s-policy-job.bats" \
 		"k8s-policy-logs.bats" \
 		"k8s-policy-pod.bats" \
--- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-layered-sc-deployment.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-layered-sc-deployment.yaml
@@ -0,0 +1,41 @@
+#
+# Copyright (c) 2024 Microsoft
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: policy-redis-deployment
+  labels:
+    app: policyredis
+spec:
+  selector:
+    matchLabels:
+      app: policyredis
+      role: master
+      tier: backend
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: policyredis
+        role: master
+        tier: backend
+    spec:
+      terminationGracePeriodSeconds: 0
+      runtimeClassName: kata
+      securityContext:
+        runAsUser: 2000
+        runAsGroup: 2000
+      containers:
+      - name: master
+        image: quay.io/opstree/redis@sha256:2642c7b07713df6897fa88cbe6db85170690cf3650018ceb2ab16cfa0b4f8d48
+        securityContext:
+          runAsUser: 3000
+        resources:
+          requests:
+            cpu: 100m
+            memory: 100Mi
+        ports:
+        - containerPort: 6379
--- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-deployment.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-deployment.yaml
@@ -0,0 +1,39 @@
+#
+# Copyright (c) 2024 Microsoft
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: policy-redis-deployment
+  labels:
+    app: policyredis
+spec:
+  selector:
+    matchLabels:
+      app: policyredis
+      role: master
+      tier: backend
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: policyredis
+        role: master
+        tier: backend
+    spec:
+      terminationGracePeriodSeconds: 0
+      runtimeClassName: kata
+      securityContext:
+        runAsUser: 2000
+        runAsGroup: 2000
+      containers:
+      - name: master
+        image: quay.io/opstree/redis@sha256:2642c7b07713df6897fa88cbe6db85170690cf3650018ceb2ab16cfa0b4f8d48
+        resources:
+          requests:
+            cpu: 100m
+            memory: 100Mi
+        ports:
+        - containerPort: 6379
--- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-nobodyupdate-deployment.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-nobodyupdate-deployment.yaml
@@ -0,0 +1,38 @@
+#
+# Copyright (c) 2024 Microsoft
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: policy-redis-deployment
+  labels:
+    app: policyredis
+spec:
+  selector:
+    matchLabels:
+      app: policyredis
+      role: master
+      tier: backend
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: policyredis
+        role: master
+        tier: backend
+    spec:
+      terminationGracePeriodSeconds: 0
+      runtimeClassName: kata
+      securityContext:
+        runAsUser: 65534
+      containers:
+      - name: master
+        image: quay.io/opstree/redis@sha256:2642c7b07713df6897fa88cbe6db85170690cf3650018ceb2ab16cfa0b4f8d48
+        resources:
+          requests:
+            cpu: 100m
+            memory: 100Mi
+        ports:
+        - containerPort: 6379
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@@ -116,6 +116,15 @@ adapt_common_policy_settings_for_cbl_mariner() {
 	true
 }

+# adapt common policy settings for guest-pull Hosts
+# see issue https://github.com/kata-containers/kata-containers/issues/11162
+adapt_common_policy_settings_for_guest_pull() {
+	local settings_dir=$1
+
+	info "Adapting common policy settings for guest-pull environment"
+	jq '.cluster_config.guest_pull = true' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
+}
+
 # adapt common policy settings for various platforms
 adapt_common_policy_settings() {
 	local settings_dir=$1
@@ -143,6 +152,12 @@ adapt_common_policy_settings() {
 			adapt_common_policy_settings_for_cbl_mariner "${settings_dir}"
 			;;
 	esac
+
+	case "${PULL_TYPE}" in
+		"guest-pull")
+			adapt_common_policy_settings_for_guest_pull "${settings_dir}"
+			;;
+	esac
 }

 # If auto-generated policy testing is enabled, make a copy of the genpolicy settings,