tests: k8s-policy-rc: add unexpected UID test

Change pod runAsUser value of a Replication Controller after generating the RC's policy, and verify that the RC pods get rejected due to this change. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-08-30 14:25:43 +00:00 · 2024-09-13 03:06:03 +00:00 · 2024-09-13 03:06:03 +00:00 · 5777869cf4
commit 5777869cf4
parent 6773f14667
2 changed files with 26 additions and 14 deletions
--- a/tests/integration/kubernetes/k8s-policy-rc.bats
+++ b/tests/integration/kubernetes/k8s-policy-rc.bats
@ -61,17 +61,18 @@ test_rc_policy() {
        --output=jsonpath='{.spec.replicas}')
    [ "${number_of_replicas}" -gt 0 ]

-    # The replicas pods can be in running, waiting, succeeded or failed
-    # status. We need them all on running state before proceeding.
-    cmd="kubectl describe rc ${replication_name}"
-    cmd+=" | grep \"Pods Status\" | grep \"${number_of_replicas} Running\""
-    info "Waiting for: ${cmd}"
-    waitForProcess "$wait_time" "$sleep_time" "$cmd"
+    # Wait for all the expected pods to be created.
+    local count=0
+    local launched_pods=()
+    while [ $count -lt 6 ] && [ "${#launched_pods[@]}" -ne "${number_of_replicas}" ]; do
+        count=$((count + 1))
+        sleep 10
+        launched_pods=($(kubectl get pods "--selector=app=${app_name}" \
+            --output=jsonpath={.items..metadata.name}))
+    done

    # Check that the number of pods created for the replication controller
    # is equal to the number of replicas that we defined.
-    launched_pods=($(kubectl get pods "--selector=app=${app_name}" \
-        --output=jsonpath={.items..metadata.name}))
    [ "${#launched_pods[@]}" -eq "${number_of_replicas}" ]

    # Check pod creation
@ -110,13 +111,13 @@ test_rc_policy() {

@test "Policy failure: unexpected host device mapping" {
    # Changing the template spec after generating its policy will cause CreateContainer to be denied.
-  yq -i \
-      '.spec.template.spec.containers[0].volumeMounts += [{"mountPath": "/dev/ttyS0", "name": "dev-ttys0"}]' \
-      "${incorrect_yaml}"
+    yq -i \
+        '.spec.template.spec.containers[0].volumeMounts += [{"mountPath": "/dev/ttyS0", "name": "dev-ttys0"}]' \
+        "${incorrect_yaml}"

-  yq -i \
-      '.spec.template.spec.volumes += [{"name": "dev-ttys0", "hostPath": {"path": "/dev/ttyS0"}}]' \
-      "${incorrect_yaml}"
+    yq -i \
+        '.spec.template.spec.volumes += [{"name": "dev-ttys0", "hostPath": {"path": "/dev/ttyS0"}}]' \
+        "${incorrect_yaml}"

    test_rc_policy true
 }
@ -139,6 +140,15 @@ test_rc_policy() {
    test_rc_policy true
 }

+@test "Policy failure: unexpected UID = 1000" {
+    # Changing the template spec after generating its policy will cause CreateContainer to be denied.
+    yq -i \
+      '.spec.template.spec.securityContext.runAsUser = 1000' \
+      "${incorrect_yaml}"
+
+    test_rc_policy true
+}
+
 teardown() {
    auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."

--- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-rc.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-rc.yaml
@ -17,6 +17,8 @@ spec:
      labels:
        app: policy-nginx-rc
    spec:
+      securityContext:
+        runAsUser: 123
      terminationGracePeriodSeconds: 0
      runtimeClassName: kata
      containers: