tests: k8s-policy-rc: add unexpected UID test

Change the pod runAsUser value of a Replication Controller after generating
the RC's policy, and verify that the RC's pods are rejected because of this
change.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
This commit is contained in:
Dan Mihai 2024-09-13 03:06:03 +00:00
parent 6773f14667
commit 5777869cf4
2 changed files with 26 additions and 14 deletions


@ -61,17 +61,18 @@ test_rc_policy() {
--output=jsonpath='{.spec.replicas}')
[ "${number_of_replicas}" -gt 0 ]
# The replicas pods can be in running, waiting, succeeded or failed
# status. We need them all on running state before proceeding.
cmd="kubectl describe rc ${replication_name}"
cmd+=" | grep \"Pods Status\" | grep \"${number_of_replicas} Running\""
info "Waiting for: ${cmd}"
waitForProcess "$wait_time" "$sleep_time" "$cmd"
# Wait for all the expected pods to be created.
local count=0
local launched_pods=()
while [ $count -lt 6 ] && [ "${#launched_pods[@]}" -ne "${number_of_replicas}" ]; do
count=$((count + 1))
sleep 10
launched_pods=($(kubectl get pods "--selector=app=${app_name}" \
--output=jsonpath={.items..metadata.name}))
done
# Check that the number of pods created for the replication controller
# is equal to the number of replicas that we defined.
launched_pods=($(kubectl get pods "--selector=app=${app_name}" \
--output=jsonpath={.items..metadata.name}))
[ "${#launched_pods[@]}" -eq "${number_of_replicas}" ]
# Check pod creation
@ -110,13 +111,13 @@ test_rc_policy() {
@test "Policy failure: unexpected host device mapping" {
# Changing the template spec after generating its policy will cause CreateContainer to be denied.
yq -i \
'.spec.template.spec.containers[0].volumeMounts += [{"mountPath": "/dev/ttyS0", "name": "dev-ttys0"}]' \
"${incorrect_yaml}"
yq -i \
'.spec.template.spec.containers[0].volumeMounts += [{"mountPath": "/dev/ttyS0", "name": "dev-ttys0"}]' \
"${incorrect_yaml}"
yq -i \
'.spec.template.spec.volumes += [{"name": "dev-ttys0", "hostPath": {"path": "/dev/ttyS0"}}]' \
"${incorrect_yaml}"
yq -i \
'.spec.template.spec.volumes += [{"name": "dev-ttys0", "hostPath": {"path": "/dev/ttyS0"}}]' \
"${incorrect_yaml}"
test_rc_policy true
}
@ -139,6 +140,15 @@ test_rc_policy() {
test_rc_policy true
}
@test "Policy failure: unexpected UID = 1000" {
# Changing the template spec after generating its policy will cause CreateContainer to be denied.
yq -i \
'.spec.template.spec.securityContext.runAsUser = 1000' \
"${incorrect_yaml}"
test_rc_policy true
}
teardown() {
auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
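Review bot: The new `@test "Policy failure: unexpected UID = 1000"` only mutates the pod-level `.spec.template.spec.securityContext.runAsUser`, while a container-level `securityContext.runAsUser` in Kubernetes takes precedence over the pod-level value, so a UID mismatch introduced at the container level is a separate path the generated policy should also reject. A companion case using `'.spec.template.spec.containers[0].securityContext.runAsUser = 1000'` would cover it, if the policy generator handles that field. The comment on the new test could also state what makes 1000 "unexpected", e.g. `# The RC template sets runAsUser: 123; any other UID must be rejected by the generated policy.`, since the expected value lives in the YAML fixture rather than in this file. The `teardown()` definition starts in this hunk and continues past it.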


@ -17,6 +17,8 @@ spec:
labels:
app: policy-nginx-rc
spec:
securityContext:
runAsUser: 123
terminationGracePeriodSeconds: 0
runtimeClassName: kata
containers: