Merge pull request #10008 from microsoft/danmihai1/runAsUser

genpolicy: add support for runAsUser fields
2025-09-11 21:59:10 +00:00 · 2024-07-15 12:08:50 -07:00
parent 648265d80e dded329d26
commit bcaf7fc3b4
8 changed files with 71 additions and 19 deletions
--- a/tests/integration/kubernetes/k8s-policy-pod.bats
+++ b/tests/integration/kubernetes/k8s-policy-pod.bats
@@ -174,6 +174,24 @@ test_pod_policy_error() {
 	run ! grep -q "io.katacontainers.config.agent.policy" "${testcase_pre_generate_pod_yaml}"
 }

+@test "Successful pod due to runAsUser workaround from rules.rego" {
+	# This test case should fail, but it passes due to these lines being commented out in rules.rego:
+	#
+	# allow_user(p_process, i_process) {
+	#     #print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
+	#     #p_user.UID == i_user.UID
+	#
+	# So this test case should be converted to use test_pod_policy_error when that workaround will
+	# be removed.
+	yq -i \
+		'.spec.containers[0].securityContext.runAsUser = 101' \
+		"${incorrect_pod_yaml}"
+
+	kubectl create -f "${correct_configmap_yaml}"
+	kubectl create -f "${incorrect_pod_yaml}"
+	kubectl wait --for=condition=Ready "--timeout=${timeout}" pod "${pod_name}"
+}
+
 teardown() {
 	auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."

--- a/tests/integration/kubernetes/k8s-security-context.bats
+++ b/tests/integration/kubernetes/k8s-security-context.bats
@@ -12,7 +12,14 @@ setup() {
 	get_pod_config_dir

 	yaml_file="${pod_config_dir}/pod-security-context.yaml"
-	add_allow_all_policy_to_yaml "${yaml_file}"
+	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+
+	cmd="ps --user 1000 -f"
+	exec_command="sh -c ${cmd}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+
+	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
+	auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
 }

@test "Security context" {
@@ -25,7 +32,6 @@ setup() {
 	kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"

 	# Check user
-	cmd="ps --user 1000 -f"
 	process="tail -f /dev/null"
 	kubectl exec $pod_name -- sh -c $cmd | grep "$process"
 }
@@ -35,4 +41,5 @@ teardown() {
 	kubectl describe "pod/$pod_name"

 	kubectl delete pod "$pod_name"
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
 }
--- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pod.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pod.yaml
@@ -25,6 +25,7 @@ spec:
              name: policy-configmap
              key: data-2
      securityContext:
+        runAsUser: 1000
        seccompProfile:
          type: RuntimeDefault
  topologySpreadConstraints: