github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-17 15:38:00 +00:00
Code Issues Projects Releases Wiki Activity

genpolicy: enable create container UID verification

Browse Source 
Disabling the UID Policy rule was a workaround for #9928. Re-enable
that rule here and add a new test/CI temporary workaround for this
issue. This new test workaround will be removed after fixing #9928.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
This commit is contained in:
Dan Mihai 2024-09-11 18:28:23 +00:00
parent 71ede4ea3f
commit eb7f747df1
3 changed files with 11 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/tools/genpolicy/rules.rego
View File

@ -540,9 +540,8 @@ allow_user(p_process, i_process) {
p_user := p_process.User p_user := p_process.User
i_user := i_process.User i_user := i_process.User
# TODO: remove this workaround when fixing https://github.com/kata-containers/kata-containers/issues/9928. print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
#print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID) p_user.UID == i_user.UID
#p_user.UID == i_user.UID
# TODO: track down the reason for registry.k8s.io/pause:3.9 being # TODO: track down the reason for registry.k8s.io/pause:3.9 being
# executed with gid = 0 despite having "65535:65535" in its container image # executed with gid = 0 despite having "65535:65535" in its container image

27
tests/integration/kubernetes/k8s-policy-pod.bats
View File

@ -35,6 +35,15 @@ setup() {
kubectl create -f "${priority_class_yaml}" kubectl create -f "${priority_class_yaml}"
# This container image specifies user = "nobody", that corresponds to UID = 65534.
# genpolicy doesn't know yet how to convert the user name to UID (as described by
# https://github.com/kata-containers/kata-containers/issues/9928), so temporarily
# work around that limitation of the tool by explicitly settings runAsUser = 65534
# in the YAML file.
yq -i \
'.spec.containers[0].securityContext.runAsUser = 65534' \
"${correct_pod_yaml}"
# Save some time by executing genpolicy a single time. # Save some time by executing genpolicy a single time.
if [ "${BATS_TEST_NUMBER}" == "1" ]; then if [ "${BATS_TEST_NUMBER}" == "1" ]; then
# Save pre-generated yaml files # Save pre-generated yaml files
@ -193,24 +202,6 @@ test_pod_policy_error() {
run ! grep -q "io.katacontainers.config.agent.policy" "${testcase_pre_generate_pod_yaml}" run ! grep -q "io.katacontainers.config.agent.policy" "${testcase_pre_generate_pod_yaml}"
} }
@test "Successful pod due to runAsUser workaround from rules.rego" {
# This test case should fail, but it passes due to these lines being commented out in rules.rego:
#
# allow_user(p_process, i_process) {
# #print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
# #p_user.UID == i_user.UID
#
# So this test case should be converted to use test_pod_policy_error when that workaround will
# be removed.
yq -i \
'.spec.containers[0].securityContext.runAsUser = 101' \
"${incorrect_pod_yaml}"
kubectl create -f "${correct_configmap_yaml}"
kubectl create -f "${incorrect_pod_yaml}"
kubectl wait --for=condition=Ready "--timeout=${timeout}" pod "${pod_name}"
}
@test "ExecProcessRequest tests" { @test "ExecProcessRequest tests" {
wait_for_pod_ready wait_for_pod_ready

1
tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pod.yaml
View File

@ -27,7 +27,6 @@ spec:
name: policy-configmap name: policy-configmap
key: data-2 key: data-2
securityContext: securityContext:
runAsUser: 1000
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
livenessProbe: livenessProbe: