github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-07-07 20:39:22 +00:00
Code Issues Projects Releases Wiki Activity

ci: Add CI tests for runAsGroup, GID policy

Browse Source 
Introduce tests to check for policy correctness on a redis deployment
with 1. a pod-level securityContext 2. a container-level securityContext
which shadows the pod-level securityContext 3. a pod-level
securityContext which selects an existing user (nobody), causing a new GID to be selected.

Redis is an interesting container image to test with because it includes
a /etc/passwd file with existing user/group configuration of 1000:1000 baked in.

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
This commit is contained in:
Cameron Baird 2025-04-04 23:12:17 +00:00
parent 938ddeaf1e
commit fc75aee13a
5 changed files with 222 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
tests/integration/kubernetes/k8s-policy-deployment-sc.bats Normal file
View File

@ -0,0 +1,103 @@
#!/usr/bin/env bats
#
# Copyright (c) 2024 Microsoft.
#
# SPDX-License-Identifier: Apache-2.0
#
load "${BATS_TEST_DIRNAME}/../../common.bash"
load "${BATS_TEST_DIRNAME}/tests_common.sh"
setup() {
auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
get_pod_config_dir
deployment_name="policy-redis-deployment"
pod_sc_deployment_yaml="${pod_config_dir}/k8s-pod-sc-deployment.yaml"
pod_sc_nobodyupdate_deployment_yaml="${pod_config_dir}/k8s-pod-sc-nobodyupdate-deployment.yaml"
pod_sc_layered_deployment_yaml="${pod_config_dir}/k8s-layered-sc-deployment.yaml"
# Save some time by executing genpolicy a single time.
if [ "${BATS_TEST_NUMBER}" == "1" ]; then
# Add an appropriate policy to the correct YAML file.
policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
auto_generate_policy "${policy_settings_dir}" "${pod_sc_deployment_yaml}"
auto_generate_policy "${policy_settings_dir}" "${pod_sc_nobodyupdate_deployment_yaml}"
auto_generate_policy "${policy_settings_dir}" "${pod_sc_layered_deployment_yaml}"
fi
# Start each test case with a copy of the correct yaml file.
incorrect_deployment_yaml="${pod_config_dir}/k8s-layered-sc-deployment-incorrect.yaml"
cp "${pod_sc_layered_deployment_yaml}" "${incorrect_deployment_yaml}"
}
@test "Successful sc deployment with auto-generated policy and container image volumes" {
# Initiate deployment
kubectl apply -f "${pod_sc_deployment_yaml}"
# Wait for the deployment to be created
cmd="kubectl rollout status --timeout=1s deployment/${deployment_name} | grep 'successfully rolled out'"
info "Waiting for: ${cmd}"
waitForProcess "${wait_time}" "${sleep_time}" "${cmd}"
}
@test "Successful sc deployment with security context choosing another valid user" {
# Initiate deployment
kubectl apply -f "${pod_sc_nobodyupdate_deployment_yaml}"
# Wait for the deployment to be created
cmd="kubectl rollout status --timeout=1s deployment/${deployment_name} | grep 'successfully rolled out'"
info "Waiting for: ${cmd}"
waitForProcess "${wait_time}" "${sleep_time}" "${cmd}"
}
@test "Successful layered sc deployment with auto-generated policy and container image volumes" {
# Initiate deployment
kubectl apply -f "${pod_sc_layered_deployment_yaml}"
# Wait for the deployment to be created
cmd="kubectl rollout status --timeout=1s deployment/${deployment_name} | grep 'successfully rolled out'"
info "Waiting for: ${cmd}"
waitForProcess "${wait_time}" "${sleep_time}" "${cmd}"
}
test_deployment_policy_error() {
# Initiate deployment
kubectl apply -f "${incorrect_deployment_yaml}"
# Wait for the deployment pod to fail
wait_for_blocked_request "CreateContainerRequest" "${deployment_name}"
}
@test "Policy failure: unexpected GID = 0 for layered securityContext deployment" {
# Change the pod GID to 0 after the policy has been generated using a different
# runAsGroup value. The policy would use GID = 0 by default, if there weren't
# a different runAsGroup value in the YAML file.
yq -i \
'.spec.template.spec.securityContext.runAsGroup = 0' \
"${incorrect_deployment_yaml}"
test_deployment_policy_error
}
teardown() {
auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
# Pod debugging information. Don't print the "Message:" line because it contains a truncated policy log.
info "Pod ${deployment_name}:"
kubectl describe pod "${deployment_name}" | grep -v "Message:"
# Deployment debugging information. The --watch=false argument makes "kubectl rollout status"
# return instead of waiting for a possibly failed deployment to complete.
info "Deployment ${deployment_name}:"
kubectl describe deployment "${deployment_name}"
kubectl rollout status deployment/${deployment_name} --watch=false
# Clean-up
kubectl delete deployment "${deployment_name}"
delete_tmp_policy_settings_dir "${policy_settings_dir}"
rm -f "${incorrect_deployment_yaml}"
}

1
tests/integration/kubernetes/run_kubernetes_tests.sh
View File

@ -73,6 +73,7 @@ else
"k8s-pod-quota.bats" \
"k8s-policy-hard-coded.bats" \
"k8s-policy-deployment.bats" \
"k8s-policy-deployment-sc.bats" \
"k8s-policy-job.bats" \
"k8s-policy-logs.bats" \
"k8s-policy-pod.bats" \

41
tests/integration/kubernetes/runtimeclass_workloads/k8s-layered-sc-deployment.yaml Normal file
View File

@ -0,0 +1,41 @@
#
# Copyright (c) 2024 Microsoft
#
# SPDX-License-Identifier: Apache-2.0
#
apiVersion: apps/v1
kind: Deployment
metadata:
name: policy-redis-deployment
labels:
app: policyredis
spec:
selector:
matchLabels:
app: policyredis
role: master
tier: backend
replicas: 1
template:
metadata:
labels:
app: policyredis
role: master
tier: backend
spec:
terminationGracePeriodSeconds: 0
runtimeClassName: kata
securityContext:
runAsUser: 2000
runAsGroup: 2000
containers:
- name: master
image: quay.io/opstree/redis@sha256:2642c7b07713df6897fa88cbe6db85170690cf3650018ceb2ab16cfa0b4f8d48
securityContext:
runAsUser: 3000
resources:
requests:
cpu: 100m
memory: 100Mi
ports:
- containerPort: 6379

39
tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-deployment.yaml Normal file
View File

@ -0,0 +1,39 @@
#
# Copyright (c) 2024 Microsoft
#
# SPDX-License-Identifier: Apache-2.0
#
apiVersion: apps/v1
kind: Deployment
metadata:
name: policy-redis-deployment
labels:
app: policyredis
spec:
selector:
matchLabels:
app: policyredis
role: master
tier: backend
replicas: 1
template:
metadata:
labels:
app: policyredis
role: master
tier: backend
spec:
terminationGracePeriodSeconds: 0
runtimeClassName: kata
securityContext:
runAsUser: 2000
runAsGroup: 2000
containers:
- name: master
image: quay.io/opstree/redis@sha256:2642c7b07713df6897fa88cbe6db85170690cf3650018ceb2ab16cfa0b4f8d48
resources:
requests:
cpu: 100m
memory: 100Mi
ports:
- containerPort: 6379

38
tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-nobodyupdate-deployment.yaml Normal file
View File

@ -0,0 +1,38 @@
#
# Copyright (c) 2024 Microsoft
#
# SPDX-License-Identifier: Apache-2.0
#
apiVersion: apps/v1
kind: Deployment
metadata:
name: policy-redis-deployment
labels:
app: policyredis
spec:
selector:
matchLabels:
app: policyredis
role: master
tier: backend
replicas: 1
template:
metadata:
labels:
app: policyredis
role: master
tier: backend
spec:
terminationGracePeriodSeconds: 0
runtimeClassName: kata
securityContext:
runAsUser: 65534
containers:
- name: master
image: quay.io/opstree/redis@sha256:2642c7b07713df6897fa88cbe6db85170690cf3650018ceb2ab16cfa0b4f8d48
resources:
requests:
cpu: 100m
memory: 100Mi
ports:
- containerPort: 6379