allowPrivilegeEscalation: modify api types & add functionality
Signed-off-by: Jess Frazelle <acidburn@google.com>
@@ -920,6 +920,7 @@ func defaultPSP() *extensions.PodSecurityPolicy {
|
||||
SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
|
||||
Rule: extensions.SupplementalGroupsStrategyRunAsAny,
|
||||
},
|
||||
AllowPrivilegeEscalation: true,
|
||||
},
|
||||
}
|
||||
}
|
||||
@@ -1033,3 +1034,111 @@ func TestValidateAllowedVolumes(t *testing.T) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// TestValidateAllowPrivilegeEscalation will test that when the podSecurityPolicy
|
||||
// AllowPrivilegeEscalation is false we cannot set a container's securityContext
|
||||
// to allowPrivilegeEscalation, but when it is true we can.
|
||||
func TestValidateAllowPrivilegeEscalation(t *testing.T) {
|
||||
pod := defaultPod()
|
||||
pe := true
|
||||
pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = &pe
|
||||
|
||||
// create a PSP that does not allow privilege escalation
|
||||
psp := defaultPSP()
|
||||
psp.Spec.AllowPrivilegeEscalation = false
|
||||
|
||||
provider, err := NewSimpleProvider(psp, "namespace", NewSimpleStrategyFactory())
|
||||
if err != nil {
|
||||
t.Errorf("error creating provider: %v", err.Error())
|
||||
}
|
||||
|
||||
// expect a denial for this PSP and test the error message to ensure it's related to allowPrivilegeEscalation
|
||||
errs := provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
|
||||
if len(errs) != 1 {
|
||||
t.Errorf("expected exactly 1 error but got %v", errs)
|
||||
} else {
|
||||
if !strings.Contains(errs.ToAggregate().Error(), "Allowing privilege escalation for containers is not allowed") {
|
||||
t.Errorf("did not find the expected error, received: %v", errs)
|
||||
}
|
||||
}
|
||||
|
||||
// now add allowPrivilegeEscalation to the podSecurityPolicy
|
||||
psp.Spec.AllowPrivilegeEscalation = true
|
||||
errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
|
||||
if len(errs) != 0 {
|
||||
t.Errorf("directly allowing privilege escalation expected no errors but got %v", errs)
|
||||
}
|
||||
}
|
||||
|
||||
// TestValidateDefaultAllowPrivilegeEscalation will test that when the podSecurityPolicy
|
||||
// DefaultAllowPrivilegeEscalation is false we cannot set a container's
|
||||
// securityContext to allowPrivilegeEscalation but when it is true we can.
|
||||
func TestValidateDefaultAllowPrivilegeEscalation(t *testing.T) {
|
||||
pod := defaultPod()
|
||||
pe := true
|
||||
pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = &pe
|
||||
|
||||
// create a PSP that does not allow privilege escalation
|
||||
psp := defaultPSP()
|
||||
dpe := false
|
||||
psp.Spec.DefaultAllowPrivilegeEscalation = &dpe
|
||||
psp.Spec.AllowPrivilegeEscalation = false
|
||||
|
||||
provider, err := NewSimpleProvider(psp, "namespace", NewSimpleStrategyFactory())
|
||||
if err != nil {
|
||||
t.Errorf("error creating provider: %v", err.Error())
|
||||
}
|
||||
|
||||
// expect a denial for this PSP and test the error message to ensure it's related to allowPrivilegeEscalation
|
||||
errs := provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
|
||||
if len(errs) != 1 {
|
||||
t.Errorf("expected exactly 1 error but got %v", errs)
|
||||
} else {
|
||||
if !strings.Contains(errs.ToAggregate().Error(), "Allowing privilege escalation for containers is not allowed") {
|
||||
t.Errorf("did not find the expected error, received: %v", errs)
|
||||
}
|
||||
}
|
||||
|
||||
// now add DefaultAllowPrivilegeEscalation to the podSecurityPolicy
|
||||
dpe = true
|
||||
psp.Spec.DefaultAllowPrivilegeEscalation = &dpe
|
||||
psp.Spec.AllowPrivilegeEscalation = false
|
||||
|
||||
// expect a denial for this PSP because we did not allowPrivilege Escalation via the PodSecurityPolicy
|
||||
// and test the error message to ensure it's related to allowPrivilegeEscalation
|
||||
errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
|
||||
if len(errs) != 1 {
|
||||
t.Errorf("expected exactly 1 error but got %v", errs)
|
||||
} else {
|
||||
if !strings.Contains(errs.ToAggregate().Error(), "Allowing privilege escalation for containers is not allowed") {
|
||||
t.Errorf("did not find the expected error, received: %v", errs)
|
||||
}
|
||||
}
|
||||
|
||||
// Now set AllowPrivilegeEscalation
|
||||
psp.Spec.AllowPrivilegeEscalation = true
|
||||
errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
|
||||
if len(errs) != 0 {
|
||||
t.Errorf("directly allowing privilege escalation expected no errors but got %v", errs)
|
||||
}
|
||||
|
||||
// Now set the psp spec to false and reset AllowPrivilegeEscalation
|
||||
psp.Spec.AllowPrivilegeEscalation = false
|
||||
pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = nil
|
||||
errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
|
||||
if len(errs) != 1 {
|
||||
t.Errorf("expected exactly 1 error but got %v", errs)
|
||||
} else {
|
||||
if !strings.Contains(errs.ToAggregate().Error(), "Allowing privilege escalation for containers is not allowed") {
|
||||
t.Errorf("did not find the expected error, received: %v", errs)
|
||||
}
|
||||
}
|
||||
|
||||
// Now unset both AllowPrivilegeEscalation
|
||||
psp.Spec.AllowPrivilegeEscalation = true
|
||||
pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = nil
|
||||
errs = provider.ValidateContainerSecurityContext(pod, &pod.Spec.Containers[0], field.NewPath(""))
|
||||
if len(errs) != 0 {
|
||||
t.Errorf("resetting allowing privilege escalation expected no errors but got %v", errs)
|
||||
}
|
||||
}
|
||||
|
||||
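Review bot: Both new tests report a failed `NewSimpleProvider` with `t.Errorf` and then go on to call `provider.ValidateContainerSecurityContext`, so a constructor error would surface as a nil-pointer panic instead of the logged message; use `t.Fatalf("error creating provider: %v", err)` in both places. The doc comment on `TestValidateDefaultAllowPrivilegeEscalation` contradicts the test body, which shows that `DefaultAllowPrivilegeEscalation = true` still produces a denial while `AllowPrivilegeEscalation` is false; reword it to say that DefaultAllowPrivilegeEscalation does not by itself permit a container to request privilege escalation and only `AllowPrivilegeEscalation: true` does. Likewise the comment `// Now unset both AllowPrivilegeEscalation` sits above `psp.Spec.AllowPrivilegeEscalation = true`, which is the opposite of unsetting. Neither test covers the security-relevant negative case of a container that explicitly sets `allowPrivilegeEscalation: false` under a PSP with `AllowPrivilegeEscalation: false`, which should be admitted, and that case is the one a restrictive policy most needs to keep working. The tests also appear to rely on the provider holding a pointer to `psp` when they mutate `psp.Spec` after construction; if that is intentional, a one-line comment saying so would keep a later change to `NewSimpleProvider` from silently turning these into tests of the original policy.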