github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-30 15:05:27 +00:00
Code Issues Projects Releases Wiki Activity

test/e2e: add test to ensure proc mount is stripped from windows pods

Browse Source 
Signed-off-by: Peter Hunt <pehunt@redhat.com>
This commit is contained in:
Peter Hunt 2024-02-14 11:49:15 -05:00 committed by Sohan Kunkerkar
parent d6ee9ca860
commit 4f57a1448d
1 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
test/e2e/windows/security_context.go
View File

@ -136,7 +136,7 @@ var _ = sigDescribe(feature.Windows, "SecurityContext", skipUnlessWindows(func()
e2eoutput.TestContainerOutput(ctx, f, "check pod SecurityContext username", pod, 1, []string{"ContainerAdministrator"})
})
ginkgo.It("should ignore Linux Specific SecurityContext if set", func(ctx context.Context) {
ginkgo.It("should ignore SELinux Specific SecurityContext if set", func(ctx context.Context) {
ginkgo.By("Creating a pod with SELinux options")
// It is sufficient to show that the pod comes up here. Since we're stripping the SELinux and other linux
// security contexts in apiserver and not updating the pod object in the apiserver, we cannot validate the
@ -160,6 +160,30 @@ var _ = sigDescribe(feature.Windows, "SecurityContext", skipUnlessWindows(func()
f.Namespace.Name), "failed to wait for pod %s to be running", windowsPodWithSELinux.Name)
})
ginkgo.It("should ignore ProcMount Specific SecurityContext if set", func(ctx context.Context) {
ginkgo.By("Creating a pod with ProcMount options")
// It is sufficient to show that the pod comes up here. Since we're stripping the SELinux and other linux
// security contexts in apiserver and not updating the pod object in the apiserver, we cannot validate the
// pod object to not have those security contexts. However the pod coming to running state is a sufficient
// enough condition for us to validate since prior to https://github.com/kubernetes/kubernetes/pull/93475
// the pod would have failed to come up.
windowsPodWithSELinux := createTestPod(f, imageutils.GetE2EImage(imageutils.Agnhost), windowsOS)
windowsPodWithSELinux.Spec.Containers[0].Args = []string{"test-webserver-with-selinux"}
windowsPodWithSELinux.Spec.SecurityContext = &v1.PodSecurityContext{}
pmt := v1.UnmaskedProcMount
containerUserName := "ContainerAdministrator"
windowsPodWithSELinux.Spec.Containers[0].SecurityContext = &v1.SecurityContext{
ProcMount: &pmt,
WindowsOptions: &v1.WindowsSecurityContextOptions{RunAsUserName: &containerUserName}}
windowsPodWithSELinux.Spec.Tolerations = []v1.Toleration{{Key: "os", Value: "Windows"}}
windowsPodWithSELinux, err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).Create(ctx,
windowsPodWithSELinux, metav1.CreateOptions{})
framework.ExpectNoError(err)
framework.Logf("Created pod %v", windowsPodWithSELinux)
framework.ExpectNoError(e2epod.WaitForPodNameRunningInNamespace(ctx, f.ClientSet, windowsPodWithSELinux.Name,
f.Namespace.Name), "failed to wait for pod %s to be running", windowsPodWithSELinux.Name)
})
ginkgo.It("should not be able to create pods with containers running as ContainerAdministrator when runAsNonRoot is true", func(ctx context.Context) {
ginkgo.By("Creating a pod")