diff --git a/test/e2e/windows/security_context.go b/test/e2e/windows/security_context.go index ebb62dbbaa0..a793859fa72 100644 --- a/test/e2e/windows/security_context.go +++ b/test/e2e/windows/security_context.go @@ -136,7 +136,7 @@ var _ = sigDescribe(feature.Windows, "SecurityContext", skipUnlessWindows(func() e2eoutput.TestContainerOutput(ctx, f, "check pod SecurityContext username", pod, 1, []string{"ContainerAdministrator"}) }) - ginkgo.It("should ignore Linux Specific SecurityContext if set", func(ctx context.Context) { + ginkgo.It("should ignore SELinux Specific SecurityContext if set", func(ctx context.Context) { ginkgo.By("Creating a pod with SELinux options") // It is sufficient to show that the pod comes up here. Since we're stripping the SELinux and other linux // security contexts in apiserver and not updating the pod object in the apiserver, we cannot validate the @@ -160,6 +160,30 @@ var _ = sigDescribe(feature.Windows, "SecurityContext", skipUnlessWindows(func() f.Namespace.Name), "failed to wait for pod %s to be running", windowsPodWithSELinux.Name) }) + ginkgo.It("should ignore ProcMount Specific SecurityContext if set", func(ctx context.Context) { + ginkgo.By("Creating a pod with ProcMount options") + // It is sufficient to show that the pod comes up here. Since we're stripping the SELinux and other linux + // security contexts in apiserver and not updating the pod object in the apiserver, we cannot validate the + // pod object to not have those security contexts. However the pod coming to running state is a sufficient + // enough condition for us to validate since prior to https://github.com/kubernetes/kubernetes/pull/93475 + // the pod would have failed to come up. + windowsPodWithSELinux := createTestPod(f, imageutils.GetE2EImage(imageutils.Agnhost), windowsOS) + windowsPodWithSELinux.Spec.Containers[0].Args = []string{"test-webserver-with-selinux"} + windowsPodWithSELinux.Spec.SecurityContext = &v1.PodSecurityContext{} + pmt := v1.UnmaskedProcMount + containerUserName := "ContainerAdministrator" + windowsPodWithSELinux.Spec.Containers[0].SecurityContext = &v1.SecurityContext{ + ProcMount: &pmt, + WindowsOptions: &v1.WindowsSecurityContextOptions{RunAsUserName: &containerUserName}} + windowsPodWithSELinux.Spec.Tolerations = []v1.Toleration{{Key: "os", Value: "Windows"}} + windowsPodWithSELinux, err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).Create(ctx, + windowsPodWithSELinux, metav1.CreateOptions{}) + framework.ExpectNoError(err) + framework.Logf("Created pod %v", windowsPodWithSELinux) + framework.ExpectNoError(e2epod.WaitForPodNameRunningInNamespace(ctx, f.ClientSet, windowsPodWithSELinux.Name, + f.Namespace.Name), "failed to wait for pod %s to be running", windowsPodWithSELinux.Name) + }) + ginkgo.It("should not be able to create pods with containers running as ContainerAdministrator when runAsNonRoot is true", func(ctx context.Context) { ginkgo.By("Creating a pod")