Merge pull request #70639 from mgdevstack/promote-security-context

Promote security context NodeConformance tests to Conformance suite
Kubernetes Prow Robot 2019-06-13 17:48:20 -07:00 committed by GitHub
commit 62eae8d058
2 changed files with 53 additions and 38 deletions


@ -166,6 +166,10 @@ test/e2e/common/secrets_volume.go: "should be consumable from pods in volume wit
test/e2e/common/secrets_volume.go: "should be able to mount in a volume regardless of a different secret existing with same name in different namespace"
test/e2e/common/secrets_volume.go: "should be consumable in multiple volumes in a pod"
test/e2e/common/secrets_volume.go: "optional updates should be reflected in volume"
test/e2e/common/security_context.go: "should run the container with uid 65534"
test/e2e/common/security_context.go: "should run the container with writable rootfs when readOnlyRootFilesystem=false"
test/e2e/common/security_context.go: "should run the container as unprivileged when false"
test/e2e/common/security_context.go: "should not allow privilege escalation when false"
test/e2e/kubectl/kubectl.go: "should create and stop a replication controller"
test/e2e/kubectl/kubectl.go: "should scale a replication controller"
test/e2e/kubectl/kubectl.go: "should do a rolling update of a replication controller"


@ -73,22 +73,21 @@ var _ = framework.KubeDescribe("Security Context", func() {
}
/*
Release : v1.12
Testname: Security Context: runAsUser (id:65534)
Description: Container created with runAsUser option, passing an id (id:65534) uses that
given id when running the container.
This test is marked LinuxOnly since Windows does not support running as UID / GID.
Release : v1.15
Testname: Security Context, runAsUser=65534
Description: Container is created with runAsUser option by passing uid 65534 to run as unpriviledged user. Pod MUST be in Succeeded phase.
[LinuxOnly]: This test is marked as LinuxOnly since Windows does not support running as UID / GID.
*/
It("should run the container with uid 65534 [LinuxOnly] [NodeConformance]", func() {
framework.ConformanceIt("should run the container with uid 65534 [LinuxOnly] [NodeConformance]", func() {
createAndWaitUserPod(65534)
})
/*
Release : v1.12
Testname: Security Context: runAsUser (id:0)
Description: Container created with runAsUser option, passing an id (id:0) uses that
given id when running the container.
This test is marked LinuxOnly since Windows does not support running as UID / GID.
Release : v1.15
Testname: Security Context, runAsUser=0
Description: Container is created with runAsUser option by passing uid 0 to run as root priviledged user. Pod MUST be in Succeeded phase.
This e2e can not be promoted to Conformance because a Conformant platform may not allow to run containers with 'uid 0' or running privileged operations.
[LinuxOnly]: This test is marked as LinuxOnly since Windows does not support running as UID / GID.
*/
It("should run the container with uid 0 [LinuxOnly] [NodeConformance]", func() {
createAndWaitUserPod(0)
@ -197,21 +196,24 @@ var _ = framework.KubeDescribe("Security Context", func() {
}
/*
Release : v1.12
Testname: Security Context: readOnlyRootFilesystem=true.
Description: when a container has configured readOnlyRootFilesystem to true, write operations are not allowed.
This test is marked LinuxOnly since Windows does not support creating containers with read-only access.
Release : v1.15
Testname: Security Context, readOnlyRootFilesystem=true.
Description: Container is configured to run with readOnlyRootFilesystem to true which will force containers to run with a read only root file system.
Write operation MUST NOT be allowed and Pod MUST be in Failed state.
At this moment we are not considering this test for Conformance due to use of SecurityContext.
[LinuxOnly]: This test is marked as LinuxOnly since Windows does not support creating containers with read-only access.
*/
It("should run the container with readonly rootfs when readOnlyRootFilesystem=true [LinuxOnly] [NodeConformance]", func() {
createAndWaitUserPod(true)
})
/*
Release : v1.12
Testname: Security Context: readOnlyRootFilesystem=false.
Description: when a container has configured readOnlyRootFilesystem to false, write operations are allowed.
Release : v1.15
Testname: Security Context, readOnlyRootFilesystem=false.
Description: Container is configured to run with readOnlyRootFilesystem to false.
Write operation MUST be allowed and Pod MUST be in Succeeded state.
*/
It("should run the container with writable rootfs when readOnlyRootFilesystem=false [NodeConformance]", func() {
framework.ConformanceIt("should run the container with writable rootfs when readOnlyRootFilesystem=false [NodeConformance]", func() {
createAndWaitUserPod(false)
})
})
@ -247,9 +249,13 @@ var _ = framework.KubeDescribe("Security Context", func() {
podClient.WaitForSuccess(podName, framework.PodStartTimeout)
return podName
}
It("should run the container as unprivileged when false [LinuxOnly] [NodeConformance]", func() {
// This test is marked LinuxOnly since it runs a Linux-specific command, and Windows does not support Windows escalation.
/*
Release : v1.15
Testname: Security Context, privileged=false.
Description: Create a container to run in unprivileged mode by setting pod's SecurityContext Privileged option as false. Pod MUST be in Succeeded phase.
[LinuxOnly]: This test is marked as LinuxOnly since it runs a Linux-specific command.
*/
framework.ConformanceIt("should run the container as unprivileged when false [LinuxOnly] [NodeConformance]", func() {
podName := createAndWaitUserPod(false)
logs, err := framework.GetPodLogs(f.ClientSet, f.Namespace.Name, podName, podName)
if err != nil {
@ -294,11 +300,13 @@ var _ = framework.KubeDescribe("Security Context", func() {
}
/*
Testname: allowPrivilegeEscalation unset and uid != 0.
Description: Configuring the allowPrivilegeEscalation unset, allows the privilege escalation operation.
A container is configured with allowPrivilegeEscalation not specified (nil) and a given uid which is not 0.
When the container is run, the container is run using uid=0.
This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation.
Release : v1.15
Testname: Security Context, allowPrivilegeEscalation unset, uid != 0.
Description: Configuring the allowPrivilegeEscalation unset, allows the privilege escalation operation.
A container is configured with allowPrivilegeEscalation not specified (nil) and a given uid which is not 0.
When the container is run, container's output MUST match with expected output verifying container ran with uid=0.
This e2e Can not be promoted to Conformance as it is Container Runtime dependent and not all conformant platforms will require this behavior.
[LinuxOnly]: This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation.
*/
It("should allow privilege escalation when not explicitly set and uid != 0 [LinuxOnly] [NodeConformance]", func() {
podName := "alpine-nnp-nil-" + string(uuid.NewUUID())
@ -308,13 +316,14 @@ var _ = framework.KubeDescribe("Security Context", func() {
})
/*
Testname: allowPrivilegeEscalation=false.
Description: Configuring the allowPrivilegeEscalation to false, does not allow the privilege escalation operation.
A container is configured with allowPrivilegeEscalation=false and a given uid (1000) which is not 0.
When the container is run, the container is run using uid=1000.
This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation.
Release : v1.15
Testname: Security Context, allowPrivilegeEscalation=false.
Description: Configuring the allowPrivilegeEscalation to false, does not allow the privilege escalation operation.
A container is configured with allowPrivilegeEscalation=false and a given uid (1000) which is not 0.
When the container is run, container's output MUST match with expected output verifying container ran with given uid i.e. uid=1000.
[LinuxOnly]: This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation.
*/
It("should not allow privilege escalation when false [LinuxOnly] [NodeConformance]", func() {
framework.ConformanceIt("should not allow privilege escalation when false [LinuxOnly] [NodeConformance]", func() {
podName := "alpine-nnp-false-" + string(uuid.NewUUID())
apeFalse := false
if err := createAndMatchOutput(podName, "Effective uid: 1000", &apeFalse, 1000); err != nil {
@ -323,11 +332,13 @@ var _ = framework.KubeDescribe("Security Context", func() {
})
/*
Testname: allowPrivilegeEscalation=true.
Description: Configuring the allowPrivilegeEscalation to true, allows the privilege escalation operation.
A container is configured with allowPrivilegeEscalation=true and a given uid (1000) which is not 0.
When the container is run, the container is run using uid=0 (making use of the privilege escalation).
This test is marked LinuxOnly since Windows does not support running as UID / GID.
Release : v1.15
Testname: Security Context, allowPrivilegeEscalation=true.
Description: Configuring the allowPrivilegeEscalation to true, allows the privilege escalation operation.
A container is configured with allowPrivilegeEscalation=true and a given uid (1000) which is not 0.
When the container is run, container's output MUST match with expected output verifying container ran with uid=0 (making use of the privilege escalation).
This e2e Can not be promoted to Conformance as it is Container Runtime dependent and runtime may not allow to run.
[LinuxOnly]: This test is marked LinuxOnly since Windows does not support running as UID / GID.
*/
It("should allow privilege escalation when true [LinuxOnly] [NodeConformance]", func() {
podName := "alpine-nnp-true-" + string(uuid.NewUUID())
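Review bot: The description added above `framework.ConformanceIt("should run the container as unprivileged when false [LinuxOnly] [NodeConformance]", ...)` states only that the Pod MUST be in Succeeded phase, yet the body immediately calls `framework.GetPodLogs(f.ClientSet, f.Namespace.Name, podName, podName)`, which suggests the test also asserts on the container's output; because these Release/Testname/Description blocks feed the generated conformance document, the expected output should be spelled out there as well (the assertion itself sits below the hunk, so confirm its exact wording before adding it). The same change also introduces misspellings in the two runAsUser descriptions — `to run as unpriviledged user` and `to run as root priviledged user` should read `unprivileged` and `privileged`. Finally, `This e2e Can not be promoted to Conformance` in the two allowPrivilegeEscalation comments is capitalised inconsistently with `This e2e can not be promoted to Conformance` in the uid 0 comment; `cannot` in all three would be the conventional form.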