Merge pull request #70639 from mgdevstack/promote-security-context
Promote security context NodeConformance tests to Conformance suite
commit
62eae8d058
4
test/conformance/testdata/conformance.txt
4
test/conformance/testdata/conformance.txt
@ -166,6 +166,10 @@ test/e2e/common/secrets_volume.go: "should be consumable from pods in volume wit
|
||||
test/e2e/common/secrets_volume.go: "should be able to mount in a volume regardless of a different secret existing with same name in different namespace"
|
||||
test/e2e/common/secrets_volume.go: "should be consumable in multiple volumes in a pod"
|
||||
test/e2e/common/secrets_volume.go: "optional updates should be reflected in volume"
|
||||
test/e2e/common/security_context.go: "should run the container with uid 65534"
|
||||
test/e2e/common/security_context.go: "should run the container with writable rootfs when readOnlyRootFilesystem=false"
|
||||
test/e2e/common/security_context.go: "should run the container as unprivileged when false"
|
||||
test/e2e/common/security_context.go: "should not allow privilege escalation when false"
|
||||
test/e2e/kubectl/kubectl.go: "should create and stop a replication controller"
|
||||
test/e2e/kubectl/kubectl.go: "should scale a replication controller"
|
||||
test/e2e/kubectl/kubectl.go: "should do a rolling update of a replication controller"
|
||||
|
@ -73,22 +73,21 @@ var _ = framework.KubeDescribe("Security Context", func() {
|
||||
}
|
||||
|
||||
/*
|
||||
Release : v1.12
|
||||
Testname: Security Context: runAsUser (id:65534)
|
||||
Description: Container created with runAsUser option, passing an id (id:65534) uses that
|
||||
given id when running the container.
|
||||
This test is marked LinuxOnly since Windows does not support running as UID / GID.
|
||||
Release : v1.15
|
||||
Testname: Security Context, runAsUser=65534
|
||||
Description: Container is created with runAsUser option by passing uid 65534 to run as unpriviledged user. Pod MUST be in Succeeded phase.
|
||||
[LinuxOnly]: This test is marked as LinuxOnly since Windows does not support running as UID / GID.
|
||||
*/
|
||||
It("should run the container with uid 65534 [LinuxOnly] [NodeConformance]", func() {
|
||||
framework.ConformanceIt("should run the container with uid 65534 [LinuxOnly] [NodeConformance]", func() {
|
||||
createAndWaitUserPod(65534)
|
||||
})
|
||||
|
||||
/*
|
||||
Release : v1.12
|
||||
Testname: Security Context: runAsUser (id:0)
|
||||
Description: Container created with runAsUser option, passing an id (id:0) uses that
|
||||
given id when running the container.
|
||||
This test is marked LinuxOnly since Windows does not support running as UID / GID.
|
||||
Release : v1.15
|
||||
Testname: Security Context, runAsUser=0
|
||||
Description: Container is created with runAsUser option by passing uid 0 to run as root priviledged user. Pod MUST be in Succeeded phase.
|
||||
This e2e can not be promoted to Conformance because a Conformant platform may not allow to run containers with 'uid 0' or running privileged operations.
|
||||
[LinuxOnly]: This test is marked as LinuxOnly since Windows does not support running as UID / GID.
|
||||
*/
|
||||
It("should run the container with uid 0 [LinuxOnly] [NodeConformance]", func() {
|
||||
createAndWaitUserPod(0)
|
||||
@ -197,21 +196,24 @@ var _ = framework.KubeDescribe("Security Context", func() {
|
||||
}
|
||||
|
||||
/*
|
||||
Release : v1.12
|
||||
Testname: Security Context: readOnlyRootFilesystem=true.
|
||||
Description: when a container has configured readOnlyRootFilesystem to true, write operations are not allowed.
|
||||
This test is marked LinuxOnly since Windows does not support creating containers with read-only access.
|
||||
Release : v1.15
|
||||
Testname: Security Context, readOnlyRootFilesystem=true.
|
||||
Description: Container is configured to run with readOnlyRootFilesystem to true which will force containers to run with a read only root file system.
|
||||
Write operation MUST NOT be allowed and Pod MUST be in Failed state.
|
||||
At this moment we are not considering this test for Conformance due to use of SecurityContext.
|
||||
[LinuxOnly]: This test is marked as LinuxOnly since Windows does not support creating containers with read-only access.
|
||||
*/
|
||||
It("should run the container with readonly rootfs when readOnlyRootFilesystem=true [LinuxOnly] [NodeConformance]", func() {
|
||||
createAndWaitUserPod(true)
|
||||
})
|
||||
|
||||
/*
|
||||
Release : v1.12
|
||||
Testname: Security Context: readOnlyRootFilesystem=false.
|
||||
Description: when a container has configured readOnlyRootFilesystem to false, write operations are allowed.
|
||||
Release : v1.15
|
||||
Testname: Security Context, readOnlyRootFilesystem=false.
|
||||
Description: Container is configured to run with readOnlyRootFilesystem to false.
|
||||
Write operation MUST be allowed and Pod MUST be in Succeeded state.
|
||||
*/
|
||||
It("should run the container with writable rootfs when readOnlyRootFilesystem=false [NodeConformance]", func() {
|
||||
framework.ConformanceIt("should run the container with writable rootfs when readOnlyRootFilesystem=false [NodeConformance]", func() {
|
||||
createAndWaitUserPod(false)
|
||||
})
|
||||
})
|
||||
@ -247,9 +249,13 @@ var _ = framework.KubeDescribe("Security Context", func() {
|
||||
podClient.WaitForSuccess(podName, framework.PodStartTimeout)
|
||||
return podName
|
||||
}
|
||||
|
||||
It("should run the container as unprivileged when false [LinuxOnly] [NodeConformance]", func() {
|
||||
// This test is marked LinuxOnly since it runs a Linux-specific command, and Windows does not support Windows escalation.
|
||||
/*
|
||||
Release : v1.15
|
||||
Testname: Security Context, privileged=false.
|
||||
Description: Create a container to run in unprivileged mode by setting pod's SecurityContext Privileged option as false. Pod MUST be in Succeeded phase.
|
||||
[LinuxOnly]: This test is marked as LinuxOnly since it runs a Linux-specific command.
|
||||
*/
|
||||
framework.ConformanceIt("should run the container as unprivileged when false [LinuxOnly] [NodeConformance]", func() {
|
||||
podName := createAndWaitUserPod(false)
|
||||
logs, err := framework.GetPodLogs(f.ClientSet, f.Namespace.Name, podName, podName)
|
||||
if err != nil {
|
||||
@ -294,11 +300,13 @@ var _ = framework.KubeDescribe("Security Context", func() {
|
||||
}
|
||||
|
||||
/*
|
||||
Testname: allowPrivilegeEscalation unset and uid != 0.
|
||||
Description: Configuring the allowPrivilegeEscalation unset, allows the privilege escalation operation.
|
||||
A container is configured with allowPrivilegeEscalation not specified (nil) and a given uid which is not 0.
|
||||
When the container is run, the container is run using uid=0.
|
||||
This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation.
|
||||
Release : v1.15
|
||||
Testname: Security Context, allowPrivilegeEscalation unset, uid != 0.
|
||||
Description: Configuring the allowPrivilegeEscalation unset, allows the privilege escalation operation.
|
||||
A container is configured with allowPrivilegeEscalation not specified (nil) and a given uid which is not 0.
|
||||
When the container is run, container's output MUST match with expected output verifying container ran with uid=0.
|
||||
This e2e Can not be promoted to Conformance as it is Container Runtime dependent and not all conformant platforms will require this behavior.
|
||||
[LinuxOnly]: This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation.
|
||||
*/
|
||||
It("should allow privilege escalation when not explicitly set and uid != 0 [LinuxOnly] [NodeConformance]", func() {
|
||||
podName := "alpine-nnp-nil-" + string(uuid.NewUUID())
|
||||
@ -308,13 +316,14 @@ var _ = framework.KubeDescribe("Security Context", func() {
|
||||
})
|
||||
|
||||
/*
|
||||
Testname: allowPrivilegeEscalation=false.
|
||||
Description: Configuring the allowPrivilegeEscalation to false, does not allow the privilege escalation operation.
|
||||
A container is configured with allowPrivilegeEscalation=false and a given uid (1000) which is not 0.
|
||||
When the container is run, the container is run using uid=1000.
|
||||
This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation.
|
||||
Release : v1.15
|
||||
Testname: Security Context, allowPrivilegeEscalation=false.
|
||||
Description: Configuring the allowPrivilegeEscalation to false, does not allow the privilege escalation operation.
|
||||
A container is configured with allowPrivilegeEscalation=false and a given uid (1000) which is not 0.
|
||||
When the container is run, container's output MUST match with expected output verifying container ran with given uid i.e. uid=1000.
|
||||
[LinuxOnly]: This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation.
|
||||
*/
|
||||
It("should not allow privilege escalation when false [LinuxOnly] [NodeConformance]", func() {
|
||||
framework.ConformanceIt("should not allow privilege escalation when false [LinuxOnly] [NodeConformance]", func() {
|
||||
podName := "alpine-nnp-false-" + string(uuid.NewUUID())
|
||||
apeFalse := false
|
||||
if err := createAndMatchOutput(podName, "Effective uid: 1000", &apeFalse, 1000); err != nil {
|
||||
@ -323,11 +332,13 @@ var _ = framework.KubeDescribe("Security Context", func() {
|
||||
})
|
||||
|
||||
/*
|
||||
Testname: allowPrivilegeEscalation=true.
|
||||
Description: Configuring the allowPrivilegeEscalation to true, allows the privilege escalation operation.
|
||||
A container is configured with allowPrivilegeEscalation=true and a given uid (1000) which is not 0.
|
||||
When the container is run, the container is run using uid=0 (making use of the privilege escalation).
|
||||
This test is marked LinuxOnly since Windows does not support running as UID / GID.
|
||||
Release : v1.15
|
||||
Testname: Security Context, allowPrivilegeEscalation=true.
|
||||
Description: Configuring the allowPrivilegeEscalation to true, allows the privilege escalation operation.
|
||||
A container is configured with allowPrivilegeEscalation=true and a given uid (1000) which is not 0.
|
||||
When the container is run, container's output MUST match with expected output verifying container ran with uid=0 (making use of the privilege escalation).
|
||||
This e2e Can not be promoted to Conformance as it is Container Runtime dependent and runtime may not allow to run.
|
||||
[LinuxOnly]: This test is marked LinuxOnly since Windows does not support running as UID / GID.
|
||||
*/
|
||||
It("should allow privilege escalation when true [LinuxOnly] [NodeConformance]", func() {
|
||||
podName := "alpine-nnp-true-" + string(uuid.NewUUID())
|
||||
|
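Review bot: The promoted description for `should run the container as unprivileged when false` (hunk @ -247) lists only `Pod MUST be in Succeeded phase`, yet the body immediately reads the container logs with `framework.GetPodLogs` and presumably asserts on their content past the end of the hunk; a Conformance description is the contract the test enforces, so that assertion needs its own MUST line, e.g. `Container output MUST match the expected output showing that the operation requiring privilege was not permitted.`, with the exact wording taken from the check that follows (the `framework.ConformanceIt` closure ends outside the hunk). In hunk @ -73 the new descriptions spell `unpriviledged` and `priviledged`; since conformance.txt in this same commit appears to be derived from these comments, the typo would propagate into the published list. The comment added in hunk @ -197, `At this moment we are not considering this test for Conformance due to use of SecurityContext.`, does not explain the decision because the sibling readOnlyRootFilesystem=false test uses the same SecurityContext field and is promoted in the same hunk, so it should state the actual blocker. The remaining non-promoted tests already follow that pattern (`This e2e Can not be promoted to Conformance as it is Container Runtime dependent ...`), which would also be the place to fix the stray capital in `Can not`.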