diff --git a/test/conformance/testdata/conformance.txt b/test/conformance/testdata/conformance.txt
index 278c8ff71fb..d9f57067879 100644
--- a/test/conformance/testdata/conformance.txt
+++ b/test/conformance/testdata/conformance.txt
@@ -166,6 +166,10 @@ test/e2e/common/secrets_volume.go: "should be consumable from pods in volume wit
 test/e2e/common/secrets_volume.go: "should be able to mount in a volume regardless of a different secret existing with same name in different namespace"
 test/e2e/common/secrets_volume.go: "should be consumable in multiple volumes in a pod"
 test/e2e/common/secrets_volume.go: "optional updates should be reflected in volume"
+test/e2e/common/security_context.go: "should run the container with uid 65534"
+test/e2e/common/security_context.go: "should run the container with writable rootfs when readOnlyRootFilesystem=false"
+test/e2e/common/security_context.go: "should run the container as unprivileged when false"
+test/e2e/common/security_context.go: "should not allow privilege escalation when false"
 test/e2e/kubectl/kubectl.go: "should create and stop a replication controller"
 test/e2e/kubectl/kubectl.go: "should scale a replication controller"
 test/e2e/kubectl/kubectl.go: "should do a rolling update of a replication controller"
diff --git a/test/e2e/common/security_context.go b/test/e2e/common/security_context.go
index e3c94908dbe..81893f218b9 100644
--- a/test/e2e/common/security_context.go
+++ b/test/e2e/common/security_context.go
@@ -73,22 +73,21 @@ var _ = framework.KubeDescribe("Security Context", func() {
 }
 
 /*
- Release : v1.12
- Testname: Security Context: runAsUser (id:65534)
- Description: Container created with runAsUser option, passing an id (id:65534) uses that
- given id when running the container.
- This test is marked LinuxOnly since Windows does not support running as UID / GID.
+ Release : v1.15
+ Testname: Security Context, runAsUser=65534
+ Description: Container is created with runAsUser option by passing uid 65534 to run as unpriviledged user. Pod MUST be in Succeeded phase.
+ [LinuxOnly]: This test is marked as LinuxOnly since Windows does not support running as UID / GID.
 */
- It("should run the container with uid 65534 [LinuxOnly] [NodeConformance]", func() {
+ framework.ConformanceIt("should run the container with uid 65534 [LinuxOnly] [NodeConformance]", func() {
 createAndWaitUserPod(65534)
 })
 
 /*
- Release : v1.12
- Testname: Security Context: runAsUser (id:0)
- Description: Container created with runAsUser option, passing an id (id:0) uses that
- given id when running the container.
- This test is marked LinuxOnly since Windows does not support running as UID / GID.
+ Release : v1.15
+ Testname: Security Context, runAsUser=0
+ Description: Container is created with runAsUser option by passing uid 0 to run as root priviledged user. Pod MUST be in Succeeded phase.
+ This e2e can not be promoted to Conformance because a Conformant platform may not allow to run containers with 'uid 0' or running privileged operations.
+ [LinuxOnly]: This test is marked as LinuxOnly since Windows does not support running as UID / GID.
 */
 It("should run the container with uid 0 [LinuxOnly] [NodeConformance]", func() {
 createAndWaitUserPod(0)
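Review bot: The two new Description lines misspell the key term ("unpriviledged user", "root priviledged user"); since these comment blocks are the source the conformance document is generated from (see the conformance.txt entries added in this commit), the typos will surface in the published test description. Change them to `Description: Container is created with runAsUser option by passing uid 65534 to run as unprivileged user. Pod MUST be in Succeeded phase.` and `... to run as root privileged user. Pod MUST be in Succeeded phase.`. Separately, "Pod MUST be in Succeeded phase" is the only stated pass criterion for the promoted uid 65534 test, but the pod is built by createAndWaitUserPod, which is defined outside this hunk; if that helper's container command does not itself verify its effective uid, a Succeeded phase alone would not prove the uid was honoured, so the description should name the check the container performs (or the helper should be confirmed to perform one).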
@@ -197,21 +196,24 @@ var _ = framework.KubeDescribe("Security Context", func() {
 }
 
 /*
- Release : v1.12
- Testname: Security Context: readOnlyRootFilesystem=true.
- Description: when a container has configured readOnlyRootFilesystem to true, write operations are not allowed.
- This test is marked LinuxOnly since Windows does not support creating containers with read-only access.
+ Release : v1.15
+ Testname: Security Context, readOnlyRootFilesystem=true.
+ Description: Container is configured to run with readOnlyRootFilesystem to true which will force containers to run with a read only root file system.
+ Write operation MUST NOT be allowed and Pod MUST be in Failed state.
+ At this moment we are not considering this test for Conformance due to use of SecurityContext.
+ [LinuxOnly]: This test is marked as LinuxOnly since Windows does not support creating containers with read-only access.
 */
 It("should run the container with readonly rootfs when readOnlyRootFilesystem=true [LinuxOnly] [NodeConformance]", func() {
 createAndWaitUserPod(true)
 })
 
 /*
- Release : v1.12
- Testname: Security Context: readOnlyRootFilesystem=false.
- Description: when a container has configured readOnlyRootFilesystem to false, write operations are allowed.
+ Release : v1.15
+ Testname: Security Context, readOnlyRootFilesystem=false.
+ Description: Container is configured to run with readOnlyRootFilesystem to false.
+ Write operation MUST be allowed and Pod MUST be in Succeeded state.
 */
- It("should run the container with writable rootfs when readOnlyRootFilesystem=false [NodeConformance]", func() {
+ framework.ConformanceIt("should run the container with writable rootfs when readOnlyRootFilesystem=false [NodeConformance]", func() {
 createAndWaitUserPod(false)
 })
 })
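Review bot: The non-promotion rationale added for the readOnlyRootFilesystem=true case, "not considering this test for Conformance due to use of SecurityContext", is contradicted by the readOnlyRootFilesystem=false case a few lines below, which sets the same SecurityContext field and is promoted to ConformanceIt in this very hunk. The real gap is presumably that a conformant platform is not required to enforce a read-only root filesystem (the true case is also [LinuxOnly], the false case is not), and the comment should say that, e.g. `This e2e can not be promoted to Conformance because enforcing a read-only root filesystem is platform dependent and not all conformant platforms support it.`. The Testname lines in this hunk also end with a period while the ones in the runAsUser hunk above do not; the generated conformance document would read more consistently with one convention.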
@@ -247,9 +249,13 @@ var _ = framework.KubeDescribe("Security Context", func() {
 podClient.WaitForSuccess(podName, framework.PodStartTimeout)
 return podName
 }
-
- It("should run the container as unprivileged when false [LinuxOnly] [NodeConformance]", func() {
- // This test is marked LinuxOnly since it runs a Linux-specific command, and Windows does not support Windows escalation.
+ /*
+ Release : v1.15
+ Testname: Security Context, privileged=false.
+ Description: Create a container to run in unprivileged mode by setting pod's SecurityContext Privileged option as false. Pod MUST be in Succeeded phase.
+ [LinuxOnly]: This test is marked as LinuxOnly since it runs a Linux-specific command.
+ */
+ framework.ConformanceIt("should run the container as unprivileged when false [LinuxOnly] [NodeConformance]", func() {
 podName := createAndWaitUserPod(false)
 logs, err := framework.GetPodLogs(f.ClientSet, f.Namespace.Name, podName, podName)
 if err != nil {
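Review bot: The new Description attributes the `privileged` setting to the pod's SecurityContext, but `privileged` is a field of the container-level SecurityContext (PodSecurityContext has no such field), so a reader of the generated conformance document would look in the wrong place; write `Description: Create a container to run in unprivileged mode by setting the container's SecurityContext privileged option to false.`. The description also stops at "Pod MUST be in Succeeded phase", yet the visible body goes on to fetch the pod logs with framework.GetPodLogs, which indicates an output check that the description omits; a conformance description should state what the container output is compared against. The test body continues past the end of this hunk, so the exact assertion is not visible here.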
@@ -294,11 +300,13 @@ var _ = framework.KubeDescribe("Security Context", func() {
 }
 
 /*
- Testname: allowPrivilegeEscalation unset and uid != 0.
- Description: Configuring the allowPrivilegeEscalation unset, allows the privilege escalation operation.
- A container is configured with allowPrivilegeEscalation not specified (nil) and a given uid which is not 0.
- When the container is run, the container is run using uid=0.
- This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation.
+ Release : v1.15
+ Testname: Security Context, allowPrivilegeEscalation unset, uid != 0.
+ Description: Configuring the allowPrivilegeEscalation unset, allows the privilege escalation operation.
+ A container is configured with allowPrivilegeEscalation not specified (nil) and a given uid which is not 0.
+ When the container is run, container's output MUST match with expected output verifying container ran with uid=0.
+ This e2e Can not be promoted to Conformance as it is Container Runtime dependent and not all conformant platforms will require this behavior.
+ [LinuxOnly]: This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation.
 */
 It("should allow privilege escalation when not explicitly set and uid != 0 [LinuxOnly] [NodeConformance]", func() {
 podName := "alpine-nnp-nil-" + string(uuid.NewUUID())
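Review bot: The new rationale line is written as "This e2e Can not be promoted" here and in the allowPrivilegeEscalation=true hunk further down, while the runAsUser=0 hunk above uses "can not"; the capitalised "Can" mid-sentence reads as a typo and the three blocks should use one form, e.g. `This e2e cannot be promoted to Conformance as it is Container Runtime dependent and not all conformant platforms will require this behavior.`. The description also says "expected output" without naming it, whereas the sibling allowPrivilegeEscalation=false test below compares against a literal `Effective uid:` string; stating the expected line (here, that the container reports effective uid 0) would let a reader verify the claim without opening the test body, which continues outside this hunk.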
@@ -308,13 +316,14 @@ var _ = framework.KubeDescribe("Security Context", func() {
 })
 
 /*
- Testname: allowPrivilegeEscalation=false.
- Description: Configuring the allowPrivilegeEscalation to false, does not allow the privilege escalation operation.
- A container is configured with allowPrivilegeEscalation=false and a given uid (1000) which is not 0.
- When the container is run, the container is run using uid=1000.
- This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation.
+ Release : v1.15
+ Testname: Security Context, allowPrivilegeEscalation=false.
+ Description: Configuring the allowPrivilegeEscalation to false, does not allow the privilege escalation operation.
+ A container is configured with allowPrivilegeEscalation=false and a given uid (1000) which is not 0.
+ When the container is run, container's output MUST match with expected output verifying container ran with given uid i.e. uid=1000.
+ [LinuxOnly]: This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation.
 */
- It("should not allow privilege escalation when false [LinuxOnly] [NodeConformance]", func() {
+ framework.ConformanceIt("should not allow privilege escalation when false [LinuxOnly] [NodeConformance]", func() {
 podName := "alpine-nnp-false-" + string(uuid.NewUUID())
 apeFalse := false
 if err := createAndMatchOutput(podName, "Effective uid: 1000", &apeFalse, 1000); err != nil {
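Review bot: For a test now promoted to Conformance, the Description's "container's output MUST match with expected output" leaves the conformance requirement implicit, while the hunk shows the concrete criterion is the literal line `Effective uid: 1000` passed to createAndMatchOutput; the description should state it, e.g. `When the container is run, its output MUST contain the line "Effective uid: 1000", verifying that the container kept the configured uid and did not gain root via a setuid binary.`. This is the one promoted case that asserts a security boundary (no new privileges) rather than a successful pod, so being explicit about what "not allowed" means in observable terms matters for platforms implementing the conformance suite. createAndMatchOutput is defined outside this hunk, so how strictly the output is matched (exact line vs. substring) is not visible here and should be checked before wording the requirement as exact.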
@@ -323,11 +332,13 @@ var _ = framework.KubeDescribe("Security Context", func() {
 })
 
 /*
- Testname: allowPrivilegeEscalation=true.
- Description: Configuring the allowPrivilegeEscalation to true, allows the privilege escalation operation.
- A container is configured with allowPrivilegeEscalation=true and a given uid (1000) which is not 0.
- When the container is run, the container is run using uid=0 (making use of the privilege escalation).
- This test is marked LinuxOnly since Windows does not support running as UID / GID.
+ Release : v1.15
+ Testname: Security Context, allowPrivilegeEscalation=true.
+ Description: Configuring the allowPrivilegeEscalation to true, allows the privilege escalation operation.
+ A container is configured with allowPrivilegeEscalation=true and a given uid (1000) which is not 0.
+ When the container is run, container's output MUST match with expected output verifying container ran with uid=0 (making use of the privilege escalation).
+ This e2e Can not be promoted to Conformance as it is Container Runtime dependent and runtime may not allow to run.
+ [LinuxOnly]: This test is marked LinuxOnly since Windows does not support running as UID / GID.
 */
 It("should allow privilege escalation when true [LinuxOnly] [NodeConformance]", func() {
 podName := "alpine-nnp-true-" + string(uuid.NewUUID())