From f7d8771dfe09addeb32fc7e8ae7129af87bd2c1a Mon Sep 17 00:00:00 2001
From: Mayank Gaikwad <8110509+mgdevstack@users.noreply.github.com>
Date: Fri, 12 Apr 2019 10:22:06 +0530
Subject: [PATCH] Promote security context NodeConformance tests to Conformance suite

---
 test/conformance/testdata/conformance.txt |  4 ++
 test/e2e/common/security_context.go       | 87 +++++++++++++----------
 2 files changed, 53 insertions(+), 38 deletions(-)

diff --git a/test/conformance/testdata/conformance.txt b/test/conformance/testdata/conformance.txt
index 8ce92e5ef19..98635fd4dc3 100644
--- a/test/conformance/testdata/conformance.txt
+++ b/test/conformance/testdata/conformance.txt
@@ -157,6 +157,10 @@ test/e2e/common/secrets_volume.go: "should be consumable from pods in volume wit
 test/e2e/common/secrets_volume.go: "should be able to mount in a volume regardless of a different secret existing with same name in different namespace"
 test/e2e/common/secrets_volume.go: "should be consumable in multiple volumes in a pod"
 test/e2e/common/secrets_volume.go: "optional updates should be reflected in volume"
+test/e2e/common/security_context.go: "should run the container with uid 65534"
+test/e2e/common/security_context.go: "should run the container with writable rootfs when readOnlyRootFilesystem=false"
+test/e2e/common/security_context.go: "should run the container as unprivileged when false"
+test/e2e/common/security_context.go: "should not allow privilege escalation when false"
 test/e2e/kubectl/kubectl.go: "should create and stop a replication controller"
 test/e2e/kubectl/kubectl.go: "should scale a replication controller"
 test/e2e/kubectl/kubectl.go: "should do a rolling update of a replication controller"
diff --git a/test/e2e/common/security_context.go b/test/e2e/common/security_context.go
index 5f8d3833d80..1fa1ea2b2c2 100644
--- a/test/e2e/common/security_context.go
+++ b/test/e2e/common/security_context.go
@@ -69,22 +69,21 @@ var _ = framework.KubeDescribe("Security Context", func() {
 	}
 
 	/*
-		Release : v1.12
-		Testname: Security Context: runAsUser (id:65534)
-		Description: Container created with runAsUser option, passing an id (id:65534) uses that
-		given id when running the container.
-		This test is marked LinuxOnly since Windows does not support running as UID / GID.
+		Release : v1.15
+		Testname: Security Context, runAsUser=65534
+		Description: Container is created with runAsUser option by passing uid 65534 to run as unpriviledged user. Pod MUST be in Succeeded phase.
+		[LinuxOnly]: This test is marked as LinuxOnly since Windows does not support running as UID / GID.
 	*/
-	It("should run the container with uid 65534 [LinuxOnly] [NodeConformance]", func() {
+	framework.ConformanceIt("should run the container with uid 65534 [LinuxOnly] [NodeConformance]", func() {
 		createAndWaitUserPod(65534)
 	})
 
 	/*
-		Release : v1.12
-		Testname: Security Context: runAsUser (id:0)
-		Description: Container created with runAsUser option, passing an id (id:0) uses that
-		given id when running the container.
-		This test is marked LinuxOnly since Windows does not support running as UID / GID.
+		Release : v1.15
+		Testname: Security Context, runAsUser=0
+		Description: Container is created with runAsUser option by passing uid 0 to run as root priviledged user. Pod MUST be in Succeeded phase.
+		This e2e can not be promoted to Conformance because a Conformant platform may not allow to run containers with 'uid 0' or running privileged operations.
+		[LinuxOnly]: This test is marked as LinuxOnly since Windows does not support running as UID / GID.
 	*/
 	It("should run the container with uid 0 [LinuxOnly] [NodeConformance]", func() {
 		createAndWaitUserPod(0)
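Review bot: The promoted runAsUser=65534 test is documented as requiring only that the `Pod MUST be in Succeeded phase`, which a platform that ignored runAsUser and ran the container as root would also satisfy, unless `createAndWaitUserPod` itself checks the effective uid — that helper's body is outside this hunk. If it does verify the uid (as the allowPrivilegeEscalation tests do by matching `Effective uid: 1000`), the Description should say so, e.g. `The container's output MUST show that it ran with uid 65534.`; if it does not, the Conformance guarantee is weaker than the test name suggests and the doc should state that instead. The new comments also misspell `unpriviledged`/`priviledged`, which should read `unprivileged`/`privileged`.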
@@ -130,21 +129,24 @@ var _ = framework.KubeDescribe("Security Context", func() {
 	}
 
 	/*
-		Release : v1.12
-		Testname: Security Context: readOnlyRootFilesystem=true.
-		Description: when a container has configured readOnlyRootFilesystem to true, write operations are not allowed.
-		This test is marked LinuxOnly since Windows does not support creating containers with read-only access.
+		Release : v1.15
+		Testname: Security Context, readOnlyRootFilesystem=true.
+		Description: Container is configured to run with readOnlyRootFilesystem to true which will force containers to run with a read only root file system.
+		Write operation MUST NOT be allowed and Pod MUST be in Failed state.
+		At this moment we are not considering this test for Conformance due to use of SecurityContext.
+		[LinuxOnly]: This test is marked as LinuxOnly since Windows does not support creating containers with read-only access.
 	*/
 	It("should run the container with readonly rootfs when readOnlyRootFilesystem=true [LinuxOnly] [NodeConformance]", func() {
 		createAndWaitUserPod(true)
 	})
 
 	/*
-		Release : v1.12
-		Testname: Security Context: readOnlyRootFilesystem=false.
-		Description: when a container has configured readOnlyRootFilesystem to false, write operations are allowed.
+		Release : v1.15
+		Testname: Security Context, readOnlyRootFilesystem=false.
+		Description: Container is configured to run with readOnlyRootFilesystem to false.
+		Write operation MUST be allowed and Pod MUST be in Succeeded state.
 	*/
-	It("should run the container with writable rootfs when readOnlyRootFilesystem=false [NodeConformance]", func() {
+	framework.ConformanceIt("should run the container with writable rootfs when readOnlyRootFilesystem=false [NodeConformance]", func() {
 		createAndWaitUserPod(false)
 	})
 })
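Review bot: The justification added for keeping readOnlyRootFilesystem=true out of Conformance, `At this moment we are not considering this test for Conformance due to use of SecurityContext.`, does not distinguish it from the =false variant promoted in the same hunk, which sets the very same SecurityContext field. If the real reason is that a conformant platform is not required to make writes to the root filesystem fail (a runtime-dependent behavior), say that in the style used by the other non-promoted tests: `This e2e can not be promoted to Conformance because enforcement of a read-only root filesystem is container runtime dependent.` The promoted =false test asserts only that the Pod reaches Succeeded, which is also what happens when the field is left unset, so the Description should make clear whether `createAndWaitUserPod(false)` actually performs a write inside the container; that helper's body lies outside this hunk.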
@@ -180,9 +182,13 @@ var _ = framework.KubeDescribe("Security Context", func() {
 		podClient.WaitForSuccess(podName, framework.PodStartTimeout)
 		return podName
 	}
-
-	It("should run the container as unprivileged when false [LinuxOnly] [NodeConformance]", func() {
-		// This test is marked LinuxOnly since it runs a Linux-specific command, and Windows does not support Windows escalation.
+	/*
+		Release : v1.15
+		Testname: Security Context, privileged=false.
+		Description: Create a container to run in unprivileged mode by setting pod's SecurityContext Privileged option as false. Pod MUST be in Succeeded phase.
+		[LinuxOnly]: This test is marked as LinuxOnly since it runs a Linux-specific command.
+	*/
+	framework.ConformanceIt("should run the container as unprivileged when false [LinuxOnly] [NodeConformance]", func() {
 		podName := createAndWaitUserPod(false)
 		logs, err := framework.GetPodLogs(f.ClientSet, f.Namespace.Name, podName, podName)
 		if err != nil {
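Review bot: The new Description for privileged=false says only that the `Pod MUST be in Succeeded phase`, but the test goes on to fetch the container logs via `framework.GetPodLogs` right after the pod succeeds, so it evidently asserts on output as well, and a Conformance description should state what that output must be, e.g. `Pod MUST be in Succeeded phase and the container's output MUST show that the Linux-specific privileged operation was denied.` The exact expected string is in the remainder of the It body, which continues past the end of this hunk, so confirm the wording against it; the pod's SecurityContext setup lives in `createAndWaitUserPod`, also outside the hunk.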
@@ -227,11 +233,13 @@ var _ = framework.KubeDescribe("Security Context", func() {
 	}
 
 	/*
-		Testname: allowPrivilegeEscalation unset and uid != 0.
-		Description: Configuring the allowPrivilegeEscalation unset, allows the privilege escalation operation.
-		A container is configured with allowPrivilegeEscalation not specified (nil) and a given uid which is not 0.
-		When the container is run, the container is run using uid=0.
-		This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation.
+		Release : v1.15
+		Testname: Security Context, allowPrivilegeEscalation unset, uid != 0.
+		Description: Configuring the allowPrivilegeEscalation unset, allows the privilege escalation operation.
+		A container is configured with allowPrivilegeEscalation not specified (nil) and a given uid which is not 0.
+		When the container is run, container's output MUST match with expected output verifying container ran with uid=0.
+		This e2e Can not be promoted to Conformance as it is Container Runtime dependent and not all conformant platforms will require this behavior.
+		[LinuxOnly]: This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation.
 	*/
 	It("should allow privilege escalation when not explicitly set and uid != 0 [LinuxOnly] [NodeConformance]", func() {
 		podName := "alpine-nnp-nil-" + string(uuid.NewUUID())
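Review bot: The new sentence `This e2e Can not be promoted to Conformance as it is Container Runtime dependent and not all conformant platforms will require this behavior.` is inconsistently capitalized (`Can not`, `Container Runtime`) and `will require` reads as a prediction rather than a requirement. Suggest `This e2e cannot be promoted to Conformance: privilege escalation when allowPrivilegeEscalation is unset is container-runtime dependent, and a conformant platform is not required to permit it.` Stating this plainly matters because the behavior documented here — an unset field letting the process end up as uid 0 — is the security-relevant default that explains why the sibling =false test, not this one, is the Conformance check.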
@@ -241,13 +249,14 @@ var _ = framework.KubeDescribe("Security Context", func() {
 	})
 
 	/*
-		Testname: allowPrivilegeEscalation=false.
-		Description: Configuring the allowPrivilegeEscalation to false, does not allow the privilege escalation operation.
-		A container is configured with allowPrivilegeEscalation=false and a given uid (1000) which is not 0.
-		When the container is run, the container is run using uid=1000.
-		This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation.
+		Release : v1.15
+		Testname: Security Context, allowPrivilegeEscalation=false.
+		Description: Configuring the allowPrivilegeEscalation to false, does not allow the privilege escalation operation.
+		A container is configured with allowPrivilegeEscalation=false and a given uid (1000) which is not 0.
+		When the container is run, container's output MUST match with expected output verifying container ran with given uid i.e. uid=1000.
+		[LinuxOnly]: This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation.
 	*/
-	It("should not allow privilege escalation when false [LinuxOnly] [NodeConformance]", func() {
+	framework.ConformanceIt("should not allow privilege escalation when false [LinuxOnly] [NodeConformance]", func() {
 		podName := "alpine-nnp-false-" + string(uuid.NewUUID())
 		apeFalse := false
 		if err := createAndMatchOutput(podName, "Effective uid: 1000", &apeFalse, 1000); err != nil {
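Review bot: The promoted allowPrivilegeEscalation=false test passes whenever the container prints `Effective uid: 1000`, which is also what a runtime that ignores the field would produce if escalation were impossible for some other reason, so on its own it cannot prove the field is honored; only the unpromoted =true sibling demonstrates that escalation would otherwise occur. That is an acceptable shape for a Conformance negative test, but the Description should say so rather than imply the field was enforced, e.g. append `This test verifies only that no escalation occurred; it does not verify that escalation would have succeeded with allowPrivilegeEscalation=true.` How the escalation is attempted is inside `createAndMatchOutput`, whose body is outside this hunk.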
@@ -256,11 +265,13 @@ var _ = framework.KubeDescribe("Security Context", func() {
 	})
 
 	/*
-		Testname: allowPrivilegeEscalation=true.
-		Description: Configuring the allowPrivilegeEscalation to true, allows the privilege escalation operation.
-		A container is configured with allowPrivilegeEscalation=true and a given uid (1000) which is not 0.
-		When the container is run, the container is run using uid=0 (making use of the privilege escalation).
-		This test is marked LinuxOnly since Windows does not support running as UID / GID.
+		Release : v1.15
+		Testname: Security Context, allowPrivilegeEscalation=true.
+		Description: Configuring the allowPrivilegeEscalation to true, allows the privilege escalation operation.
+		A container is configured with allowPrivilegeEscalation=true and a given uid (1000) which is not 0.
+		When the container is run, container's output MUST match with expected output verifying container ran with uid=0 (making use of the privilege escalation).
+		This e2e Can not be promoted to Conformance as it is Container Runtime dependent and runtime may not allow to run.
+		[LinuxOnly]: This test is marked LinuxOnly since Windows does not support running as UID / GID.
 	*/
 	It("should allow privilege escalation when true [LinuxOnly] [NodeConformance]", func() {
 		podName := "alpine-nnp-true-" + string(uuid.NewUUID())
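Review bot: The new non-promotion rationale, `This e2e Can not be promoted to Conformance as it is Container Runtime dependent and runtime may not allow to run.`, is vague about what "may not allow to run" refers to and is inconsistently capitalized. Suggest `This e2e cannot be promoted to Conformance: whether allowPrivilegeEscalation=true actually results in the process running as uid 0 is container-runtime dependent, so a conformant platform is not required to exhibit it.` Being precise here matters because the expectation documented two lines above — output `verifying container ran with uid=0` — is exactly the behavior a hardened runtime may legitimately prevent, and a reader should not conclude that such a runtime is non-conformant.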