Merge pull request #70639 from mgdevstack/promote-security-context

Promote security context NodeConformance tests to Conformance suite
Kubernetes Prow Robot 2019-06-13 17:48:20 -07:00 committed by GitHub
commit 62eae8d058
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 53 additions and 38 deletions


@ -166,6 +166,10 @@ test/e2e/common/secrets_volume.go: "should be consumable from pods in volume wit
test/e2e/common/secrets_volume.go: "should be able to mount in a volume regardless of a different secret existing with same name in different namespace" test/e2e/common/secrets_volume.go: "should be able to mount in a volume regardless of a different secret existing with same name in different namespace"
test/e2e/common/secrets_volume.go: "should be consumable in multiple volumes in a pod" test/e2e/common/secrets_volume.go: "should be consumable in multiple volumes in a pod"
test/e2e/common/secrets_volume.go: "optional updates should be reflected in volume" test/e2e/common/secrets_volume.go: "optional updates should be reflected in volume"
test/e2e/common/security_context.go: "should run the container with uid 65534"
test/e2e/common/security_context.go: "should run the container with writable rootfs when readOnlyRootFilesystem=false"
test/e2e/common/security_context.go: "should run the container as unprivileged when false"
test/e2e/common/security_context.go: "should not allow privilege escalation when false"
test/e2e/kubectl/kubectl.go: "should create and stop a replication controller" test/e2e/kubectl/kubectl.go: "should create and stop a replication controller"
test/e2e/kubectl/kubectl.go: "should scale a replication controller" test/e2e/kubectl/kubectl.go: "should scale a replication controller"
test/e2e/kubectl/kubectl.go: "should do a rolling update of a replication controller" test/e2e/kubectl/kubectl.go: "should do a rolling update of a replication controller"


@ -73,22 +73,21 @@ var _ = framework.KubeDescribe("Security Context", func() {
} }
/* /*
Release : v1.12 Release : v1.15
Testname: Security Context: runAsUser (id:65534) Testname: Security Context, runAsUser=65534
Description: Container created with runAsUser option, passing an id (id:65534) uses that Description: Container is created with runAsUser option by passing uid 65534 to run as unpriviledged user. Pod MUST be in Succeeded phase.
given id when running the container. [LinuxOnly]: This test is marked as LinuxOnly since Windows does not support running as UID / GID.
This test is marked LinuxOnly since Windows does not support running as UID / GID.
*/ */
It("should run the container with uid 65534 [LinuxOnly] [NodeConformance]", func() { framework.ConformanceIt("should run the container with uid 65534 [LinuxOnly] [NodeConformance]", func() {
createAndWaitUserPod(65534) createAndWaitUserPod(65534)
}) })
/* /*
Release : v1.12 Release : v1.15
Testname: Security Context: runAsUser (id:0) Testname: Security Context, runAsUser=0
Description: Container created with runAsUser option, passing an id (id:0) uses that Description: Container is created with runAsUser option by passing uid 0 to run as root priviledged user. Pod MUST be in Succeeded phase.
given id when running the container. This e2e can not be promoted to Conformance because a Conformant platform may not allow to run containers with 'uid 0' or running privileged operations.
This test is marked LinuxOnly since Windows does not support running as UID / GID. [LinuxOnly]: This test is marked as LinuxOnly since Windows does not support running as UID / GID.
*/ */
It("should run the container with uid 0 [LinuxOnly] [NodeConformance]", func() { It("should run the container with uid 0 [LinuxOnly] [NodeConformance]", func() {
createAndWaitUserPod(0) createAndWaitUserPod(0)
@ -197,21 +196,24 @@ var _ = framework.KubeDescribe("Security Context", func() {
} }
/* /*
Release : v1.12 Release : v1.15
Testname: Security Context: readOnlyRootFilesystem=true. Testname: Security Context, readOnlyRootFilesystem=true.
Description: when a container has configured readOnlyRootFilesystem to true, write operations are not allowed. Description: Container is configured to run with readOnlyRootFilesystem to true which will force containers to run with a read only root file system.
This test is marked LinuxOnly since Windows does not support creating containers with read-only access. Write operation MUST NOT be allowed and Pod MUST be in Failed state.
At this moment we are not considering this test for Conformance due to use of SecurityContext.
[LinuxOnly]: This test is marked as LinuxOnly since Windows does not support creating containers with read-only access.
*/ */
It("should run the container with readonly rootfs when readOnlyRootFilesystem=true [LinuxOnly] [NodeConformance]", func() { It("should run the container with readonly rootfs when readOnlyRootFilesystem=true [LinuxOnly] [NodeConformance]", func() {
createAndWaitUserPod(true) createAndWaitUserPod(true)
}) })
/* /*
Release : v1.12 Release : v1.15
Testname: Security Context: readOnlyRootFilesystem=false. Testname: Security Context, readOnlyRootFilesystem=false.
Description: when a container has configured readOnlyRootFilesystem to false, write operations are allowed. Description: Container is configured to run with readOnlyRootFilesystem to false.
Write operation MUST be allowed and Pod MUST be in Succeeded state.
*/ */
It("should run the container with writable rootfs when readOnlyRootFilesystem=false [NodeConformance]", func() { framework.ConformanceIt("should run the container with writable rootfs when readOnlyRootFilesystem=false [NodeConformance]", func() {
createAndWaitUserPod(false) createAndWaitUserPod(false)
}) })
}) })
@ -247,9 +249,13 @@ var _ = framework.KubeDescribe("Security Context", func() {
podClient.WaitForSuccess(podName, framework.PodStartTimeout) podClient.WaitForSuccess(podName, framework.PodStartTimeout)
return podName return podName
} }
/*
It("should run the container as unprivileged when false [LinuxOnly] [NodeConformance]", func() { Release : v1.15
// This test is marked LinuxOnly since it runs a Linux-specific command, and Windows does not support Windows escalation. Testname: Security Context, privileged=false.
Description: Create a container to run in unprivileged mode by setting pod's SecurityContext Privileged option as false. Pod MUST be in Succeeded phase.
[LinuxOnly]: This test is marked as LinuxOnly since it runs a Linux-specific command.
*/
framework.ConformanceIt("should run the container as unprivileged when false [LinuxOnly] [NodeConformance]", func() {
podName := createAndWaitUserPod(false) podName := createAndWaitUserPod(false)
logs, err := framework.GetPodLogs(f.ClientSet, f.Namespace.Name, podName, podName) logs, err := framework.GetPodLogs(f.ClientSet, f.Namespace.Name, podName, podName)
if err != nil { if err != nil {
@ -294,11 +300,13 @@ var _ = framework.KubeDescribe("Security Context", func() {
} }
/* /*
Testname: allowPrivilegeEscalation unset and uid != 0. Release : v1.15
Description: Configuring the allowPrivilegeEscalation unset, allows the privilege escalation operation. Testname: Security Context, allowPrivilegeEscalation unset, uid != 0.
A container is configured with allowPrivilegeEscalation not specified (nil) and a given uid which is not 0. Description: Configuring the allowPrivilegeEscalation unset, allows the privilege escalation operation.
When the container is run, the container is run using uid=0. A container is configured with allowPrivilegeEscalation not specified (nil) and a given uid which is not 0.
This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation. When the container is run, container's output MUST match with expected output verifying container ran with uid=0.
This e2e Can not be promoted to Conformance as it is Container Runtime dependent and not all conformant platforms will require this behavior.
[LinuxOnly]: This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation.
*/ */
It("should allow privilege escalation when not explicitly set and uid != 0 [LinuxOnly] [NodeConformance]", func() { It("should allow privilege escalation when not explicitly set and uid != 0 [LinuxOnly] [NodeConformance]", func() {
podName := "alpine-nnp-nil-" + string(uuid.NewUUID()) podName := "alpine-nnp-nil-" + string(uuid.NewUUID())
@ -308,13 +316,14 @@ var _ = framework.KubeDescribe("Security Context", func() {
}) })
/* /*
Testname: allowPrivilegeEscalation=false. Release : v1.15
Description: Configuring the allowPrivilegeEscalation to false, does not allow the privilege escalation operation. Testname: Security Context, allowPrivilegeEscalation=false.
A container is configured with allowPrivilegeEscalation=false and a given uid (1000) which is not 0. Description: Configuring the allowPrivilegeEscalation to false, does not allow the privilege escalation operation.
When the container is run, the container is run using uid=1000. A container is configured with allowPrivilegeEscalation=false and a given uid (1000) which is not 0.
This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation. When the container is run, container's output MUST match with expected output verifying container ran with given uid i.e. uid=1000.
[LinuxOnly]: This test is marked LinuxOnly since Windows does not support running as UID / GID, or privilege escalation.
*/ */
It("should not allow privilege escalation when false [LinuxOnly] [NodeConformance]", func() { framework.ConformanceIt("should not allow privilege escalation when false [LinuxOnly] [NodeConformance]", func() {
podName := "alpine-nnp-false-" + string(uuid.NewUUID()) podName := "alpine-nnp-false-" + string(uuid.NewUUID())
apeFalse := false apeFalse := false
if err := createAndMatchOutput(podName, "Effective uid: 1000", &apeFalse, 1000); err != nil { if err := createAndMatchOutput(podName, "Effective uid: 1000", &apeFalse, 1000); err != nil {
@ -323,11 +332,13 @@ var _ = framework.KubeDescribe("Security Context", func() {
}) })
/* /*
Testname: allowPrivilegeEscalation=true. Release : v1.15
Description: Configuring the allowPrivilegeEscalation to true, allows the privilege escalation operation. Testname: Security Context, allowPrivilegeEscalation=true.
A container is configured with allowPrivilegeEscalation=true and a given uid (1000) which is not 0. Description: Configuring the allowPrivilegeEscalation to true, allows the privilege escalation operation.
When the container is run, the container is run using uid=0 (making use of the privilege escalation). A container is configured with allowPrivilegeEscalation=true and a given uid (1000) which is not 0.
This test is marked LinuxOnly since Windows does not support running as UID / GID. When the container is run, container's output MUST match with expected output verifying container ran with uid=0 (making use of the privilege escalation).
This e2e Can not be promoted to Conformance as it is Container Runtime dependent and runtime may not allow to run.
[LinuxOnly]: This test is marked LinuxOnly since Windows does not support running as UID / GID.
*/ */
It("should allow privilege escalation when true [LinuxOnly] [NodeConformance]", func() { It("should allow privilege escalation when true [LinuxOnly] [NodeConformance]", func() {
podName := "alpine-nnp-true-" + string(uuid.NewUUID()) podName := "alpine-nnp-true-" + string(uuid.NewUUID())