Merge pull request #111009 from marosset/runasnonroot-windows-fix

Windows: ensure runAsNonRoot does case-insensitive comparison on username
This commit is contained in:
Kubernetes Prow Robot
2022-07-28 17:55:22 -07:00
committed by GitHub
3 changed files with 85 additions and 3 deletions


@@ -153,6 +153,42 @@ var _ = SIGDescribe("[Feature:Windows] SecurityContext", func() {
framework.ExpectNoError(e2epod.WaitForPodNameRunningInNamespace(f.ClientSet, windowsPodWithSELinux.Name,
f.Namespace.Name), "failed to wait for pod %s to be running", windowsPodWithSELinux.Name)
})
ginkgo.It("should not be able to create pods with containers running as ContainerAdministrator when runAsNonRoot is true", func() {
ginkgo.By("Creating a pod")
p := runAsUserNamePod(toPtr("ContainerAdministrator"))
p.Spec.SecurityContext.RunAsNonRoot = &trueVar
podInvalid, err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).Create(context.TODO(), p, metav1.CreateOptions{})
framework.ExpectNoError(err, "Error creating pod")
ginkgo.By("Waiting for pod to finish")
event, err := f.PodClient().WaitForErrorEventOrSuccess(podInvalid)
framework.ExpectNoError(err)
framework.ExpectNotEqual(event, nil, "event should not be empty")
framework.Logf("Got event: %v", event)
expectedEventError := "container's runAsUserName (ContainerAdministrator) which will be regarded as root identity and will break non-root policy"
framework.ExpectEqual(true, strings.Contains(event.Message, expectedEventError), "Event error should indicate non-root policy caused container to not start")
})
ginkgo.It("should not be able to create pods with containers running as CONTAINERADMINISTRATOR when runAsNonRoot is true", func() {
ginkgo.By("Creating a pod")
p := runAsUserNamePod(toPtr("CONTAINERADMINISTRATOR"))
p.Spec.SecurityContext.RunAsNonRoot = &trueVar
podInvalid, err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).Create(context.TODO(), p, metav1.CreateOptions{})
framework.ExpectNoError(err, "Error creating pod")
ginkgo.By("Waiting for pod to finish")
event, err := f.PodClient().WaitForErrorEventOrSuccess(podInvalid)
framework.ExpectNoError(err)
framework.ExpectNotEqual(event, nil, "event should not be empty")
framework.Logf("Got event: %v", event)
expectedEventError := "container's runAsUserName (CONTAINERADMINISTRATOR) which will be regarded as root identity and will break non-root policy"
framework.ExpectEqual(true, strings.Contains(event.Message, expectedEventError), "Event error should indicate non-root policy caused container to not start")
})
})
func runAsUserNamePod(username *string) *v1.Pod {