github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 21:47:07 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #121606 from saschagrunert/user-namespaces-serial-test

Browse Source 
KEP-127: Add UserNamespacesPodSecurityStandards e2e test
This commit is contained in:
Kubernetes Prow Robot 2024-02-28 13:54:25 -08:00 committed by GitHub
commit 7ec1e1a55e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 40 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
test/e2e/common/node/security_context.go
View File

@ -35,6 +35,7 @@ import (
imageutils "k8s.io/kubernetes/test/utils/image" imageutils "k8s.io/kubernetes/test/utils/image"
admissionapi "k8s.io/pod-security-admission/api" admissionapi "k8s.io/pod-security-admission/api"
"k8s.io/utils/pointer" "k8s.io/utils/pointer"
"k8s.io/utils/ptr"
"github.com/onsi/ginkgo/v2" "github.com/onsi/ginkgo/v2"
"github.com/onsi/gomega" "github.com/onsi/gomega"
@ -635,6 +636,39 @@ var _ = SIGDescribe("Security Context", func() {
}) })
}) })
var _ = SIGDescribe("User Namespaces for Pod Security Standards [LinuxOnly]", func() {
f := framework.NewDefaultFramework("user-namespaces-pss-test")
f.NamespacePodSecurityEnforceLevel = admissionapi.LevelRestricted
ginkgo.Context("with UserNamespacesSupport and UserNamespacesPodSecurityStandards enabled", func() {
f.It("should allow pod", feature.UserNamespacesPodSecurityStandards, func(ctx context.Context) {
name := "pod-user-namespaces-pss-" + string(uuid.NewUUID())
pod := &v1.Pod{
ObjectMeta: metav1.ObjectMeta{Name: name},
Spec: v1.PodSpec{
RestartPolicy: v1.RestartPolicyNever,
HostUsers: ptr.To(false),
SecurityContext: &v1.PodSecurityContext{},
Containers: []v1.Container{
{
Name: name,
Image: imageutils.GetE2EImage(imageutils.BusyBox),
Command: []string{"whoami"},
SecurityContext: &v1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(false),
Capabilities: &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},
},
},
},
},
}
e2epodoutput.TestContainerOutput(ctx, f, "RunAsUser-RunAsNonRoot", pod, 0, []string{"root"})
})
})
})
// waitForFailure waits for pod to fail. // waitForFailure waits for pod to fail.
func waitForFailure(ctx context.Context, f *framework.Framework, name string, timeout time.Duration) { func waitForFailure(ctx context.Context, f *framework.Framework, name string, timeout time.Duration) {
gomega.Expect(e2epod.WaitForPodCondition(ctx, f.ClientSet, f.Namespace.Name, name, fmt.Sprintf("%s or %s", v1.PodSucceeded, v1.PodFailed), timeout, gomega.Expect(e2epod.WaitForPodCondition(ctx, f.ClientSet, f.Namespace.Name, name, fmt.Sprintf("%s or %s", v1.PodSucceeded, v1.PodFailed), timeout,

6
test/e2e/feature/feature.go
View File

@ -328,6 +328,12 @@ var (
// TODO: document the feature (owning SIG, when to use this feature for a test) // TODO: document the feature (owning SIG, when to use this feature for a test)
UserNamespacesSupport = framework.WithFeature(framework.ValidFeatures.Add("UserNamespacesSupport")) UserNamespacesSupport = framework.WithFeature(framework.ValidFeatures.Add("UserNamespacesSupport"))
// Owned by SIG Node
// Can be used when the UserNamespacesPodSecurityStandards kubelet feature
// gate is enabled to relax the application of Pod Security Standards in a
// controlled way.
UserNamespacesPodSecurityStandards = framework.WithFeature(framework.ValidFeatures.Add("UserNamespacesPodSecurityStandards"))
// TODO: document the feature (owning SIG, when to use this feature for a test) // TODO: document the feature (owning SIG, when to use this feature for a test)
ValidatingAdmissionPolicy = framework.WithFeature(framework.ValidFeatures.Add("ValidatingAdmissionPolicy")) ValidatingAdmissionPolicy = framework.WithFeature(framework.ValidFeatures.Add("ValidatingAdmissionPolicy"))