github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 21:47:07 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #75164 from krmayankk/runasgroup

Browse Source 
add missing psp e2e tests for runasgroup
This commit is contained in:
Kubernetes Prow Robot 2019-03-13 18:02:25 -07:00 committed by GitHub
commit 897d62ace7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 27 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
test/e2e/auth/pod_security_policy.go
View File

@ -40,6 +40,8 @@ import (
. "github.com/onsi/gomega" . "github.com/onsi/gomega"
) )
const nobodyUser = int64(65534)
var _ = SIGDescribe("PodSecurityPolicy", func() { var _ = SIGDescribe("PodSecurityPolicy", func() {
f := framework.NewDefaultFramework("podsecuritypolicy") f := framework.NewDefaultFramework("podsecuritypolicy")
f.SkipPrivilegedPSPBinding = true f.SkipPrivilegedPSPBinding = true
@ -186,6 +188,21 @@ func testPrivilegedPods(tester func(pod *v1.Pod)) {
sysadmin.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = nil sysadmin.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = nil
tester(sysadmin) tester(sysadmin)
}) })
By("Running a RunAsGroup pod", func() {
sysadmin := restrictedPod("runasgroup")
gid := int64(0)
sysadmin.Spec.Containers[0].SecurityContext.RunAsGroup = &gid
tester(sysadmin)
})
By("Running a RunAsUser pod", func() {
sysadmin := restrictedPod("runasuser")
uid := int64(0)
sysadmin.Spec.Containers[0].SecurityContext.RunAsUser = &uid
tester(sysadmin)
})
} }
// createAndBindPSP creates a PSP in the policy API group. // createAndBindPSP creates a PSP in the policy API group.
@ -244,7 +261,8 @@ func restrictedPod(name string) *v1.Pod {
Image: imageutils.GetPauseImageName(), Image: imageutils.GetPauseImageName(),
SecurityContext: &v1.SecurityContext{ SecurityContext: &v1.SecurityContext{
AllowPrivilegeEscalation: boolPtr(false), AllowPrivilegeEscalation: boolPtr(false),
RunAsUser: utilpointer.Int64Ptr(65534), RunAsUser: utilpointer.Int64Ptr(nobodyUser),
RunAsGroup: utilpointer.Int64Ptr(nobodyUser),
}, },
}}, }},
}, },
@ -270,6 +288,9 @@ func privilegedPSP(name string) *policy.PodSecurityPolicy {
RunAsUser: policy.RunAsUserStrategyOptions{ RunAsUser: policy.RunAsUserStrategyOptions{
Rule: policy.RunAsUserStrategyRunAsAny, Rule: policy.RunAsUserStrategyRunAsAny,
}, },
RunAsGroup: &policy.RunAsGroupStrategyOptions{
Rule: policy.RunAsGroupStrategyRunAsAny,
},
SELinux: policy.SELinuxStrategyOptions{ SELinux: policy.SELinuxStrategyOptions{
Rule: policy.SELinuxStrategyRunAsAny, Rule: policy.SELinuxStrategyRunAsAny,
}, },
@ -325,6 +346,11 @@ func restrictedPSP(name string) *policy.PodSecurityPolicy {
RunAsUser: policy.RunAsUserStrategyOptions{ RunAsUser: policy.RunAsUserStrategyOptions{
Rule: policy.RunAsUserStrategyMustRunAsNonRoot, Rule: policy.RunAsUserStrategyMustRunAsNonRoot,
}, },
RunAsGroup: &policy.RunAsGroupStrategyOptions{
Rule: policy.RunAsGroupStrategyMustRunAs,
Ranges: []policy.IDRange{
{Min: nobodyUser, Max: nobodyUser}},
},
SELinux: policy.SELinuxStrategyOptions{ SELinux: policy.SELinuxStrategyOptions{
Rule: policy.SELinuxStrategyRunAsAny, Rule: policy.SELinuxStrategyRunAsAny,
}, },