Apply PSP container tests to EphemeralContainers
This commit is contained in:
parent
aff49ca684
commit
babebf76d3
@ -104,6 +104,8 @@ func TestMutatePodNonmutating(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func TestMutateContainerNonmutating(t *testing.T) {
|
func TestMutateContainerNonmutating(t *testing.T) {
|
||||||
|
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.EphemeralContainers, true)()
|
||||||
|
|
||||||
untrue := false
|
untrue := false
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
security *api.SecurityContext
|
security *api.SecurityContext
|
||||||
@ -120,6 +122,11 @@ func TestMutateContainerNonmutating(t *testing.T) {
|
|||||||
Containers: []api.Container{{
|
Containers: []api.Container{{
|
||||||
SecurityContext: tc.security,
|
SecurityContext: tc.security,
|
||||||
}},
|
}},
|
||||||
|
EphemeralContainers: []api.EphemeralContainer{{
|
||||||
|
EphemeralContainerCommon: api.EphemeralContainerCommon{
|
||||||
|
SecurityContext: tc.security,
|
||||||
|
},
|
||||||
|
}},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -546,6 +553,8 @@ func allowFlexVolumesPSP(allowAllFlexVolumes, allowAllVolumes bool) *policy.PodS
|
|||||||
}
|
}
|
||||||
|
|
||||||
func TestValidateContainerFailures(t *testing.T) {
|
func TestValidateContainerFailures(t *testing.T) {
|
||||||
|
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.EphemeralContainers, true)()
|
||||||
|
|
||||||
// fail user strategy
|
// fail user strategy
|
||||||
failUserPSP := defaultPSP()
|
failUserPSP := defaultPSP()
|
||||||
uid := int64(999)
|
uid := int64(999)
|
||||||
@ -689,6 +698,13 @@ func TestValidateContainerFailures(t *testing.T) {
|
|||||||
errs := provider.ValidatePod(test.pod)
|
errs := provider.ValidatePod(test.pod)
|
||||||
require.NotEmpty(t, errs, "expected validation failure but did not receive errors")
|
require.NotEmpty(t, errs, "expected validation failure but did not receive errors")
|
||||||
assert.Contains(t, errs[0].Error(), test.expectedError, "unexpected error")
|
assert.Contains(t, errs[0].Error(), test.expectedError, "unexpected error")
|
||||||
|
|
||||||
|
// We want EphemeralContainers to behave the same as regular containers, so move the
|
||||||
|
// containers to ephemeralContainers and validate again.
|
||||||
|
ecPod := moveContainersToEphemeral(test.pod)
|
||||||
|
errs = provider.ValidatePod(ecPod)
|
||||||
|
require.NotEmpty(t, errs, "expected validation failure for ephemeral containers but did not receive errors")
|
||||||
|
assert.Contains(t, errs[0].Error(), test.expectedError, "unexpected error")
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1062,6 +1078,8 @@ func TestValidatePodSuccess(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func TestValidateContainerSuccess(t *testing.T) {
|
func TestValidateContainerSuccess(t *testing.T) {
|
||||||
|
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.EphemeralContainers, true)()
|
||||||
|
|
||||||
// success user strategy
|
// success user strategy
|
||||||
userPSP := defaultPSP()
|
userPSP := defaultPSP()
|
||||||
uid := int64(999)
|
uid := int64(999)
|
||||||
@ -1221,6 +1239,12 @@ func TestValidateContainerSuccess(t *testing.T) {
|
|||||||
require.NoError(t, err, "unable to create provider")
|
require.NoError(t, err, "unable to create provider")
|
||||||
errs := provider.ValidatePod(test.pod)
|
errs := provider.ValidatePod(test.pod)
|
||||||
assert.Empty(t, errs, "expected validation pass but received errors")
|
assert.Empty(t, errs, "expected validation pass but received errors")
|
||||||
|
|
||||||
|
// We want EphemeralContainers to behave the same as regular containers, so move the
|
||||||
|
// containers to ephemeralContainers and validate again.
|
||||||
|
ecPod := moveContainersToEphemeral(test.pod)
|
||||||
|
errs = provider.ValidatePod(ecPod)
|
||||||
|
assert.Empty(t, errs, "expected validation pass for ephemeral containers but received errors")
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1377,6 +1401,17 @@ func defaultV1Pod() *v1.Pod {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func moveContainersToEphemeral(in *api.Pod) *api.Pod {
|
||||||
|
out := in.DeepCopy()
|
||||||
|
for _, c := range out.Spec.Containers {
|
||||||
|
out.Spec.EphemeralContainers = append(out.Spec.EphemeralContainers, api.EphemeralContainer{
|
||||||
|
EphemeralContainerCommon: api.EphemeralContainerCommon(c),
|
||||||
|
})
|
||||||
|
}
|
||||||
|
out.Spec.Containers = nil
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
// TestValidateAllowedVolumes will test that for every field of VolumeSource we can create
|
// TestValidateAllowedVolumes will test that for every field of VolumeSource we can create
|
||||||
// a pod with that type of volume and deny it, accept it explicitly, or accept it with
|
// a pod with that type of volume and deny it, accept it explicitly, or accept it with
|
||||||
// the FSTypeAll wildcard.
|
// the FSTypeAll wildcard.
|
||||||
@ -1490,6 +1525,8 @@ func TestValidateProjectedVolume(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func TestAllowPrivilegeEscalation(t *testing.T) {
|
func TestAllowPrivilegeEscalation(t *testing.T) {
|
||||||
|
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.EphemeralContainers, true)()
|
||||||
|
|
||||||
ptr := pointer.BoolPtr
|
ptr := pointer.BoolPtr
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
pspAPE bool // PSP AllowPrivilegeEscalation
|
pspAPE bool // PSP AllowPrivilegeEscalation
|
||||||
@ -1528,6 +1565,7 @@ func TestAllowPrivilegeEscalation(t *testing.T) {
|
|||||||
t.Run(fmt.Sprintf("pspAPE:%t_pspDAPE:%s_podAPE:%s", test.pspAPE, fmtPtr(test.pspDAPE), fmtPtr(test.podAPE)), func(t *testing.T) {
|
t.Run(fmt.Sprintf("pspAPE:%t_pspDAPE:%s_podAPE:%s", test.pspAPE, fmtPtr(test.pspDAPE), fmtPtr(test.podAPE)), func(t *testing.T) {
|
||||||
pod := defaultPod()
|
pod := defaultPod()
|
||||||
pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = test.podAPE
|
pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = test.podAPE
|
||||||
|
ecPod := moveContainersToEphemeral(pod)
|
||||||
|
|
||||||
psp := defaultPSP()
|
psp := defaultPSP()
|
||||||
psp.Spec.AllowPrivilegeEscalation = &test.pspAPE
|
psp.Spec.AllowPrivilegeEscalation = &test.pspAPE
|
||||||
@ -1547,6 +1585,18 @@ func TestAllowPrivilegeEscalation(t *testing.T) {
|
|||||||
ape := pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation
|
ape := pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation
|
||||||
assert.Equal(t, test.expectAPE, ape, "expected pod AllowPrivilegeEscalation")
|
assert.Equal(t, test.expectAPE, ape, "expected pod AllowPrivilegeEscalation")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
err = provider.MutatePod(ecPod)
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
errs = provider.ValidatePod(ecPod)
|
||||||
|
if test.expectErr {
|
||||||
|
assert.NotEmpty(t, errs, "expected validation error for ephemeral containers")
|
||||||
|
} else {
|
||||||
|
assert.Empty(t, errs, "expected no validation errors for ephemeral containers")
|
||||||
|
ape := ecPod.Spec.EphemeralContainers[0].SecurityContext.AllowPrivilegeEscalation
|
||||||
|
assert.Equal(t, test.expectAPE, ape, "expected pod AllowPrivilegeEscalation for ephemeral container")
|
||||||
|
}
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
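Review bot: In the TestMutateContainerNonmutating hunk (old line 120 onward) the regular container and the new ephemeral container are built from the same `tc.security` pointer, so if MutatePod writes through that pointer both views change together and a mutation that only affects the ephemeral path could be masked or misattributed, depending on how the comparison outside this hunk snapshots the pod. Giving the ephemeral container its own copy, `SecurityContext: tc.security.DeepCopy(),`, keeps the two checks independent; the generated DeepCopy returns nil for a nil receiver, so test cases with a nil security context still work. TestMutateContainerNonmutating begins in the first hunk and its comparison logic lies outside the visible hunks, so this is inferred from the shared pointer alone. Separately, `moveContainersToEphemeral` in the defaultV1Pod hunk has no comment; I would add `// moveContainersToEphemeral returns a deep copy of in with every regular container moved to spec.ephemeralContainers and spec.containers cleared, so container-level PSP tests can be replayed against ephemeral containers.`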