From ce70619a4798b9d82d40670e6b29b579ef2b9a5c Mon Sep 17 00:00:00 2001
From: Jess Frazelle
Date: Tue, 6 Jun 2017 02:11:29 -0400
Subject: [PATCH] allowPrivilegeEscalation: add integration test with setuid binary
Signed-off-by: Jess Frazelle
---
 test/e2e_node/BUILD | 1 +
 test/e2e_node/image_list.go | 1 +
 test/e2e_node/security_context_test.go | 84 ++++++++++++++++++++++++++
 3 files changed, 86 insertions(+)
diff --git a/test/e2e_node/BUILD b/test/e2e_node/BUILD
index 849d571b19b..187accfa20b 100644
--- a/test/e2e_node/BUILD
+++ b/test/e2e_node/BUILD
@@ -117,6 +117,7 @@ go_test(
 "//test/e2e_node/services:go_default_library",
 "//test/e2e_node/system:go_default_library",
 "//test/utils:go_default_library",
+ "//vendor/github.com/blang/semver:go_default_library",
 "//vendor/github.com/coreos/go-systemd/util:go_default_library",
 "//vendor/github.com/davecgh/go-spew/spew:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
diff --git a/test/e2e_node/image_list.go b/test/e2e_node/image_list.go
index c6e3cbe9b5a..41c3daafb8f 100644
--- a/test/e2e_node/image_list.go
+++ b/test/e2e_node/image_list.go
@@ -53,6 +53,7 @@ var NodeImageWhiteList = sets.NewString(
 "gcr.io/google_containers/nginx-slim:0.7",
 "gcr.io/google_containers/serve_hostname:v1.4",
 "gcr.io/google_containers/netexec:1.7",
+ "gcr.io/google_containers/nonewprivs:1.2",
 framework.GetPauseImageNameForHostArch(),
 )
diff --git a/test/e2e_node/security_context_test.go b/test/e2e_node/security_context_test.go
index d79830f4754..2f4c1c74ead 100644
--- a/test/e2e_node/security_context_test.go
+++ b/test/e2e_node/security_context_test.go
@@ -28,6 +28,7 @@ import (
 "k8s.io/apimachinery/pkg/util/uuid"
 "k8s.io/kubernetes/test/e2e/framework"
+ "github.com/blang/semver"
 . "github.com/onsi/ginkgo"
 )
@@ -315,4 +316,87 @@ var _ = framework.KubeDescribe("Security Context", func() {
 })
 })
+
+ Context("when creating containers with AllowPrivilegeEscalation", func() {
+
+ BeforeEach(func() {
+ if framework.TestContext.ContainerRuntime == "docker" {
+ // parse the docker version
+ out, err := exec.Command("docker", "-v").CombinedOutput()
+ if err != nil {
+ framework.Failf("checking docker version failed output %s: %v", string(out), err)
+ }
+ parts := strings.Split(string(out), ",")
+ parts = strings.Split(parts[0], " ")
+ dversion := parts[len(parts)-1]
+ version, err := semver.New(dversion)
+ if err != nil {
+ framework.Failf("parsing docker version %q failed: %v", dversion, err)
+ }
+ if version.LT(semver.Version{Major: 1, Minor: 11}) {
+ // make sure its >= 1.11 thats when "no-new-privileges" was added
+ framework.Skipf("Skipping no_new_privs tests, docker version is < 1.11 it is %s", version.String())
+ }
+ }
+ })
+
+ makeAllowPrivilegeEscalationPod := func(podName string, allowPrivilegeEscalation *bool, uid int64) *v1.Pod {
+ return &v1.Pod{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: podName,
+ },
+ Spec: v1.PodSpec{
+ RestartPolicy: v1.RestartPolicyNever,
+ Containers: []v1.Container{
+ {
+ Image: "gcr.io/google_containers/nonewprivs:1.2",
+ Name: podName,
+ SecurityContext: &v1.SecurityContext{
+ AllowPrivilegeEscalation: allowPrivilegeEscalation,
+ RunAsUser: &uid,
+ },
+ },
+ },
+ },
+ }
+ }
+ createAndMatchOutput := func(podName, output string, allowPrivilegeEscalation *bool, uid int64) error {
+ podClient.Create(makeAllowPrivilegeEscalationPod(podName,
+ allowPrivilegeEscalation,
+ uid,
+ ))
+
+ podClient.WaitForSuccess(podName, framework.PodStartTimeout)
+
+ if err := podClient.MatchContainerOutput(podName, podName, output); err != nil {
+ return err
+ }
+
+ return nil
+ }
+
+ It("should allow privilege escalation when not explicitly set and uid != 0", func() {
+ podName := "alpine-nnp-nil-" + string(uuid.NewUUID())
+ if err := createAndMatchOutput(podName, "Effective uid: 0", nil, 1000); err != nil {
+ framework.Failf("Match output for pod %q failed: %v", podName, err)
+ }
+ })
+
+ It("should not allow privilege escalation when false", func() {
+ podName := "alpine-nnp-false-" + string(uuid.NewUUID())
+ apeFalse := false
+ if err := createAndMatchOutput(podName, "Effective uid: 1000", &apeFalse, 1000); err != nil {
+ framework.Failf("Match output for pod %q failed: %v", podName, err)
+ }
+ })
+
+ It("should allow privilege escalation when true", func() {
+ podName := "alpine-nnp-true-" + string(uuid.NewUUID())
+ apeTrue := true
+ if err := createAndMatchOutput(podName, "Effective uid: 0", &apeTrue, 1000); err != nil {
+ framework.Failf("Match output for pod %q failed: %v", podName, err)
+ }
+ })
+ })
+ })
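Review bot: The Docker version gate in BeforeEach fails the whole Context instead of skipping it on the date-based Docker releases current at this commit: `docker -v` prints e.g. `Docker version 17.05.0-ce, build …`, the two splits yield `17.05.0-ce`, and blang/semver enforces the SemVer rule against leading zeroes in numeric components, so `semver.New` returns an error and the `framework.Failf` right after it aborts every test here before any pod is created. Since the gate exists only to skip daemons older than 1.11, a parse failure should not be fatal; for example replace that Failf with `framework.Logf("could not parse docker version %q, assuming no-new-privileges support: %v", dversion, err)` followed by `return`, or normalise the components before parsing. The skip comment would read better as `// no-new-privileges was added in docker 1.11; skip on older daemons`, and `createAndMatchOutput` can end with `return podClient.MatchContainerOutput(podName, podName, output)` instead of the if/return-nil pair. The enclosing KubeDescribe closure starts before this hunk, and `exec` and `strings` are used here while only `semver` is added to the import block, so they are presumably already imported above.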