tests: Fixes tests for Windows (containerd, RunAsUserName)
Since we've added support for RunAsUserName, we can now run some new tests. However, the [LinuxOnly] tag will have to remain until the WindowsRunAsUserName feature is enabled by default. Additionally, Containerd supports file mounting on Windows, so some tests will be able to pass on Windows with Containerd instead of Docker.
This commit is contained in:
parent
ef479c1a6f
commit
f0e6d8ed09
@ -39,7 +39,7 @@ var _ = ginkgo.Describe("[sig-storage] ConfigMap", func() {
|
||||
Description: Create a ConfigMap, create a Pod that mounts a volume and populates the volume with data stored in the ConfigMap. The ConfigMap that is created MUST be accessible to read from the newly created Pod using the volume mount. The data content of the file MUST be readable and verified and file modes MUST default to 0x644.
|
||||
*/
|
||||
framework.ConformanceIt("should be consumable from pods in volume [NodeConformance]", func() {
|
||||
doConfigMapE2EWithoutMappings(f, 0, 0, nil)
|
||||
doConfigMapE2EWithoutMappings(f, false, 0, nil)
|
||||
})
|
||||
|
||||
/*
|
||||
@ -50,14 +50,14 @@ var _ = ginkgo.Describe("[sig-storage] ConfigMap", func() {
|
||||
*/
|
||||
framework.ConformanceIt("should be consumable from pods in volume with defaultMode set [LinuxOnly] [NodeConformance]", func() {
|
||||
defaultMode := int32(0400)
|
||||
doConfigMapE2EWithoutMappings(f, 0, 0, &defaultMode)
|
||||
doConfigMapE2EWithoutMappings(f, false, 0, &defaultMode)
|
||||
})
|
||||
|
||||
ginkgo.It("should be consumable from pods in volume as non-root with defaultMode and fsGroup set [LinuxOnly] [NodeFeature:FSGroup]", func() {
|
||||
// Windows does not support RunAsUser / FSGroup SecurityContext options, and it does not support setting file permissions.
|
||||
framework.SkipIfNodeOSDistroIs("windows")
|
||||
defaultMode := int32(0440) /* setting fsGroup sets mode to at least 440 */
|
||||
doConfigMapE2EWithoutMappings(f, 1000, 1001, &defaultMode)
|
||||
doConfigMapE2EWithoutMappings(f, true, 1001, &defaultMode)
|
||||
})
|
||||
|
||||
/*
|
||||
@ -67,13 +67,14 @@ var _ = ginkgo.Describe("[sig-storage] ConfigMap", func() {
|
||||
This test is marked LinuxOnly since Windows does not support running as UID / GID.
|
||||
*/
|
||||
framework.ConformanceIt("should be consumable from pods in volume as non-root [LinuxOnly] [NodeConformance]", func() {
|
||||
doConfigMapE2EWithoutMappings(f, 1000, 0, nil)
|
||||
// TODO(claudiub): Remove [LinuxOnly] tag when the WindowsRunAsUserName feature gate is enabled by default.
|
||||
doConfigMapE2EWithoutMappings(f, true, 0, nil)
|
||||
})
|
||||
|
||||
ginkgo.It("should be consumable from pods in volume as non-root with FSGroup [LinuxOnly] [NodeFeature:FSGroup]", func() {
|
||||
// Windows does not support RunAsUser / FSGroup SecurityContext options.
|
||||
framework.SkipIfNodeOSDistroIs("windows")
|
||||
doConfigMapE2EWithoutMappings(f, 1000, 1001, nil)
|
||||
doConfigMapE2EWithoutMappings(f, true, 1001, nil)
|
||||
})
|
||||
|
||||
/*
|
||||
@ -82,7 +83,7 @@ var _ = ginkgo.Describe("[sig-storage] ConfigMap", func() {
|
||||
Description: Create a ConfigMap, create a Pod that mounts a volume and populates the volume with data stored in the ConfigMap. Files are mapped to a path in the volume. The ConfigMap that is created MUST be accessible to read from the newly created Pod using the volume mount. The data content of the file MUST be readable and verified and file modes MUST default to 0x644.
|
||||
*/
|
||||
framework.ConformanceIt("should be consumable from pods in volume with mappings [NodeConformance]", func() {
|
||||
doConfigMapE2EWithMappings(f, 0, 0, nil)
|
||||
doConfigMapE2EWithMappings(f, false, 0, nil)
|
||||
})
|
||||
|
||||
/*
|
||||
@ -93,7 +94,7 @@ var _ = ginkgo.Describe("[sig-storage] ConfigMap", func() {
|
||||
*/
|
||||
framework.ConformanceIt("should be consumable from pods in volume with mappings and Item mode set [LinuxOnly] [NodeConformance]", func() {
|
||||
mode := int32(0400)
|
||||
doConfigMapE2EWithMappings(f, 0, 0, &mode)
|
||||
doConfigMapE2EWithMappings(f, false, 0, &mode)
|
||||
})
|
||||
|
||||
/*
|
||||
@ -103,13 +104,14 @@ var _ = ginkgo.Describe("[sig-storage] ConfigMap", func() {
|
||||
This test is marked LinuxOnly since Windows does not support running as UID / GID.
|
||||
*/
|
||||
framework.ConformanceIt("should be consumable from pods in volume with mappings as non-root [LinuxOnly] [NodeConformance]", func() {
|
||||
doConfigMapE2EWithMappings(f, 1000, 0, nil)
|
||||
// TODO(claudiub): Remove [LinuxOnly] tag when the WindowsRunAsUserName feature gate is enabled by default.
|
||||
doConfigMapE2EWithMappings(f, true, 0, nil)
|
||||
})
|
||||
|
||||
ginkgo.It("should be consumable from pods in volume with mappings as non-root with FSGroup [LinuxOnly] [NodeFeature:FSGroup]", func() {
|
||||
// Windows does not support RunAsUser / FSGroup SecurityContext options.
|
||||
framework.SkipIfNodeOSDistroIs("windows")
|
||||
doConfigMapE2EWithMappings(f, 1000, 1001, nil)
|
||||
doConfigMapE2EWithMappings(f, true, 1001, nil)
|
||||
})
|
||||
|
||||
/*
|
||||
@ -586,8 +588,7 @@ func newConfigMap(f *framework.Framework, name string) *v1.ConfigMap {
|
||||
}
|
||||
}
|
||||
|
||||
func doConfigMapE2EWithoutMappings(f *framework.Framework, uid, fsGroup int64, defaultMode *int32) {
|
||||
userID := int64(uid)
|
||||
func doConfigMapE2EWithoutMappings(f *framework.Framework, asUser bool, fsGroup int64, defaultMode *int32) {
|
||||
groupID := int64(fsGroup)
|
||||
|
||||
var (
|
||||
@ -642,8 +643,8 @@ func doConfigMapE2EWithoutMappings(f *framework.Framework, uid, fsGroup int64, d
|
||||
},
|
||||
}
|
||||
|
||||
if userID != 0 {
|
||||
pod.Spec.SecurityContext.RunAsUser = &userID
|
||||
if asUser {
|
||||
setPodNonRootUser(pod)
|
||||
}
|
||||
|
||||
if groupID != 0 {
|
||||
@ -662,8 +663,7 @@ func doConfigMapE2EWithoutMappings(f *framework.Framework, uid, fsGroup int64, d
|
||||
f.TestContainerOutputRegexp("consume configMaps", pod, 0, output)
|
||||
}
|
||||
|
||||
func doConfigMapE2EWithMappings(f *framework.Framework, uid, fsGroup int64, itemMode *int32) {
|
||||
userID := int64(uid)
|
||||
func doConfigMapE2EWithMappings(f *framework.Framework, asUser bool, fsGroup int64, itemMode *int32) {
|
||||
groupID := int64(fsGroup)
|
||||
|
||||
var (
|
||||
@ -725,8 +725,8 @@ func doConfigMapE2EWithMappings(f *framework.Framework, uid, fsGroup int64, item
|
||||
},
|
||||
}
|
||||
|
||||
if userID != 0 {
|
||||
pod.Spec.SecurityContext.RunAsUser = &userID
|
||||
if asUser {
|
||||
setPodNonRootUser(pod)
|
||||
}
|
||||
|
||||
if groupID != 0 {
|
||||
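Review bot: The new `asUser bool` parameter of `doConfigMapE2EWithoutMappings` (and of `doConfigMapE2EWithMappings` in the later hunk) is a bare positional flag, so call sites such as `doConfigMapE2EWithoutMappings(f, true, 0, nil)` no longer say what is being configured, and neither function carries a doc comment. I would add above each signature `// doConfigMapE2EWithoutMappings mounts a ConfigMap volume into a pod and checks its contents; asUser runs the pod as the shared non-root test user via setPodNonRootUser, fsGroup is applied as the pod FSGroup when non-zero, and defaultMode, when non-nil, presumably overrides the volume's default file mode — confirm against the body.` While touching the line, `groupID := int64(fsGroup)` is an identity conversion now that the matching `userID` line is gone; `fsGroup` can be used directly. Both function bodies continue outside the hunks shown.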
|
@ -91,13 +91,12 @@ var _ = ginkgo.Describe("[sig-storage] Downward API volume", func() {
|
||||
// Windows does not support RunAsUser / FSGroup SecurityContext options.
|
||||
framework.SkipIfNodeOSDistroIs("windows")
|
||||
podName := "metadata-volume-" + string(uuid.NewUUID())
|
||||
uid := int64(1001)
|
||||
gid := int64(1234)
|
||||
pod := downwardAPIVolumePodForSimpleTest(podName, "/etc/podinfo/podname")
|
||||
pod.Spec.SecurityContext = &v1.PodSecurityContext{
|
||||
RunAsUser: &uid,
|
||||
FSGroup: &gid,
|
||||
FSGroup: &gid,
|
||||
}
|
||||
setPodNonRootUser(pod)
|
||||
f.TestContainerOutput("downward API volume plugin", pod, 0, []string{
|
||||
fmt.Sprintf("%s\n", podName),
|
||||
})
|
||||
@ -107,14 +106,13 @@ var _ = ginkgo.Describe("[sig-storage] Downward API volume", func() {
|
||||
// Windows does not support RunAsUser / FSGroup SecurityContext options, and it does not support setting file permissions.
|
||||
framework.SkipIfNodeOSDistroIs("windows")
|
||||
podName := "metadata-volume-" + string(uuid.NewUUID())
|
||||
uid := int64(1001)
|
||||
gid := int64(1234)
|
||||
mode := int32(0440) /* setting fsGroup sets mode to at least 440 */
|
||||
pod := downwardAPIVolumePodForModeTest(podName, "/etc/podinfo/podname", &mode, nil)
|
||||
pod.Spec.SecurityContext = &v1.PodSecurityContext{
|
||||
RunAsUser: &uid,
|
||||
FSGroup: &gid,
|
||||
FSGroup: &gid,
|
||||
}
|
||||
setPodNonRootUser(pod)
|
||||
f.TestContainerOutput("downward API volume plugin", pod, 0, []string{
|
||||
"mode of file \"/etc/podinfo/podname\": -r--r-----",
|
||||
})
|
||||
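Review bot: `setPodNonRootUser(pod)` is inserted directly after the `pod.Spec.SecurityContext = &v1.PodSecurityContext{...}` literal, and the helper (see the util hunk in this commit) writes through that pointer, so the two statements are order-dependent and a future reordering would nil-dereference. A one-line comment would make the constraint visible: `// setPodNonRootUser writes into pod.Spec.SecurityContext, so it must follow the assignment above.` The same pattern appears in both hunks here and in both hunks of the Projected downwardAPI section. Because `framework.SkipIfNodeOSDistroIs("windows")` is kept, only the Linux branch of the helper is exercised by these tests, which matches the FSGroup limitation stated in the comment above it.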
|
@ -40,7 +40,7 @@ var _ = ginkgo.Describe("[sig-storage] Projected configMap", func() {
|
||||
Description: A Pod is created with projected volume source ‘ConfigMap’ to store a configMap with default permission mode. Pod MUST be able to read the content of the ConfigMap successfully and the mode on the volume MUST be -rw-r—-r—-.
|
||||
*/
|
||||
framework.ConformanceIt("should be consumable from pods in volume [NodeConformance]", func() {
|
||||
doProjectedConfigMapE2EWithoutMappings(f, 0, 0, nil)
|
||||
doProjectedConfigMapE2EWithoutMappings(f, false, 0, nil)
|
||||
})
|
||||
|
||||
/*
|
||||
@ -51,30 +51,29 @@ var _ = ginkgo.Describe("[sig-storage] Projected configMap", func() {
|
||||
*/
|
||||
framework.ConformanceIt("should be consumable from pods in volume with defaultMode set [LinuxOnly] [NodeConformance]", func() {
|
||||
defaultMode := int32(0400)
|
||||
doProjectedConfigMapE2EWithoutMappings(f, 0, 0, &defaultMode)
|
||||
doProjectedConfigMapE2EWithoutMappings(f, false, 0, &defaultMode)
|
||||
})
|
||||
|
||||
ginkgo.It("should be consumable from pods in volume as non-root with defaultMode and fsGroup set [LinuxOnly] [NodeFeature:FSGroup]", func() {
|
||||
// Windows does not support RunAsUser / FSGroup SecurityContext options, and it does not support setting file permissions.
|
||||
framework.SkipIfNodeOSDistroIs("windows")
|
||||
defaultMode := int32(0440) /* setting fsGroup sets mode to at least 440 */
|
||||
doProjectedConfigMapE2EWithoutMappings(f, 1000, 1001, &defaultMode)
|
||||
doProjectedConfigMapE2EWithoutMappings(f, true, 1001, &defaultMode)
|
||||
})
|
||||
|
||||
/*
|
||||
Release : v1.9
|
||||
Testname: Projected Volume, ConfigMap, non-root user
|
||||
Description: A Pod is created with projected volume source ‘ConfigMap’ to store a configMap as non-root user with uid 1000. Pod MUST be able to read the content of the ConfigMap successfully and the mode on the volume MUST be -rw—r——r—-.
|
||||
This test is marked LinuxOnly since Windows does not support running as UID / GID.
|
||||
*/
|
||||
framework.ConformanceIt("should be consumable from pods in volume as non-root [LinuxOnly] [NodeConformance]", func() {
|
||||
doProjectedConfigMapE2EWithoutMappings(f, 1000, 0, nil)
|
||||
framework.ConformanceIt("should be consumable from pods in volume as non-root [NodeConformance]", func() {
|
||||
doProjectedConfigMapE2EWithoutMappings(f, true, 0, nil)
|
||||
})
|
||||
|
||||
ginkgo.It("should be consumable from pods in volume as non-root with FSGroup [LinuxOnly] [NodeFeature:FSGroup]", func() {
|
||||
// Windows does not support RunAsUser / FSGroup SecurityContext options.
|
||||
framework.SkipIfNodeOSDistroIs("windows")
|
||||
doProjectedConfigMapE2EWithoutMappings(f, 1000, 1001, nil)
|
||||
doProjectedConfigMapE2EWithoutMappings(f, true, 1001, nil)
|
||||
})
|
||||
|
||||
/*
|
||||
@ -83,7 +82,7 @@ var _ = ginkgo.Describe("[sig-storage] Projected configMap", func() {
|
||||
Description: A Pod is created with projected volume source ‘ConfigMap’ to store a configMap with default permission mode. The ConfigMap is also mapped to a custom path. Pod MUST be able to read the content of the ConfigMap from the custom location successfully and the mode on the volume MUST be -rw—r——r—-.
|
||||
*/
|
||||
framework.ConformanceIt("should be consumable from pods in volume with mappings [NodeConformance]", func() {
|
||||
doProjectedConfigMapE2EWithMappings(f, 0, 0, nil)
|
||||
doProjectedConfigMapE2EWithMappings(f, false, 0, nil)
|
||||
})
|
||||
|
||||
/*
|
||||
@ -94,23 +93,22 @@ var _ = ginkgo.Describe("[sig-storage] Projected configMap", func() {
|
||||
*/
|
||||
framework.ConformanceIt("should be consumable from pods in volume with mappings and Item mode set [LinuxOnly] [NodeConformance]", func() {
|
||||
mode := int32(0400)
|
||||
doProjectedConfigMapE2EWithMappings(f, 0, 0, &mode)
|
||||
doProjectedConfigMapE2EWithMappings(f, false, 0, &mode)
|
||||
})
|
||||
|
||||
/*
|
||||
Release : v1.9
|
||||
Testname: Projected Volume, ConfigMap, mapped, non-root user
|
||||
Description: A Pod is created with projected volume source ‘ConfigMap’ to store a configMap as non-root user with uid 1000. The ConfigMap is also mapped to a custom path. Pod MUST be able to read the content of the ConfigMap from the custom location successfully and the mode on the volume MUST be -r-—r——r—-.
|
||||
This test is marked LinuxOnly since Windows does not support running as UID / GID.
|
||||
*/
|
||||
framework.ConformanceIt("should be consumable from pods in volume with mappings as non-root [LinuxOnly] [NodeConformance]", func() {
|
||||
doProjectedConfigMapE2EWithMappings(f, 1000, 0, nil)
|
||||
framework.ConformanceIt("should be consumable from pods in volume with mappings as non-root [NodeConformance]", func() {
|
||||
doProjectedConfigMapE2EWithMappings(f, true, 0, nil)
|
||||
})
|
||||
|
||||
ginkgo.It("should be consumable from pods in volume with mappings as non-root with FSGroup [LinuxOnly] [NodeFeature:FSGroup]", func() {
|
||||
// Windows does not support RunAsUser / FSGroup SecurityContext options.
|
||||
framework.SkipIfNodeOSDistroIs("windows")
|
||||
doProjectedConfigMapE2EWithMappings(f, 1000, 1001, nil)
|
||||
doProjectedConfigMapE2EWithMappings(f, true, 1001, nil)
|
||||
})
|
||||
|
||||
/*
|
||||
@ -513,8 +511,7 @@ var _ = ginkgo.Describe("[sig-storage] Projected configMap", func() {
|
||||
})
|
||||
})
|
||||
|
||||
func doProjectedConfigMapE2EWithoutMappings(f *framework.Framework, uid, fsGroup int64, defaultMode *int32) {
|
||||
userID := int64(uid)
|
||||
func doProjectedConfigMapE2EWithoutMappings(f *framework.Framework, asUser bool, fsGroup int64, defaultMode *int32) {
|
||||
groupID := int64(fsGroup)
|
||||
|
||||
var (
|
||||
@ -573,8 +570,8 @@ func doProjectedConfigMapE2EWithoutMappings(f *framework.Framework, uid, fsGroup
|
||||
},
|
||||
}
|
||||
|
||||
if userID != 0 {
|
||||
pod.Spec.SecurityContext.RunAsUser = &userID
|
||||
if asUser {
|
||||
setPodNonRootUser(pod)
|
||||
}
|
||||
|
||||
if groupID != 0 {
|
||||
@ -594,8 +591,7 @@ func doProjectedConfigMapE2EWithoutMappings(f *framework.Framework, uid, fsGroup
|
||||
f.TestContainerOutputRegexp("consume configMaps", pod, 0, output)
|
||||
}
|
||||
|
||||
func doProjectedConfigMapE2EWithMappings(f *framework.Framework, uid, fsGroup int64, itemMode *int32) {
|
||||
userID := int64(uid)
|
||||
func doProjectedConfigMapE2EWithMappings(f *framework.Framework, asUser bool, fsGroup int64, itemMode *int32) {
|
||||
groupID := int64(fsGroup)
|
||||
|
||||
var (
|
||||
@ -661,8 +657,8 @@ func doProjectedConfigMapE2EWithMappings(f *framework.Framework, uid, fsGroup in
|
||||
},
|
||||
}
|
||||
|
||||
if userID != 0 {
|
||||
pod.Spec.SecurityContext.RunAsUser = &userID
|
||||
if asUser {
|
||||
setPodNonRootUser(pod)
|
||||
}
|
||||
|
||||
if groupID != 0 {
|
||||
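Review bot: The two ConformanceIt names at the `-51,30 +51,29` and `-94,23 +93,22` hunks drop the `[LinuxOnly]` tag (`should be consumable from pods in volume as non-root [NodeConformance]` and its mappings counterpart), while the equivalent ConfigMap tests in this same commit keep the tag with a TODO, and the commit description says the tag has to remain until WindowsRunAsUserName is on by default. Unless the projected-volume path behaves differently on Windows, these two names should keep `[LinuxOnly]` and carry the same `// TODO(claudiub): Remove [LinuxOnly] tag when the WindowsRunAsUserName feature gate is enabled by default.` comment. The doc blocks above both tests still read `This test is marked LinuxOnly since Windows does not support running as UID / GID.`, which is now stale if the tag removal is intended; either the tag or that sentence needs to change.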
|
@ -91,13 +91,12 @@ var _ = ginkgo.Describe("[sig-storage] Projected downwardAPI", func() {
|
||||
// Windows does not support RunAsUser / FSGroup SecurityContext options.
|
||||
framework.SkipIfNodeOSDistroIs("windows")
|
||||
podName := "metadata-volume-" + string(uuid.NewUUID())
|
||||
uid := int64(1001)
|
||||
gid := int64(1234)
|
||||
pod := downwardAPIVolumePodForSimpleTest(podName, "/etc/podinfo/podname")
|
||||
pod.Spec.SecurityContext = &v1.PodSecurityContext{
|
||||
RunAsUser: &uid,
|
||||
FSGroup: &gid,
|
||||
FSGroup: &gid,
|
||||
}
|
||||
setPodNonRootUser(pod)
|
||||
f.TestContainerOutput("downward API volume plugin", pod, 0, []string{
|
||||
fmt.Sprintf("%s\n", podName),
|
||||
})
|
||||
@ -107,14 +106,13 @@ var _ = ginkgo.Describe("[sig-storage] Projected downwardAPI", func() {
|
||||
// Windows does not support RunAsUser / FSGroup SecurityContext options, and it does not support setting file permissions.
|
||||
framework.SkipIfNodeOSDistroIs("windows")
|
||||
podName := "metadata-volume-" + string(uuid.NewUUID())
|
||||
uid := int64(1001)
|
||||
gid := int64(1234)
|
||||
mode := int32(0440) /* setting fsGroup sets mode to at least 440 */
|
||||
pod := projectedDownwardAPIVolumePodForModeTest(podName, "/etc/podinfo/podname", &mode, nil)
|
||||
pod.Spec.SecurityContext = &v1.PodSecurityContext{
|
||||
RunAsUser: &uid,
|
||||
FSGroup: &gid,
|
||||
FSGroup: &gid,
|
||||
}
|
||||
setPodNonRootUser(pod)
|
||||
f.TestContainerOutput("downward API volume plugin", pod, 0, []string{
|
||||
"mode of file \"/etc/podinfo/podname\": -r--r-----",
|
||||
})
|
||||
|
@ -63,8 +63,7 @@ var _ = ginkgo.Describe("[sig-storage] Projected secret", func() {
|
||||
framework.ConformanceIt("should be consumable from pods in volume as non-root with defaultMode and fsGroup set [LinuxOnly] [NodeConformance]", func() {
|
||||
defaultMode := int32(0440) /* setting fsGroup sets mode to at least 440 */
|
||||
fsGroup := int64(1001)
|
||||
uid := int64(1000)
|
||||
doProjectedSecretE2EWithoutMapping(f, &defaultMode, "projected-secret-test-"+string(uuid.NewUUID()), &fsGroup, &uid)
|
||||
doProjectedSecretE2EWithoutMapping(f, &defaultMode, "projected-secret-test-"+string(uuid.NewUUID()), &fsGroup, &nonRootTestUserID)
|
||||
})
|
||||
|
||||
/*
|
||||
|
@ -131,6 +131,8 @@ while true; do sleep 1; done
|
||||
ginkgo.Context("on terminated container", func() {
|
||||
rootUser := int64(0)
|
||||
nonRootUser := int64(10000)
|
||||
adminUserName := "ContainerAdministrator"
|
||||
nonAdminUserName := "ContainerUser"
|
||||
|
||||
// Create and then terminate the container under defined PodPhase to verify if termination message matches the expected output. Lastly delete the created container.
|
||||
matchTerminationMessage := func(container v1.Container, expectedPhase v1.PodPhase, expectedMsg gomegatypes.GomegaMatcher) {
|
||||
@ -165,14 +167,19 @@ while true; do sleep 1; done
|
||||
|
||||
ginkgo.It("should report termination message [LinuxOnly] if TerminationMessagePath is set [NodeConformance]", func() {
|
||||
// Cannot mount files in Windows Containers.
|
||||
// TODO(claudiub): Remove [LinuxOnly] tag once Containerd becomes the default
|
||||
// container runtime on Windows, and when the WindowsRunAsUserName feature becomes available by default.
|
||||
container := v1.Container{
|
||||
Image: framework.BusyBoxImage,
|
||||
Command: []string{"/bin/sh", "-c"},
|
||||
Args: []string{"/bin/echo -n DONE > /dev/termination-log"},
|
||||
TerminationMessagePath: "/dev/termination-log",
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
RunAsUser: &rootUser,
|
||||
},
|
||||
SecurityContext: &v1.SecurityContext{},
|
||||
}
|
||||
if framework.NodeOSDistroIs("windows") {
|
||||
container.SecurityContext.WindowsOptions = &v1.WindowsSecurityContextOptions{RunAsUserName: &adminUserName}
|
||||
} else {
|
||||
container.SecurityContext.RunAsUser = &rootUser
|
||||
}
|
||||
matchTerminationMessage(container, v1.PodSucceeded, gomega.Equal("DONE"))
|
||||
})
|
||||
@ -184,14 +191,19 @@ while true; do sleep 1; done
|
||||
[LinuxOnly]: Tagged LinuxOnly due to use of 'uid' and unable to mount files in Windows Containers.
|
||||
*/
|
||||
framework.ConformanceIt("should report termination message [LinuxOnly] if TerminationMessagePath is set as non-root user and at a non-default path [NodeConformance]", func() {
|
||||
// TODO(claudiub): Remove [LinuxOnly] tag once Containerd becomes the default
|
||||
// container runtime on Windows, and when the WindowsRunAsUserName feature becomes available by default.
|
||||
container := v1.Container{
|
||||
Image: framework.BusyBoxImage,
|
||||
Command: []string{"/bin/sh", "-c"},
|
||||
Args: []string{"/bin/echo -n DONE > /dev/termination-custom-log"},
|
||||
TerminationMessagePath: "/dev/termination-custom-log",
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
RunAsUser: &nonRootUser,
|
||||
},
|
||||
SecurityContext: &v1.SecurityContext{},
|
||||
}
|
||||
if framework.NodeOSDistroIs("windows") {
|
||||
container.SecurityContext.WindowsOptions = &v1.WindowsSecurityContextOptions{RunAsUserName: &nonAdminUserName}
|
||||
} else {
|
||||
container.SecurityContext.RunAsUser = &nonRootUser
|
||||
}
|
||||
matchTerminationMessage(container, v1.PodSucceeded, gomega.Equal("DONE"))
|
||||
})
|
||||
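Review bot: The Windows/Linux identity selection added to both ginkgo.It blocks in this section is the same five-line `if framework.NodeOSDistroIs("windows") { ... } else { ... }` branch, differing only in the user name and UID, and it duplicates what `setPodNonRootUser` does for pods in the util hunk of this commit. A small closure in the `on terminated container` Context, next to the existing `rootUser`/`adminUserName` declarations in the first hunk, would keep one copy and take a fresh copy of the user name so that `&windowsUserName` does not alias the shared variables. Both It blocks keep `[LinuxOnly]` per their TODOs, so the Windows branch is not exercised by default runs yet. The Context body continues outside the hunks shown.
```go
	// setContainerUser selects the platform-appropriate identity: RunAsUserName on Windows nodes, RunAsUser elsewhere.
	setContainerUser := func(c *v1.Container, windowsUserName string, linuxUID int64) {
		if framework.NodeOSDistroIs("windows") {
			c.SecurityContext.WindowsOptions = &v1.WindowsSecurityContextOptions{RunAsUserName: &windowsUserName}
			return
		}
		c.SecurityContext.RunAsUser = &linuxUID
	}
	// … unchanged: matchTerminationMessage and the container literals with SecurityContext: &v1.SecurityContext{} …
	setContainerUser(&container, adminUserName, rootUser)
	// … unchanged: matchTerminationMessage call; second test uses setContainerUser(&container, nonAdminUserName, nonRootUser) …
```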
|
@ -63,8 +63,7 @@ var _ = ginkgo.Describe("[sig-storage] Secrets", func() {
|
||||
framework.ConformanceIt("should be consumable from pods in volume as non-root with defaultMode and fsGroup set [LinuxOnly] [NodeConformance]", func() {
|
||||
defaultMode := int32(0440) /* setting fsGroup sets mode to at least 440 */
|
||||
fsGroup := int64(1001)
|
||||
uid := int64(1000)
|
||||
doSecretE2EWithoutMapping(f, &defaultMode, "secret-test-"+string(uuid.NewUUID()), &fsGroup, &uid)
|
||||
doSecretE2EWithoutMapping(f, &defaultMode, "secret-test-"+string(uuid.NewUUID()), &fsGroup, &nonRootTestUserID)
|
||||
})
|
||||
|
||||
/*
|
||||
|
@ -123,11 +123,11 @@ var _ = framework.KubeDescribe("Security Context", func() {
|
||||
// creates a pod with RunAsUser, which is not supported on Windows.
|
||||
framework.SkipIfNodeOSDistroIs("windows")
|
||||
name := "explicit-nonroot-uid"
|
||||
pod := makeNonRootPod(name, rootImage, pointer.Int64Ptr(1234))
|
||||
pod := makeNonRootPod(name, rootImage, pointer.Int64Ptr(nonRootTestUserID))
|
||||
podClient.Create(pod)
|
||||
|
||||
podClient.WaitForSuccess(name, framework.PodStartTimeout)
|
||||
framework.ExpectNoError(podClient.MatchContainerOutput(name, name, "1234"))
|
||||
framework.ExpectNoError(podClient.MatchContainerOutput(name, name, "1000"))
|
||||
})
|
||||
ginkgo.It("should not run with an explicit root user ID [LinuxOnly]", func() {
|
||||
// creates a pod with RunAsUser, which is not supported on Windows.
|
||||
@ -327,7 +327,7 @@ var _ = framework.KubeDescribe("Security Context", func() {
|
||||
*/
|
||||
ginkgo.It("should allow privilege escalation when not explicitly set and uid != 0 [LinuxOnly] [NodeConformance]", func() {
|
||||
podName := "alpine-nnp-nil-" + string(uuid.NewUUID())
|
||||
if err := createAndMatchOutput(podName, "Effective uid: 0", nil, 1000); err != nil {
|
||||
if err := createAndMatchOutput(podName, "Effective uid: 0", nil, nonRootTestUserID); err != nil {
|
||||
framework.Failf("Match output for pod %q failed: %v", podName, err)
|
||||
}
|
||||
})
|
||||
@ -343,7 +343,7 @@ var _ = framework.KubeDescribe("Security Context", func() {
|
||||
framework.ConformanceIt("should not allow privilege escalation when false [LinuxOnly] [NodeConformance]", func() {
|
||||
podName := "alpine-nnp-false-" + string(uuid.NewUUID())
|
||||
apeFalse := false
|
||||
if err := createAndMatchOutput(podName, "Effective uid: 1000", &apeFalse, 1000); err != nil {
|
||||
if err := createAndMatchOutput(podName, fmt.Sprintf("Effective uid: %d", nonRootTestUserID), &apeFalse, nonRootTestUserID); err != nil {
|
||||
framework.Failf("Match output for pod %q failed: %v", podName, err)
|
||||
}
|
||||
})
|
||||
@ -360,7 +360,7 @@ var _ = framework.KubeDescribe("Security Context", func() {
|
||||
ginkgo.It("should allow privilege escalation when true [LinuxOnly] [NodeConformance]", func() {
|
||||
podName := "alpine-nnp-true-" + string(uuid.NewUUID())
|
||||
apeTrue := true
|
||||
if err := createAndMatchOutput(podName, "Effective uid: 0", &apeTrue, 1000); err != nil {
|
||||
if err := createAndMatchOutput(podName, "Effective uid: 0", &apeTrue, nonRootTestUserID); err != nil {
|
||||
framework.Failf("Match output for pod %q failed: %v", podName, err)
|
||||
}
|
||||
})
|
||||
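Review bot: In the `-123,11 +123,11` hunk the pod is created with `pointer.Int64Ptr(nonRootTestUserID)` but the expected output is the string literal `"1000"`, so the assertion silently diverges if the shared constant ever changes; the `-343,7 +343,7` hunk already derives the expectation from the variable, and this one should too: `framework.ExpectNoError(podClient.MatchContainerOutput(name, name, fmt.Sprintf("%d", nonRootTestUserID)))`. The explicit non-root test also moves from UID 1234 to 1000; the check only proves RunAsUser took effect if `rootImage`'s default user differs from 1000 — presumably true given the image's name, but worth confirming so the test cannot pass vacuously. The enclosing Describe block and the `createAndMatchOutput` helper are outside these hunks.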
|
@ -44,6 +44,13 @@ const (
|
||||
NodeE2E Suite = "node e2e"
|
||||
)
|
||||
|
||||
var (
|
||||
// non-Administrator Windows user used in tests. This is the Windows equivalent of the Linux non-root UID usage.
|
||||
nonAdminTestUserName = "ContainerUser"
|
||||
// non-root UID used in tests.
|
||||
nonRootTestUserID = int64(1000)
|
||||
)
|
||||
|
||||
// CurrentSuite represents current test suite.
|
||||
var CurrentSuite Suite
|
||||
|
||||
@ -206,3 +213,13 @@ func rcByNamePort(name string, replicas int32, image string, containerArgs []str
|
||||
Ports: []v1.ContainerPort{{ContainerPort: int32(port), Protocol: protocol}},
|
||||
}, gracePeriod)
|
||||
}
|
||||
|
||||
// setPodNonRootUser configures the Pod to run as a non-root user.
|
||||
// For Windows, it sets the RunAsUserName field to ContainerUser, and for Linux, it sets the RunAsUser field to 1000.
|
||||
func setPodNonRootUser(pod *v1.Pod) {
|
||||
if framework.NodeOSDistroIs("windows") {
|
||||
pod.Spec.SecurityContext.WindowsOptions = &v1.WindowsSecurityContextOptions{RunAsUserName: &nonAdminTestUserName}
|
||||
} else {
|
||||
pod.Spec.SecurityContext.RunAsUser = &nonRootTestUserID
|
||||
}
|
||||
}
|
||||
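Review bot: `setPodNonRootUser` dereferences `pod.Spec.SecurityContext` on both branches without a nil check; every caller in this commit assigns the struct first, but the helper's contract is not stated and a caller that omits the assignment panics. Guarding at the top makes it safe for any pod: `if pod.Spec.SecurityContext == nil {` / `pod.Spec.SecurityContext = &v1.PodSecurityContext{}` / `}`. The doc comment repeats the literal values `ContainerUser` and `1000`, which will drift from `nonAdminTestUserName` and `nonRootTestUserID`; naming the variables instead avoids that. Note also that the helper stores the address of those package-level vars in each pod spec, so they are shared across every pod built by these tests.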
|
@ -57,6 +57,7 @@ var _ = utils.SIGDescribe("Subpath", func() {
|
||||
This test is marked LinuxOnly since Windows cannot mount individual files in Containers.
|
||||
*/
|
||||
framework.ConformanceIt("should support subpaths with secret pod [LinuxOnly]", func() {
|
||||
// TODO(claudiub): Remove [LinuxOnly] tag once Containerd becomes the default container runtime on Windows.
|
||||
pod := testsuites.SubpathTestPod(f, "secret-key", "secret", &v1.VolumeSource{Secret: &v1.SecretVolumeSource{SecretName: "my-secret"}}, privilegedSecurityContext)
|
||||
testsuites.TestBasicSubpath(f, "secret-value", pod)
|
||||
})
|
||||
@ -68,6 +69,7 @@ var _ = utils.SIGDescribe("Subpath", func() {
|
||||
This test is marked LinuxOnly since Windows cannot mount individual files in Containers.
|
||||
*/
|
||||
framework.ConformanceIt("should support subpaths with configmap pod [LinuxOnly]", func() {
|
||||
// TODO(claudiub): Remove [LinuxOnly] tag once Containerd becomes the default container runtime on Windows.
|
||||
pod := testsuites.SubpathTestPod(f, "configmap-key", "configmap", &v1.VolumeSource{ConfigMap: &v1.ConfigMapVolumeSource{LocalObjectReference: v1.LocalObjectReference{Name: "my-configmap"}}}, privilegedSecurityContext)
|
||||
testsuites.TestBasicSubpath(f, "configmap-value", pod)
|
||||
})
|
||||
@ -79,6 +81,7 @@ var _ = utils.SIGDescribe("Subpath", func() {
|
||||
This test is marked LinuxOnly since Windows cannot mount individual files in Containers.
|
||||
*/
|
||||
framework.ConformanceIt("should support subpaths with configmap pod with mountPath of existing file [LinuxOnly]", func() {
|
||||
// TODO(claudiub): Remove [LinuxOnly] tag once Containerd becomes the default container runtime on Windows.
|
||||
pod := testsuites.SubpathTestPod(f, "configmap-key", "configmap", &v1.VolumeSource{ConfigMap: &v1.ConfigMapVolumeSource{LocalObjectReference: v1.LocalObjectReference{Name: "my-configmap"}}}, privilegedSecurityContext)
|
||||
file := "/etc/resolv.conf"
|
||||
pod.Spec.Containers[0].VolumeMounts[0].MountPath = file
|
||||
@ -92,6 +95,7 @@ var _ = utils.SIGDescribe("Subpath", func() {
|
||||
This test is marked LinuxOnly since Windows cannot mount individual files in Containers.
|
||||
*/
|
||||
framework.ConformanceIt("should support subpaths with downward pod [LinuxOnly]", func() {
|
||||
// TODO(claudiub): Remove [LinuxOnly] tag once Containerd becomes the default container runtime on Windows.
|
||||
pod := testsuites.SubpathTestPod(f, "downward/podname", "downwardAPI", &v1.VolumeSource{
|
||||
DownwardAPI: &v1.DownwardAPIVolumeSource{
|
||||
Items: []v1.DownwardAPIVolumeFile{{Path: "downward/podname", FieldRef: &v1.ObjectFieldSelector{APIVersion: "v1", FieldPath: "metadata.name"}}},
|
||||
@ -107,6 +111,7 @@ var _ = utils.SIGDescribe("Subpath", func() {
|
||||
This test is marked LinuxOnly since Windows cannot mount individual files in Containers.
|
||||
*/
|
||||
framework.ConformanceIt("should support subpaths with projected pod [LinuxOnly]", func() {
|
||||
// TODO(claudiub): Remove [LinuxOnly] tag once Containerd becomes the default container runtime on Windows.
|
||||
pod := testsuites.SubpathTestPod(f, "projected/configmap-key", "projected", &v1.VolumeSource{
|
||||
Projected: &v1.ProjectedVolumeSource{
|
||||
Sources: []v1.VolumeProjection{
|
||||
|