diff --git a/test/e2e/common/configmap_volume.go b/test/e2e/common/configmap_volume.go index a417c670f2d..0d4ce4f3f8c 100644 --- a/test/e2e/common/configmap_volume.go +++ b/test/e2e/common/configmap_volume.go @@ -39,7 +39,7 @@ var _ = ginkgo.Describe("[sig-storage] ConfigMap", func() { Description: Create a ConfigMap, create a Pod that mounts a volume and populates the volume with data stored in the ConfigMap. The ConfigMap that is created MUST be accessible to read from the newly created Pod using the volume mount. The data content of the file MUST be readable and verified and file modes MUST default to 0x644. */ framework.ConformanceIt("should be consumable from pods in volume [NodeConformance]", func() { - doConfigMapE2EWithoutMappings(f, 0, 0, nil) + doConfigMapE2EWithoutMappings(f, false, 0, nil) }) /* @@ -50,14 +50,14 @@ var _ = ginkgo.Describe("[sig-storage] ConfigMap", func() { */ framework.ConformanceIt("should be consumable from pods in volume with defaultMode set [LinuxOnly] [NodeConformance]", func() { defaultMode := int32(0400) - doConfigMapE2EWithoutMappings(f, 0, 0, &defaultMode) + doConfigMapE2EWithoutMappings(f, false, 0, &defaultMode) }) ginkgo.It("should be consumable from pods in volume as non-root with defaultMode and fsGroup set [LinuxOnly] [NodeFeature:FSGroup]", func() { // Windows does not support RunAsUser / FSGroup SecurityContext options, and it does not support setting file permissions. framework.SkipIfNodeOSDistroIs("windows") defaultMode := int32(0440) /* setting fsGroup sets mode to at least 440 */ - doConfigMapE2EWithoutMappings(f, 1000, 1001, &defaultMode) + doConfigMapE2EWithoutMappings(f, true, 1001, &defaultMode) }) /* 
@@ -67,13 +67,14 @@ var _ = ginkgo.Describe("[sig-storage] ConfigMap", func() { This test is marked LinuxOnly since Windows does not support running as UID / GID. */ framework.ConformanceIt("should be consumable from pods in volume as non-root [LinuxOnly] [NodeConformance]", func() { - doConfigMapE2EWithoutMappings(f, 1000, 0, nil) + // TODO(claudiub): Remove [LinuxOnly] tag when the WindowsRunAsUserName feature gate is enabled by default. + doConfigMapE2EWithoutMappings(f, true, 0, nil) }) ginkgo.It("should be consumable from pods in volume as non-root with FSGroup [LinuxOnly] [NodeFeature:FSGroup]", func() { // Windows does not support RunAsUser / FSGroup SecurityContext options. framework.SkipIfNodeOSDistroIs("windows") - doConfigMapE2EWithoutMappings(f, 1000, 1001, nil) + doConfigMapE2EWithoutMappings(f, true, 1001, nil) }) /* @@ -82,7 +83,7 @@ var _ = ginkgo.Describe("[sig-storage] ConfigMap", func() { Description: Create a ConfigMap, create a Pod that mounts a volume and populates the volume with data stored in the ConfigMap. Files are mapped to a path in the volume. The ConfigMap that is created MUST be accessible to read from the newly created Pod using the volume mount. The data content of the file MUST be readable and verified and file modes MUST default to 0x644. */ framework.ConformanceIt("should be consumable from pods in volume with mappings [NodeConformance]", func() { - doConfigMapE2EWithMappings(f, 0, 0, nil) + doConfigMapE2EWithMappings(f, false, 0, nil) }) /* @@ -93,7 +94,7 @@ var _ = ginkgo.Describe("[sig-storage] ConfigMap", func() { */ framework.ConformanceIt("should be consumable from pods in volume with mappings and Item mode set [LinuxOnly] [NodeConformance]", func() { mode := int32(0400) - doConfigMapE2EWithMappings(f, 0, 0, &mode) + doConfigMapE2EWithMappings(f, false, 0, &mode) }) /* 
@@ -103,13 +104,14 @@ var _ = ginkgo.Describe("[sig-storage] ConfigMap", func() { This test is marked LinuxOnly since Windows does not support running as UID / GID. */ framework.ConformanceIt("should be consumable from pods in volume with mappings as non-root [LinuxOnly] [NodeConformance]", func() { - doConfigMapE2EWithMappings(f, 1000, 0, nil) + // TODO(claudiub): Remove [LinuxOnly] tag when the WindowsRunAsUserName feature gate is enabled by default. + doConfigMapE2EWithMappings(f, true, 0, nil) }) ginkgo.It("should be consumable from pods in volume with mappings as non-root with FSGroup [LinuxOnly] [NodeFeature:FSGroup]", func() { // Windows does not support RunAsUser / FSGroup SecurityContext options. framework.SkipIfNodeOSDistroIs("windows") - doConfigMapE2EWithMappings(f, 1000, 1001, nil) + doConfigMapE2EWithMappings(f, true, 1001, nil) }) /* @@ -586,8 +588,7 @@ func newConfigMap(f *framework.Framework, name string) *v1.ConfigMap { } } -func doConfigMapE2EWithoutMappings(f *framework.Framework, uid, fsGroup int64, defaultMode *int32) { - userID := int64(uid) +func doConfigMapE2EWithoutMappings(f *framework.Framework, asUser bool, fsGroup int64, defaultMode *int32) { groupID := int64(fsGroup) var ( @@ -642,8 +643,8 @@ func doConfigMapE2EWithoutMappings(f *framework.Framework, uid, fsGroup int64, d }, } - if userID != 0 { - pod.Spec.SecurityContext.RunAsUser = &userID + if asUser { + setPodNonRootUser(pod) } if groupID != 0 { @@ -662,8 +663,7 @@ func doConfigMapE2EWithoutMappings(f *framework.Framework, uid, fsGroup int64, d f.TestContainerOutputRegexp("consume configMaps", pod, 0, output) } -func doConfigMapE2EWithMappings(f *framework.Framework, uid, fsGroup int64, itemMode *int32) { - userID := int64(uid) +func doConfigMapE2EWithMappings(f *framework.Framework, asUser bool, fsGroup int64, itemMode *int32) { groupID := int64(fsGroup) var ( 
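Review bot: The new `asUser bool` parameter on doConfigMapE2EWithoutMappings is undocumented, and its meaning has shifted from "run as this UID" to "run as the suite's non-root test identity", which on Windows nodes is a user name rather than a UID, yet the function still has no doc comment. Suggest adding above the signature `// doConfigMapE2EWithoutMappings mounts a ConfigMap volume and verifies its contents; asUser selects the non-root test user via setPodNonRootUser (RunAsUser on Linux, RunAsUserName on Windows), fsGroup of 0 leaves FSGroup unset.` The same applies to doConfigMapE2EWithMappings in the next hunk and to both doProjectedConfigMapE2E* signatures in projected_configmap.go. With the parallel `userID := int64(uid)` line gone, the surviving `groupID := int64(fsGroup)` is a no-op conversion of an int64 and could simply use `fsGroup` directly. Both function bodies continue outside the hunk.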
@@ -725,8 +725,8 @@ func doConfigMapE2EWithMappings(f *framework.Framework, uid, fsGroup int64, item }, } - if userID != 0 { - pod.Spec.SecurityContext.RunAsUser = &userID + if asUser { + setPodNonRootUser(pod) } if groupID != 0 { diff --git a/test/e2e/common/downwardapi_volume.go b/test/e2e/common/downwardapi_volume.go index 7570cd4d53a..b380545bde7 100644 --- a/test/e2e/common/downwardapi_volume.go +++ b/test/e2e/common/downwardapi_volume.go @@ -91,13 +91,12 @@ var _ = ginkgo.Describe("[sig-storage] Downward API volume", func() { // Windows does not support RunAsUser / FSGroup SecurityContext options. framework.SkipIfNodeOSDistroIs("windows") podName := "metadata-volume-" + string(uuid.NewUUID()) - uid := int64(1001) gid := int64(1234) pod := downwardAPIVolumePodForSimpleTest(podName, "/etc/podinfo/podname") pod.Spec.SecurityContext = &v1.PodSecurityContext{ - RunAsUser: &uid, - FSGroup: &gid, + FSGroup: &gid, } + setPodNonRootUser(pod) f.TestContainerOutput("downward API volume plugin", pod, 0, []string{ fmt.Sprintf("%s\n", podName), }) @@ -107,14 +106,13 @@ var _ = ginkgo.Describe("[sig-storage] Downward API volume", func() { // Windows does not support RunAsUser / FSGroup SecurityContext options, and it does not support setting file permissions. framework.SkipIfNodeOSDistroIs("windows") podName := "metadata-volume-" + string(uuid.NewUUID()) - uid := int64(1001) gid := int64(1234) mode := int32(0440) /* setting fsGroup sets mode to at least 440 */ pod := downwardAPIVolumePodForModeTest(podName, "/etc/podinfo/podname", &mode, nil) pod.Spec.SecurityContext = &v1.PodSecurityContext{ - RunAsUser: &uid, - FSGroup: &gid, + FSGroup: &gid, } + setPodNonRootUser(pod) f.TestContainerOutput("downward API volume plugin", pod, 0, []string{ "mode of file \"/etc/podinfo/podname\": -r--r-----", }) diff --git a/test/e2e/common/projected_configmap.go b/test/e2e/common/projected_configmap.go index 9c895d589b4..919792ca2f3 100644 --- a/test/e2e/common/projected_configmap.go 
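Review bot: In both downwardapi_volume.go hunks the new `setPodNonRootUser(pod)` call comes after `framework.SkipIfNodeOSDistroIs("windows")`, so the helper's RunAsUserName branch cannot execute here and the test still only exercises RunAsUser on Linux; that is acceptable for a refactor, but the comment kept as context, `// Windows does not support RunAsUser / FSGroup SecurityContext options.`, now reads as half-stale because this same commit adds a Windows equivalent for the RunAsUser half. Suggest `// FSGroup has no Windows equivalent, so this test stays Linux-only; the non-root user is set by setPodNonRootUser.` The same applies to the two projected_downwardapi.go hunks. The enclosing ginkgo.It bodies start outside the hunks.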
+++ b/test/e2e/common/projected_configmap.go @@ -40,7 +40,7 @@ var _ = ginkgo.Describe("[sig-storage] Projected configMap", func() { Description: A Pod is created with projected volume source ‘ConfigMap’ to store a configMap with default permission mode. Pod MUST be able to read the content of the ConfigMap successfully and the mode on the volume MUST be -rw-r—-r—-. */ framework.ConformanceIt("should be consumable from pods in volume [NodeConformance]", func() { - doProjectedConfigMapE2EWithoutMappings(f, 0, 0, nil) + doProjectedConfigMapE2EWithoutMappings(f, false, 0, nil) }) /* 
@@ -51,30 +51,29 @@ var _ = ginkgo.Describe("[sig-storage] Projected configMap", func() { */ framework.ConformanceIt("should be consumable from pods in volume with defaultMode set [LinuxOnly] [NodeConformance]", func() { defaultMode := int32(0400) - doProjectedConfigMapE2EWithoutMappings(f, 0, 0, &defaultMode) + doProjectedConfigMapE2EWithoutMappings(f, false, 0, &defaultMode) }) ginkgo.It("should be consumable from pods in volume as non-root with defaultMode and fsGroup set [LinuxOnly] [NodeFeature:FSGroup]", func() { // Windows does not support RunAsUser / FSGroup SecurityContext options, and it does not support setting file permissions. framework.SkipIfNodeOSDistroIs("windows") defaultMode := int32(0440) /* setting fsGroup sets mode to at least 440 */ - doProjectedConfigMapE2EWithoutMappings(f, 1000, 1001, &defaultMode) + doProjectedConfigMapE2EWithoutMappings(f, true, 1001, &defaultMode) }) /* Release : v1.9 Testname: Projected Volume, ConfigMap, non-root user Description: A Pod is created with projected volume source ‘ConfigMap’ to store a configMap as non-root user with uid 1000. Pod MUST be able to read the content of the ConfigMap successfully and the mode on the volume MUST be -rw—r——r—-. - This test is marked LinuxOnly since Windows does not support running as UID / GID. */ - framework.ConformanceIt("should be consumable from pods in volume as non-root [LinuxOnly] [NodeConformance]", func() { - doProjectedConfigMapE2EWithoutMappings(f, 1000, 0, nil) + framework.ConformanceIt("should be consumable from pods in volume as non-root [NodeConformance]", func() { + doProjectedConfigMapE2EWithoutMappings(f, true, 0, nil) }) ginkgo.It("should be consumable from pods in volume as non-root with FSGroup [LinuxOnly] [NodeFeature:FSGroup]", func() { // Windows does not support RunAsUser / FSGroup SecurityContext options. 
framework.SkipIfNodeOSDistroIs("windows") - doProjectedConfigMapE2EWithoutMappings(f, 1000, 1001, nil) + doProjectedConfigMapE2EWithoutMappings(f, true, 1001, nil) }) /* @@ -83,7 +82,7 @@ var _ = ginkgo.Describe("[sig-storage] Projected configMap", func() { Description: A Pod is created with projected volume source ‘ConfigMap’ to store a configMap with default permission mode. The ConfigMap is also mapped to a custom path. Pod MUST be able to read the content of the ConfigMap from the custom location successfully and the mode on the volume MUST be -rw—r——r—-. */ framework.ConformanceIt("should be consumable from pods in volume with mappings [NodeConformance]", func() { - doProjectedConfigMapE2EWithMappings(f, 0, 0, nil) + doProjectedConfigMapE2EWithMappings(f, false, 0, nil) }) /* 
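Review bot: This hunk drops [LinuxOnly] from the conformance test "should be consumable from pods in volume as non-root" while the sibling test in configmap_volume.go keeps the tag with a TODO saying the WindowsRunAsUserName feature gate is not yet enabled by default; if that TODO is accurate, a Windows node without the gate would now run this conformance case and presumably fail on RunAsUserName, so the tag removal looks premature or at least inconsistent between the two files. The test's doc block also still says "as non-root user with uid 1000" and "the mode on the volume MUST be -rw—r——r—-", neither of which describes the ContainerUser path. Either keep `[LinuxOnly]` with the same TODO as configmap_volume.go, or reword the description to `as a non-root user (uid 1000 on Linux, ContainerUser on Windows)` and state the mode expectation as Linux-only. The same applies to the `@@ -94,23 +93,22 @@` hunk for the mappings variant.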
@@ -94,23 +93,22 @@ var _ = ginkgo.Describe("[sig-storage] Projected configMap", func() { */ framework.ConformanceIt("should be consumable from pods in volume with mappings and Item mode set [LinuxOnly] [NodeConformance]", func() { mode := int32(0400) - doProjectedConfigMapE2EWithMappings(f, 0, 0, &mode) + doProjectedConfigMapE2EWithMappings(f, false, 0, &mode) }) /* Release : v1.9 Testname: Projected Volume, ConfigMap, mapped, non-root user Description: A Pod is created with projected volume source ‘ConfigMap’ to store a configMap as non-root user with uid 1000. The ConfigMap is also mapped to a custom path. Pod MUST be able to read the content of the ConfigMap from the custom location successfully and the mode on the volume MUST be -r-—r——r—-. - This test is marked LinuxOnly since Windows does not support running as UID / GID. */ - framework.ConformanceIt("should be consumable from pods in volume with mappings as non-root [LinuxOnly] [NodeConformance]", func() { - doProjectedConfigMapE2EWithMappings(f, 1000, 0, nil) + framework.ConformanceIt("should be consumable from pods in volume with mappings as non-root [NodeConformance]", func() { + doProjectedConfigMapE2EWithMappings(f, true, 0, nil) }) ginkgo.It("should be consumable from pods in volume with mappings as non-root with FSGroup [LinuxOnly] [NodeFeature:FSGroup]", func() { // Windows does not support RunAsUser / FSGroup SecurityContext options. framework.SkipIfNodeOSDistroIs("windows") - doProjectedConfigMapE2EWithMappings(f, 1000, 1001, nil) + doProjectedConfigMapE2EWithMappings(f, true, 1001, nil) }) /* @@ -513,8 +511,7 @@ var _ = ginkgo.Describe("[sig-storage] Projected configMap", func() { }) }) -func doProjectedConfigMapE2EWithoutMappings(f *framework.Framework, uid, fsGroup int64, defaultMode *int32) { - userID := int64(uid) +func doProjectedConfigMapE2EWithoutMappings(f *framework.Framework, asUser bool, fsGroup int64, defaultMode *int32) { groupID := int64(fsGroup) var ( 
@@ -573,8 +570,8 @@ func doProjectedConfigMapE2EWithoutMappings(f *framework.Framework, uid, fsGroup }, } - if userID != 0 { - pod.Spec.SecurityContext.RunAsUser = &userID + if asUser { + setPodNonRootUser(pod) } if groupID != 0 { @@ -594,8 +591,7 @@ func doProjectedConfigMapE2EWithoutMappings(f *framework.Framework, uid, fsGroup f.TestContainerOutputRegexp("consume configMaps", pod, 0, output) } -func doProjectedConfigMapE2EWithMappings(f *framework.Framework, uid, fsGroup int64, itemMode *int32) { - userID := int64(uid) +func doProjectedConfigMapE2EWithMappings(f *framework.Framework, asUser bool, fsGroup int64, itemMode *int32) { groupID := int64(fsGroup) var ( @@ -661,8 +657,8 @@ func doProjectedConfigMapE2EWithMappings(f *framework.Framework, uid, fsGroup in }, } - if userID != 0 { - pod.Spec.SecurityContext.RunAsUser = &userID + if asUser { + setPodNonRootUser(pod) } if groupID != 0 { diff --git a/test/e2e/common/projected_downwardapi.go b/test/e2e/common/projected_downwardapi.go index 87788045123..3f01d004c2d 100644 --- a/test/e2e/common/projected_downwardapi.go +++ b/test/e2e/common/projected_downwardapi.go @@ -91,13 +91,12 @@ var _ = ginkgo.Describe("[sig-storage] Projected downwardAPI", func() { // Windows does not support RunAsUser / FSGroup SecurityContext options. framework.SkipIfNodeOSDistroIs("windows") podName := "metadata-volume-" + string(uuid.NewUUID()) - uid := int64(1001) gid := int64(1234) pod := downwardAPIVolumePodForSimpleTest(podName, "/etc/podinfo/podname") pod.Spec.SecurityContext = &v1.PodSecurityContext{ - RunAsUser: &uid, - FSGroup: &gid, + FSGroup: &gid, } + setPodNonRootUser(pod) f.TestContainerOutput("downward API volume plugin", pod, 0, []string{ fmt.Sprintf("%s\n", podName), }) 
@@ -107,14 +106,13 @@ var _ = ginkgo.Describe("[sig-storage] Projected downwardAPI", func() { // Windows does not support RunAsUser / FSGroup SecurityContext options, and it does not support setting file permissions. framework.SkipIfNodeOSDistroIs("windows") podName := "metadata-volume-" + string(uuid.NewUUID()) - uid := int64(1001) gid := int64(1234) mode := int32(0440) /* setting fsGroup sets mode to at least 440 */ pod := projectedDownwardAPIVolumePodForModeTest(podName, "/etc/podinfo/podname", &mode, nil) pod.Spec.SecurityContext = &v1.PodSecurityContext{ - RunAsUser: &uid, - FSGroup: &gid, + FSGroup: &gid, } + setPodNonRootUser(pod) f.TestContainerOutput("downward API volume plugin", pod, 0, []string{ "mode of file \"/etc/podinfo/podname\": -r--r-----", }) diff --git a/test/e2e/common/projected_secret.go b/test/e2e/common/projected_secret.go index 416b6c8ce93..bceb70e7806 100644 --- a/test/e2e/common/projected_secret.go +++ b/test/e2e/common/projected_secret.go @@ -63,8 +63,7 @@ var _ = ginkgo.Describe("[sig-storage] Projected secret", func() { framework.ConformanceIt("should be consumable from pods in volume as non-root with defaultMode and fsGroup set [LinuxOnly] [NodeConformance]", func() { defaultMode := int32(0440) /* setting fsGroup sets mode to at least 440 */ fsGroup := int64(1001) - uid := int64(1000) - doProjectedSecretE2EWithoutMapping(f, &defaultMode, "projected-secret-test-"+string(uuid.NewUUID()), &fsGroup, &uid) + doProjectedSecretE2EWithoutMapping(f, &defaultMode, "projected-secret-test-"+string(uuid.NewUUID()), &fsGroup, &nonRootTestUserID) }) /* diff --git a/test/e2e/common/runtime.go b/test/e2e/common/runtime.go index 32aa7d1011c..3fe418c6cae 100644 --- a/test/e2e/common/runtime.go +++ b/test/e2e/common/runtime.go 
@@ -131,6 +131,8 @@ while true; do sleep 1; done ginkgo.Context("on terminated container", func() { rootUser := int64(0) nonRootUser := int64(10000) + adminUserName := "ContainerAdministrator" + nonAdminUserName := "ContainerUser" // Create and then terminate the container under defined PodPhase to verify if termination message matches the expected output. Lastly delete the created container. matchTerminationMessage := func(container v1.Container, expectedPhase v1.PodPhase, expectedMsg gomegatypes.GomegaMatcher) { @@ -165,14 +167,19 @@ while true; do sleep 1; done ginkgo.It("should report termination message [LinuxOnly] if TerminationMessagePath is set [NodeConformance]", func() { // Cannot mount files in Windows Containers. + // TODO(claudiub): Remove [LinuxOnly] tag once Containerd becomes the default + // container runtime on Windows, and when the WindowsRunAsUserName feature becomes available by default. container := v1.Container{ Image: framework.BusyBoxImage, Command: []string{"/bin/sh", "-c"}, Args: []string{"/bin/echo -n DONE > /dev/termination-log"}, TerminationMessagePath: "/dev/termination-log", - SecurityContext: &v1.SecurityContext{ - RunAsUser: &rootUser, - }, + SecurityContext: &v1.SecurityContext{}, + } + if framework.NodeOSDistroIs("windows") { + container.SecurityContext.WindowsOptions = &v1.WindowsSecurityContextOptions{RunAsUserName: &adminUserName} + } else { + container.SecurityContext.RunAsUser = &rootUser } matchTerminationMessage(container, v1.PodSucceeded, gomega.Equal("DONE")) }) 
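Review bot: `nonAdminUserName := "ContainerUser"` added in this hunk duplicates the package-level `nonAdminTestUserName` that this same commit introduces in util.go, so the two values can drift; the `@@ -165` hunk below and the `@@ -184` hunk in the next chunk could reference the package variable instead, and `adminUserName` would be the natural companion to declare beside it in util.go. Separately, both termination-message tests stay tagged [LinuxOnly] and keep the `// Cannot mount files in Windows Containers.` comment, so the new `framework.NodeOSDistroIs("windows")` branches are presumably never executed while the tag filters the test out on Windows nodes. A one-line comment such as `// Windows branch is not exercised while [LinuxOnly] is set; kept so the tag can be dropped without code changes.` would save the next reader from looking for the missing skip. The enclosing ginkgo.Context body continues outside the hunks.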
@@ -184,14 +191,19 @@ while true; do sleep 1; done [LinuxOnly]: Tagged LinuxOnly due to use of 'uid' and unable to mount files in Windows Containers. */ framework.ConformanceIt("should report termination message [LinuxOnly] if TerminationMessagePath is set as non-root user and at a non-default path [NodeConformance]", func() { + // TODO(claudiub): Remove [LinuxOnly] tag once Containerd becomes the default + // container runtime on Windows, and when the WindowsRunAsUserName feature becomes available by default. container := v1.Container{ Image: framework.BusyBoxImage, Command: []string{"/bin/sh", "-c"}, Args: []string{"/bin/echo -n DONE > /dev/termination-custom-log"}, TerminationMessagePath: "/dev/termination-custom-log", - SecurityContext: &v1.SecurityContext{ - RunAsUser: &nonRootUser, - }, + SecurityContext: &v1.SecurityContext{}, + } + if framework.NodeOSDistroIs("windows") { + container.SecurityContext.WindowsOptions = &v1.WindowsSecurityContextOptions{RunAsUserName: &nonAdminUserName} + } else { + container.SecurityContext.RunAsUser = &nonRootUser } matchTerminationMessage(container, v1.PodSucceeded, gomega.Equal("DONE")) }) diff --git a/test/e2e/common/secrets_volume.go b/test/e2e/common/secrets_volume.go index b355812cc58..c0318c9d8b3 100644 --- a/test/e2e/common/secrets_volume.go +++ b/test/e2e/common/secrets_volume.go @@ -63,8 +63,7 @@ var _ = ginkgo.Describe("[sig-storage] Secrets", func() { framework.ConformanceIt("should be consumable from pods in volume as non-root with defaultMode and fsGroup set [LinuxOnly] [NodeConformance]", func() { defaultMode := int32(0440) /* setting fsGroup sets mode to at least 440 */ fsGroup := int64(1001) - uid := int64(1000) - doSecretE2EWithoutMapping(f, &defaultMode, "secret-test-"+string(uuid.NewUUID()), &fsGroup, &uid) + doSecretE2EWithoutMapping(f, &defaultMode, "secret-test-"+string(uuid.NewUUID()), &fsGroup, &nonRootTestUserID) }) /* 
diff --git a/test/e2e/common/security_context.go b/test/e2e/common/security_context.go index 4084136e908..88bf9e77e38 100644 --- a/test/e2e/common/security_context.go +++ b/test/e2e/common/security_context.go @@ -123,11 +123,11 @@ var _ = framework.KubeDescribe("Security Context", func() { // creates a pod with RunAsUser, which is not supported on Windows. framework.SkipIfNodeOSDistroIs("windows") name := "explicit-nonroot-uid" - pod := makeNonRootPod(name, rootImage, pointer.Int64Ptr(1234)) + pod := makeNonRootPod(name, rootImage, pointer.Int64Ptr(nonRootTestUserID)) podClient.Create(pod) podClient.WaitForSuccess(name, framework.PodStartTimeout) - framework.ExpectNoError(podClient.MatchContainerOutput(name, name, "1234")) + framework.ExpectNoError(podClient.MatchContainerOutput(name, name, "1000")) }) ginkgo.It("should not run with an explicit root user ID [LinuxOnly]", func() { // creates a pod with RunAsUser, which is not supported on Windows. @@ -327,7 +327,7 @@ var _ = framework.KubeDescribe("Security Context", func() { */ ginkgo.It("should allow privilege escalation when not explicitly set and uid != 0 [LinuxOnly] [NodeConformance]", func() { podName := "alpine-nnp-nil-" + string(uuid.NewUUID()) - if err := createAndMatchOutput(podName, "Effective uid: 0", nil, 1000); err != nil { + if err := createAndMatchOutput(podName, "Effective uid: 0", nil, nonRootTestUserID); err != nil { framework.Failf("Match output for pod %q failed: %v", podName, err) } }) 
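Review bot: `MatchContainerOutput(name, name, "1000")` hardcodes the value that the `makeNonRootPod` line two lines above now takes from `nonRootTestUserID`, so changing the shared variable would silently break this assertion, while the `@@ -343` hunk in the same file already derives its expected string with `fmt.Sprintf("Effective uid: %d", nonRootTestUserID)`. Suggest `framework.ExpectNoError(podClient.MatchContainerOutput(name, name, strconv.FormatInt(nonRootTestUserID, 10)))`, or the `fmt.Sprintf("%d", nonRootTestUserID)` form the later hunk uses since fmt appears to be in scope in this file; strconv would need importing if it is not already. The enclosing ginkgo.It starts outside the hunk.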
@@ -343,7 +343,7 @@ var _ = framework.KubeDescribe("Security Context", func() { framework.ConformanceIt("should not allow privilege escalation when false [LinuxOnly] [NodeConformance]", func() { podName := "alpine-nnp-false-" + string(uuid.NewUUID()) apeFalse := false - if err := createAndMatchOutput(podName, "Effective uid: 1000", &apeFalse, 1000); err != nil { + if err := createAndMatchOutput(podName, fmt.Sprintf("Effective uid: %d", nonRootTestUserID), &apeFalse, nonRootTestUserID); err != nil { framework.Failf("Match output for pod %q failed: %v", podName, err) } }) @@ -360,7 +360,7 @@ var _ = framework.KubeDescribe("Security Context", func() { ginkgo.It("should allow privilege escalation when true [LinuxOnly] [NodeConformance]", func() { podName := "alpine-nnp-true-" + string(uuid.NewUUID()) apeTrue := true - if err := createAndMatchOutput(podName, "Effective uid: 0", &apeTrue, 1000); err != nil { + if err := createAndMatchOutput(podName, "Effective uid: 0", &apeTrue, nonRootTestUserID); err != nil { framework.Failf("Match output for pod %q failed: %v", podName, err) } }) diff --git a/test/e2e/common/util.go b/test/e2e/common/util.go index 55b0b574d29..c83246c688a 100644 --- a/test/e2e/common/util.go +++ b/test/e2e/common/util.go @@ -44,6 +44,13 @@ const ( NodeE2E Suite = "node e2e" ) +var ( + // non-Administrator Windows user used in tests. This is the Windows equivalent of the Linux non-root UID usage. + nonAdminTestUserName = "ContainerUser" + // non-root UID used in tests. + nonRootTestUserID = int64(1000) +) + // CurrentSuite represents current test suite. var CurrentSuite Suite 
@@ -206,3 +213,13 @@ func rcByNamePort(name string, replicas int32, image string, containerArgs []str
 Ports: []v1.ContainerPort{{ContainerPort: int32(port), Protocol: protocol}},
 }, gracePeriod)
 }
+
+// setPodNonRootUser configures the Pod to run as a non-root user.
+// For Windows, it sets the RunAsUserName field to ContainerUser, and for Linux, it sets the RunAsUser field to 1000.
+func setPodNonRootUser(pod *v1.Pod) {
+ if framework.NodeOSDistroIs("windows") {
+ pod.Spec.SecurityContext.WindowsOptions = &v1.WindowsSecurityContextOptions{RunAsUserName: &nonAdminTestUserName}
+ } else {
+ pod.Spec.SecurityContext.RunAsUser = &nonRootTestUserID
+ }
+}
diff --git a/test/e2e/storage/subpath.go b/test/e2e/storage/subpath.go
index e68a7a9c3ea..5a4e477575a 100644
--- a/test/e2e/storage/subpath.go
+++ b/test/e2e/storage/subpath.go
@@ -57,6 +57,7 @@ var _ = utils.SIGDescribe("Subpath", func() {
 This test is marked LinuxOnly since Windows cannot mount individual files in Containers.
 */
 framework.ConformanceIt("should support subpaths with secret pod [LinuxOnly]", func() {
+ // TODO(claudiub): Remove [LinuxOnly] tag once Containerd becomes the default container runtime on Windows.
 pod := testsuites.SubpathTestPod(f, "secret-key", "secret", &v1.VolumeSource{Secret: &v1.SecretVolumeSource{SecretName: "my-secret"}}, privilegedSecurityContext)
 testsuites.TestBasicSubpath(f, "secret-value", pod)
 })
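Review bot: setPodNonRootUser dereferences `pod.Spec.SecurityContext` without checking it, so a caller that has not assigned a PodSecurityContext gets a nil-pointer panic inside the helper rather than a readable test failure; every caller in this commit does assign it first, but a shared util.go helper should not depend on that. Suggest adding `if pod.Spec.SecurityContext == nil { pod.Spec.SecurityContext = &v1.PodSecurityContext{} }` as the first statement. Both branches also store the address of a package-level variable (`&nonAdminTestUserName`, `&nonRootTestUserID`) into the pod spec, so any code that later writes through `RunAsUser` or `RunAsUserName` would change the value for every subsequent test in the package; no visible caller does that, but handing out a fresh copy (`uid := nonRootTestUserID` then `= &uid`) removes the aliasing. The doc comment's "sets the RunAsUser field to 1000" should name `nonRootTestUserID` rather than the literal so it does not go stale.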
@@ -68,6 +69,7 @@ var _ = utils.SIGDescribe("Subpath", func() {
 This test is marked LinuxOnly since Windows cannot mount individual files in Containers.
 */
 framework.ConformanceIt("should support subpaths with configmap pod [LinuxOnly]", func() {
+ // TODO(claudiub): Remove [LinuxOnly] tag once Containerd becomes the default container runtime on Windows.
 pod := testsuites.SubpathTestPod(f, "configmap-key", "configmap", &v1.VolumeSource{ConfigMap: &v1.ConfigMapVolumeSource{LocalObjectReference: v1.LocalObjectReference{Name: "my-configmap"}}}, privilegedSecurityContext)
 testsuites.TestBasicSubpath(f, "configmap-value", pod)
 })
@@ -79,6 +81,7 @@ var _ = utils.SIGDescribe("Subpath", func() {
 This test is marked LinuxOnly since Windows cannot mount individual files in Containers.
 */
 framework.ConformanceIt("should support subpaths with configmap pod with mountPath of existing file [LinuxOnly]", func() {
+ // TODO(claudiub): Remove [LinuxOnly] tag once Containerd becomes the default container runtime on Windows.
 pod := testsuites.SubpathTestPod(f, "configmap-key", "configmap", &v1.VolumeSource{ConfigMap: &v1.ConfigMapVolumeSource{LocalObjectReference: v1.LocalObjectReference{Name: "my-configmap"}}}, privilegedSecurityContext)
 file := "/etc/resolv.conf"
 pod.Spec.Containers[0].VolumeMounts[0].MountPath = file
@@ -92,6 +95,7 @@ var _ = utils.SIGDescribe("Subpath", func() {
 This test is marked LinuxOnly since Windows cannot mount individual files in Containers.
 */
 framework.ConformanceIt("should support subpaths with downward pod [LinuxOnly]", func() {
+ // TODO(claudiub): Remove [LinuxOnly] tag once Containerd becomes the default container runtime on Windows.
 pod := testsuites.SubpathTestPod(f, "downward/podname", "downwardAPI", &v1.VolumeSource{
 DownwardAPI: &v1.DownwardAPIVolumeSource{
 Items: []v1.DownwardAPIVolumeFile{{Path: "downward/podname", FieldRef: &v1.ObjectFieldSelector{APIVersion: "v1", FieldPath: "metadata.name"}}},
@@ -107,6 +111,7 @@ var _ = utils.SIGDescribe("Subpath", func() {
 This test is marked LinuxOnly since Windows cannot mount individual files in Containers.
 */
 framework.ConformanceIt("should support subpaths with projected pod [LinuxOnly]", func() {
+ // TODO(claudiub): Remove [LinuxOnly] tag once Containerd becomes the default container runtime on Windows.
 pod := testsuites.SubpathTestPod(f, "projected/configmap-key", "projected", &v1.VolumeSource{
 Projected: &v1.ProjectedVolumeSource{
 Sources: []v1.VolumeProjection{