
     1  //go:build !windows
     2  // +build !windows
     3  
     4  /*
     5  Copyright 2020 The Kubernetes Authors.
     6  
     7  Licensed under the Apache License, Version 2.0 (the "License");
     8  you may not use this file except in compliance with the License.
     9  You may obtain a copy of the License at
    10  
    11      http://www.apache.org/licenses/LICENSE-2.0
    12  
    13  Unless required by applicable law or agreed to in writing, software
    14  distributed under the License is distributed on an "AS IS" BASIS,
    15  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    16  See the License for the specific language governing permissions and
    17  limitations under the License.
    18  */
    19  
    20  package kuberuntime
    21  
    22  import (
    23  	"testing"
    24  
    25  	"github.com/stretchr/testify/assert"
    26  
    27  	v1 "k8s.io/api/core/v1"
    28  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    29  )
    30  
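// TestVerifyRunAsNonRoot covers the runAsNonRoot enforcement done by
// verifyRunAsNonRoot. Each case combines a container SecurityContext
// (RunAsNonRoot / RunAsUser) with the uid or username reported for the image
// and states whether the check must return an error.
//
// Cases run as subtests so a failure is reported under its description, and
// every case gets its own pod so no SecurityContext leaks between cases.
//
// NOTE(review): only the container-level SecurityContext is exercised here;
// whether a pod-level SecurityContext is inherited is not covered by this
// test — confirm against verifyRunAsNonRoot before relying on it.
func TestVerifyRunAsNonRoot(t *testing.T) {
	rootUser := int64(0)
	anyUser := int64(1000)
	runAsNonRootTrue := true
	runAsNonRootFalse := false

	// newPod returns a fresh single-container pod whose only variable part is
	// the container SecurityContext under test.
	newPod := func(sc *v1.SecurityContext) *v1.Pod {
		return &v1.Pod{
			ObjectMeta: metav1.ObjectMeta{
				UID:       "12345678",
				Name:      "bar",
				Namespace: "new",
			},
			Spec: v1.PodSpec{
				Containers: []v1.Container{
					{
						Name:            "foo",
						Image:           "busybox",
						ImagePullPolicy: v1.PullIfNotPresent,
						Command:         []string{"testCommand"},
						WorkingDir:      "testWorkingDir",
						SecurityContext: sc,
					},
				},
			},
		}
	}

	tests := []struct {
		desc     string
		sc       *v1.SecurityContext // container SecurityContext; nil means unset
		uid      *int64              // numeric user reported for the image; nil means unknown
		username string              // non-numeric user reported for the image; "" means none
		fail     bool                // true when verifyRunAsNonRoot must return an error
	}{
		{
			desc: "Pass if SecurityContext is not set",
			sc:   nil,
			uid:  &rootUser,
			fail: false,
		},
		{
			desc: "Pass if RunAsUser is non-root and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
				RunAsUser:    &anyUser,
			},
			fail: false,
		},
		{
			desc: "Pass if RunAsNonRoot is not set",
			sc: &v1.SecurityContext{
				RunAsUser: &rootUser,
			},
			uid:  &rootUser,
			fail: false,
		},
		{
			desc: "Pass if RunAsNonRoot is false (image user is root)",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootFalse,
			},
			uid:  &rootUser,
			fail: false,
		},
		{
			desc: "Pass if RunAsNonRoot is false (RunAsUser is root)",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootFalse,
				RunAsUser:    &rootUser,
			},
			uid:  &rootUser,
			fail: false,
		},
		{
			// An explicit RunAsUser of 0 contradicts RunAsNonRoot regardless
			// of what the image reports.
			desc: "Fail if container's RunAsUser is root and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
				RunAsUser:    &rootUser,
			},
			uid:  &rootUser,
			fail: true,
		},
		{
			desc: "Fail if image's user is root and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
			},
			uid:  &rootUser,
			fail: true,
		},
		{
			// A non-numeric image user cannot be shown to be non-root, so the
			// check is expected to reject rather than assume.
			desc: "Fail if image's username is set and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
			},
			username: "test",
			fail:     true,
		},
		{
			desc: "Pass if image's user is non-root and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
			},
			uid:  &anyUser,
			fail: false,
		},
		{
			desc: "Pass if container's user and image's user aren't set and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
			},
			fail: false,
		},
	}

	for _, test := range tests {
		t.Run(test.desc, func(t *testing.T) {
			pod := newPod(test.sc)
			err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], test.uid, test.username)
			if test.fail {
				assert.Error(t, err, test.desc)
				return
			}
			assert.NoError(t, err, test.desc)
		})
	}
}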
   151  
