20 package kuberuntime
21
22 import (
23 "k8s.io/api/core/v1"
24 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
25
26 "github.com/stretchr/testify/assert"
27 "testing"
28 )
29
// TestVerifyRunAsNonRoot exercises verifyRunAsNonRoot for a Windows container.
// The table combines the effective SecurityContext (RunAsNonRoot plus
// WindowsOptions.RunAsUserName) with the username the image reports and
// checks that, whenever RunAsNonRoot is true, the Windows administrative
// account name ("ContainerAdministrator") is rejected regardless of case,
// while any other user name is accepted.
func TestVerifyRunAsNonRoot(t *testing.T) {
	const (
		adminUser          = "ContainerAdministrator"
		adminUserUppercase = "CONTAINERADMINISTRATOR"
		plainUser          = "anyone"
	)
	// The SecurityContext fields are pointers, so hand out addresses of
	// fresh copies of the literals the table needs.
	boolPtr := func(b bool) *bool { return &b }
	strPtr := func(s string) *string { return &s }
	var zeroID int64 // id 0 for RunAsUser/RunAsGroup

	container := v1.Container{
		Name:            "foo",
		Image:           "windows",
		ImagePullPolicy: v1.PullIfNotPresent,
		Command:         []string{"testCommand"},
		WorkingDir:      "testWorkingDir",
	}
	pod := &v1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			UID:       "12345678",
			Name:      "bar",
			Namespace: "new",
		},
		Spec: v1.PodSpec{
			Containers: []v1.Container{container},
		},
	}

	type testCase struct {
		desc string
		// sc is installed as the container's SecurityContext before the call.
		sc *v1.SecurityContext
		// uid is never populated by any case below, so verifyRunAsNonRoot
		// always receives nil for it.
		uid *int64
		// username is the user name the image reports for its default user.
		username string
		// wantErr is true when verifyRunAsNonRoot must reject the combination.
		wantErr bool
	}

	cases := []testCase{
		{
			desc:     "Pass if SecurityContext is not set",
			sc:       nil,
			username: adminUser,
			wantErr:  false,
		},
		{
			desc:     "Pass if RunAsNonRoot is not set",
			sc:       &v1.SecurityContext{RunAsNonRoot: nil},
			username: adminUser,
			wantErr:  false,
		},
		{
			desc:     "Pass if RunAsNonRoot is false (image user is root)",
			sc:       &v1.SecurityContext{RunAsNonRoot: boolPtr(false)},
			username: adminUser,
			wantErr:  false,
		},
		{
			desc: "Pass if RunAsNonRoot is false (WindowsOptions RunAsUserName is root)",
			sc: &v1.SecurityContext{
				RunAsNonRoot: boolPtr(false),
				WindowsOptions: &v1.WindowsSecurityContextOptions{
					RunAsUserName: strPtr(adminUser),
				},
			},
			username: adminUser,
			wantErr:  false,
		},
		{
			desc: "Fail if container's RunAsUser is root and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: boolPtr(true),
				WindowsOptions: &v1.WindowsSecurityContextOptions{
					RunAsUserName: strPtr(adminUser),
				},
			},
			username: adminUser,
			wantErr:  true,
		},
		{
			// The explicit RunAsUserName takes precedence over the (non-root)
			// image user, and the comparison must not be fooled by case.
			desc: "Fail if container's RunAsUser is root (case-insensitive) and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: boolPtr(true),
				WindowsOptions: &v1.WindowsSecurityContextOptions{
					RunAsUserName: strPtr(adminUserUppercase),
				},
			},
			username: plainUser,
			wantErr:  true,
		},
		{
			desc:     "Fail if image's user is root and RunAsNonRoot is true",
			sc:       &v1.SecurityContext{RunAsNonRoot: boolPtr(true)},
			username: adminUser,
			wantErr:  true,
		},
		{
			desc:     "Fail if image's user is root (case-insensitive) and RunAsNonRoot is true",
			sc:       &v1.SecurityContext{RunAsNonRoot: boolPtr(true)},
			username: adminUserUppercase,
			wantErr:  true,
		},
		{
			desc:     "Pass if image's user is non-root and RunAsNonRoot is true",
			sc:       &v1.SecurityContext{RunAsNonRoot: boolPtr(true)},
			username: plainUser,
			wantErr:  false,
		},
		{
			// Only Linux-style fields are set (RunAsUser/RunAsGroup of 0 and an
			// empty SELinuxOptions) and no image username is supplied; the case
			// expects success, presumably because only the Windows user name
			// fields are consulted here — confirm against verifyRunAsNonRoot.
			desc: "Pass if container's user and image's user aren't set and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsUser:      &zeroID,
				SELinuxOptions: &v1.SELinuxOptions{},
				RunAsGroup:     &zeroID,
				RunAsNonRoot:   boolPtr(true),
			},
			wantErr: false,
		},
		{
			desc: "Pass if image's user is root, container's RunAsUser is not root and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: boolPtr(true),
				WindowsOptions: &v1.WindowsSecurityContextOptions{
					RunAsUserName: strPtr(plainUser),
				},
			},
			username: adminUser,
			wantErr:  false,
		},
		{
			desc: "Pass if image's user is root (case-insensitive), container's RunAsUser is not root and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: boolPtr(true),
				WindowsOptions: &v1.WindowsSecurityContextOptions{
					RunAsUserName: strPtr(plainUser),
				},
			},
			username: adminUserUppercase,
			wantErr:  false,
		},
	}

	for _, tc := range cases {
		// Each case swaps in its own SecurityContext on the shared pod's
		// single container before verifying it.
		pod.Spec.Containers[0].SecurityContext = tc.sc
		err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], tc.uid, tc.username)
		if !tc.wantErr {
			assert.NoError(t, err, tc.desc)
			continue
		}
		assert.Error(t, err, tc.desc)
	}
}