kuberuntime: check the value of RunAsNonRoot when verifying
The verification function is fixed to check the value of RunAsNonRoot, not just whether it is set. Also adds unit tests to verify the correct behavior.
This commit is contained in:
parent
f893cddfba
commit
07a67c252c
@ -228,7 +228,7 @@ func TestGenerateContainerConfig(t *testing.T) {
|
|||||||
assert.Equal(t, expectedConfig, containerConfig, "generate container config for kubelet runtime v1.")
|
assert.Equal(t, expectedConfig, containerConfig, "generate container config for kubelet runtime v1.")
|
||||||
|
|
||||||
runAsUser := types.UnixUserID(0)
|
runAsUser := types.UnixUserID(0)
|
||||||
RunAsNonRoot := false
|
runAsNonRootTrue := true
|
||||||
podWithContainerSecurityContext := &v1.Pod{
|
podWithContainerSecurityContext := &v1.Pod{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
UID: "12345678",
|
UID: "12345678",
|
||||||
@ -244,7 +244,7 @@ func TestGenerateContainerConfig(t *testing.T) {
|
|||||||
Command: []string{"testCommand"},
|
Command: []string{"testCommand"},
|
||||||
WorkingDir: "testWorkingDir",
|
WorkingDir: "testWorkingDir",
|
||||||
SecurityContext: &v1.SecurityContext{
|
SecurityContext: &v1.SecurityContext{
|
||||||
RunAsNonRoot: &RunAsNonRoot,
|
RunAsNonRoot: &runAsNonRootTrue,
|
||||||
RunAsUser: &runAsUser,
|
RunAsUser: &runAsUser,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -72,7 +72,8 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
|
|||||||
// verifyRunAsNonRoot verifies RunAsNonRoot.
|
// verifyRunAsNonRoot verifies RunAsNonRoot.
|
||||||
func verifyRunAsNonRoot(pod *v1.Pod, container *v1.Container, uid int64) error {
|
func verifyRunAsNonRoot(pod *v1.Pod, container *v1.Container, uid int64) error {
|
||||||
effectiveSc := securitycontext.DetermineEffectiveSecurityContext(pod, container)
|
effectiveSc := securitycontext.DetermineEffectiveSecurityContext(pod, container)
|
||||||
if effectiveSc == nil || effectiveSc.RunAsNonRoot == nil {
|
// If the option is not set, or if running as root is allowed, return nil.
|
||||||
|
if effectiveSc == nil || effectiveSc.RunAsNonRoot == nil || !*effectiveSc.RunAsNonRoot {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
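Review bot: The doc comment above the function is still the tautological `// verifyRunAsNonRoot verifies RunAsNonRoot.`, so the contract the new guard establishes (unset or false RunAsNonRoot is a pass, true falls through to the uid checks) is only documented by the inline comment on the `if`. Suggest replacing it with `// verifyRunAsNonRoot returns nil when the effective security context leaves RunAsNonRoot unset or false; otherwise it returns an error if the container would run as root.` The body of verifyRunAsNonRoot continues past the end of the hunk, so the checks performed when RunAsNonRoot is true are not visible here and the wording should be confirmed against them. It would also help to say in the comment what `uid` is; from the error strings in the test file it looks like the user id declared by the image, but that is inferred rather than visible.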
@ -45,60 +45,57 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
|
|||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
rootUser := types.UnixUserID(0)
|
||||||
|
runAsNonRootTrue := true
|
||||||
|
runAsNonRootFalse := false
|
||||||
|
|
||||||
|
for _, test := range []struct {
|
||||||
|
desc string
|
||||||
|
sc *v1.SecurityContext
|
||||||
|
errStr string
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
desc: "Pass if SecurityContext is not set",
|
||||||
|
sc: nil,
|
||||||
|
errStr: "",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "Pass if RunAsNonRoot is not set",
|
||||||
|
sc: &v1.SecurityContext{
|
||||||
|
RunAsUser: &rootUser,
|
||||||
|
},
|
||||||
|
errStr: "",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "Pass if RunAsNonRoot is false",
|
||||||
|
sc: &v1.SecurityContext{
|
||||||
|
RunAsNonRoot: &runAsNonRootFalse,
|
||||||
|
RunAsUser: &rootUser,
|
||||||
|
},
|
||||||
|
errStr: "",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "Fail if container's RunAsUser is root and RunAsNonRoot is true",
|
||||||
|
sc: &v1.SecurityContext{
|
||||||
|
RunAsNonRoot: &runAsNonRootTrue,
|
||||||
|
RunAsUser: &rootUser,
|
||||||
|
},
|
||||||
|
errStr: "container's runAsUser breaks non-root policy",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "Fail if image's user is root and RunAsNonRoot is true",
|
||||||
|
sc: &v1.SecurityContext{
|
||||||
|
RunAsNonRoot: &runAsNonRootTrue,
|
||||||
|
},
|
||||||
|
errStr: "container has runAsNonRoot and image will run as root",
|
||||||
|
},
|
||||||
|
} {
|
||||||
|
pod.Spec.Containers[0].SecurityContext = test.sc
|
||||||
err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], int64(0))
|
err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], int64(0))
|
||||||
assert.NoError(t, err)
|
if len(test.errStr) == 0 {
|
||||||
|
assert.NoError(t, err, test.desc)
|
||||||
runAsUser := types.UnixUserID(0)
|
} else {
|
||||||
RunAsNonRoot := false
|
assert.EqualError(t, err, test.errStr, test.desc)
|
||||||
podWithContainerSecurityContext := &v1.Pod{
|
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
|
||||||
UID: "12345678",
|
|
||||||
Name: "bar",
|
|
||||||
Namespace: "new",
|
|
||||||
},
|
|
||||||
Spec: v1.PodSpec{
|
|
||||||
Containers: []v1.Container{
|
|
||||||
{
|
|
||||||
Name: "foo",
|
|
||||||
Image: "busybox",
|
|
||||||
ImagePullPolicy: v1.PullIfNotPresent,
|
|
||||||
Command: []string{"testCommand"},
|
|
||||||
WorkingDir: "testWorkingDir",
|
|
||||||
SecurityContext: &v1.SecurityContext{
|
|
||||||
RunAsNonRoot: &RunAsNonRoot,
|
|
||||||
RunAsUser: &runAsUser,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
}
|
||||||
|
|
||||||
err2 := verifyRunAsNonRoot(podWithContainerSecurityContext, &podWithContainerSecurityContext.Spec.Containers[0], int64(0))
|
|
||||||
assert.EqualError(t, err2, "container's runAsUser breaks non-root policy")
|
|
||||||
|
|
||||||
RunAsNonRoot = false
|
|
||||||
podWithContainerSecurityContext = &v1.Pod{
|
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
|
||||||
UID: "12345678",
|
|
||||||
Name: "bar",
|
|
||||||
Namespace: "new",
|
|
||||||
},
|
|
||||||
Spec: v1.PodSpec{
|
|
||||||
Containers: []v1.Container{
|
|
||||||
{
|
|
||||||
Name: "foo",
|
|
||||||
Image: "busybox",
|
|
||||||
ImagePullPolicy: v1.PullIfNotPresent,
|
|
||||||
Command: []string{"testCommand"},
|
|
||||||
WorkingDir: "testWorkingDir",
|
|
||||||
SecurityContext: &v1.SecurityContext{
|
|
||||||
RunAsNonRoot: &RunAsNonRoot,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
}
|
||||||
|
|
||||||
err3 := verifyRunAsNonRoot(podWithContainerSecurityContext, &podWithContainerSecurityContext.Spec.Containers[0], int64(0))
|
|
||||||
assert.EqualError(t, err3, "container has runAsNonRoot and image will run as root")
|
|
||||||
}
|
}
|
||||||
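Review bot: The new table only exercises the failing side of `RunAsNonRoot: true` — both true cases expect an error — and every iteration calls `verifyRunAsNonRoot` with `uid` fixed at `int64(0)`, so nothing confirms that a non-root `RunAsUser` (or a non-root image uid) passes once the policy is enabled. A regression that rejected every RunAsNonRoot=true container would still pass this test. Adding a positive case with a non-root `RunAsUser` next to the existing entries closes that gap; the uid value below is a constructed sample, and the expectation assumes the checks after the early return compare `RunAsUser` against 0, which is outside this hunk and should be confirmed. Covering a non-zero `uid` argument would need a per-case uid field in the table, which is a larger change than shown here.
```go
	nonRootUser := types.UnixUserID(1000) // constructed sample, declared next to rootUser
	// … unchanged: existing table entries …
		{
			desc: "Pass if RunAsNonRoot is true and RunAsUser is non-root",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
				RunAsUser:    &nonRootUser,
			},
			errStr: "",
		},
	// … unchanged: loop body …
```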
|