add non-root directive to SC and kubelet checking

2015-08-10 13:30:34 -04:00
parent 72db123025
commit e490c20c22
11 changed files with 356 additions and 0 deletions
--- a/pkg/securitycontext/util.go
+++ b/pkg/securitycontext/util.go
@@ -66,3 +66,24 @@ func ParseSELinuxOptions(context string) (*api.SELinuxOptions, error) {
 		Level: fields[3],
 	}, nil
 }
+
+// HasNonRootUID returns true if the runAsUser is set and is greater than 0.
+func HasRootUID(container *api.Container) bool {
+	if container.SecurityContext == nil {
+		return false
+	}
+	if container.SecurityContext.RunAsUser == nil {
+		return false
+	}
+	return *container.SecurityContext.RunAsUser == 0
+}
+
+// HasRunAsUser determines if the sc's runAsUser field is set.
+func HasRunAsUser(container *api.Container) bool {
+	return container.SecurityContext != nil && container.SecurityContext.RunAsUser != nil
+}
+
+// HasRootRunAsUser returns true if the run as user is set and it is set to 0.
+func HasRootRunAsUser(container *api.Container) bool {
+	return HasRunAsUser(container) && HasRootUID(container)
+}
--- a/pkg/securitycontext/util_test.go
+++ b/pkg/securitycontext/util_test.go
@@ -83,3 +83,124 @@ func compareContexts(name string, ex, ac *api.SELinuxOptions, t *testing.T) {
 		t.Errorf("%v: expected level: %v, got: %v", name, e, a)
 	}
 }
+
+func TestHaRootUID(t *testing.T) {
+	var nonRoot int64 = 1
+	var root int64 = 0
+
+	tests := map[string]struct {
+		container *api.Container
+		expect    bool
+	}{
+		"nil sc": {
+			container: &api.Container{SecurityContext: nil},
+		},
+		"nil runAsuser": {
+			container: &api.Container{
+				SecurityContext: &api.SecurityContext{
+					RunAsUser: nil,
+				},
+			},
+		},
+		"runAsUser non-root": {
+			container: &api.Container{
+				SecurityContext: &api.SecurityContext{
+					RunAsUser: &nonRoot,
+				},
+			},
+		},
+		"runAsUser root": {
+			container: &api.Container{
+				SecurityContext: &api.SecurityContext{
+					RunAsUser: &root,
+				},
+			},
+			expect: true,
+		},
+	}
+
+	for k, v := range tests {
+		actual := HasRootUID(v.container)
+		if actual != v.expect {
+			t.Errorf("%s failed, expected %t but received %t", k, v.expect, actual)
+		}
+	}
+}
+
+func TestHasRunAsUser(t *testing.T) {
+	var runAsUser int64 = 0
+
+	tests := map[string]struct {
+		container *api.Container
+		expect    bool
+	}{
+		"nil sc": {
+			container: &api.Container{SecurityContext: nil},
+		},
+		"nil runAsUser": {
+			container: &api.Container{
+				SecurityContext: &api.SecurityContext{
+					RunAsUser: nil,
+				},
+			},
+		},
+		"valid runAsUser": {
+			container: &api.Container{
+				SecurityContext: &api.SecurityContext{
+					RunAsUser: &runAsUser,
+				},
+			},
+			expect: true,
+		},
+	}
+
+	for k, v := range tests {
+		actual := HasRunAsUser(v.container)
+		if actual != v.expect {
+			t.Errorf("%s failed, expected %t but received %t", k, v.expect, actual)
+		}
+	}
+}
+
+func TestHasRootRunAsUser(t *testing.T) {
+	var nonRoot int64 = 1
+	var root int64 = 0
+
+	tests := map[string]struct {
+		container *api.Container
+		expect    bool
+	}{
+		"nil sc": {
+			container: &api.Container{SecurityContext: nil},
+		},
+		"nil runAsuser": {
+			container: &api.Container{
+				SecurityContext: &api.SecurityContext{
+					RunAsUser: nil,
+				},
+			},
+		},
+		"runAsUser non-root": {
+			container: &api.Container{
+				SecurityContext: &api.SecurityContext{
+					RunAsUser: &nonRoot,
+				},
+			},
+		},
+		"runAsUser root": {
+			container: &api.Container{
+				SecurityContext: &api.SecurityContext{
+					RunAsUser: &root,
+				},
+			},
+			expect: true,
+		},
+	}
+
+	for k, v := range tests {
+		actual := HasRootRunAsUser(v.container)
+		if actual != v.expect {
+			t.Errorf("%s failed, expected %t but received %t", k, v.expect, actual)
+		}
+	}
+}