Commit 07a67c25 authored by Yu-Ju Hong's avatar Yu-Ju Hong

kuberuntime: check the value of RunAsNonRoot when verifying

The verification function is fixed to check the value of RunAsNonRoot, not just the existence of it. Also adds unit tests to verify the correct behavior.
parent f893cddf
...@@ -228,7 +228,7 @@ func TestGenerateContainerConfig(t *testing.T) { ...@@ -228,7 +228,7 @@ func TestGenerateContainerConfig(t *testing.T) {
assert.Equal(t, expectedConfig, containerConfig, "generate container config for kubelet runtime v1.") assert.Equal(t, expectedConfig, containerConfig, "generate container config for kubelet runtime v1.")
runAsUser := types.UnixUserID(0) runAsUser := types.UnixUserID(0)
RunAsNonRoot := false runAsNonRootTrue := true
podWithContainerSecurityContext := &v1.Pod{ podWithContainerSecurityContext := &v1.Pod{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
UID: "12345678", UID: "12345678",
...@@ -244,7 +244,7 @@ func TestGenerateContainerConfig(t *testing.T) { ...@@ -244,7 +244,7 @@ func TestGenerateContainerConfig(t *testing.T) {
Command: []string{"testCommand"}, Command: []string{"testCommand"},
WorkingDir: "testWorkingDir", WorkingDir: "testWorkingDir",
SecurityContext: &v1.SecurityContext{ SecurityContext: &v1.SecurityContext{
RunAsNonRoot: &RunAsNonRoot, RunAsNonRoot: &runAsNonRootTrue,
RunAsUser: &runAsUser, RunAsUser: &runAsUser,
}, },
}, },
......
...@@ -72,7 +72,8 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po ...@@ -72,7 +72,8 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
// verifyRunAsNonRoot verifies RunAsNonRoot. // verifyRunAsNonRoot verifies RunAsNonRoot.
func verifyRunAsNonRoot(pod *v1.Pod, container *v1.Container, uid int64) error { func verifyRunAsNonRoot(pod *v1.Pod, container *v1.Container, uid int64) error {
effectiveSc := securitycontext.DetermineEffectiveSecurityContext(pod, container) effectiveSc := securitycontext.DetermineEffectiveSecurityContext(pod, container)
if effectiveSc == nil || effectiveSc.RunAsNonRoot == nil { // If the option is not set, or if running as root is allowed, return nil.
if effectiveSc == nil || effectiveSc.RunAsNonRoot == nil || !*effectiveSc.RunAsNonRoot {
return nil return nil
} }
......
...@@ -45,60 +45,57 @@ func TestVerifyRunAsNonRoot(t *testing.T) { ...@@ -45,60 +45,57 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
}, },
} }
err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], int64(0)) rootUser := types.UnixUserID(0)
assert.NoError(t, err) runAsNonRootTrue := true
runAsNonRootFalse := false
runAsUser := types.UnixUserID(0) for _, test := range []struct {
RunAsNonRoot := false desc string
podWithContainerSecurityContext := &v1.Pod{ sc *v1.SecurityContext
ObjectMeta: metav1.ObjectMeta{ errStr string
UID: "12345678", }{
Name: "bar", {
Namespace: "new", desc: "Pass if SecurityContext is not set",
sc: nil,
errStr: "",
}, },
Spec: v1.PodSpec{ {
Containers: []v1.Container{ desc: "Pass if RunAsNonRoot is not set",
{ sc: &v1.SecurityContext{
Name: "foo", RunAsUser: &rootUser,
Image: "busybox",
ImagePullPolicy: v1.PullIfNotPresent,
Command: []string{"testCommand"},
WorkingDir: "testWorkingDir",
SecurityContext: &v1.SecurityContext{
RunAsNonRoot: &RunAsNonRoot,
RunAsUser: &runAsUser,
},
},
}, },
errStr: "",
}, },
} {
desc: "Pass if RunAsNonRoot is false",
err2 := verifyRunAsNonRoot(podWithContainerSecurityContext, &podWithContainerSecurityContext.Spec.Containers[0], int64(0)) sc: &v1.SecurityContext{
assert.EqualError(t, err2, "container's runAsUser breaks non-root policy") RunAsNonRoot: &runAsNonRootFalse,
RunAsUser: &rootUser,
RunAsNonRoot = false },
podWithContainerSecurityContext = &v1.Pod{ errStr: "",
ObjectMeta: metav1.ObjectMeta{
UID: "12345678",
Name: "bar",
Namespace: "new",
}, },
Spec: v1.PodSpec{ {
Containers: []v1.Container{ desc: "Fail if container's RunAsUser is root and RunAsNonRoot is true",
{ sc: &v1.SecurityContext{
Name: "foo", RunAsNonRoot: &runAsNonRootTrue,
Image: "busybox", RunAsUser: &rootUser,
ImagePullPolicy: v1.PullIfNotPresent, },
Command: []string{"testCommand"}, errStr: "container's runAsUser breaks non-root policy",
WorkingDir: "testWorkingDir", },
SecurityContext: &v1.SecurityContext{ {
RunAsNonRoot: &RunAsNonRoot, desc: "Fail if image's user is root and RunAsNonRoot is true",
}, sc: &v1.SecurityContext{
}, RunAsNonRoot: &runAsNonRootTrue,
}, },
errStr: "container has runAsNonRoot and image will run as root",
}, },
} {
pod.Spec.Containers[0].SecurityContext = test.sc
err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], int64(0))
if len(test.errStr) == 0 {
assert.NoError(t, err, test.desc)
} else {
assert.EqualError(t, err, test.errStr, test.desc)
}
} }
err3 := verifyRunAsNonRoot(podWithContainerSecurityContext, &podWithContainerSecurityContext.Spec.Containers[0], int64(0))
assert.EqualError(t, err3, "container has runAsNonRoot and image will run as root")
} }
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment