Skip to content

Commit

Permalink
Add NoNewPrivs validation
Browse files Browse the repository at this point in the history
  • Loading branch information
feiskyer committed Sep 21, 2017
1 parent 48f8614 commit b091a22
Showing 1 changed file with 65 additions and 0 deletions.
65 changes: 65 additions & 0 deletions pkg/validate/security_context.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ import (
const (
nginxContainerImage string = "nginx"
localhost string = "localhost/"
noNewPrivsImage string = "gcr.io/google_containers/nonewprivs:1.2"
)

var _ = framework.KubeDescribe("Security Context", func() {
Expand Down Expand Up @@ -579,6 +580,70 @@ var _ = framework.KubeDescribe("Security Context", func() {
})
})
})

Context("NoNewPrivs", func() {
var podID, logPath string
var podConfig *runtimeapi.PodSandboxConfig

BeforeEach(func() {
podID, podConfig, logPath = createPodSandboxWithLogDirectory(rc)
})

AfterEach(func() {
By("stop PodSandbox")
rc.StopPodSandbox(podID)
By("delete PodSandbox")
rc.RemovePodSandbox(podID)
By("clean up the log dir")
os.RemoveAll(logPath)
})

createContainerWithNoNewPrivs := func(name string, noNewPrivs bool, uid int64) string {
By(fmt.Sprintf("create container %s", name))
containerConfig := &runtimeapi.ContainerConfig{
Metadata: framework.BuildContainerMetadata(name, framework.DefaultAttempt),
Image: &runtimeapi.ImageSpec{Image: noNewPrivsImage},
Linux: &runtimeapi.LinuxContainerConfig{
SecurityContext: &runtimeapi.LinuxContainerSecurityContext{
NoNewPrivs: noNewPrivs,
RunAsUser: &runtimeapi.Int64Value{
Value: uid,
},
},
},
LogPath: fmt.Sprintf("%s.log", name),
}
containerID := framework.CreateContainer(rc, ic, containerConfig, podID, podConfig)

// wait container started and check the status.
startContainer(rc, containerID)
Eventually(func() runtimeapi.ContainerState {
return getContainerStatus(rc, containerID).State
}, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_EXITED))

return containerID
}
matchOutput := func(name, output string) {
By("check container's output")
expectedLog := &logMessage{
log: []byte(output + "\n"),
stream: stdoutType,
}
verifyLogContents(podConfig, fmt.Sprintf("%s.log", name), expectedLog)
}

It("should not allow privilege escalation when true", func() {
containerName := "alpine-nnp-true-" + string(framework.NewUUID())
createContainerWithNoNewPrivs(containerName, true, 1000)
matchOutput(containerName, "Effective uid: 1000")
})

It("should allow privilege escalation when false", func() {
containerName := "alpine-nnp-false-" + string(framework.NewUUID())
createContainerWithNoNewPrivs(containerName, false, 1000)
matchOutput(containerName, "Effective uid: 0")
})
})
})

// createRunAsUserContainer creates the container with specified RunAsUser in ContainerConfig.
Expand Down

0 comments on commit b091a22

Please sign in to comment.