pkg: validate: validate Username not empty in ImageStatus
Kubernetes relies on the Username field to provide RunAsUser, so we need to
validate that runtimes return it correctly. We recently had an issue in
CRI-O with this.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
runcom committed Feb 24, 2018
1 parent b256b8f commit e082452
Showing 3 changed files with 101 additions and 0 deletions.
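--- a/images/image-user/Dockerfile
+++ b/images/image-user/Dockerfile
@@ -0,0 +1,17 @@
+# Copyright 2018 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM busybox
+ARG USER
+USER ${USER}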
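Review bot: `FROM busybox` carries no tag or digest, so every rebuild of the four fixture images inherits whatever the upstream `latest` tag points to at that moment, and the published conformance images are not reproducible. Pinning the base, for example `FROM busybox@sha256:<digest-placeholder>`, fixes the content the fixtures are built from. `ARG USER` also has no default, so a build run without `--build-arg USER=...` reaches `USER ${USER}` with an empty value. A comment above it such as `# USER is required: uid, name, uid:group or name:group (see Makefile)` would document the contract.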
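--- a/images/image-user/Makefile
+++ b/images/image-user/Makefile
@@ -0,0 +1,33 @@
+# Copyright 2018 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+.PHONY: all test-image-user-uid test-image-user-username test-image-user-uid-group test-image-user-username-group
+
+all: test-image-user-uid test-image-user-username test-image-user-uid-group test-image-user-username-group
+
+test-image-user-uid:
+docker build . -t gcr.io/cri-tools/$@ --build-arg USER=1002
+gcloud docker -- push gcr.io/cri-tools/$@
+
+test-image-user-username:
+docker build . -t gcr.io/cri-tools/$@ --build-arg USER=www-data
+gcloud docker -- push gcr.io/cri-tools/$@
+
+test-image-user-uid-group:
+docker build . -t gcr.io/cri-tools/$@ --build-arg USER=1003:users
+gcloud docker -- push gcr.io/cri-tools/$@
+
+test-image-user-username-group:
+docker build . -t gcr.io/cri-tools/$@ --build-arg USER=www-data:100
+gcloud docker -- push gcr.io/cri-tools/$@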
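Review bot: Each recipe builds and pushes `gcr.io/cri-tools/$@` with no tag, so the image lands on the mutable default tag and a later push silently replaces what the conformance test pulls. pkg/validate/image.go in this commit references the four images by bare name, while the existing `testImageWithDigest` constant there is pinned by `sha256` digest. Consider pushing an explicit tag, e.g. `-t gcr.io/cri-tools/$@:<version-placeholder>`, and referencing that tag or the resulting digest from the test. The USER values here (`1002`, `www-data`, `1003:users`, `www-data:100`) are also repeated as constants in image.go, so a comment such as `# USER values must match the imageUser* constants in pkg/validate/image.go` would help keep the two in sync.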
51 changes: 51 additions & 0 deletions pkg/validate/image.go
@@ -17,6 +17,7 @@ limitations under the License.
package validate

import (
"fmt"
"sort"

"github.com/kubernetes-incubator/cri-tools/pkg/framework"
@@ -36,6 +37,15 @@ const (

// digested reference for test image
testImageWithDigest = "gcr.io/cri-tools/test-image-digest@sha256:9179135b4b4cc5a8721e09379244807553c318d92fa3111a65133241551ca343"

testImageUserUID = "gcr.io/cri-tools/test-image-user-uid"
imageUserUID = int64(1002)
testImageUserUsername = "gcr.io/cri-tools/test-image-user-username"
imageUserUsername = "www-data"
testImageUserUIDGroup = "gcr.io/cri-tools/test-image-user-uid-group"
imageUserUIDGroup = int64(1003)
testImageUserUsernameGroup = "gcr.io/cri-tools/test-image-user-username-group"
imageUserUsernameGroup = "www-data"
)

var _ = framework.KubeDescribe("Image Manager", func() {
@@ -66,6 +76,47 @@ var _ = framework.KubeDescribe("Image Manager", func() {
})
})

It("image status get image fields should not have Uid|Username empty [Conformance]", func() {
for _, item := range []struct {
description string
image string
uid int64
username string
}{
{
description: "UID only",
image: testImageUserUID,
uid: imageUserUID,
username: "",
},
{
description: "Username only",
image: testImageUserUsername,
uid: int64(0),
username: imageUserUsername,
},
{
description: "UID:group",
image: testImageUserUIDGroup,
uid: imageUserUIDGroup,
username: "",
},
{
description: "Username:group",
image: testImageUserUsernameGroup,
uid: int64(0),
username: imageUserUsernameGroup,
},
} {
framework.PullPublicImage(c, item.image)
defer removeImage(c, item.image)

status := framework.ImageStatus(c, item.image)
Expect(status.GetUid().GetValue()).To(Equal(item.uid), fmt.Sprintf("%s, Image Uid should be %d", item.description, item.uid))
Expect(status.GetUsername()).To(Equal(item.username), fmt.Sprintf("%s, Image Username should be %s", item.description, item.username))
}
})

It("listImage should get exactly 3 image in the result list [Conformance]", func() {
// different tags refer to different images
testImageList := []string{
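Review bot: In the two username cases, `Expect(status.GetUid().GetValue()).To(Equal(item.uid), ...)` with `uid: int64(0)` cannot tell an unset Uid from an explicit UID 0, assuming these are the usual protobuf-generated getters that return the zero value on a nil message. A runtime that reports Username `www-data` together with a Uid of 0 would pass this conformance test, although a consumer that prefers Uid when it is set would then treat the image as running as root. For those cases assert absence directly, e.g. `if item.username != "" { Expect(status.GetUid()).To(BeNil(), item.description) }`, and assert `status.GetUid()` is non-nil in the UID cases. Separately, `defer removeImage(c, item.image)` sits inside the `for` loop, so all four images are removed only when the `It` closure returns; calling it at the end of each iteration, or moving the loop body into a helper, would clean up per image. The enclosing `KubeDescribe` block starts and ends outside this hunk.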
