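//go:build !windows
// +build !windows

/*
Copyright 2020 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package kuberuntime

import (
	"testing"

	"github.com/stretchr/testify/assert"

	v1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// TestVerifyRunAsNonRoot exercises verifyRunAsNonRoot, the kubelet-side check
// behind the container's runAsNonRoot security-context field.
//
// Each case combines a SecurityContext with the UID and/or username reported
// for the image and states whether the check must reject the container. The
// table pins down that, with RunAsNonRoot set to true, a root UID coming from
// either RunAsUser or the image is rejected, a username-only image user is
// rejected as well (presumably because a name alone does not establish a
// non-zero UID), and that the check accepts the container when RunAsNonRoot
// is unset or false regardless of the UID. Each case runs as its own subtest
// so a failure is reported under its description.
func TestVerifyRunAsNonRoot(t *testing.T) {
	pod := &v1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			UID:       "12345678",
			Name:      "bar",
			Namespace: "new",
		},
		Spec: v1.PodSpec{
			Containers: []v1.Container{
				{
					Name:            "foo",
					Image:           "busybox",
					ImagePullPolicy: v1.PullIfNotPresent,
					Command:         []string{"testCommand"},
					WorkingDir:      "testWorkingDir",
				},
			},
		},
	}

	rootUser := int64(0)
	anyUser := int64(1000)
	runAsNonRootTrue := true
	runAsNonRootFalse := false

	tests := []struct {
		desc     string
		sc       *v1.SecurityContext // container security context under test; nil means unset
		uid      *int64              // UID reported for the image; nil when not known
		username string              // username reported for the image; "" when not known
		fail     bool                // true when verifyRunAsNonRoot must return an error
	}{
		{
			desc: "Pass if SecurityContext is not set",
			sc:   nil,
			uid:  &rootUser,
			fail: false,
		},
		{
			desc: "Pass if RunAsUser is non-root and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
				RunAsUser:    &anyUser,
			},
			fail: false,
		},
		{
			desc: "Pass if RunAsNonRoot is not set",
			sc: &v1.SecurityContext{
				RunAsUser: &rootUser,
			},
			uid:  &rootUser,
			fail: false,
		},
		{
			desc: "Pass if RunAsNonRoot is false (image user is root)",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootFalse,
			},
			uid:  &rootUser,
			fail: false,
		},
		{
			desc: "Pass if RunAsNonRoot is false (RunAsUser is root)",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootFalse,
				RunAsUser:    &rootUser,
			},
			uid:  &rootUser,
			fail: false,
		},
		{
			desc: "Fail if container's RunAsUser is root and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
				RunAsUser:    &rootUser,
			},
			uid:  &rootUser,
			fail: true,
		},
		{
			desc: "Fail if image's user is root and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
			},
			uid:  &rootUser,
			fail: true,
		},
		{
			desc: "Fail if image's username is set and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
			},
			username: "test",
			fail:     true,
		},
		{
			desc: "Pass if image's user is non-root and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
			},
			uid:  &anyUser,
			fail: false,
		},
		{
			desc: "Pass if container's user and image's user aren't set and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
			},
			fail: false,
		},
	}

	for _, test := range tests {
		t.Run(test.desc, func(t *testing.T) {
			// The single container is shared across cases: only its security
			// context is swapped, so every case sees the same pod metadata.
			// Subtests run sequentially, so this mutation is not racy.
			pod.Spec.Containers[0].SecurityContext = test.sc
			err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], test.uid, test.username)
			if test.fail {
				assert.Error(t, err, test.desc)
				return
			}
			assert.NoError(t, err, test.desc)
		})
	}
}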