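//go:build windows
// +build windows

/*
Copyright 2020 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package kuberuntime

import (
	"testing"

	"github.com/stretchr/testify/assert"
	v1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// TestVerifyRunAsNonRoot pins the Windows behaviour of verifyRunAsNonRoot, the
// kubelet-side check behind securityContext.runAsNonRoot.
//
// The table covers the combinations the check has to get right on Windows:
//   - the effective user comes from WindowsOptions.RunAsUserName when that is
//     set, otherwise from the image-configured user (the username argument);
//   - the built-in administrator account "ContainerAdministrator" must be
//     treated as root regardless of letter case, on both sources;
//   - RunAsNonRoot unset or false never fails, and the Linux-only fields
//     RunAsUser, RunAsGroup and SELinuxOptions are ignored.
//
// Every case is run as a subtest named after its description so a failure
// identifies the exact scenario.
func TestVerifyRunAsNonRoot(t *testing.T) {
	pod := &v1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			UID:       "12345678",
			Name:      "bar",
			Namespace: "new",
		},
		Spec: v1.PodSpec{
			Containers: []v1.Container{
				{
					Name:            "foo",
					Image:           "windows",
					ImagePullPolicy: v1.PullIfNotPresent,
					Command:         []string{"testCommand"},
					WorkingDir:      "testWorkingDir",
				},
			},
		},
	}
	rootUser := "ContainerAdministrator"
	rootUserUppercase := "CONTAINERADMINISTRATOR"
	anyUser := "anyone"
	runAsNonRootTrue := true
	runAsNonRootFalse := false
	uid := int64(0)

	tests := []struct {
		desc string
		// sc is installed as the container's SecurityContext before the call.
		sc *v1.SecurityContext
		// uid is the numeric UID argument; no case below sets it, so the
		// check is always exercised with a nil UID on Windows.
		uid *int64
		// username is the image-configured user handed to verifyRunAsNonRoot.
		username string
		// fail is true when verifyRunAsNonRoot is expected to return an error.
		fail bool
	}{
		{
			desc:     "Pass if SecurityContext is not set",
			sc:       nil,
			username: rootUser,
			fail:     false,
		},
		{
			desc: "Pass if RunAsNonRoot is not set",
			sc: &v1.SecurityContext{
				RunAsNonRoot: nil,
			},
			username: rootUser,
			fail:     false,
		},
		{
			desc: "Pass if RunAsNonRoot is false (image user is root)",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootFalse,
			},
			username: rootUser,
			fail:     false,
		},
		{
			desc: "Pass if RunAsNonRoot is false (WindowsOptions RunAsUserName is root)",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootFalse,
				WindowsOptions: &v1.WindowsSecurityContextOptions{
					RunAsUserName: &rootUser,
				},
			},
			username: rootUser,
			fail:     false,
		},
		{
			desc: "Fail if container's RunAsUser is root and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
				WindowsOptions: &v1.WindowsSecurityContextOptions{
					RunAsUserName: &rootUser,
				},
			},
			username: rootUser,
			fail:     true,
		},
		{
			// The image user is non-root here; the rejection must come from the
			// case-insensitive match on RunAsUserName alone.
			desc: "Fail if container's RunAsUser is root (case-insensitive) and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
				WindowsOptions: &v1.WindowsSecurityContextOptions{
					RunAsUserName: &rootUserUppercase,
				},
			},
			username: anyUser,
			fail:     true,
		},
		{
			desc: "Fail if image's user is root and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
			},
			username: rootUser,
			fail:     true,
		},
		{
			desc: "Fail if image's user is root (case-insensitive) and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
			},
			username: rootUserUppercase,
			fail:     true,
		},
		{
			desc: "Pass if image's user is non-root and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
			},
			username: anyUser,
			fail:     false,
		},
		{
			desc: "Pass if container's user and image's user aren't set and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				// verifyRunAsNonRoot should ignore the RunAsUser, SELinuxOptions, and RunAsGroup options.
				RunAsUser:      &uid,
				SELinuxOptions: &v1.SELinuxOptions{},
				RunAsGroup:     &uid,
				RunAsNonRoot:   &runAsNonRootTrue,
			},
			fail: false,
		},
		{
			// An explicit non-root RunAsUserName overrides a root image user.
			desc: "Pass if image's user is root, container's RunAsUser is not root and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
				WindowsOptions: &v1.WindowsSecurityContextOptions{
					RunAsUserName: &anyUser,
				},
			},
			username: rootUser,
			fail:     false,
		},
		{
			desc: "Pass if image's user is root (case-insensitive), container's RunAsUser is not root and RunAsNonRoot is true",
			sc: &v1.SecurityContext{
				RunAsNonRoot: &runAsNonRootTrue,
				WindowsOptions: &v1.WindowsSecurityContextOptions{
					RunAsUserName: &anyUser,
				},
			},
			username: rootUserUppercase,
			fail:     false,
		},
	}

	for _, test := range tests {
		t.Run(test.desc, func(t *testing.T) {
			// Subtests run sequentially (no t.Parallel), so reusing the single
			// pod and overwriting its container's SecurityContext is safe.
			pod.Spec.Containers[0].SecurityContext = test.sc
			err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], test.uid, test.username)
			if test.fail {
				assert.Error(t, err, test.desc)
				return
			}
			assert.NoError(t, err, test.desc)
		})
	}
}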