aboutsummaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2022-05-09 16:37:34 +0200
committerGiuseppe Scrivano <gscrivan@redhat.com>2022-05-10 09:09:14 +0200
commit9e1ee081f8849cbba89fb0f79218812164527251 (patch)
tree8d8c161ebce56588faee0f79a04b7da8a84e2f43 /test
parent82a4b8f01c8061c022e7c9222746865a44f25d64 (diff)
downloadpodman-9e1ee081f8849cbba89fb0f79218812164527251.tar.gz
podman-9e1ee081f8849cbba89fb0f79218812164527251.tar.bz2
podman-9e1ee081f8849cbba89fb0f79218812164527251.zip
kube: honor pod security context IDs
If the RunAsUser, RunAsGroup, SupplementalGroups settings are not overriden in the container security context, then take the value from the pod security context. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'test')
-rw-r--r--test/e2e/play_kube_test.go100
1 files changed, 89 insertions, 11 deletions
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index fb01dc1e9..c627ada53 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -327,6 +327,11 @@ spec:
name: {{ .Name }}
{{ end }}
{{ end }}
+{{ if .SecurityContext }}
+ securityContext:
+ {{ if .RunAsUser }}runAsUser: {{ .RunAsUser }}{{- end }}
+ {{ if .RunAsGroup }}runAsGroup: {{ .RunAsGroup }}{{- end }}
+{{ end }}
containers:
{{ with .Ctrs }}
{{ range . }}
@@ -393,6 +398,8 @@ spec:
{{- end }}
{{ if .SecurityContext }}
securityContext:
+ {{ if .RunAsUser }}runAsUser: {{ .RunAsUser }}{{- end }}
+ {{ if .RunAsGroup }}runAsGroup: {{ .RunAsGroup }}{{- end }}
allowPrivilegeEscalation: true
{{ if .Caps }}
capabilities:
@@ -758,16 +765,19 @@ func withPVCAnnotations(k, v string) pvcOption {
// Pod describes the options a kube yaml can be configured at pod level
type Pod struct {
- Name string
- RestartPolicy string
- Hostname string
- HostNetwork bool
- HostAliases []HostAlias
- Ctrs []*Ctr
- InitCtrs []*Ctr
- Volumes []*Volume
- Labels map[string]string
- Annotations map[string]string
+ Name string
+ RestartPolicy string
+ Hostname string
+ HostNetwork bool
+ HostAliases []HostAlias
+ Ctrs []*Ctr
+ InitCtrs []*Ctr
+ Volumes []*Volume
+ Labels map[string]string
+ Annotations map[string]string
+ SecurityContext bool
+ RunAsUser string
+ RunAsGroup string
}
type HostAlias struct {
@@ -802,6 +812,24 @@ func getPod(options ...podOption) *Pod {
type podOption func(*Pod)
+func withPodSecurityContext(sc bool) podOption {
+ return func(p *Pod) {
+ p.SecurityContext = sc
+ }
+}
+
+func withPodRunAsUser(runAsUser string) podOption {
+ return func(p *Pod) {
+ p.RunAsUser = runAsUser
+ }
+}
+
+func withPodRunAsGroup(runAsGroup string) podOption {
+ return func(p *Pod) {
+ p.RunAsGroup = runAsGroup
+ }
+}
+
func withPodName(name string) podOption {
return func(pod *Pod) {
pod.Name = name
@@ -949,6 +977,8 @@ type Ctr struct {
Env []Env
EnvFrom []EnvFrom
InitCtrType string
+ RunAsUser string
+ RunAsGroup string
}
// getCtr takes a list of ctrOptions and returns a Ctr with sane defaults
@@ -1042,6 +1072,18 @@ func withSecurityContext(sc bool) ctrOption {
}
}
+func withRunAsUser(runAsUser string) ctrOption {
+ return func(c *Ctr) {
+ c.RunAsUser = runAsUser
+ }
+}
+
+func withRunAsGroup(runAsGroup string) ctrOption {
+ return func(c *Ctr) {
+ c.RunAsGroup = runAsGroup
+ }
+}
+
func withCapAdd(caps []string) ctrOption {
return func(c *Ctr) {
c.CapAdd = caps
@@ -1105,8 +1147,12 @@ func withEnvFrom(name, from string, optional bool) ctrOption {
}
}
+func makeCtrNameInPod(pod *Pod, containerName string) string {
+ return fmt.Sprintf("%s-%s", pod.Name, containerName)
+}
+
func getCtrNameInPod(pod *Pod) string {
- return fmt.Sprintf("%s-%s", pod.Name, defaultCtrName)
+ return makeCtrNameInPod(pod, defaultCtrName)
}
type HostPath struct {
@@ -3222,6 +3268,38 @@ invalid kube kind
Expect(ls.OutputToStringArray()).To(HaveLen(1))
})
+ It("podman play kube RunAsUser", func() {
+ ctr1Name := "ctr1"
+ ctr2Name := "ctr2"
+ ctr1 := getCtr(withName(ctr1Name), withSecurityContext(true), withRunAsUser("101"), withRunAsGroup("102"))
+ ctr2 := getCtr(withName(ctr2Name), withSecurityContext(true))
+
+ pod := getPod(
+ withCtr(ctr1),
+ withCtr(ctr2),
+ withPodSecurityContext(true),
+ withPodRunAsUser("103"),
+ withPodRunAsGroup("104"),
+ )
+
+ err := generateKubeYaml("pod", pod, kubeYaml)
+ Expect(err).To(BeNil())
+
+ cmd := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+ cmd.WaitWithDefaultTimeout()
+ Expect(cmd).Should(Exit(0))
+
+ // we expect the user:group as configured for the container
+ inspect := podmanTest.Podman([]string{"container", "inspect", "--format", "'{{.Config.User}}'", makeCtrNameInPod(pod, ctr1Name)})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.OutputToString()).To(Equal("'101:102'"))
+
+ // we expect the user:group as configured for the pod
+ inspect = podmanTest.Podman([]string{"container", "inspect", "--format", "'{{.Config.User}}'", makeCtrNameInPod(pod, ctr2Name)})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.OutputToString()).To(Equal("'103:104'"))
+ })
+
Describe("verify environment variables", func() {
var maxLength int
BeforeEach(func() {