Merge pull request #676 from phoenixking25/block_privilege_escalation

#401 [MTB] Added test for privilege escalation
kubernetes-retired · Jun 5, 2020 · 214476c · 214476c
2 parents 3ab5cfb + 3a166d6
commit 214476c
Show file tree

Hide file tree

Showing 2 changed files with 78 additions and 0 deletions.
diff --git a/benchmarks/e2e/tests/block_privilege_escalation/block_privilege_escalation.go b/benchmarks/e2e/tests/block_privilege_escalation/block_privilege_escalation.go
@@ -0,0 +1,77 @@
+package block_privilege_escalation
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/onsi/ginkgo"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/uuid"
+	"k8s.io/kubernetes/test/e2e/framework"
+	imageutils "k8s.io/kubernetes/test/utils/image"
+	configutil "sigs.k8s.io/multi-tenancy/benchmarks/e2e/config"
+)
+
+const (
+	expectedVal = "Allowing privilege escalation for containers is not allowed"
+)
+
+func MakeSecPod(Namespace string, AllowPrivilegeEscalation bool) *v1.Pod {
+	podName := "security-context-" + string(uuid.NewUUID())
+	podSpec := &v1.Pod{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Pod",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      podName,
+			Namespace: Namespace,
+		},
+		Spec: v1.PodSpec{
+			Containers: []v1.Container{
+				{
+					Name:    "write-pod",
+					Image:   imageutils.GetE2EImage(imageutils.BusyBox),
+					Command: []string{"/bin/sh"},
+					Args:    []string{"-c", ""},
+					SecurityContext: &v1.SecurityContext{
+						AllowPrivilegeEscalation: &AllowPrivilegeEscalation,
+					},
+				},
+			},
+			RestartPolicy: v1.RestartPolicyOnFailure,
+		},
+	}
+	return podSpec
+}
+
+var _ = framework.KubeDescribe("[PL1] [PL2] [PL3] Processes in tenant containers should not be allowed to gain additional priviliges", func() {
+	var config *configutil.BenchmarkConfig
+	var tenantA configutil.TenantSpec
+	var user string
+	var err error
+
+	ginkgo.BeforeEach(func() {
+		config, err = configutil.ReadConfig(configutil.ConfigPath)
+		framework.ExpectNoError(err)
+
+		tenantA, err = config.GetValidTenant()
+		framework.ExpectNoError(err)
+
+		user = configutil.GetContextFromKubeconfig(tenantA.Kubeconfig)
+	})
+
+	ginkgo.It("Validate tenants can not create pods/container with allowedprivilege set to true", func() {
+		ginkgo.By(fmt.Sprintf("tenant %s cannot create pod/container with with allowedprivilege set to true", user))
+
+		kclient := configutil.NewKubeClientWithKubeconfig(tenantA.Kubeconfig)
+
+		pod := MakeSecPod(tenantA.Namespace, true)
+		_, err = kclient.CoreV1().Pods(tenantA.Namespace).Create(pod)
+
+		if !strings.Contains(err.Error(), expectedVal) {
+			framework.Failf("%s must be unable to create pod/container that sets allowedprivileged to true", user)
+		}
+	})
+})
diff --git a/benchmarks/e2e/tests/e2e.go b/benchmarks/e2e/tests/e2e.go
@@ -17,6 +17,7 @@ import (
 	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_multitenant_resources"
 	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_ns_quotas"
 	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_other_tenant_resources"
+	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_privilege_escalation"
 	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_privileged_containers"
 	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/configure_ns_object_quotas"
 	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/configure_ns_quotas"