#401 [MTB] Added test for privilege escalation
1 parent
2f94410
commit 46886be
Showing
4 changed files
with
100 additions
and
36 deletions.
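--- a/benchmarks/e2e/tests/block_privilege_escalation/block_privilege_escalation.go
+++ b/benchmarks/e2e/tests/block_privilege_escalation/block_privilege_escalation.go
@@ -0,0 +1,78 @@
+package block_privilege_escalation
+
+import (
+"fmt"
+"strings"
+
+"github.com/onsi/ginkgo"
+v1 "k8s.io/api/core/v1"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/apimachinery/pkg/util/uuid"
+"k8s.io/kubernetes/test/e2e/framework"
+imageutils "k8s.io/kubernetes/test/utils/image"
+configutil "sigs.k8s.io/multi-tenancy/benchmarks/e2e/config"
+)
+
+const (
+expectedVal = "Allowing privilege escalation for containers is not allowed"
+)
+
+
+func MakeSecPod(Namespace string, AllowPrivilegeEscalation bool) (*v1.Pod) {
+podName := "security-context-" + string(uuid.NewUUID())
+podSpec := &v1.Pod{
+TypeMeta: metav1.TypeMeta{
+Kind: "Pod",
+APIVersion: "v1",
+},
+ObjectMeta: metav1.ObjectMeta{
+Name: podName,
+Namespace: Namespace,
+},
+Spec: v1.PodSpec{
+Containers: []v1.Container{
+{
+Name: "write-pod",
+Image: imageutils.GetE2EImage(imageutils.BusyBox),
+Command: []string{"/bin/sh"},
+Args: []string{"-c", ""},
+SecurityContext: &v1.SecurityContext{
+AllowPrivilegeEscalation: &AllowPrivilegeEscalation,
+},
+},
+},
+RestartPolicy: v1.RestartPolicyOnFailure,
+},
+}
+return podSpec
+}
+
+var _ = framework.KubeDescribe("Processes in tenant containers should not be allowed to gain additional priviliges", func() {
+var config *configutil.BenchmarkConfig
+var tenantA configutil.TenantSpec
+var user string
+var err error
+
+ginkgo.BeforeEach(func() {
+config, err = configutil.ReadConfig(configutil.ConfigPath)
+framework.ExpectNoError(err)
+
+tenantA, err = config.GetValidTenant()
+framework.ExpectNoError(err)
+
+user = configutil.GetContextFromKubeconfig(tenantA.Kubeconfig)
+})
+
+ginkgo.It("Validate tenants can not create pods/container with allowedprivilege set to true", func() {
+ginkgo.By(fmt.Sprintf("tenant %s cannot create pod/container with with allowedprivilege set to true", user))
+
+kclient := configutil.NewKubeClientWithKubeconfig(tenantA.Kubeconfig)
+
+pod := MakeSecPod(tenantA.Namespace, true)
+_, err = kclient.CoreV1().Pods(tenantA.Namespace).Create(pod)
+
+if !strings.Contains(err.Error(), expectedVal) {
+framework.Failf("%s must be unable to create pod/container that sets allowedprivileged to true", user)
+}
+})
+})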
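Review bot: The `It` body dereferences `err` without a nil check: when the cluster does not block the pod (the exact failure this benchmark exists to catch), `Create` returns a nil error, `err.Error()` panics with a nil-pointer dereference, and the run reports a crash instead of the meaningful "tenant was able to create a privilege-escalating pod" failure; the pod created in the tenant namespace is also left running. Guard the nil case first, delete the pod that was admitted, and only then inspect the message. Matching the fixed string in `expectedVal` also ties the check to one admission plugin's wording; where the admission controller differs the control may be enforced yet the test fails, so consider accepting a Forbidden status (`apierrors.IsForbidden(err)` from `k8s.io/apimachinery/pkg/api/errors`) alongside the message match. Minor: the `KubeDescribe` string misspells "privileges" and the `By` message repeats "with with"; `Namespace`/`AllowPrivilegeEscalation` as parameter names read as exported identifiers and would be `namespace`/`allowPrivilegeEscalation` in Go style.
```go
_, err = kclient.CoreV1().Pods(tenantA.Namespace).Create(pod)

if err == nil {
	// The pod was admitted: remove it so it does not keep running in the tenant namespace,
	// then fail with the benchmark's actual finding rather than panicking on err.Error().
	_ = kclient.CoreV1().Pods(tenantA.Namespace).Delete(pod.Name, &metav1.DeleteOptions{})
	framework.Failf("%s must be unable to create pod/container that sets allowedprivileged to true", user)
}
if !strings.Contains(err.Error(), expectedVal) {
	framework.Failf("%s must be unable to create pod/container that sets allowedprivileged to true", user)
}
```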