Skip to content
This repository has been archived by the owner on Jun 26, 2023. It is now read-only.

Commit

Permalink
#401 [MTB] Added test for privilege escalation
Browse files Browse the repository at this point in the history
  • Loading branch information
phoenixking25 committed Apr 27, 2020
1 parent 2f94410 commit 46886be
Show file tree
Hide file tree
Showing 4 changed files with 100 additions and 36 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
package block_privilege_escalation

import (
"fmt"
"strings"

"github.com/onsi/ginkgo"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/uuid"
"k8s.io/kubernetes/test/e2e/framework"
imageutils "k8s.io/kubernetes/test/utils/image"
configutil "sigs.k8s.io/multi-tenancy/benchmarks/e2e/config"
)

const (
expectedVal = "Allowing privilege escalation for containers is not allowed"
)


func MakeSecPod(Namespace string, AllowPrivilegeEscalation bool) (*v1.Pod) {
podName := "security-context-" + string(uuid.NewUUID())
podSpec := &v1.Pod{
TypeMeta: metav1.TypeMeta{
Kind: "Pod",
APIVersion: "v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: podName,
Namespace: Namespace,
},
Spec: v1.PodSpec{
Containers: []v1.Container{
{
Name: "write-pod",
Image: imageutils.GetE2EImage(imageutils.BusyBox),
Command: []string{"/bin/sh"},
Args: []string{"-c", ""},
SecurityContext: &v1.SecurityContext{
AllowPrivilegeEscalation: &AllowPrivilegeEscalation,
},
},
},
RestartPolicy: v1.RestartPolicyOnFailure,
},
}
return podSpec
}

var _ = framework.KubeDescribe("Processes in tenant containers should not be allowed to gain additional priviliges", func() {
var config *configutil.BenchmarkConfig
var tenantA configutil.TenantSpec
var user string
var err error

ginkgo.BeforeEach(func() {
config, err = configutil.ReadConfig(configutil.ConfigPath)
framework.ExpectNoError(err)

tenantA, err = config.GetValidTenant()
framework.ExpectNoError(err)

user = configutil.GetContextFromKubeconfig(tenantA.Kubeconfig)
})

ginkgo.It("Validate tenants can not create pods/container with allowedprivilege set to true", func() {
ginkgo.By(fmt.Sprintf("tenant %s cannot create pod/container with with allowedprivilege set to true", user))

kclient := configutil.NewKubeClientWithKubeconfig(tenantA.Kubeconfig)

pod := MakeSecPod(tenantA.Namespace, true)
_, err = kclient.CoreV1().Pods(tenantA.Namespace).Create(pod)

if !strings.Contains(err.Error(), expectedVal) {
framework.Failf("%s must be unable to create pod/container that sets allowedprivileged to true", user)
}
})
})
1 change: 1 addition & 0 deletions benchmarks/e2e/tests/e2e.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ import (
_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_multitenant_resources"
_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_ns_quotas"
_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_other_tenant_resources"
_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_privilege_escalation"
_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_privileged_containers"
_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/configure_ns_quotas"
_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/create_role_bindings"
Expand Down
32 changes: 0 additions & 32 deletions benchmarks/go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -3,73 +3,41 @@ module sigs.k8s.io/multi-tenancy/benchmarks
go 1.12

require (
github.com/BurntSushi/toml v0.3.1 // indirect
github.com/Microsoft/go-winio v0.4.14 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver v3.5.0+incompatible // indirect
github.com/coreos/etcd v3.3.15+incompatible // indirect
github.com/coreos/go-systemd v0.0.0-20190620071333-e64a0ec8b42a // indirect
github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/docker/distribution v2.7.1+incompatible // indirect
github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c // indirect
github.com/evanphx/json-patch v4.5.0+incompatible // indirect
github.com/fsnotify/fsnotify v1.4.7 // indirect
github.com/gogo/protobuf v1.3.1 // indirect
github.com/golang/groupcache v0.0.0-20191027212112-611e8accdfc9 // indirect
github.com/golang/protobuf v1.3.2 // indirect
github.com/google/go-cmp v0.3.1 // indirect
github.com/google/gofuzz v1.0.0 // indirect
github.com/google/uuid v1.1.1 // indirect
github.com/googleapis/gnostic v0.3.1 // indirect
github.com/hashicorp/golang-lru v0.5.3 // indirect
github.com/hpcloud/tail v1.0.0 // indirect
github.com/imdario/mergo v0.3.8 // indirect
github.com/json-iterator/go v1.1.8 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.1 // indirect
github.com/onsi/ginkgo v1.10.3
github.com/onsi/gomega v1.7.1
github.com/opencontainers/go-digest v1.0.0-rc1 // indirect
github.com/pborman/uuid v1.2.0 // indirect
github.com/pkg/errors v0.8.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/prometheus/client_golang v1.0.0 // indirect
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4 // indirect
github.com/prometheus/common v0.7.0 // indirect
github.com/prometheus/procfs v0.0.5 // indirect
github.com/realshuting/multi-tenancy-benchmarks v0.0.0-20191028041724-a27250830445 // indirect
github.com/spf13/afero v1.2.2 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/stretchr/testify v1.4.0 // indirect
go.uber.org/atomic v1.5.0 // indirect
go.uber.org/multierr v1.3.0 // indirect
go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee // indirect
go.uber.org/zap v1.12.0 // indirect
golang.org/x/crypto v0.0.0-20191029031824-8986dd9e96cf // indirect
golang.org/x/lint v0.0.0-20190930215403-16217165b5de // indirect
golang.org/x/net v0.0.0-20191028085509-fe3aa8a45271 // indirect
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 // indirect
golang.org/x/sys v0.0.0-20191029155521-f43be2a4598c // indirect
golang.org/x/text v0.3.2 // indirect
golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
golang.org/x/tools v0.0.0-20191031160344-02d0efc0fb61 // indirect
google.golang.org/appengine v1.6.5 // indirect
google.golang.org/genproto v0.0.0-20191028173616-919d9bdd9fe6 // indirect
google.golang.org/grpc v1.24.0 // indirect
gopkg.in/fsnotify.v1 v1.4.7 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/square/go-jose.v2 v2.4.0 // indirect
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
gopkg.in/yaml.v2 v2.2.4
honnef.co/go/tools v0.0.1-2019.2.3 // indirect
k8s.io/api v0.0.0
k8s.io/apimachinery v0.0.0
k8s.io/client-go v0.0.0
k8s.io/component-base v0.0.0
k8s.io/kubernetes v1.16.2
sigs.k8s.io/yaml v1.1.0 // indirect
)

replace (
Expand Down
Loading

0 comments on commit 46886be

Please sign in to comment.