Merge pull request #655 from SomtochiAma/block_add_capabilities

Block add capabilities
kubernetes-retired · May 6, 2020 · 87d1844 · 87d1844
2 parents d90677d + de1731c
commit 87d1844
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 37 deletions.
diff --git a/benchmarks/config.yaml b/benchmarks/config.yaml
@@ -1,16 +1,16 @@
 # # path to cluster administrator's kubeconfig file
-# adminKubeconfig: 
+# adminKubeconfig:
 
 # # path to the tenant's kubeconfig and its namespace
 # tenantA:
-#   kubeconfig: 
-#   namespace: 
+#   kubeconfig:
+#   namespace:
 
 # # path to the tenant's kubeconfig and its namespace
 # tenantB:
-#   kubeconfig: 
-#   namespace: 
+#   kubeconfig:
+#   namespace:
 
-# # label is used to identify the resources 
+# # label is used to identify the resources
 # # managed by the cluster administrator
 # label:
diff --git a/benchmarks/e2e/tests/block_add_capabilities/block_add_capabilities.go b/benchmarks/e2e/tests/block_add_capabilities/block_add_capabilities.go
@@ -0,0 +1,69 @@
+package tenantaccess
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"strings"
+	"github.com/onsi/ginkgo"
+
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/kubernetes/test/e2e/framework"
+	configutil "sigs.k8s.io/multi-tenancy/benchmarks/e2e/config"
+	imageutils "k8s.io/kubernetes/test/utils/image"
+
+)
+
+const (
+	expectedVal = "capability may not be added"
+)
+
+var _ = framework.KubeDescribe("Tenants should unable to add linux capabilities for pods", func() {
+	var config *configutil.BenchmarkConfig
+	var tenantA configutil.TenantSpec
+	var user string
+	var err error
+
+	ginkgo.BeforeEach(func() {
+		config, err = configutil.ReadConfig(configutil.ConfigPath)
+		framework.ExpectNoError(err)
+
+		tenantA, err = config.GetValidTenant()
+		framework.ExpectNoError(err)
+		user = configutil.GetContextFromKubeconfig(tenantA.Kubeconfig)
+	})
+
+	ginkgo.It("validate tenants can't create containers with add capabilities", func() {
+		kclient := configutil.NewKubeClientWithKubeconfig(tenantA.Kubeconfig)
+		BusyBoxImage := imageutils.GetE2EImage(imageutils.BusyBox)
+		podSpec := &v1.Pod{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "Pod",
+				APIVersion: "v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				GenerateName: "multitenant-tester",
+				Namespace:    tenantA.Namespace,
+			},
+			Spec: v1.PodSpec{
+				Containers: []v1.Container{
+					{
+						Name:    "write-pod",
+						Image:   BusyBoxImage,
+						Command: []string{"/bin/sh"},
+						Args:    []string{"-c", "trap exit TERM; while true; do sleep 1; done"},
+						SecurityContext: &v1.SecurityContext{
+							Capabilities: &v1.Capabilities{
+								Add: []v1.Capability{
+									"SETPCAP",
+								},
+							},
+						},
+					},
+				},
+			},
+		}
+		_, err = kclient.CoreV1().Pods(tenantA.Namespace).Create(podSpec)
+		if !strings.Contains(err.Error(),expectedVal) {
+			framework.Failf("%s must be unable to create pod with add capabilities", user)
+		}
+	})
+})
diff --git a/benchmarks/e2e/tests/e2e.go b/benchmarks/e2e/tests/e2e.go
@@ -10,6 +10,9 @@ import (
 
 	// test sources
 	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_cluster_resources"
+	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/configure_ns_quotas"
+	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_privileged_containers"
+	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_add_capabilities"
 	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_host_pid"
 	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_multitenant_resources"
 	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_ns_quotas"

diff --git a/benchmarks/go.mod b/benchmarks/go.mod
@@ -3,73 +3,42 @@ module sigs.k8s.io/multi-tenancy/benchmarks
 go 1.12
 
 require (
-	github.com/BurntSushi/toml v0.3.1 // indirect
 	github.com/Microsoft/go-winio v0.4.14 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/blang/semver v3.5.0+incompatible // indirect
-	github.com/coreos/etcd v3.3.15+incompatible // indirect
 	github.com/coreos/go-systemd v0.0.0-20190620071333-e64a0ec8b42a // indirect
-	github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/distribution v2.7.1+incompatible // indirect
 	github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c // indirect
 	github.com/evanphx/json-patch v4.5.0+incompatible // indirect
-	github.com/fsnotify/fsnotify v1.4.7 // indirect
 	github.com/gogo/protobuf v1.3.1 // indirect
 	github.com/golang/groupcache v0.0.0-20191027212112-611e8accdfc9 // indirect
-	github.com/golang/protobuf v1.3.2 // indirect
 	github.com/google/go-cmp v0.3.1 // indirect
-	github.com/google/gofuzz v1.0.0 // indirect
-	github.com/google/uuid v1.1.1 // indirect
 	github.com/googleapis/gnostic v0.3.1 // indirect
 	github.com/hashicorp/golang-lru v0.5.3 // indirect
-	github.com/hpcloud/tail v1.0.0 // indirect
 	github.com/imdario/mergo v0.3.8 // indirect
 	github.com/json-iterator/go v1.1.8 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.1 // indirect
 	github.com/onsi/ginkgo v1.10.3
 	github.com/onsi/gomega v1.7.1
-	github.com/opencontainers/go-digest v1.0.0-rc1 // indirect
-	github.com/pborman/uuid v1.2.0 // indirect
-	github.com/pkg/errors v0.8.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.0.0 // indirect
 	github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4 // indirect
 	github.com/prometheus/common v0.7.0 // indirect
 	github.com/prometheus/procfs v0.0.5 // indirect
 	github.com/realshuting/multi-tenancy-benchmarks v0.0.0-20191028041724-a27250830445 // indirect
-	github.com/spf13/afero v1.2.2 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/testify v1.4.0 // indirect
-	go.uber.org/atomic v1.5.0 // indirect
-	go.uber.org/multierr v1.3.0 // indirect
-	go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee // indirect
 	go.uber.org/zap v1.12.0 // indirect
 	golang.org/x/crypto v0.0.0-20191029031824-8986dd9e96cf // indirect
-	golang.org/x/lint v0.0.0-20190930215403-16217165b5de // indirect
 	golang.org/x/net v0.0.0-20191028085509-fe3aa8a45271 // indirect
-	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 // indirect
 	golang.org/x/sys v0.0.0-20191029155521-f43be2a4598c // indirect
-	golang.org/x/text v0.3.2 // indirect
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
 	golang.org/x/tools v0.0.0-20191031160344-02d0efc0fb61 // indirect
 	google.golang.org/appengine v1.6.5 // indirect
 	google.golang.org/genproto v0.0.0-20191028173616-919d9bdd9fe6 // indirect
 	google.golang.org/grpc v1.24.0 // indirect
-	gopkg.in/fsnotify.v1 v1.4.7 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/square/go-jose.v2 v2.4.0 // indirect
-	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.2.4
-	honnef.co/go/tools v0.0.1-2019.2.3 // indirect
 	k8s.io/api v0.0.0
 	k8s.io/apimachinery v0.0.0
 	k8s.io/client-go v0.0.0
 	k8s.io/component-base v0.0.0
 	k8s.io/kubernetes v1.16.2
-	sigs.k8s.io/yaml v1.1.0 // indirect
 )
 
 replace (