Merge pull request #620 from phoenixking25/block_host_path

#404 added test for block use of bind mounts
kubernetes-retired · Jun 7, 2020 · b1badb0 · b1badb0
2 parents add0b3c + 8cac13d
commit b1badb0
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 0 deletions.
diff --git a/benchmarks/e2e/tests/block_bind_mounts/block_bind_mounts.go b/benchmarks/e2e/tests/block_bind_mounts/block_bind_mounts.go
@@ -0,0 +1,53 @@
+package block_bind_mounts
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/onsi/ginkgo"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/kubernetes/test/e2e/framework"
+	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+	configutil "sigs.k8s.io/multi-tenancy/benchmarks/e2e/config"
+)
+
+const (
+	expectedVal = "Host path volumes are not allowed"
+)
+
+var _ = framework.KubeDescribe("[PL1] [PL2] [PL3] Tenants should not be able to mount host volumes and folders", func() {
+	var config *configutil.BenchmarkConfig
+	var tenantA configutil.TenantSpec
+	var user string
+	var err error
+	var InlineVolumeSources = []*v1.VolumeSource{
+		{
+			HostPath: &v1.HostPathVolumeSource{
+				Path: "/tmp/busybox",
+			},
+		},
+	}
+
+	ginkgo.BeforeEach(func() {
+		config, err = configutil.ReadConfig(configutil.ConfigPath)
+		framework.ExpectNoError(err)
+
+		tenantA, err = config.GetValidTenant()
+		framework.ExpectNoError(err)
+
+		user = configutil.GetContextFromKubeconfig(tenantA.Kubeconfig)
+	})
+
+	ginkgo.It("Tenants should not be able to mount host volumes and folders", func() {
+		ginkgo.By(fmt.Sprintf("Tenant %s should not be able to mount host volumes and folders", user))
+
+		pod := e2epod.MakeSecPod(tenantA.Namespace, nil, InlineVolumeSources, false, "", false, false, nil, nil)
+
+		kclient := configutil.NewKubeClientWithKubeconfig(tenantA.Kubeconfig)
+		_, err = kclient.CoreV1().Pods(tenantA.Namespace).Create(pod)
+
+		if !strings.Contains(err.Error(), expectedVal) {
+			framework.Failf("%s must be unable to create pod with host-path volume", user)
+		}
+	})
+})
diff --git a/benchmarks/e2e/tests/e2e.go b/benchmarks/e2e/tests/e2e.go
@@ -10,6 +10,7 @@ import (
 
 	// test sources
 	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_add_capabilities"
+	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_bind_mounts"
 	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_cluster_resources"
 	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_host_ipc"
 	_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_host_pid"

diff --git a/benchmarks/go.sum b/benchmarks/go.sum
@@ -666,6 +666,7 @@ modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03
 modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs=
 modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I=
 sigs.k8s.io/kustomize v2.0.3+incompatible/go.mod h1:MkjgH3RdOWrievjo6c9T245dYlB5QeXV4WCbnt/PEpU=
+sigs.k8s.io/multi-tenancy v0.0.0-20200511084551-34a25e2335ba h1:mxTTbwfGpJkOQc+XkbPDHtv7OAz/i0mOR9XD/hmpQPk=
 sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
 sigs.k8s.io/structured-merge-diff v0.0.0-20190817042607-6149e4549fca/go.mod h1:IIgPezJWb76P0hotTxzDbWsMYB8APh18qZnxkomBpxA=
 sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=