
Merge pull request #75164 from krmayankk/runasgroup

add missing psp e2e tests for runasgroup
k8s-ci-robot committed Mar 14, 2019
2 parents 118e33d + c4e0ede commit 897d62ace79a8fa72f9825e065b2b67fdba65bec
Showing with 27 additions and 1 deletion.
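--- a/test/e2e/auth/pod_security_policy.go
+++ b/test/e2e/auth/pod_security_policy.go
@@ -40,6 +40,8 @@ import (
 . "github.com/onsi/gomega"
 )
 
+const nobodyUser = int64(65534)
+
 var _ = SIGDescribe("PodSecurityPolicy", func() {
 f := framework.NewDefaultFramework("podsecuritypolicy")
 f.SkipPrivilegedPSPBinding = true
@@ -186,6 +188,21 @@ func testPrivilegedPods(tester func(pod *v1.Pod)) {
 sysadmin.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = nil
 tester(sysadmin)
 })
+
+By("Running a RunAsGroup pod", func() {
+sysadmin := restrictedPod("runasgroup")
+gid := int64(0)
+sysadmin.Spec.Containers[0].SecurityContext.RunAsGroup = &gid
+tester(sysadmin)
+})
+
+By("Running a RunAsUser pod", func() {
+sysadmin := restrictedPod("runasuser")
+uid := int64(0)
+sysadmin.Spec.Containers[0].SecurityContext.RunAsUser = &uid
+tester(sysadmin)
+})
+
 }
 
 // createAndBindPSP creates a PSP in the policy API group.
@@ -244,7 +261,8 @@ func restrictedPod(name string) *v1.Pod {
 Image: imageutils.GetPauseImageName(),
 SecurityContext: &v1.SecurityContext{
 AllowPrivilegeEscalation: boolPtr(false),
-RunAsUser: utilpointer.Int64Ptr(65534),
+RunAsUser: utilpointer.Int64Ptr(nobodyUser),
+RunAsGroup: utilpointer.Int64Ptr(nobodyUser),
 },
 }},
 },
@@ -270,6 +288,9 @@ func privilegedPSP(name string) *policy.PodSecurityPolicy {
 RunAsUser: policy.RunAsUserStrategyOptions{
 Rule: policy.RunAsUserStrategyRunAsAny,
 },
+RunAsGroup: &policy.RunAsGroupStrategyOptions{
+Rule: policy.RunAsGroupStrategyRunAsAny,
+},
 SELinux: policy.SELinuxStrategyOptions{
 Rule: policy.SELinuxStrategyRunAsAny,
 },
@@ -325,6 +346,11 @@ func restrictedPSP(name string) *policy.PodSecurityPolicy {
 RunAsUser: policy.RunAsUserStrategyOptions{
 Rule: policy.RunAsUserStrategyMustRunAsNonRoot,
 },
+RunAsGroup: &policy.RunAsGroupStrategyOptions{
+Rule: policy.RunAsGroupStrategyMustRunAs,
+Ranges: []policy.IDRange{
+{Min: nobodyUser, Max: nobodyUser}},
+},
 SELinux: policy.SELinuxStrategyOptions{
 Rule: policy.SELinuxStrategyRunAsAny,
 },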
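Review bot: The two cases added to `testPrivilegedPods` only set the ID to 0, so the `MustRunAs` range that `restrictedPSP` now carries for `RunAsGroup` (`{Min: nobodyUser, Max: nobodyUser}`) is checked against the root group alone. If the callers outside these hunks use the cases to assert rejection under the restricted policy, one more case with a non-zero gid outside the range (a constructed value such as `gid := int64(1000)`) would show that the range itself is enforced, and a pod that leaves `RunAsGroup` unset would cover the path where the policy has to supply the group. Separately, `nobodyUser` is used as a group ID in `restrictedPod` and in the range; a `nobodyGroup` constant, and pod variables named for what they test instead of the copied `sysadmin`, would keep later edits from changing the UID and GID policy together by accident. The bodies of `testPrivilegedPods`, `restrictedPod` and `restrictedPSP` start and end outside the hunks shown.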
