MustRunAsNonRoot should reject a pod if it has non-numeric USER #56503
@@ -105,7 +105,8 @@ func TestVerifyRunAsNonRoot(t *testing.T) { | |
}, | ||
} { | ||
pod.Spec.Containers[0].SecurityContext = test.sc | ||
err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], int64(0)) | ||
uid := int64(0) | ||
err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], &uid, "") | ||
add also test with verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], nil, "test") ?

We have one test already and it should be enough to get this merged. In order to not block this PR, I'm going to add a test next week as a follow-up. @liggitt didn't object to this.
||
if test.fail { | ||
assert.Error(t, err, test.desc) | ||
} else { | ||
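Review bot: the updated call `err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], &uid, "")` only exercises the numeric-uid path (uid 0, empty username), while the PR title says a non-numeric USER must now be rejected; the table should also carry entries that pass `nil, "test"` (the case raised in the inline comment) and `nil, ""`, so the new username branch and the undetermined-user case are checked here rather than deferred to a follow-up.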
two questions for @kubernetes/sig-node-pr-reviews
I don't know the answers for sure but I'd expect that the behavior will mimic Docker: in this case the container will be run with uid zero, and it isn't valid when runAsNonRoot is specified. AFAIU the uid is translated to the --user option and overrides USER from the Dockerfile:
I'd expect that to be invalid as well, so we'd need this case:
@sjenning, does that sound right to you?
old code behavior was
looks to me that the old behaviour is maintained in this refactor.
I can add it but it should never happen because GetImageUser, which we use for getting the uid/username, returns uid zero when the uid/username couldn't be determined:
kubernetes/pkg/kubelet/kuberuntime/helpers.go, lines 130 to 150 in a0ed616
ok, this is fine as-is then
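The decision the thread converges on, written out as an added Go example that is not the kubelet's own code: SecurityContext is an assumed stand-in for the effective pod/container settings, imageUser is an assumed simplification of how the image USER is resolved (unset falls back to uid 0, as the thread says GetImageUser does), and verifyRunAsNonRoot applies the rules discussed above, including the runAsUser override and the non-numeric USER rejection.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Assumed stand-in for the effective securityContext fields read here (not the k8s API type).
type SecurityContext struct {
	RunAsUser    *int64
	RunAsNonRoot *bool
}

// imageUser is an assumed simplification of resolving the image USER: numeric -> uid,
// non-numeric -> name only, unset -> uid 0 (the fallback the thread quotes).
func imageUser(user string) (*int64, string) {
	if user == "" {
		zero := int64(0)
		return &zero, ""
	}
	if uid, err := strconv.ParseInt(user, 10, 64); err == nil {
		return &uid, ""
	}
	return nil, user
}

// verifyRunAsNonRoot reproduces the decision discussed in the thread.
func verifyRunAsNonRoot(sc *SecurityContext, uid *int64, username string) error {
	if sc == nil || sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
		return nil // policy not requested, nothing to enforce
	}
	// runAsUser becomes the runtime's --user and overrides the image USER, so it decides alone.
	if sc.RunAsUser != nil {
		if *sc.RunAsUser == 0 {
			return errors.New("runAsUser 0 breaks non-root policy")
		}
		return nil
	}
	switch {
	case uid != nil && *uid == 0:
		return errors.New("image USER resolves to uid 0")
	case uid == nil && username != "":
		return fmt.Errorf("image has non-numeric USER %q, cannot verify non-root", username)
	case uid == nil:
		return errors.New("image user could not be determined") // defensive
	}
	return nil
}
```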