Merge pull request #141 from feiskyer/no-new-privs-validation

Add validation for NoNewPrivs
kubernetes-sigs · Sep 23, 2017 · 055ff3b · 055ff3b
2 parents 1a56c31 + b091a22
commit 055ff3b
Showing 1 changed file with 65 additions and 0 deletions.
diff --git a/pkg/validate/security_context.go b/pkg/validate/security_context.go
@@ -38,6 +38,7 @@ import (
 const (
 	nginxContainerImage string = "nginx"
 	localhost           string = "localhost/"
+	noNewPrivsImage     string = "gcr.io/google_containers/nonewprivs:1.2"
 )
 
 var _ = framework.KubeDescribe("Security Context", func() {
@@ -599,6 +600,70 @@ var _ = framework.KubeDescribe("Security Context", func() {
 			})
 		})
 	})
+
+	Context("NoNewPrivs", func() {
+		var podID, logPath string
+		var podConfig *runtimeapi.PodSandboxConfig
+
+		BeforeEach(func() {
+			podID, podConfig, logPath = createPodSandboxWithLogDirectory(rc)
+		})
+
+		AfterEach(func() {
+			By("stop PodSandbox")
+			rc.StopPodSandbox(podID)
+			By("delete PodSandbox")
+			rc.RemovePodSandbox(podID)
+			By("clean up the log dir")
+			os.RemoveAll(logPath)
+		})
+
+		createContainerWithNoNewPrivs := func(name string, noNewPrivs bool, uid int64) string {
+			By(fmt.Sprintf("create container %s", name))
+			containerConfig := &runtimeapi.ContainerConfig{
+				Metadata: framework.BuildContainerMetadata(name, framework.DefaultAttempt),
+				Image:    &runtimeapi.ImageSpec{Image: noNewPrivsImage},
+				Linux: &runtimeapi.LinuxContainerConfig{
+					SecurityContext: &runtimeapi.LinuxContainerSecurityContext{
+						NoNewPrivs: noNewPrivs,
+						RunAsUser: &runtimeapi.Int64Value{
+							Value: uid,
+						},
+					},
+				},
+				LogPath: fmt.Sprintf("%s.log", name),
+			}
+			containerID := framework.CreateContainer(rc, ic, containerConfig, podID, podConfig)
+
+			// wait container started and check the status.
+			startContainer(rc, containerID)
+			Eventually(func() runtimeapi.ContainerState {
+				return getContainerStatus(rc, containerID).State
+			}, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_EXITED))
+
+			return containerID
+		}
+		matchOutput := func(name, output string) {
+			By("check container's output")
+			expectedLog := &logMessage{
+				log:    []byte(output + "\n"),
+				stream: stdoutType,
+			}
+			verifyLogContents(podConfig, fmt.Sprintf("%s.log", name), expectedLog)
+		}
+
+		It("should not allow privilege escalation when true", func() {
+			containerName := "alpine-nnp-true-" + string(framework.NewUUID())
+			createContainerWithNoNewPrivs(containerName, true, 1000)
+			matchOutput(containerName, "Effective uid: 1000")
+		})
+
+		It("should allow privilege escalation when false", func() {
+			containerName := "alpine-nnp-false-" + string(framework.NewUUID())
+			createContainerWithNoNewPrivs(containerName, false, 1000)
+			matchOutput(containerName, "Effective uid: 0")
+		})
+	})
 })
 
 // createRunAsUserContainer creates the container with specified RunAsUser in ContainerConfig.