Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add new test to critest for privileged container #377

Merged
merged 1 commit into from
Sep 17, 2018
Merged

Add new test to critest for privileged container #377

merged 1 commit into from
Sep 17, 2018

Conversation

umohnani8
Copy link
Contributor

Test ensures that when a privileged container is run,
the mount label persists and is in the right format.
Also checks the process label.

Adds test for cri-o/cri-o#1781

Signed-off-by: Urvashi Mohnani [email protected]

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Sep 12, 2018
@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Sep 12, 2018
@umohnani8
Copy link
Contributor Author

@mrunalp PTAL

runcom
runcom reviewed Sep 12, 2018
View reviewed changes
pkg/validate/security_context.go Outdated
Expect(err).NotTo(HaveOccurred(), msg)

if privileged {
Expect(string(stdout)).To(ContainSubstring("system_r:spc_t"))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure all this is going to work on non rhel systems (like fedora).

btw, I was thinking about having 2 separate tests:

  • mount label: just have a cmd for the pod that does ls -ldZ / and make sure level is applied even if privileged
  • process label: just have a cmd that cat /proc/self/attr/current

all of that to avoid having pods running top

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For mount_label we can grep for it in /proc/1/mountinfo.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The tests failed on Travis (based on Ubuntu):

Expected
        <string>: lrwxrwxrwx 1 root root ? 7 Feb  7  2018 bin -> usr/bin
    to contain substring
        <string>: object_r:container_file_t
    /home/travis/gopath/src/github.com/kubernetes-sigs/cri-tools/pkg/validate/security_context.go:1161

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The labels work fine on my fedora 28. Also split the it into 2 separate tests.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ubuntu doesn't have selinux enabled/installed by default for sure

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@runcom I moved the test to selinux_linux.go, which checks if selinux is enabled before running the tests. That should be good right?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yup yup! sorry overlooked that 👍

feiskyer
feiskyer reviewed Sep 13, 2018
View reviewed changes
pkg/validate/security_context.go Outdated
@@ -451,6 +451,24 @@ var _ = framework.KubeDescribe("Security Context", func() {
checkNetworkManagement(rc, containerID, notPrivileged)
})

It("selinux mount label should persist when container is privileged", func() {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could you move this case to selinux_linux.go?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved.

@umohnani8
Add new test to critest for privileged container
d2c7e3d 
Test ensures that when a privileged container is run,
the mount label persists and is in the right format.
Also checks the process label.

Signed-off-by: Urvashi Mohnani <[email protected]>
@feiskyer
Copy link
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 14, 2018
@feiskyer
Copy link
Member

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: feiskyer, umohnani8

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 17, 2018
@k8s-ci-robot k8s-ci-robot merged commit 3306a4d into kubernetes-sigs:master Sep 17, 2018
@umohnani8 umohnani8 mentioned this pull request Mar 1, 2019
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@runcom runcom runcom left review comments

@feiskyer feiskyer feiskyer left review comments

@mrunalp mrunalp mrunalp left review comments

@Random-Liu Random-Liu Awaiting requested review from Random-Liu

Assignees

@feiskyer feiskyer

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@umohnani8 @feiskyer @k8s-ci-robot @mrunalp @runcom