func testSCCAdmit(testCaseName string, sccs []*kapi.SecurityContextConstraints, pod *kapi.Pod, shouldPass bool, t *testing.T) { namespace := admissiontesting.CreateNamespaceForTest() serviceAccount := admissiontesting.CreateSAForTest() tc := clientsetfake.NewSimpleClientset(namespace, serviceAccount) cache := &oscache.IndexerToSecurityContextConstraintsLister{ Indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}), } for _, scc := range sccs { cache.Add(scc) } plugin := NewTestAdmission(cache, tc) attrs := kadmission.NewAttributesRecord(pod, nil, kapi.Kind("Pod").WithVersion("version"), pod.Namespace, pod.Name, kapi.Resource("pods").WithVersion("version"), "", kadmission.Create, &user.DefaultInfo{}) err := plugin.Admit(attrs) if shouldPass && err != nil { t.Errorf("%s expected no errors but received %v", testCaseName, err) } if !shouldPass && err == nil { t.Errorf("%s expected errors but received none", testCaseName) } }
func TestAllowed(t *testing.T) { testcases := map[string]struct { sccs []*kapi.SecurityContextConstraints // patch function modify nominal PodSecurityPolicySubjectReview request patch func(p *securityapi.PodSecurityPolicySubjectReview) check func(p *securityapi.PodSecurityPolicySubjectReview) (bool, string) }{ "nominal case": { sccs: []*kapi.SecurityContextConstraints{ admissionttesting.UserScc("bar"), admissionttesting.UserScc("foo"), }, check: func(p *securityapi.PodSecurityPolicySubjectReview) (bool, string) { // must be different due defaulting return p.Status.Template.Spec.SecurityContext != nil, "Status.Template should be defaulted" }, }, // if PodTemplateSpec.Spec.ServiceAccountName is empty it will not be defaulted "empty service account name": { sccs: []*kapi.SecurityContextConstraints{ admissionttesting.UserScc("bar"), admissionttesting.UserScc("foo"), }, patch: func(p *securityapi.PodSecurityPolicySubjectReview) { p.Spec.Template.Spec.ServiceAccountName = "" // empty SA in podSpec }, check: func(p *securityapi.PodSecurityPolicySubjectReview) (bool, string) { return p.Status.Template.Spec.SecurityContext == nil, "Status.PodTemplateSpec should not be defaulted" }, }, // If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups. "user - no group": { sccs: []*kapi.SecurityContextConstraints{ admissionttesting.UserScc("bar"), admissionttesting.UserScc("foo"), }, patch: func(p *securityapi.PodSecurityPolicySubjectReview) { p.Spec.Groups = nil }, }, // If User and Groups are empty, then the check is performed using *only* the ServiceAccountName in the PodTemplateSpec. "no user - no group": { sccs: []*kapi.SecurityContextConstraints{ admissionttesting.UserScc("bar"), admissionttesting.UserScc("foo"), saSCC(), }, patch: func(p *securityapi.PodSecurityPolicySubjectReview) { p.Spec.Groups = nil p.Spec.User = "" }, }, } namespace := admissionttesting.CreateNamespaceForTest() for testName, testcase := range testcases { serviceAccount := admissionttesting.CreateSAForTest() reviewRequest := &securityapi.PodSecurityPolicySubjectReview{ Spec: securityapi.PodSecurityPolicySubjectReviewSpec{ Template: kapi.PodTemplateSpec{ Spec: kapi.PodSpec{ Containers: []kapi.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent"}}, RestartPolicy: kapi.RestartPolicyAlways, SecurityContext: &kapi.PodSecurityContext{}, DNSPolicy: kapi.DNSClusterFirst, ServiceAccountName: "default", }, }, User: "******", Groups: []string{"bar", "baz"}, }, } if testcase.patch != nil { testcase.patch(reviewRequest) // local modification of the nominal case } cache := &oscache.IndexerToSecurityContextConstraintsLister{ Indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}), } for _, scc := range testcase.sccs { if err := cache.Add(scc); err != nil { t.Fatalf("error adding sccs to store: %v", err) } } csf := clientsetfake.NewSimpleClientset(namespace, serviceAccount) storage := REST{oscc.NewDefaultSCCMatcher(cache), csf} ctx := kapi.WithNamespace(kapi.NewContext(), kapi.NamespaceAll) obj, err := storage.Create(ctx, reviewRequest) if err != nil { t.Errorf("%s - Unexpected error: %v", testName, err) continue } pspsr, ok := obj.(*securityapi.PodSecurityPolicySubjectReview) if !ok { t.Errorf("%s - Unable to convert created runtime.Object to PodSecurityPolicySubjectReview", testName) continue } if testcase.check != nil { if ok, message := testcase.check(pspsr); !ok { t.Errorf("testcase '%s' is failing: %s", testName, message) } } if pspsr.Status.AllowedBy == nil { t.Errorf("testcase '%s' is failing AllowedBy shoult be not nil\n", testName) } } }
func TestRequests(t *testing.T) { testcases := map[string]struct { request *securityapi.PodSecurityPolicySubjectReview sccs []*kapi.SecurityContextConstraints serviceAccount *kapi.ServiceAccount errorMessage string }{ "invalid request": { request: &securityapi.PodSecurityPolicySubjectReview{ Spec: securityapi.PodSecurityPolicySubjectReviewSpec{ Template: kapi.PodTemplateSpec{ Spec: kapi.PodSpec{ Containers: []kapi.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent"}}, RestartPolicy: kapi.RestartPolicyAlways, SecurityContext: &kapi.PodSecurityContext{}, DNSPolicy: kapi.DNSClusterFirst, ServiceAccountName: "A.B.C.D", }, }, User: "******", Groups: []string{"bar", "baz"}, }, }, errorMessage: `PodSecurityPolicySubjectReview "" is invalid: spec.template.spec.serviceAccountName: Invalid value: "A.B.C.D": must match the regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* (e.g. 'example.com')`, }, "no provider": { request: &securityapi.PodSecurityPolicySubjectReview{ Spec: securityapi.PodSecurityPolicySubjectReviewSpec{ Template: kapi.PodTemplateSpec{ Spec: kapi.PodSpec{ Containers: []kapi.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent"}}, RestartPolicy: kapi.RestartPolicyAlways, SecurityContext: &kapi.PodSecurityContext{}, DNSPolicy: kapi.DNSClusterFirst, ServiceAccountName: "default", }, }, }, }, // no errorMessage only pspr empty }, "container capability": { request: &securityapi.PodSecurityPolicySubjectReview{ Spec: securityapi.PodSecurityPolicySubjectReviewSpec{ Template: kapi.PodTemplateSpec{ Spec: kapi.PodSpec{ Containers: []kapi.Container{ { Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", SecurityContext: &kapi.SecurityContext{ Capabilities: &kapi.Capabilities{ Add: []kapi.Capability{"foo"}, }, }, }, }, RestartPolicy: kapi.RestartPolicyAlways, SecurityContext: &kapi.PodSecurityContext{}, DNSPolicy: kapi.DNSClusterFirst, ServiceAccountName: "default", }, }, User: "******", }, }, sccs: []*kapi.SecurityContextConstraints{ admissionttesting.UserScc("bar"), admissionttesting.UserScc("foo"), }, // no errorMessage }, } namespace := admissionttesting.CreateNamespaceForTest() serviceAccount := admissionttesting.CreateSAForTest() for testName, testcase := range testcases { cache := &oscache.IndexerToSecurityContextConstraintsLister{ Indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}), } for _, scc := range testcase.sccs { if err := cache.Add(scc); err != nil { t.Fatalf("error adding sccs to store: %v", err) } } csf := clientsetfake.NewSimpleClientset(namespace, serviceAccount) storage := REST{oscc.NewDefaultSCCMatcher(cache), csf} ctx := kapi.WithNamespace(kapi.NewContext(), kapi.NamespaceAll) _, err := storage.Create(ctx, testcase.request) switch { case err == nil && len(testcase.errorMessage) == 0: continue case err == nil && len(testcase.errorMessage) > 0: t.Errorf("%s - Expected error %q. No error found", testName, testcase.errorMessage) continue case err.Error() != testcase.errorMessage: t.Errorf("%s - Expected error %q. But got %q", testName, testcase.errorMessage, err.Error()) } } }
func TestSpecificSAs(t *testing.T) { testcases := map[string]struct { request *securityapi.PodSecurityPolicyReview sccs []*kapi.SecurityContextConstraints errorMessage string serviceAccounts []*kapi.ServiceAccount }{ "SAs in PSPR": { request: &securityapi.PodSecurityPolicyReview{ Spec: securityapi.PodSecurityPolicyReviewSpec{ Template: kapi.PodTemplateSpec{ Spec: kapi.PodSpec{ Containers: []kapi.Container{ { Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", }, }, RestartPolicy: kapi.RestartPolicyAlways, SecurityContext: &kapi.PodSecurityContext{}, DNSPolicy: kapi.DNSClusterFirst, ServiceAccountName: "default", }, }, ServiceAccountNames: []string{"my-sa", "yours-sa"}, }, }, sccs: []*kapi.SecurityContextConstraints{ { ObjectMeta: kapi.ObjectMeta{ SelfLink: "/api/version/securitycontextconstraints/myscc", Name: "myscc", }, RunAsUser: kapi.RunAsUserStrategyOptions{ Type: kapi.RunAsUserStrategyMustRunAsRange, }, SELinuxContext: kapi.SELinuxContextStrategyOptions{ Type: kapi.SELinuxStrategyMustRunAs, }, FSGroup: kapi.FSGroupStrategyOptions{ Type: kapi.FSGroupStrategyMustRunAs, }, SupplementalGroups: kapi.SupplementalGroupsStrategyOptions{ Type: kapi.SupplementalGroupsStrategyMustRunAs, }, Groups: []string{"system:serviceaccounts"}, }, }, serviceAccounts: []*kapi.ServiceAccount{ { ObjectMeta: kapi.ObjectMeta{ Name: "my-sa", Namespace: "default", }, }, { ObjectMeta: kapi.ObjectMeta{ Name: "yours-sa", Namespace: "default", }, }, { ObjectMeta: kapi.ObjectMeta{ Name: "our-sa", Namespace: "default", }, }, }, errorMessage: "", }, "bad SAs in PSPR": { request: &securityapi.PodSecurityPolicyReview{ Spec: securityapi.PodSecurityPolicyReviewSpec{ Template: kapi.PodTemplateSpec{ Spec: kapi.PodSpec{ Containers: []kapi.Container{ { Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", }, }, RestartPolicy: kapi.RestartPolicyAlways, SecurityContext: &kapi.PodSecurityContext{}, DNSPolicy: kapi.DNSClusterFirst, ServiceAccountName: "default", }, }, ServiceAccountNames: []string{"bad-sa"}, }, }, sccs: []*kapi.SecurityContextConstraints{ { ObjectMeta: kapi.ObjectMeta{ SelfLink: "/api/version/securitycontextconstraints/myscc", Name: "myscc", }, RunAsUser: kapi.RunAsUserStrategyOptions{ Type: kapi.RunAsUserStrategyMustRunAsRange, }, SELinuxContext: kapi.SELinuxContextStrategyOptions{ Type: kapi.SELinuxStrategyMustRunAs, }, FSGroup: kapi.FSGroupStrategyOptions{ Type: kapi.FSGroupStrategyMustRunAs, }, SupplementalGroups: kapi.SupplementalGroupsStrategyOptions{ Type: kapi.SupplementalGroupsStrategyMustRunAs, }, Groups: []string{"system:serviceaccounts"}, }, }, serviceAccounts: []*kapi.ServiceAccount{ { ObjectMeta: kapi.ObjectMeta{ Name: "my-sa", Namespace: "default", }, }, }, errorMessage: `unable to retrieve ServiceAccount bad-sa: ServiceAccount "bad-sa" not found`, }, } for testName, testcase := range testcases { cache := &oscache.IndexerToSecurityContextConstraintsLister{ Indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}), } for _, scc := range testcase.sccs { if err := cache.Add(scc); err != nil { t.Fatalf("error adding sccs to store: %v", err) } } objects := []runtime.Object{} namespace := admissionttesting.CreateNamespaceForTest() objects = append(objects, namespace) for i := range testcase.serviceAccounts { objects = append(objects, testcase.serviceAccounts[i]) } csf := clientsetfake.NewSimpleClientset(objects...) storage := REST{oscc.NewDefaultSCCMatcher(cache), csf} ctx := kapi.WithNamespace(kapi.NewContext(), namespace.Name) _, err := storage.Create(ctx, testcase.request) switch { case err == nil && len(testcase.errorMessage) == 0: continue case err == nil && len(testcase.errorMessage) > 0: t.Errorf("%s - Expected error %q. No error found", testName, testcase.errorMessage) continue case err.Error() != testcase.errorMessage: t.Errorf("%s - Expected error %q. But got %#v", testName, testcase.errorMessage, err) } } }
func TestNoErrors(t *testing.T) { var uid int64 = 999 testcases := map[string]struct { request *securityapi.PodSecurityPolicyReview sccs []*kapi.SecurityContextConstraints allowedSAs []string }{ "default in pod": { request: &securityapi.PodSecurityPolicyReview{ Spec: securityapi.PodSecurityPolicyReviewSpec{ Template: kapi.PodTemplateSpec{ Spec: kapi.PodSpec{ Containers: []kapi.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent"}}, RestartPolicy: kapi.RestartPolicyAlways, SecurityContext: &kapi.PodSecurityContext{}, DNSPolicy: kapi.DNSClusterFirst, ServiceAccountName: "default", }, }, }, }, sccs: []*kapi.SecurityContextConstraints{ { ObjectMeta: kapi.ObjectMeta{ SelfLink: "/api/version/securitycontextconstraints/scc-sa", Name: "scc-sa", }, RunAsUser: kapi.RunAsUserStrategyOptions{ Type: kapi.RunAsUserStrategyMustRunAsRange, }, SELinuxContext: kapi.SELinuxContextStrategyOptions{ Type: kapi.SELinuxStrategyMustRunAs, }, FSGroup: kapi.FSGroupStrategyOptions{ Type: kapi.FSGroupStrategyMustRunAs, }, SupplementalGroups: kapi.SupplementalGroupsStrategyOptions{ Type: kapi.SupplementalGroupsStrategyMustRunAs, }, Groups: []string{"system:serviceaccounts"}, }, }, allowedSAs: []string{"default"}, }, "failure creating provider": { request: &securityapi.PodSecurityPolicyReview{ Spec: securityapi.PodSecurityPolicyReviewSpec{ Template: kapi.PodTemplateSpec{ Spec: kapi.PodSpec{ Containers: []kapi.Container{ { Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", SecurityContext: &kapi.SecurityContext{ Capabilities: &kapi.Capabilities{ Add: []kapi.Capability{"foo"}, }, }, }, }, RestartPolicy: kapi.RestartPolicyAlways, SecurityContext: &kapi.PodSecurityContext{}, DNSPolicy: kapi.DNSClusterFirst, ServiceAccountName: "default", }, }, }, }, sccs: []*kapi.SecurityContextConstraints{ { ObjectMeta: kapi.ObjectMeta{ SelfLink: "/api/version/securitycontextconstraints/restrictive", Name: "restrictive", }, RunAsUser: kapi.RunAsUserStrategyOptions{ Type: kapi.RunAsUserStrategyMustRunAs, UID: &uid, }, SELinuxContext: kapi.SELinuxContextStrategyOptions{ Type: kapi.SELinuxStrategyMustRunAs, SELinuxOptions: &kapi.SELinuxOptions{ Level: "s9:z0,z1", }, }, FSGroup: kapi.FSGroupStrategyOptions{ Type: kapi.FSGroupStrategyMustRunAs, Ranges: []kapi.IDRange{ {Min: 999, Max: 999}, }, }, SupplementalGroups: kapi.SupplementalGroupsStrategyOptions{ Type: kapi.SupplementalGroupsStrategyMustRunAs, Ranges: []kapi.IDRange{ {Min: 999, Max: 999}, }, }, Groups: []string{"system:serviceaccounts"}, }, }, allowedSAs: nil, }, } for testName, testcase := range testcases { cache := &oscache.IndexerToSecurityContextConstraintsLister{ Indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}), } for _, scc := range testcase.sccs { if err := cache.Add(scc); err != nil { t.Fatalf("error adding sccs to store: %v", err) } } namespace := admissionttesting.CreateNamespaceForTest() serviceAccount := admissionttesting.CreateSAForTest() serviceAccount.Namespace = namespace.Name csf := clientsetfake.NewSimpleClientset(namespace, serviceAccount) storage := REST{oscc.NewDefaultSCCMatcher(cache), csf} ctx := kapi.WithNamespace(kapi.NewContext(), namespace.Name) obj, err := storage.Create(ctx, testcase.request) if err != nil { t.Errorf("%s - Unexpected error: %v", testName, err) continue } pspsr, ok := obj.(*securityapi.PodSecurityPolicyReview) if !ok { t.Errorf("%s - unable to convert cretated runtime.Object to PodSecurityPolicyReview", testName) continue } var allowedSas []string for _, sa := range pspsr.Status.AllowedServiceAccounts { allowedSas = append(allowedSas, sa.Name) } if !reflect.DeepEqual(allowedSas, testcase.allowedSAs) { t.Errorf("%s - expected allowed ServiceAccout names %v got %v", testName, testcase.allowedSAs, allowedSas) } } }
func TestErrors(t *testing.T) { testcases := map[string]struct { request *securityapi.PodSecurityPolicyReview sccs []*kapi.SecurityContextConstraints serviceAccount *kapi.ServiceAccount errorMessage string }{ "invalid PSPR": { request: &securityapi.PodSecurityPolicyReview{ Spec: securityapi.PodSecurityPolicyReviewSpec{ Template: kapi.PodTemplateSpec{ Spec: kapi.PodSpec{ Containers: []kapi.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent"}}, RestartPolicy: kapi.RestartPolicyAlways, SecurityContext: &kapi.PodSecurityContext{}, DNSPolicy: kapi.DNSClusterFirst, ServiceAccountName: "A.B.C.D.E", }, }, }, }, serviceAccount: admissionttesting.CreateSAForTest(), errorMessage: `PodSecurityPolicyReview "" is invalid: spec.template.spec.serviceAccountName: Invalid value: "A.B.C.D.E": must match the regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* (e.g. 'example.com')`, }, "no SA": { request: &securityapi.PodSecurityPolicyReview{ Spec: securityapi.PodSecurityPolicyReviewSpec{ Template: kapi.PodTemplateSpec{ Spec: kapi.PodSpec{ Containers: []kapi.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent"}}, RestartPolicy: kapi.RestartPolicyAlways, SecurityContext: &kapi.PodSecurityContext{}, DNSPolicy: kapi.DNSClusterFirst, ServiceAccountName: "default", }, }, }, }, errorMessage: `unable to retrieve ServiceAccount default: ServiceAccount "default" not found`, }, } for testName, testcase := range testcases { cache := &oscache.IndexerToSecurityContextConstraintsLister{ Indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}), } for _, scc := range testcase.sccs { if err := cache.Add(scc); err != nil { t.Fatalf("error adding sccs to store: %v", err) } } namespace := admissionttesting.CreateNamespaceForTest() var csf clientset.Interface if testcase.serviceAccount != nil { testcase.serviceAccount.Namespace = namespace.Name csf = clientsetfake.NewSimpleClientset(namespace, testcase.serviceAccount) } else { csf = clientsetfake.NewSimpleClientset(namespace) } storage := REST{oscc.NewDefaultSCCMatcher(cache), csf} ctx := kapi.WithNamespace(kapi.NewContext(), namespace.Name) _, err := storage.Create(ctx, testcase.request) if err == nil { t.Errorf("%s - Expected error", testName) continue } if err.Error() != testcase.errorMessage { t.Errorf("%s - Bad error. Expected %q got %q", testName, testcase.errorMessage, err.Error()) } } }
func TestAdmitWithPrioritizedSCC(t *testing.T) { // scc with high priority but very restrictive. restricted := restrictiveSCC() restrictedPriority := int32(100) restricted.Priority = &restrictedPriority // sccs with matching priorities but one will have a higher point score (by the run as user strategy) uidFive := int64(5) matchingPrioritySCCOne := laxSCC() matchingPrioritySCCOne.Name = "matchingPrioritySCCOne" matchingPrioritySCCOne.RunAsUser = kapi.RunAsUserStrategyOptions{ Type: kapi.RunAsUserStrategyMustRunAs, UID: &uidFive, } matchingPriority := int32(5) matchingPrioritySCCOne.Priority = &matchingPriority matchingPrioritySCCTwo := laxSCC() matchingPrioritySCCTwo.Name = "matchingPrioritySCCTwo" matchingPrioritySCCTwo.RunAsUser = kapi.RunAsUserStrategyOptions{ Type: kapi.RunAsUserStrategyMustRunAsRange, UIDRangeMin: &uidFive, UIDRangeMax: &uidFive, } matchingPrioritySCCTwo.Priority = &matchingPriority // sccs with matching priorities and scores so should be matched by sorted name uidSix := int64(6) matchingPriorityAndScoreSCCOne := laxSCC() matchingPriorityAndScoreSCCOne.Name = "matchingPriorityAndScoreSCCOne" matchingPriorityAndScoreSCCOne.RunAsUser = kapi.RunAsUserStrategyOptions{ Type: kapi.RunAsUserStrategyMustRunAs, UID: &uidSix, } matchingPriorityAndScorePriority := int32(1) matchingPriorityAndScoreSCCOne.Priority = &matchingPriorityAndScorePriority matchingPriorityAndScoreSCCTwo := laxSCC() matchingPriorityAndScoreSCCTwo.Name = "matchingPriorityAndScoreSCCTwo" matchingPriorityAndScoreSCCTwo.RunAsUser = kapi.RunAsUserStrategyOptions{ Type: kapi.RunAsUserStrategyMustRunAs, UID: &uidSix, } matchingPriorityAndScoreSCCTwo.Priority = &matchingPriorityAndScorePriority // we will expect these to sort as: expectedSort := []string{"restrictive", "matchingPrioritySCCOne", "matchingPrioritySCCTwo", "matchingPriorityAndScoreSCCOne", "matchingPriorityAndScoreSCCTwo"} sccsToSort := []*kapi.SecurityContextConstraints{matchingPriorityAndScoreSCCTwo, matchingPriorityAndScoreSCCOne, matchingPrioritySCCTwo, matchingPrioritySCCOne, restricted} sort.Sort(oscc.ByPriority(sccsToSort)) for i, scc := range sccsToSort { if scc.Name != expectedSort[i] { t.Fatalf("unexpected sort found %s at element %d but expected %s", scc.Name, i, expectedSort[i]) } } // sorting works as we're expecting // now, to test we will craft some requests that are targeted to validate against specific // SCCs and ensure that they come out with the right annotation. This means admission // is using the sort strategy we expect. namespace := admissiontesting.CreateNamespaceForTest() serviceAccount := admissiontesting.CreateSAForTest() serviceAccount.Namespace = namespace.Name tc := clientsetfake.NewSimpleClientset(namespace, serviceAccount) cache := &oscache.IndexerToSecurityContextConstraintsLister{ Indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}), } for _, scc := range sccsToSort { err := cache.Add(scc) if err != nil { t.Fatalf("error adding sccs to store: %v", err) } } // create the admission plugin plugin := NewTestAdmission(cache, tc) // match the restricted SCC testSCCAdmission(goodPod(), plugin, restricted.Name, t) // match matchingPrioritySCCOne by setting RunAsUser to 5 matchingPrioritySCCOnePod := goodPod() matchingPrioritySCCOnePod.Spec.Containers[0].SecurityContext.RunAsUser = &uidFive testSCCAdmission(matchingPrioritySCCOnePod, plugin, matchingPrioritySCCOne.Name, t) // match matchingPriorityAndScoreSCCOne by setting RunAsUser to 6 matchingPriorityAndScoreSCCOnePod := goodPod() matchingPriorityAndScoreSCCOnePod.Spec.Containers[0].SecurityContext.RunAsUser = &uidSix testSCCAdmission(matchingPriorityAndScoreSCCOnePod, plugin, matchingPriorityAndScoreSCCOne.Name, t) }
func TestAdmit(t *testing.T) { // create the annotated namespace and add it to the fake client namespace := admissiontesting.CreateNamespaceForTest() serviceAccount := admissiontesting.CreateSAForTest() // used for cases where things are preallocated defaultGroup := int64(2) tc := clientsetfake.NewSimpleClientset(namespace, serviceAccount) // create scc that requires allocation retrieval saSCC := &kapi.SecurityContextConstraints{ ObjectMeta: kapi.ObjectMeta{ Name: "scc-sa", }, RunAsUser: kapi.RunAsUserStrategyOptions{ Type: kapi.RunAsUserStrategyMustRunAsRange, }, SELinuxContext: kapi.SELinuxContextStrategyOptions{ Type: kapi.SELinuxStrategyMustRunAs, }, FSGroup: kapi.FSGroupStrategyOptions{ Type: kapi.FSGroupStrategyMustRunAs, }, SupplementalGroups: kapi.SupplementalGroupsStrategyOptions{ Type: kapi.SupplementalGroupsStrategyMustRunAs, }, Groups: []string{"system:serviceaccounts"}, } // create scc that has specific requirements that shouldn't match but is permissioned to // service accounts to test that even though this has matching priorities (0) and a // lower point value score (which will cause it to be sorted in front of scc-sa) it should not // validate the requests so we should try scc-sa. var exactUID int64 = 999 saExactSCC := &kapi.SecurityContextConstraints{ ObjectMeta: kapi.ObjectMeta{ Name: "scc-sa-exact", }, RunAsUser: kapi.RunAsUserStrategyOptions{ Type: kapi.RunAsUserStrategyMustRunAs, UID: &exactUID, }, SELinuxContext: kapi.SELinuxContextStrategyOptions{ Type: kapi.SELinuxStrategyMustRunAs, SELinuxOptions: &kapi.SELinuxOptions{ Level: "s9:z0,z1", }, }, FSGroup: kapi.FSGroupStrategyOptions{ Type: kapi.FSGroupStrategyMustRunAs, Ranges: []kapi.IDRange{ {Min: 999, Max: 999}, }, }, SupplementalGroups: kapi.SupplementalGroupsStrategyOptions{ Type: kapi.SupplementalGroupsStrategyMustRunAs, Ranges: []kapi.IDRange{ {Min: 999, Max: 999}, }, }, Groups: []string{"system:serviceaccounts"}, } cache := &oscache.IndexerToSecurityContextConstraintsLister{ Indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}), } cache.Add(saExactSCC) cache.Add(saSCC) // create the admission plugin p := NewTestAdmission(cache, tc) // setup test data uidNotInRange := goodPod() var uid int64 = 1001 uidNotInRange.Spec.Containers[0].SecurityContext.RunAsUser = &uid invalidMCSLabels := goodPod() invalidMCSLabels.Spec.Containers[0].SecurityContext.SELinuxOptions = &kapi.SELinuxOptions{ Level: "s1:q0,q1", } disallowedPriv := goodPod() var priv bool = true disallowedPriv.Spec.Containers[0].SecurityContext.Privileged = &priv // specifies a UID in the range of the preallocated UID annotation specifyUIDInRange := goodPod() var goodUID int64 = 3 specifyUIDInRange.Spec.Containers[0].SecurityContext.RunAsUser = &goodUID // specifies an mcs label that matches the preallocated mcs annotation specifyLabels := goodPod() specifyLabels.Spec.Containers[0].SecurityContext.SELinuxOptions = &kapi.SELinuxOptions{ Level: "s0:c1,c0", } // specifies an FSGroup in the range of preallocated sup group annotation specifyFSGroupInRange := goodPod() // group in the range of a preallocated fs group which, by default is a single digit range // based on the first value of the ns annotation. goodFSGroup := int64(2) specifyFSGroupInRange.Spec.SecurityContext.FSGroup = &goodFSGroup // specifies a sup group in the range of preallocated sup group annotation specifySupGroup := goodPod() // group is not the default but still in the range specifySupGroup.Spec.SecurityContext.SupplementalGroups = []int64{3} specifyPodLevelSELinux := goodPod() specifyPodLevelSELinux.Spec.SecurityContext.SELinuxOptions = &kapi.SELinuxOptions{ Level: "s0:c1,c0", } requestsHostNetwork := goodPod() requestsHostNetwork.Spec.SecurityContext.HostNetwork = true requestsHostPID := goodPod() requestsHostPID.Spec.SecurityContext.HostPID = true requestsHostIPC := goodPod() requestsHostIPC.Spec.SecurityContext.HostIPC = true requestsHostPorts := goodPod() requestsHostPorts.Spec.Containers[0].Ports = []kapi.ContainerPort{{HostPort: 1}} requestsSupplementalGroup := goodPod() requestsSupplementalGroup.Spec.SecurityContext.SupplementalGroups = []int64{1} requestsFSGroup := goodPod() fsGroup := int64(1) requestsFSGroup.Spec.SecurityContext.FSGroup = &fsGroup requestsPodLevelMCS := goodPod() requestsPodLevelMCS.Spec.SecurityContext.SELinuxOptions = &kapi.SELinuxOptions{ User: "******", Type: "type", Role: "role", Level: "level", } testCases := map[string]struct { pod *kapi.Pod shouldAdmit bool expectedUID int64 expectedLevel string expectedFSGroup int64 expectedSupGroups []int64 expectedPriv bool }{ "uidNotInRange": { pod: uidNotInRange, shouldAdmit: false, }, "invalidMCSLabels": { pod: invalidMCSLabels, shouldAdmit: false, }, "disallowedPriv": { pod: disallowedPriv, shouldAdmit: false, }, "specifyUIDInRange": { pod: specifyUIDInRange, shouldAdmit: true, expectedUID: *specifyUIDInRange.Spec.Containers[0].SecurityContext.RunAsUser, expectedLevel: "s0:c1,c0", expectedFSGroup: defaultGroup, expectedSupGroups: []int64{defaultGroup}, }, "specifyLabels": { pod: specifyLabels, shouldAdmit: true, expectedUID: 1, expectedLevel: specifyLabels.Spec.Containers[0].SecurityContext.SELinuxOptions.Level, expectedFSGroup: defaultGroup, expectedSupGroups: []int64{defaultGroup}, }, "specifyFSGroup": { pod: specifyFSGroupInRange, shouldAdmit: true, expectedUID: 1, expectedLevel: "s0:c1,c0", expectedFSGroup: *specifyFSGroupInRange.Spec.SecurityContext.FSGroup, expectedSupGroups: []int64{defaultGroup}, }, "specifySupGroup": { pod: specifySupGroup, shouldAdmit: true, expectedUID: 1, expectedLevel: "s0:c1,c0", expectedFSGroup: defaultGroup, expectedSupGroups: []int64{specifySupGroup.Spec.SecurityContext.SupplementalGroups[0]}, }, "specifyPodLevelSELinuxLevel": { pod: specifyPodLevelSELinux, shouldAdmit: true, expectedUID: 1, expectedLevel: "s0:c1,c0", expectedFSGroup: defaultGroup, expectedSupGroups: []int64{defaultGroup}, }, "requestsHostNetwork": { pod: requestsHostNetwork, shouldAdmit: false, }, "requestsHostPorts": { pod: requestsHostPorts, shouldAdmit: false, }, "requestsHostPID": { pod: requestsHostPID, shouldAdmit: false, }, "requestsHostIPC": { pod: requestsHostIPC, shouldAdmit: false, }, "requestsSupplementalGroup": { pod: requestsSupplementalGroup, shouldAdmit: false, }, "requestsFSGroup": { pod: requestsFSGroup, shouldAdmit: false, }, "requestsPodLevelMCS": { pod: requestsPodLevelMCS, shouldAdmit: false, }, } for i := 0; i < 2; i++ { for k, v := range testCases { v.pod.Spec.Containers, v.pod.Spec.InitContainers = v.pod.Spec.InitContainers, v.pod.Spec.Containers containers := v.pod.Spec.Containers if i == 0 { containers = v.pod.Spec.InitContainers } attrs := kadmission.NewAttributesRecord(v.pod, nil, kapi.Kind("Pod").WithVersion("version"), v.pod.Namespace, v.pod.Name, kapi.Resource("pods").WithVersion("version"), "", kadmission.Create, &user.DefaultInfo{}) err := p.Admit(attrs) if v.shouldAdmit && err != nil { t.Fatalf("%s expected no errors but received %v", k, err) } if !v.shouldAdmit && err == nil { t.Errorf("%s expected errors but received none", k) } if v.shouldAdmit { validatedSCC, ok := v.pod.Annotations[allocator.ValidatedSCCAnnotation] if !ok { t.Errorf("%s expected to find the validated annotation on the pod for the scc but found none", k) } if validatedSCC != saSCC.Name { t.Errorf("%s should have validated against %s but found %s", k, saSCC.Name, validatedSCC) } // ensure anything we expected to be defaulted on the container level is set if *containers[0].SecurityContext.RunAsUser != v.expectedUID { t.Errorf("%s expected UID %d but found %d", k, v.expectedUID, *containers[0].SecurityContext.RunAsUser) } if containers[0].SecurityContext.SELinuxOptions.Level != v.expectedLevel { t.Errorf("%s expected Level %s but found %s", k, v.expectedLevel, containers[0].SecurityContext.SELinuxOptions.Level) } // ensure anything we expected to be defaulted on the pod level is set if v.pod.Spec.SecurityContext.SELinuxOptions.Level != v.expectedLevel { t.Errorf("%s expected pod level SELinux Level %s but found %s", k, v.expectedLevel, v.pod.Spec.SecurityContext.SELinuxOptions.Level) } if *v.pod.Spec.SecurityContext.FSGroup != v.expectedFSGroup { t.Errorf("%s expected fsgroup %d but found %d", k, v.expectedFSGroup, *v.pod.Spec.SecurityContext.FSGroup) } if len(v.pod.Spec.SecurityContext.SupplementalGroups) != len(v.expectedSupGroups) { t.Errorf("%s found unexpected supplemental groups. Expected: %v, actual %v", k, v.expectedSupGroups, v.pod.Spec.SecurityContext.SupplementalGroups) } for _, g := range v.expectedSupGroups { if !hasSupGroup(g, v.pod.Spec.SecurityContext.SupplementalGroups) { t.Errorf("%s expected sup group %d", k, g) } } } } } // now add an escalated scc to the group and re-run the cases that expected failure, they should // now pass by validating against the escalated scc. adminSCC := &kapi.SecurityContextConstraints{ ObjectMeta: kapi.ObjectMeta{ Name: "scc-admin", }, AllowPrivilegedContainer: true, AllowHostNetwork: true, AllowHostPorts: true, AllowHostPID: true, AllowHostIPC: true, RunAsUser: kapi.RunAsUserStrategyOptions{ Type: kapi.RunAsUserStrategyRunAsAny, }, SELinuxContext: kapi.SELinuxContextStrategyOptions{ Type: kapi.SELinuxStrategyRunAsAny, }, FSGroup: kapi.FSGroupStrategyOptions{ Type: kapi.FSGroupStrategyRunAsAny, }, SupplementalGroups: kapi.SupplementalGroupsStrategyOptions{ Type: kapi.SupplementalGroupsStrategyRunAsAny, }, Groups: []string{"system:serviceaccounts"}, } cache.Add(adminSCC) for i := 0; i < 2; i++ { for k, v := range testCases { v.pod.Spec.Containers, v.pod.Spec.InitContainers = v.pod.Spec.InitContainers, v.pod.Spec.Containers if !v.shouldAdmit { attrs := kadmission.NewAttributesRecord(v.pod, nil, kapi.Kind("Pod").WithVersion("version"), v.pod.Namespace, v.pod.Name, kapi.Resource("pods").WithVersion("version"), "", kadmission.Create, &user.DefaultInfo{}) err := p.Admit(attrs) if err != nil { t.Errorf("Expected %s to pass with escalated scc but got error %v", k, err) } validatedSCC, ok := v.pod.Annotations[allocator.ValidatedSCCAnnotation] if !ok { t.Errorf("%s expected to find the validated annotation on the pod for the scc but found none", k) } if validatedSCC != adminSCC.Name { t.Errorf("%s should have validated against %s but found %s", k, adminSCC.Name, validatedSCC) } } } } }
func TestPodSecurityPolicySelfSubjectReview(t *testing.T) { testcases := map[string]struct { sccs []*kapi.SecurityContextConstraints check func(p *securityapi.PodSecurityPolicySelfSubjectReview) (bool, string) }{ "user foo": { sccs: []*kapi.SecurityContextConstraints{ admissionttesting.UserScc("bar"), admissionttesting.UserScc("foo"), }, check: func(p *securityapi.PodSecurityPolicySelfSubjectReview) (bool, string) { fmt.Printf("-> Is %q", p.Status.AllowedBy.Name) return p.Status.AllowedBy.Name == "foo", "SCC should be foo" }, }, "user bar ": { sccs: []*kapi.SecurityContextConstraints{ admissionttesting.UserScc("bar"), }, check: func(p *securityapi.PodSecurityPolicySelfSubjectReview) (bool, string) { return p.Status.AllowedBy == nil, "Allowed by should be nil" }, }, } for testName, testcase := range testcases { namespace := admissionttesting.CreateNamespaceForTest() serviceAccount := admissionttesting.CreateSAForTest() reviewRequest := &securityapi.PodSecurityPolicySelfSubjectReview{ Spec: securityapi.PodSecurityPolicySelfSubjectReviewSpec{ Template: kapi.PodTemplateSpec{ Spec: kapi.PodSpec{ Containers: []kapi.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent"}}, RestartPolicy: kapi.RestartPolicyAlways, SecurityContext: &kapi.PodSecurityContext{}, DNSPolicy: kapi.DNSClusterFirst, ServiceAccountName: "default", }, }, }, } cache := &oscache.IndexerToSecurityContextConstraintsLister{ Indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}), } for _, scc := range testcase.sccs { if err := cache.Add(scc); err != nil { t.Fatalf("error adding sccs to store: %v", err) } } csf := clientsetfake.NewSimpleClientset(namespace, serviceAccount) storage := REST{oscc.NewDefaultSCCMatcher(cache), csf} ctx := kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), kapi.NamespaceAll), &user.DefaultInfo{Name: "foo", Groups: []string{"bar", "baz"}}) obj, err := storage.Create(ctx, reviewRequest) if err != nil { t.Errorf("%s - Unexpected error", testName) } pspssr, ok := obj.(*securityapi.PodSecurityPolicySelfSubjectReview) if !ok { t.Errorf("%s - Unable to convert created runtime.Object to PodSecurityPolicySelfSubjectReview", testName) continue } if ok, message := testcase.check(pspssr); !ok { t.Errorf("%s - %s", testName, message) } } }