handle PUID 0 and move the automatic set of runAsNonRoot to the calculate func

Stavros kois
2023-02-26 19:52:13 +02:00
parent 3ede345afc
commit 2dc74abebf
4 changed files with 59 additions and 48 deletions


@@ -312,6 +312,60 @@ tests:
- name: S6_READ_ONLY_ROOT
value: "1"
- it: should create the correct fixed envs with PUID set to 0 on container level
set:
image: *image
workload:
workload-name:
enabled: true
primary: true
type: Deployment
podSpec:
containers:
container-name1:
enabled: true
primary: true
imageSelector: image
probes: *probes
fixedEnv:
PUID: 0
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
asserts:
- documentIndex: &deploymentDoc 0
isKind:
of: Deployment
- documentIndex: *deploymentDoc
isAPIVersion:
of: apps/v1
- documentIndex: *deploymentDoc
isSubset:
path: spec.template.spec.containers[0]
content:
env:
- name: TZ
value: UTC
- name: UMASK
value: "002"
- name: UMASK_SET
value: "002"
- name: PUID
value: "0"
- name: USER_ID
value: "0"
- name: UID
value: "0"
- name: PGID
value: "568"
- name: GROUP_ID
value: "568"
- name: GID
value: "568"
- name: S6_READ_ONLY_ROOT
value: "1"
# Failures
- it: it should fail with NVIDIA_CAPS having invalid values
set:
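Review bot: The new case pins `runAsNonRoot: false` explicitly in the container's `securityContext`, so it never exercises the automatic override this commit moves into the securityContext calculate helper, and its only assertion is on the env list — the rendered `securityContext` of `containers[0]` is not checked. Consider dropping the explicit `runAsNonRoot: false` here, or adding an `isSubset` assertion such as `securityContext: {runAsUser: 0, runAsGroup: 0, runAsNonRoot: false}`, so the PUID-0 path is pinned end to end. A sibling case with the quoted form `PUID: "0"` is also worth having, since the helper compares via `int` and the string form takes the same branch. The enclosing `tests:` list starts and ends outside the hunk.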


@@ -732,47 +732,3 @@ tests:
asserts:
- failedTemplate:
errorMessage: Container - Expected <securityContext.capabilities.drop> to be [list], but got [string]
- it: should fail when trying to run as non root but with root user
set:
image: *image
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
containers:
container-name1:
enabled: true
primary: true
imageSelector: image
probes: *probes
securityContext:
runAsNonRoot: true
runAsUser: 0
asserts:
- failedTemplate:
errorMessage: Container - Expected <securityContext.runAsNonRoot> to be [false] with either [runAsUser, runAsGroup] set to [0]
- it: should fail when trying to run as non root but with root group
set:
image: *image
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
containers:
container-name1:
enabled: true
primary: true
imageSelector: image
probes: *probes
securityContext:
runAsNonRoot: true
runAsGroup: 0
asserts:
- failedTemplate:
errorMessage: Container - Expected <securityContext.runAsNonRoot> to be [false] with either [runAsUser, runAsGroup] set to [0]


@@ -36,6 +36,9 @@ objectData: The object data to be used to render the container.
{{- $TZ := $objectData.fixedEnv.TZ | default $rootCtx.Values.TZ -}}
{{- $UMASK := $objectData.fixedEnv.UMASK | default $rootCtx.Values.securityContext.container.UMASK -}}
{{- $PUID := $objectData.fixedEnv.PUID | default $rootCtx.Values.securityContext.container.PUID -}}
{{- if and (not (kindIs "invalid" $objectData.fixedEnv.PUID)) (eq (int $objectData.fixedEnv.PUID) 0) -}}
{{- $PUID = $objectData.fixedEnv.PUID -}}
{{- end -}}
{{/* calculatedFSGroup is passed from the pod */}}
{{- $PGID := $objectData.calculatedFSGroup -}}
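Review bot: The new guard re-applies an explicit `PUID` of 0 that `default` would otherwise drop, but `int` coerces a non-integer value to 0, so an empty `fixedEnv.PUID: ""` — which previously fell through to the chart default — now satisfies the `eq ... 0` test and is forwarded as the empty value; whether that input is rejected earlier is not visible here. If only genuine zeros are meant, the comparison can be tightened to `(eq (toString $objectData.fixedEnv.PUID) "0")`, which rejects empty and non-numeric values. A one-line comment above the `if` would also make the intent obvious to the next reader: `{{/* default treats 0 as empty, so re-apply an explicitly requested PUID of 0 */}}`. The enclosing template definition starts and ends outside the hunk.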


@@ -10,7 +10,7 @@ objectData: The object data to be used to render the container.
{{/* Initialize from the "global" options */}}
{{- $secContext := fromJson (include "tc.v1.common.lib.container.securityContext.calculate" (dict "rootCtx" $rootCtx "objectData" $objectData)) }}
runAsNonRoot: {{ if or ( eq $secContext.runAsUser 0 ) ( eq $secContext.runAsGroup 0 )}}false{{else}}true{[end}}
runAsNonRoot: {{ $secContext.runAsNonRoot }}
runAsUser: {{ $secContext.runAsUser }}
runAsGroup: {{ $secContext.runAsGroup }}
readOnlyRootFilesystem: {{ $secContext.readOnlyRootFilesystem }}
@@ -110,9 +110,7 @@ objectData: The object data to be used to render the container.
{{- end -}}
{{- if or (eq (int $secContext.runAsUser) 0) (eq (int $secContext.runAsGroup) 0) -}}
{{- if $secContext.runAsNonRoot -}}
{{- fail "Container - Expected <securityContext.runAsNonRoot> to be [false] with either [runAsUser, runAsGroup] set to [0]" -}}
{{- end -}}
{{- $_ := set $secContext "runAsNonRoot" false -}}
{{- end -}}
{{- $secContext | toJson -}}
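Review bot: The hard failure on an explicit `runAsNonRoot: true` combined with a root uid or gid is replaced by a silent override to `false` (the new `set` line in the second hunk), and the two tests that covered that failure are deleted in the same commit, so a user who deliberately asked for non-root now gets a root container with no signal. If the override is meant only for the derived default, keep the `fail` for values the user set explicitly — e.g. guard the `set` with a check on the container's own `securityContext.runAsNonRoot` (the field name is visible in the deleted tests; its exact path on `$objectData` is not shown here) — or record the decision with a comment such as `{{/* runAsNonRoot cannot be true with uid/gid 0; force false instead of failing */}}`. The first hunk's new `runAsNonRoot: {{ $secContext.runAsNonRoot }}` would render an empty value if the calculate helper leaves the key unset on some path, which is worth confirming. Both hunks sit inside template definitions that start and end outside the view.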