handle PUID 0 and move the automatic set of runAsNonRoot to the calculate func
@@ -312,6 +312,60 @@ tests:
|
||||
- name: S6_READ_ONLY_ROOT
|
||||
value: "1"
|
||||
|
||||
- it: should create the correct fixed envs with PUID set to 0 on container level
|
||||
set:
|
||||
image: *image
|
||||
workload:
|
||||
workload-name:
|
||||
enabled: true
|
||||
primary: true
|
||||
type: Deployment
|
||||
podSpec:
|
||||
containers:
|
||||
container-name1:
|
||||
enabled: true
|
||||
primary: true
|
||||
imageSelector: image
|
||||
probes: *probes
|
||||
fixedEnv:
|
||||
PUID: 0
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
asserts:
|
||||
- documentIndex: &deploymentDoc 0
|
||||
isKind:
|
||||
of: Deployment
|
||||
- documentIndex: *deploymentDoc
|
||||
isAPIVersion:
|
||||
of: apps/v1
|
||||
- documentIndex: *deploymentDoc
|
||||
isSubset:
|
||||
path: spec.template.spec.containers[0]
|
||||
content:
|
||||
env:
|
||||
- name: TZ
|
||||
value: UTC
|
||||
- name: UMASK
|
||||
value: "002"
|
||||
- name: UMASK_SET
|
||||
value: "002"
|
||||
- name: PUID
|
||||
value: "0"
|
||||
- name: USER_ID
|
||||
value: "0"
|
||||
- name: UID
|
||||
value: "0"
|
||||
- name: PGID
|
||||
value: "568"
|
||||
- name: GROUP_ID
|
||||
value: "568"
|
||||
- name: GID
|
||||
value: "568"
|
||||
- name: S6_READ_ONLY_ROOT
|
||||
value: "1"
|
||||
|
||||
# Failures
|
||||
- it: it should fail with NVIDIA_CAPS having invalid values
|
||||
set:
|
||||
|
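Review bot: The new case "should create the correct fixed envs with PUID set to 0 on container level" sets `runAsNonRoot: false` explicitly next to `runAsUser: 0` / `runAsGroup: 0`, so it exercises the PUID env handling but never the automatic runAsNonRoot behaviour this commit introduces. Dropping `runAsNonRoot: false` from the `set:` block (or adding a sibling case without it) and asserting the rendered container has `securityContext.runAsNonRoot: false` would pin that path, which otherwise loses coverage now that the two "should fail when trying to run as non root" cases are removed in the later hunk. The asserted `PGID`/`GROUP_ID`/`GID` of "568" appear to come from the pod's calculatedFSGroup rather than runAsGroup, so a short YAML comment such as `# PGID follows calculatedFSGroup, not runAsGroup` above those assertions would stop readers expecting "0".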
||||
@@ -732,47 +732,3 @@ tests:
|
||||
asserts:
|
||||
- failedTemplate:
|
||||
errorMessage: Container - Expected <securityContext.capabilities.drop> to be [list], but got [string]
|
||||
|
||||
- it: should fail when trying to run as non root but with root user
|
||||
set:
|
||||
image: *image
|
||||
workload:
|
||||
workload-name1:
|
||||
enabled: true
|
||||
primary: true
|
||||
type: Deployment
|
||||
podSpec:
|
||||
containers:
|
||||
container-name1:
|
||||
enabled: true
|
||||
primary: true
|
||||
imageSelector: image
|
||||
probes: *probes
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 0
|
||||
asserts:
|
||||
- failedTemplate:
|
||||
errorMessage: Container - Expected <securityContext.runAsNonRoot> to be [false] with either [runAsUser, runAsGroup] set to [0]
|
||||
|
||||
- it: should fail when trying to run as non root but with root group
|
||||
set:
|
||||
image: *image
|
||||
workload:
|
||||
workload-name1:
|
||||
enabled: true
|
||||
primary: true
|
||||
type: Deployment
|
||||
podSpec:
|
||||
containers:
|
||||
container-name1:
|
||||
enabled: true
|
||||
primary: true
|
||||
imageSelector: image
|
||||
probes: *probes
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsGroup: 0
|
||||
asserts:
|
||||
- failedTemplate:
|
||||
errorMessage: Container - Expected <securityContext.runAsNonRoot> to be [false] with either [runAsUser, runAsGroup] set to [0]
|
||||
|
||||
@@ -36,6 +36,9 @@ objectData: The object data to be used to render the container.
|
||||
{{- $TZ := $objectData.fixedEnv.TZ | default $rootCtx.Values.TZ -}}
|
||||
{{- $UMASK := $objectData.fixedEnv.UMASK | default $rootCtx.Values.securityContext.container.UMASK -}}
|
||||
{{- $PUID := $objectData.fixedEnv.PUID | default $rootCtx.Values.securityContext.container.PUID -}}
|
||||
{{- if and (not (kindIs "invalid" $objectData.fixedEnv.PUID)) (eq (int $objectData.fixedEnv.PUID) 0) -}}
|
||||
{{- $PUID = $objectData.fixedEnv.PUID -}}
|
||||
{{- end -}}
|
||||
{{/* calculatedFSGroup is passed from the pod */}}
|
||||
{{- $PGID := $objectData.calculatedFSGroup -}}
|
||||
|
||||
|
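Review bot: The added guard `{{- if and (not (kindIs "invalid" $objectData.fixedEnv.PUID)) (eq (int $objectData.fixedEnv.PUID) 0) -}}` is there because sprig's `default` treats 0 as empty and would otherwise replace an explicit container-level PUID of 0 with the global value, but nothing says so; a `{{/* "default" treats 0 as empty, so an explicit PUID of 0 must be re-applied */}}` line above it would keep the next maintainer from "simplifying" it away. The same coercion also means a non-numeric fixedEnv.PUID satisfies the check, since sprig's `int` yields 0 for unparsable input, and the raw value would then be emitted as the PUID env; comparing the string form instead, `(eq (toString $objectData.fixedEnv.PUID) "0")`, restricts the special case to a literal zero. The enclosing define starts outside the hunk.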
||||
@@ -10,7 +10,7 @@ objectData: The object data to be used to render the container.
|
||||
|
||||
{{/* Initialize from the "global" options */}}
|
||||
{{- $secContext := fromJson (include "tc.v1.common.lib.container.securityContext.calculate" (dict "rootCtx" $rootCtx "objectData" $objectData)) }}
|
||||
runAsNonRoot: {{ if or ( eq $secContext.runAsUser 0 ) ( eq $secContext.runAsGroup 0 )}}false{{else}}true{[end}}
|
||||
runAsNonRoot: {{ $secContext.runAsNonRoot }}
|
||||
runAsUser: {{ $secContext.runAsUser }}
|
||||
runAsGroup: {{ $secContext.runAsGroup }}
|
||||
readOnlyRootFilesystem: {{ $secContext.readOnlyRootFilesystem }}
|
||||
@@ -110,9 +110,7 @@ objectData: The object data to be used to render the container.
|
||||
{{- end -}}
|
||||
|
||||
{{- if or (eq (int $secContext.runAsUser) 0) (eq (int $secContext.runAsGroup) 0) -}}
|
||||
{{- if $secContext.runAsNonRoot -}}
|
||||
{{- fail "Container - Expected <securityContext.runAsNonRoot> to be [false] with either [runAsUser, runAsGroup] set to [0]" -}}
|
||||
{{- end -}}
|
||||
{{- $_ := set $secContext "runAsNonRoot" false -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $secContext | toJson -}}
|
||||
|
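Review bot: The new `{{- $_ := set $secContext "runAsNonRoot" false -}}` silently downgrades runAsNonRoot whenever runAsUser or runAsGroup is 0, including when the user explicitly set `runAsNonRoot: true` as a guardrail, where the removed `fail` used to stop the render; the chart now produces a root container with no signal to the operator, and the earlier hunk deletes the two tests that covered that failure. Kubernetes itself rejects a container that combines runAsNonRoot=true with UID 0 at admission/kubelet level, so the old failure surfaced the same conflict earlier and with a clearer message. Consider keeping the `fail` for an explicitly requested true and applying the automatic false only when the user did not set the key, which likely means checking the container's own securityContext input (the tests set it as `securityContext.runAsNonRoot` on the container) before `$secContext` is merged from defaults. At minimum, a comment such as `{{/* UID/GID 0 forces runAsNonRoot=false; an explicit true here is overridden, not rejected */}}` should document the override. The enclosing define starts outside the hunk.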
||||