From 2dc74abebfee5cd4c56bf78d042e44c431c85f75 Mon Sep 17 00:00:00 2001 From: Stavros kois Date: Sun, 26 Feb 2023 19:52:13 +0200 Subject: [PATCH] handle PUID 0 and move the automatic set of runAsNonRoot to the calculate func --- .../tests/container/envFixed_test .yaml | 54 +++++++++++++++++++ .../tests/container/securityContext_test.yaml | 44 --------------- .../templates/lib/container/_fixedEnv.tpl | 3 ++ .../lib/container/_securityContext.tpl | 6 +-- 4 files changed, 59 insertions(+), 48 deletions(-) diff --git a/library/common-test/tests/container/envFixed_test .yaml b/library/common-test/tests/container/envFixed_test .yaml index 438a095c..2798b359 100644 --- a/library/common-test/tests/container/envFixed_test .yaml +++ b/library/common-test/tests/container/envFixed_test .yaml @@ -312,6 +312,60 @@ tests: - name: S6_READ_ONLY_ROOT value: "1" + - it: should create the correct fixed envs with PUID set to 0 on container level + set: + image: *image + workload: + workload-name: + enabled: true + primary: true + type: Deployment + podSpec: + containers: + container-name1: + enabled: true + primary: true + imageSelector: image + probes: *probes + fixedEnv: + PUID: 0 + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + asserts: + - documentIndex: &deploymentDoc 0 + isKind: + of: Deployment + - documentIndex: *deploymentDoc + isAPIVersion: + of: apps/v1 + - documentIndex: *deploymentDoc + isSubset: + path: spec.template.spec.containers[0] + content: + env: + - name: TZ + value: UTC + - name: UMASK + value: "002" + - name: UMASK_SET + value: "002" + - name: PUID + value: "0" + - name: USER_ID + value: "0" + - name: UID + value: "0" + - name: PGID + value: "568" + - name: GROUP_ID + value: "568" + - name: GID + value: "568" + - name: S6_READ_ONLY_ROOT + value: "1" + # Failures - it: it should fail with NVIDIA_CAPS having invalid values set: 
diff --git a/library/common-test/tests/container/securityContext_test.yaml b/library/common-test/tests/container/securityContext_test.yaml index 1b10152b..48ed9a3b 100644 --- a/library/common-test/tests/container/securityContext_test.yaml +++ b/library/common-test/tests/container/securityContext_test.yaml @@ -732,47 +732,3 @@ tests: asserts: - failedTemplate: errorMessage: Container - Expected to be [list], but got [string] - - - it: should fail when trying to run as non root but with root user - set: - image: *image - workload: - workload-name1: - enabled: true - primary: true - type: Deployment - podSpec: - containers: - container-name1: - enabled: true - primary: true - imageSelector: image - probes: *probes - securityContext: - runAsNonRoot: true - runAsUser: 0 - asserts: - - failedTemplate: - errorMessage: Container - Expected to be [false] with either [runAsUser, runAsGroup] set to [0] - - - it: should fail when trying to run as non root but with root group - set: - image: *image - workload: - workload-name1: - enabled: true - primary: true - type: Deployment - podSpec: - containers: - container-name1: - enabled: true - primary: true - imageSelector: image - probes: *probes - securityContext: - runAsNonRoot: true - runAsGroup: 0 - asserts: - - failedTemplate: - errorMessage: Container - Expected to be [false] with either [runAsUser, runAsGroup] set to [0] diff --git a/library/common/templates/lib/container/_fixedEnv.tpl b/library/common/templates/lib/container/_fixedEnv.tpl index 6ac17241..625467af 100644 --- a/library/common/templates/lib/container/_fixedEnv.tpl +++ b/library/common/templates/lib/container/_fixedEnv.tpl 
@@ -36,6 +36,9 @@ objectData: The object data to be used to render the container. {{- $TZ := $objectData.fixedEnv.TZ | default $rootCtx.Values.TZ -}} {{- $UMASK := $objectData.fixedEnv.UMASK | default $rootCtx.Values.securityContext.container.UMASK -}} {{- $PUID := $objectData.fixedEnv.PUID | default $rootCtx.Values.securityContext.container.PUID -}} + {{- if and (not (kindIs "invalid" $objectData.fixedEnv.PUID)) (eq (int $objectData.fixedEnv.PUID) 0) -}} + {{- $PUID = $objectData.fixedEnv.PUID -}} + {{- end -}} {{/* calculatedFSGroup is passed from the pod */}} {{- $PGID := $objectData.calculatedFSGroup -}} diff --git a/library/common/templates/lib/container/_securityContext.tpl b/library/common/templates/lib/container/_securityContext.tpl index 76e5eba3..bfdd5b6f 100644 --- a/library/common/templates/lib/container/_securityContext.tpl +++ b/library/common/templates/lib/container/_securityContext.tpl @@ -10,7 +10,7 @@ objectData: The object data to be used to render the container. {{/* Initialize from the "global" options */}} {{- $secContext := fromJson (include "tc.v1.common.lib.container.securityContext.calculate" (dict "rootCtx" $rootCtx "objectData" $objectData)) }} -runAsNonRoot: {{ if or ( eq $secContext.runAsUser 0 ) ( eq $secContext.runAsGroup 0 )}}false{{else}}true{[end}} +runAsNonRoot: {{ $secContext.runAsNonRoot }} runAsUser: {{ $secContext.runAsUser }} runAsGroup: {{ $secContext.runAsGroup }} readOnlyRootFilesystem: {{ $secContext.readOnlyRootFilesystem }} @@ -110,9 +110,7 @@ objectData: The object data to be used to render the container. {{- end -}} {{- if or (eq (int $secContext.runAsUser) 0) (eq (int $secContext.runAsGroup) 0) -}} - {{- if $secContext.runAsNonRoot -}} - {{- fail "Container - Expected to be [false] with either [runAsUser, runAsGroup] set to [0]" -}} - {{- end -}} + {{- $_ := set $secContext "runAsNonRoot" false -}} {{- end -}} {{- $secContext | toJson -}}
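Review bot: The added guard uses `eq (int $objectData.fixedEnv.PUID) 0` to detect an explicit zero, but Sprig's `int` also yields 0 for values it cannot parse (an empty string, `"abc"`), so those are copied into `$PUID` verbatim instead of falling through to the global default, and a literal `0` is indistinguishable from a non-numeric value. Since the only reason the `default` line drops a 0 is that Sprig's `default` treats 0 as empty, the clearer fix is to branch on presence rather than value: replace the `default` line and the three added lines with `{{- $PUID := $rootCtx.Values.securityContext.container.PUID -}}` followed by `{{- if not (kindIs "invalid" $objectData.fixedEnv.PUID) -}}{{- $PUID = $objectData.fixedEnv.PUID -}}{{- end -}}`, so any explicitly configured PUID, including 0, wins and only an unset key takes the default. A short comment above it, `{{/* Sprig's default treats 0 as unset, so check for presence instead of using default */}}`, would explain why this is not a plain `default`. The enclosing named template starts before this hunk.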
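Review bot: `runAsNonRoot: {{ $secContext.runAsNonRoot }}` now emits whatever the calculate helper left in the dict, whereas the removed expression always rendered a literal true or false; the only assignment visible in this commit sets it to `false`, so the `true` case depends on initialisation outside this hunk, and if that can leave the key unset for a non-root user the line renders as `runAsNonRoot:` (YAML null), which Kubernetes treats as not enforced. Because this is the field that stops an image from silently running as UID 0, it is safer to fail loudly than to render an empty value: in the calculate helper, just before the `toJson`, add `{{- if not (kindIs "bool" $secContext.runAsNonRoot) -}}{{- fail "Container - Expected [runAsNonRoot] to be a [bool]" -}}{{- end -}}`, or, if an unset value is acceptable by design, say so on this line with `{{/* runAsNonRoot is always a bool after calculate; it is forced to false for UID/GID 0 */}}`. The named template that renders this block starts before the hunk.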
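Review bot: Replacing the `fail` with `set $secContext "runAsNonRoot" false` means a container that explicitly asks for `runAsNonRoot: true` together with `runAsUser: 0` or `runAsGroup: 0` now silently renders with that hardening removed where it previously refused to render, and the two tests that covered this case are deleted without a replacement asserting the new behaviour (the new envFixed test sets `runAsNonRoot: false` itself, so it does not exercise this branch). If the intent is that UID/GID 0 always wins, add a test in securityContext_test.yaml that sets only `runAsUser: 0` and asserts `runAsNonRoot: false` in the rendered container, and leave a comment on the override such as `{{/* A root UID/GID can never satisfy runAsNonRoot, so force it to false instead of letting the kubelet reject the container at start */}}`; whether an explicitly configured `true` should still fail cannot be decided from this hunk, since where `$secContext.runAsNonRoot` is first populated is not visible. The calculate template starts before this hunk.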