set container to privileged when device is assigned

This commit is contained in:
Stavros kois
2023-02-26 20:37:34 +02:00
parent 76a9ba271c
commit 874a8c5ef3
2 changed files with 135 additions and 0 deletions


@@ -451,6 +451,123 @@ tests:
drop:
- NET_BIND_SERVICE
- it: should set to privileged with assigned device on primary
set:
image: *image
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
containers:
container-name1:
enabled: true
primary: true
imageSelector: image
probes: *probes
persistence:
dev01:
enabled: true
type: device
hostPath: /dev/sda
mountPath: /test
asserts:
- documentIndex: &deploymentDoc 0
isKind:
of: Deployment
- documentIndex: *deploymentDoc
isAPIVersion:
of: apps/v1
- documentIndex: *deploymentDoc
isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
runAsUser: 0
runAsGroup: 0
readOnlyRootFilesystem: true
allowPrivilegeEscalation: true
privileged: true
runAsNonRoot: false
seccompProfile:
type: RuntimeDefault
capabilities:
add: []
drop:
- ALL
- it: should set to privileged with assigned device on selected container
set:
image: *image
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
containers:
container-name1:
enabled: true
primary: true
imageSelector: image
probes: *probes
container-name2:
enabled: true
primary: false
imageSelector: image
probes: *probes
persistence:
dev01:
enabled: true
type: device
hostPath: /dev/sda
mountPath: /test
targetSelector:
workload-name1:
container-name2: {}
asserts:
- documentIndex: &deploymentDoc 0
isKind:
of: Deployment
- documentIndex: *deploymentDoc
isAPIVersion:
of: apps/v1
- documentIndex: *deploymentDoc
isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
capabilities:
add: []
drop:
- ALL
- documentIndex: *deploymentDoc
isSubset:
path: spec.template.spec.containers[1]
content:
securityContext:
runAsUser: 0
runAsGroup: 0
readOnlyRootFilesystem: true
allowPrivilegeEscalation: true
privileged: true
runAsNonRoot: false
seccompProfile:
type: RuntimeDefault
capabilities:
add: []
drop:
- ALL
# Failures
- it: should fail with empty securityContext
set:
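Review bot: Neither new case exercises a device entry that is present but disabled, so the privileged path is only pinned for `enabled: true`; a third case mirroring the first with `enabled: false` under `dev01` and asserting `privileged: false` and `runAsUser: 568` on `containers[0]` would lock in that a disabled device does not grant root (whether the current template already behaves that way depends on the `isSelected` helper, which this diff does not show). The second case asserts by container index (`containers[0]` / `containers[1]`), which presumably relies on the chart ordering containers deterministically, so it is worth confirming that ordering is asserted elsewhere in this file rather than assumed here. The trailing context starts a case (`should fail with empty securityContext`) whose body continues outside the hunk.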


@@ -50,6 +50,16 @@ objectData: The object data to be used to render the container.
{{- $rootCtx := .rootCtx -}}
{{- $objectData := .objectData -}}
{{- $mustPrivileged := false -}}
{{- range $persistenceName, $persistenceValues := $rootCtx.Values.persistence -}}
{{- if eq $persistenceValues.type "device" -}}
{{- $volume := (fromJson (include "tc.v1.common.lib.container.volumeMount.isSelected" (dict "persistenceName" $persistenceName "persistenceValues" $persistenceValues "objectData" $objectData "key" "persistence"))) -}}
{{- if $volume -}} {{/* If a volume is returned, it means that the container has an assigned device */}}
{{- $mustPrivileged = true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if not $rootCtx.Values.securityContext.container -}}
{{- fail "Container - Expected non-empty <.Values.securityContext.container>" -}}
{{- end -}}
@@ -76,6 +86,14 @@ objectData: The object data to be used to render the container.
{{- $_ := set $secContext "runAsNonRoot" true -}}
{{- end -}}
{{- if $mustPrivileged -}}
{{- $_ := set $secContext "privileged" true -}}
{{- $_ := set $secContext "allowPrivilegeEscalation" true -}}
{{- $_ := set $secContext "runAsNonRoot" false -}}
{{- $_ := set $secContext "runAsUser" 0 -}}
{{- $_ := set $secContext "runAsGroup" 0 -}}
{{- end -}}
{{- range $key := (list "privileged" "allowPrivilegeEscalation" "runAsNonRoot" "readOnlyRootFilesystem") -}}
{{- $value := (get $secContext $key) -}}
{{- if not (kindIs "bool" $value) -}}
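Review bot: The device loop in the first hunk, at `{{- if eq $persistenceValues.type "device" -}}`, never consults `$persistenceValues.enabled`, so the escalation depends entirely on what `tc.v1.common.lib.container.volumeMount.isSelected` returns for a disabled entry; unless that helper (not in this diff) rejects disabled volumes, a `persistence` entry with `enabled: false` would still flip the container to privileged and root without any device being mounted. Making the condition `{{- if and (eq $persistenceValues.type "device") $persistenceValues.enabled -}}` states the intent here regardless of the helper. In the second hunk the block also forces `allowPrivilegeEscalation`, `runAsUser` and `runAsGroup` beyond `privileged`, which presumably overrides whatever the chart user configured; a template comment on that block explaining why root (not only privileged) is required for an assigned host device would help a reviewer judge the scope of the grant.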