set container to privileged when device is assigned
@@ -451,6 +451,123 @@ tests:
|
||||
drop:
|
||||
- NET_BIND_SERVICE
|
||||
|
||||
- it: should set to privileged with assigned device on primary
|
||||
set:
|
||||
image: *image
|
||||
workload:
|
||||
workload-name1:
|
||||
enabled: true
|
||||
primary: true
|
||||
type: Deployment
|
||||
podSpec:
|
||||
containers:
|
||||
container-name1:
|
||||
enabled: true
|
||||
primary: true
|
||||
imageSelector: image
|
||||
probes: *probes
|
||||
persistence:
|
||||
dev01:
|
||||
enabled: true
|
||||
type: device
|
||||
hostPath: /dev/sda
|
||||
mountPath: /test
|
||||
asserts:
|
||||
- documentIndex: &deploymentDoc 0
|
||||
isKind:
|
||||
of: Deployment
|
||||
- documentIndex: *deploymentDoc
|
||||
isAPIVersion:
|
||||
of: apps/v1
|
||||
- documentIndex: *deploymentDoc
|
||||
isSubset:
|
||||
path: spec.template.spec.containers[0]
|
||||
content:
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: true
|
||||
privileged: true
|
||||
runAsNonRoot: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
capabilities:
|
||||
add: []
|
||||
drop:
|
||||
- ALL
|
||||
|
||||
- it: should set to privileged with assigned device on selected container
|
||||
set:
|
||||
image: *image
|
||||
workload:
|
||||
workload-name1:
|
||||
enabled: true
|
||||
primary: true
|
||||
type: Deployment
|
||||
podSpec:
|
||||
containers:
|
||||
container-name1:
|
||||
enabled: true
|
||||
primary: true
|
||||
imageSelector: image
|
||||
probes: *probes
|
||||
container-name2:
|
||||
enabled: true
|
||||
primary: false
|
||||
imageSelector: image
|
||||
probes: *probes
|
||||
persistence:
|
||||
dev01:
|
||||
enabled: true
|
||||
type: device
|
||||
hostPath: /dev/sda
|
||||
mountPath: /test
|
||||
targetSelector:
|
||||
workload-name1:
|
||||
container-name2: {}
|
||||
asserts:
|
||||
- documentIndex: &deploymentDoc 0
|
||||
isKind:
|
||||
of: Deployment
|
||||
- documentIndex: *deploymentDoc
|
||||
isAPIVersion:
|
||||
of: apps/v1
|
||||
- documentIndex: *deploymentDoc
|
||||
isSubset:
|
||||
path: spec.template.spec.containers[0]
|
||||
content:
|
||||
securityContext:
|
||||
runAsUser: 568
|
||||
runAsGroup: 568
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
privileged: false
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
capabilities:
|
||||
add: []
|
||||
drop:
|
||||
- ALL
|
||||
- documentIndex: *deploymentDoc
|
||||
isSubset:
|
||||
path: spec.template.spec.containers[1]
|
||||
content:
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: true
|
||||
privileged: true
|
||||
runAsNonRoot: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
capabilities:
|
||||
add: []
|
||||
drop:
|
||||
- ALL
|
||||
|
||||
# Failures
|
||||
- it: should fail with empty securityContext
|
||||
set:
|
||||
|
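Review bot: Both new cases only exercise a device entry with `enabled: true`, so nothing pins the negative path: a `type: device` entry that is disabled, or that targets no container, must leave the container at the unprivileged defaults (`privileged: false`, `runAsUser: 568`). The second case partly covers the "not selected" path through `containers[0]`, but a disabled-device case is missing, and that is the path most likely to regress given the template only filters on `type`. I would add a copy of the first case named `should not set privileged when assigned device is disabled`, with `enabled: false` on `dev01` and the `containers[0]` assert expecting the `runAsUser: 568` / `privileged: false` block already used in the second case. The enclosing `tests:` list starts outside this hunk.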
||||
@@ -50,6 +50,16 @@ objectData: The object data to be used to render the container.
|
||||
{{- $rootCtx := .rootCtx -}}
|
||||
{{- $objectData := .objectData -}}
|
||||
|
||||
{{- $mustPrivileged := false -}}
|
||||
{{- range $persistenceName, $persistenceValues := $rootCtx.Values.persistence -}}
|
||||
{{- if eq $persistenceValues.type "device" -}}
|
||||
{{- $volume := (fromJson (include "tc.v1.common.lib.container.volumeMount.isSelected" (dict "persistenceName" $persistenceName "persistenceValues" $persistenceValues "objectData" $objectData "key" "persistence"))) -}}
|
||||
{{- if $volume -}} {{/* If a volume is returned, it means that the container has an assigned device */}}
|
||||
{{- $mustPrivileged = true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if not $rootCtx.Values.securityContext.container -}}
|
||||
{{- fail "Container - Expected non-empty <.Values.securityContext.container>" -}}
|
||||
{{- end -}}
|
||||
@@ -76,6 +86,14 @@ objectData: The object data to be used to render the container.
|
||||
{{- $_ := set $secContext "runAsNonRoot" true -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if $mustPrivileged -}}
|
||||
{{- $_ := set $secContext "privileged" true -}}
|
||||
{{- $_ := set $secContext "allowPrivilegeEscalation" true -}}
|
||||
{{- $_ := set $secContext "runAsNonRoot" false -}}
|
||||
{{- $_ := set $secContext "runAsUser" 0 -}}
|
||||
{{- $_ := set $secContext "runAsGroup" 0 -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- range $key := (list "privileged" "allowPrivilegeEscalation" "runAsNonRoot" "readOnlyRootFilesystem") -}}
|
||||
{{- $value := (get $secContext $key) -}}
|
||||
{{- if not (kindIs "bool" $value) -}}
|
||||
|
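Review bot: The `{{- if $mustPrivileged -}}` block silently overwrites whatever the user configured for `privileged`, `allowPrivilegeEscalation`, `runAsNonRoot`, `runAsUser` and `runAsGroup`, and nothing in the hunk records why each of the five is required for device access; the root UID/GID in particular is a separate decision from `privileged`. A short comment would make the trade-off reviewable, e.g. `{{/* Device mounts need host device access: privileged plus root UID/GID; this intentionally overrides user-provided values */}}`. It is also worth noting in that comment that with `privileged` set to `true` the capability drop applied elsewhere no longer restricts the container, so operators reading the rendered `drop: [ALL]` are not misled about the effective privilege. The block runs before the bool validation loop, so the hard-coded `true`/`false` values pass that check as intended.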
||||