Files
library-charts/library/common-test/tests/container/securityContext_test.yaml
Stavros Kois 2fe00ebdd1 replace <> with [] in fail messages (#586)
**Description**
<!--
Please include a summary of the change and which issue is fixed. Please
also include relevant motivation and context. List any dependencies that
are required for this change.
-->
⚒️ Fixes #584

**⚙️ Type of change**

- [ ] ⚙️ Feature/App addition
- [ ] 🪛 Bugfix
- [ ] ⚠️ Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] 🔃 Refactor of current code

**🧪 How Has This Been Tested?**
<!--
Please describe the tests that you ran to verify your changes. Provide
instructions so we can reproduce. Please also list any relevant details
for your test configuration
-->

**📃 Notes:**
<!-- Please enter any other relevant information here -->

**✔️ Checklist:**

- [ ] ⚖️ My code follows the style guidelines of this project
- [ ] 👀 I have performed a self-review of my own code
- [ ] #️⃣ I have commented my code, particularly in hard-to-understand
areas
- [ ] 📄 I have made corresponding changes to the documentation
- [ ] ⚠️ My changes generate no new warnings
- [ ] 🧪 I have added tests to this description that prove my fix is
effective or that my feature works
- [ ] ⬆️ I increased versions for any altered app according to semantic
versioning

**App addition**

If this PR is an app addition please make sure you have done the
following.

- [ ] 🪞 I have opened a PR on
[truecharts/containers](https://github.com/truecharts/containers) adding
the container to TrueCharts mirror repo.
- [ ] 🖼️ I have added an icon in the Chart's root directory called
`icon.png`

---

_Please don't blindly check all the boxes. Read them and only check
those that apply.
Those checkboxes are there for the reviewer to see what is this all
about and
the status of this PR with a quick glance._
2023-11-12 19:16:09 +01:00

1057 lines
30 KiB
YAML

suite: container security context test
templates:
  - common.yaml
release:
  name: test-release-name
  namespace: test-release-namespace
tests:
  - it: should create the securityContext correctly
    set:
      image: &image
        repository: nginx
        tag: 1.19.0
        pullPolicy: IfNotPresent
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: &probes
                  liveness:
                    enabled: false
                  readiness:
                    enabled: false
                  startup:
                    enabled: false
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        isAPIVersion:
          of: apps/v1
      - documentIndex: *deploymentDoc
        isSubset:
          path: spec.template.spec.containers[0]
          content:
            securityContext:
              runAsUser: 568
              runAsGroup: 568
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: false
              privileged: false
              runAsNonRoot: true
              seccompProfile:
                type: RuntimeDefault
              capabilities:
                add: []
                drop:
                  - ALL
  - it: should override the securityContext runAsUser and runAsNonRoot
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  runAsUser: 0
                  runAsNonRoot: false
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        isAPIVersion:
          of: apps/v1
      - documentIndex: *deploymentDoc
        isSubset:
          path: spec.template.spec.containers[0]
          content:
            securityContext:
              runAsUser: 0
              runAsGroup: 568
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: false
              privileged: false
              runAsNonRoot: false
              seccompProfile:
                type: RuntimeDefault
              capabilities:
                add:
                  - CHOWN
                  - SETUID
                  - SETGID
                  - FOWNER
                  - DAC_OVERRIDE
                drop:
                  - ALL
  - it: should override the securityContext runAsGroup and runAsNonRoot
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  runAsGroup: 0
                  runAsNonRoot: false
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        isAPIVersion:
          of: apps/v1
      - documentIndex: *deploymentDoc
        isSubset:
          path: spec.template.spec.containers[0]
          content:
            securityContext:
              runAsUser: 568
              runAsGroup: 0
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: false
              privileged: false
              runAsNonRoot: false
              seccompProfile:
                type: RuntimeDefault
              capabilities:
                add: []
                drop:
                  - ALL
  - it: should override the securityContext readOnlyRootFilesystem
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  readOnlyRootFilesystem: false
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        isAPIVersion:
          of: apps/v1
      - documentIndex: *deploymentDoc
        isSubset:
          path: spec.template.spec.containers[0]
          content:
            securityContext:
              runAsUser: 568
              runAsGroup: 568
              readOnlyRootFilesystem: false
              allowPrivilegeEscalation: false
              privileged: false
              runAsNonRoot: true
              seccompProfile:
                type: RuntimeDefault
              capabilities:
                add: []
                drop:
                  - ALL
  - it: should override the securityContext privileged
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  privileged: true
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        isAPIVersion:
          of: apps/v1
      - documentIndex: *deploymentDoc
        isSubset:
          path: spec.template.spec.containers[0]
          content:
            securityContext:
              runAsUser: 568
              runAsGroup: 568
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: true
              privileged: true
              runAsNonRoot: true
              seccompProfile:
                type: RuntimeDefault
              capabilities:
                add: []
                drop:
                  - ALL
  - it: should override the securityContext allowPrivilegeEscalation
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  allowPrivilegeEscalation: true
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        isAPIVersion:
          of: apps/v1
      - documentIndex: *deploymentDoc
        isSubset:
          path: spec.template.spec.containers[0]
          content:
            securityContext:
              runAsUser: 568
              runAsGroup: 568
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: true
              privileged: false
              runAsNonRoot: true
              seccompProfile:
                type: RuntimeDefault
              capabilities:
                add: []
                drop:
                  - ALL
  - it: should override the securityContext capabilities.add
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  capabilities:
                    add:
                      - NET_ADMIN
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        isAPIVersion:
          of: apps/v1
      - documentIndex: *deploymentDoc
        isSubset:
          path: spec.template.spec.containers[0]
          content:
            securityContext:
              runAsUser: 568
              runAsGroup: 568
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: false
              privileged: false
              runAsNonRoot: true
              seccompProfile:
                type: RuntimeDefault
              capabilities:
                add:
                  - NET_ADMIN
                drop:
                  - ALL
  - it: should override the securityContext capabilities.drop
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  capabilities:
                    drop:
                      - NET_ADMIN
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        isAPIVersion:
          of: apps/v1
      - documentIndex: *deploymentDoc
        isSubset:
          path: spec.template.spec.containers[0]
          content:
            securityContext:
              runAsUser: 568
              runAsGroup: 568
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: false
              privileged: false
              runAsNonRoot: true
              seccompProfile:
                type: RuntimeDefault
              capabilities:
                add: []
                drop:
                  - NET_ADMIN
  - it: should override the securityContext seccompProfile.type
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  seccompProfile:
                    type: Unconfined
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        isAPIVersion:
          of: apps/v1
      - documentIndex: *deploymentDoc
        isSubset:
          path: spec.template.spec.containers[0]
          content:
            securityContext:
              runAsUser: 568
              runAsGroup: 568
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: false
              privileged: false
              runAsNonRoot: true
              seccompProfile:
                type: Unconfined
              capabilities:
                add: []
                drop:
                  - ALL
  - it: should override the securityContext all
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  runAsUser: 1000
                  runAsGroup: 1000
                  readOnlyRootFilesystem: false
                  allowPrivilegeEscalation: true
                  privileged: true
                  capabilities:
                    add:
                      - NET_ADMIN
                    drop:
                      - NET_BIND_SERVICE
                  seccompProfile:
                    type: Localhost
                    profile: path/to/profile.json
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        isAPIVersion:
          of: apps/v1
      - documentIndex: *deploymentDoc
        isSubset:
          path: spec.template.spec.containers[0]
          content:
            securityContext:
              runAsUser: 1000
              runAsGroup: 1000
              readOnlyRootFilesystem: false
              allowPrivilegeEscalation: true
              privileged: true
              runAsNonRoot: true
              seccompProfile:
                type: Localhost
                localhostProfile: path/to/profile.json
              capabilities:
                add:
                  - NET_ADMIN
                drop:
                  - NET_BIND_SERVICE
  - it: should set allowPrivilegeEscalation to true automatically when privileged is true
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  allowPrivilegeEscalation: false
                  privileged: true
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        isAPIVersion:
          of: apps/v1
      - documentIndex: *deploymentDoc
        isSubset:
          path: spec.template.spec.containers[0]
          content:
            securityContext:
              runAsUser: 568
              runAsGroup: 568
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: true
              privileged: true
              runAsNonRoot: true
              seccompProfile:
                type: RuntimeDefault
              capabilities:
                add: []
                drop:
                  - ALL
  - it: should set to privileged with assigned device on primary
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
      persistence:
        dev01:
          enabled: true
          type: device
          hostPath: /dev/sda
          mountPath: /test
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        isAPIVersion:
          of: apps/v1
      - documentIndex: *deploymentDoc
        isSubset:
          path: spec.template.spec.containers[0]
          content:
            securityContext:
              runAsUser: 0
              runAsGroup: 0
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: true
              privileged: true
              runAsNonRoot: false
              seccompProfile:
                type: RuntimeDefault
              capabilities:
                add:
                  - CHOWN
                  - SETUID
                  - SETGID
                  - FOWNER
                  - DAC_OVERRIDE
                drop:
                  - ALL
  - it: should not include extra caps when disabled from global
    set:
      image: *image
      securityContext:
        container:
          runAsNonRoot: false
          runAsUser: 0
          runAsGroup: 0
          capabilities:
            disableS6Caps: true
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        isAPIVersion:
          of: apps/v1
      - documentIndex: *deploymentDoc
        isSubset:
          path: spec.template.spec.containers[0]
          content:
            securityContext:
              runAsUser: 0
              runAsGroup: 0
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: false
              privileged: false
              runAsNonRoot: false
              seccompProfile:
                type: RuntimeDefault
              capabilities:
                add: []
                drop:
                  - ALL
  - it: should not include extra caps when disabled from container level
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  runAsNonRoot: false
                  runAsUser: 0
                  runAsGroup: 0
                  capabilities:
                    disableS6Caps: true
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        isAPIVersion:
          of: apps/v1
      - documentIndex: *deploymentDoc
        isSubset:
          path: spec.template.spec.containers[0]
          content:
            securityContext:
              runAsUser: 0
              runAsGroup: 0
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: false
              privileged: false
              runAsNonRoot: false
              seccompProfile:
                type: RuntimeDefault
              capabilities:
                add: []
                drop:
                  - ALL
  - it: should set to privileged with assigned device on selected container
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
              container-name2:
                enabled: true
                primary: false
                imageSelector: image
                probes: *probes
      persistence:
        dev01:
          enabled: true
          type: device
          hostPath: /dev/sda
          mountPath: /test
          targetSelector:
            workload-name1:
              container-name2: {}
    asserts:
      - documentIndex: &deploymentDoc 0
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
        isAPIVersion:
          of: apps/v1
      - documentIndex: *deploymentDoc
        isSubset:
          path: spec.template.spec.containers[0]
          content:
            securityContext:
              runAsUser: 568
              runAsGroup: 568
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: false
              privileged: false
              runAsNonRoot: true
              seccompProfile:
                type: RuntimeDefault
              capabilities:
                add: []
                drop:
                  - ALL
      - documentIndex: *deploymentDoc
        isSubset:
          path: spec.template.spec.containers[1]
          content:
            securityContext:
              runAsUser: 0
              runAsGroup: 0
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: true
              privileged: true
              runAsNonRoot: false
              seccompProfile:
                type: RuntimeDefault
              capabilities:
                add:
                  - CHOWN
                  - SETUID
                  - SETGID
                  - FOWNER
                  - DAC_OVERRIDE
                drop:
                  - ALL
  # Failures
  - it: should fail with empty securityContext
    set:
      image: *image
      securityContext:
        container:
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
    asserts:
      - failedTemplate:
          errorMessage: Container - Expected non-empty [.Values.securityContext.container]
  - it: should fail with readOnlyRootFilesystem not a bool
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  readOnlyRootFilesystem: "true"
    asserts:
      - failedTemplate:
          errorMessage: Container - Expected [securityContext.readOnlyRootFilesystem] to be [bool], but got [true] of type [string]
  - it: should fail with allowPrivilegeEscalation not a bool
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  allowPrivilegeEscalation: "true"
    asserts:
      - failedTemplate:
          errorMessage: Container - Expected [securityContext.allowPrivilegeEscalation] to be [bool], but got [true] of type [string]
  - it: should fail with privileged not a bool
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  privileged: "true"
    asserts:
      - failedTemplate:
          errorMessage: Container - Expected [securityContext.privileged] to be [bool], but got [true] of type [string]
  - it: should fail with runAsUser not an int
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  runAsUser: "568"
    asserts:
      - failedTemplate:
          errorMessage: Container - Expected [securityContext.runAsUser] to be [int], but got [568] of type [string]
  - it: should fail with runAsGroup not an int
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  runAsGroup: "568"
    asserts:
      - failedTemplate:
          errorMessage: Container - Expected [securityContext.runAsGroup] to be [int], but got [568] of type [string]
  - it: should fail without seccompProfile
    set:
      image: *image
      securityContext:
        container:
          seccompProfile:
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
    asserts:
      - failedTemplate:
          errorMessage: Container - Expected [securityContext.seccompProfile] to be defined
  - it: should fail with invalid seccompProfile
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  seccompProfile:
                    type: invalid
    asserts:
      - failedTemplate:
          errorMessage: Container - Expected [securityContext.seccompProfile] to be one of [RuntimeDefault, Localhost, Unconfined], but got [invalid]
  - it: should fail without profile on seccompProfile Localhost
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  seccompProfile:
                    type: Localhost
                    profile: ""
    asserts:
      - failedTemplate:
          errorMessage: Container - Expected [securityContext.seccompProfile.profile] to be defined on type [Localhost]
  - it: should fail without capabilities
    set:
      image: *image
      securityContext:
        container:
          capabilities:
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
    asserts:
      - failedTemplate:
          errorMessage: Container - Expected [securityContext.capabilities] to be defined
  - it: should fail capabilities.add not a list
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  capabilities:
                    add: invalid
    asserts:
      - failedTemplate:
          errorMessage: Container - Expected [securityContext.capabilities.add] to be [list], but got [string]
  - it: should fail capabilities.drop not a list
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  capabilities:
                    drop: invalid
    asserts:
      - failedTemplate:
          errorMessage: Container - Expected [securityContext.capabilities.drop] to be [list], but got [string]
  - it: should fail capabilities.disableS6Caps not a bool
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  runAsUser: 0
                  runAsGroup: 0
                  runAsNonRoot: false
                  capabilities:
                    disableS6Caps: not-bool
    asserts:
      - failedTemplate:
          errorMessage: Container - Expected [securityContext.capabilities.disableS6Caps] to be [bool], but got [not-bool] of type [string]
  - it: should fail with duplicate capabilities.add
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  capabilities:
                    add:
                      - CHOWN
                      - CHOWN
    asserts:
      - failedTemplate:
          errorMessage: Container - Expected items of [securityContext.capabilities.add] to be unique, but got [CHOWN, CHOWN]
  - it: should fail with duplicate capabilities.drop
    set:
      image: *image
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec:
            containers:
              container-name1:
                enabled: true
                primary: true
                imageSelector: image
                probes: *probes
                securityContext:
                  capabilities:
                    drop:
                      - CHOWN
                      - CHOWN
    asserts:
      - failedTemplate:
          errorMessage: Container - Expected items of [securityContext.capabilities.drop] to be unique, but got [CHOWN, CHOWN]
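The suite above pins down a contract in two halves: the success cases fix how a container `securityContext` is resolved (container values override the global `securityContext.container` map, a `privileged` container gets `allowPrivilegeEscalation` forced on, `runAsUser: 0` picks up the S6 capabilities unless `disableS6Caps` is set, an assigned `device` mount forces privileged root, and `seccompProfile.profile` is emitted as Kubernetes' `localhostProfile`), while the failure cases fix the validation messages, which this commit reworded to use `[]`. The following is an added example, not the chart's own Go template code: a small Python model of that contract that can be used as a pre-deploy values check or as a reference when reading the tests. It generalises the individual cases into one rule set. Everything in it is an assumption drawn from what the tests assert: `GLOBAL_DEFAULTS` mirrors the values the first test renders (the chart's `values.yaml` is not on the page), the Go-template type names in `_kind`, the order in which S6 capabilities are appended, and the names `render`, `validate`, `check` and `_merge` are all mine.

```python
from copy import deepcopy

# Added example, not TrueCharts chart code: a Python model of the container
# securityContext rules that the helm-unittest suite asserts.
S6_CAPS = ["CHOWN", "SETUID", "SETGID", "FOWNER", "DAC_OVERRIDE"]
SECCOMP_TYPES = ["RuntimeDefault", "Localhost", "Unconfined"]

# Chart-level defaults as the first success test renders them (assumption:
# these live in the chart's values.yaml, which is not on the page).
GLOBAL_DEFAULTS = {
    "runAsUser": 568, "runAsGroup": 568, "readOnlyRootFilesystem": True,
    "allowPrivilegeEscalation": False, "privileged": False, "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault", "profile": ""},
    "capabilities": {"add": [], "drop": ["ALL"], "disableS6Caps": False},
}


class SecurityContextError(ValueError):
    """Carries the same wording the failedTemplate assertions expect."""


def _kind(value):
    # Go-template kindOf names as modelled here (assumption).
    return {bool: "bool", int: "int", str: "string", list: "list", dict: "map"}.get(type(value), "nil")


def _expect(name, value, kind):
    """Type check producing the chart's 'Expected [key] to be [kind]' message."""
    checks = {"bool": lambda v: isinstance(v, bool),
              "int": lambda v: isinstance(v, int) and not isinstance(v, bool),
              "list": lambda v: isinstance(v, list)}
    if checks[kind](value):
        return
    if kind == "list":
        raise SecurityContextError(f"Container - Expected [{name}] to be [list], but got [{_kind(value)}]")
    raise SecurityContextError(
        f"Container - Expected [{name}] to be [{kind}], but got [{value}] of type [{_kind(value)}]")


def _merge(base, override):
    """Deep-merge maps the way Helm values merge; lists and scalars replace."""
    out = deepcopy(base)
    for key, val in (override or {}).items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = _merge(out[key], val)
        else:
            out[key] = deepcopy(val)
    return out


def validate(sc):
    """The checks the 'Failures' tests expect, raising their exact messages."""
    if not sc:
        raise SecurityContextError("Container - Expected non-empty [.Values.securityContext.container]")
    for key in ("readOnlyRootFilesystem", "allowPrivilegeEscalation", "privileged"):
        _expect(f"securityContext.{key}", sc.get(key), "bool")
    for key in ("runAsUser", "runAsGroup"):
        _expect(f"securityContext.{key}", sc.get(key), "int")
    seccomp = sc.get("seccompProfile")
    if not seccomp:
        raise SecurityContextError("Container - Expected [securityContext.seccompProfile] to be defined")
    if seccomp.get("type") not in SECCOMP_TYPES:
        raise SecurityContextError("Container - Expected [securityContext.seccompProfile] to be one of "
                                   f"[{', '.join(SECCOMP_TYPES)}], but got [{seccomp.get('type')}]")
    if seccomp["type"] == "Localhost" and not seccomp.get("profile"):
        raise SecurityContextError(
            "Container - Expected [securityContext.seccompProfile.profile] to be defined on type [Localhost]")
    caps = sc.get("capabilities")
    if not caps:
        raise SecurityContextError("Container - Expected [securityContext.capabilities] to be defined")
    for key in ("add", "drop"):
        _expect(f"securityContext.capabilities.{key}", caps.get(key), "list")
        if len(set(caps[key])) != len(caps[key]):
            raise SecurityContextError(f"Container - Expected items of [securityContext.capabilities.{key}] "
                                       f"to be unique, but got [{', '.join(caps[key])}]")
    _expect("securityContext.capabilities.disableS6Caps", caps.get("disableS6Caps"), "bool")


def render(container_sc=None, has_device=False, global_sc=None):
    """Resolve the rendered securityContext as the success tests assert it."""
    sc = _merge(GLOBAL_DEFAULTS if global_sc is None else global_sc, container_sc)
    validate(sc)
    if has_device:  # an assigned device mount forces privileged root
        sc.update(runAsUser=0, runAsGroup=0, runAsNonRoot=False, privileged=True)
    if sc["privileged"]:  # privileged implies allowPrivilegeEscalation
        sc["allowPrivilegeEscalation"] = True
    add = list(sc["capabilities"]["add"])
    if sc["runAsUser"] == 0 and not sc["capabilities"]["disableS6Caps"]:
        add += [c for c in S6_CAPS if c not in add]  # user caps first (assumption)
    seccomp = {"type": sc["seccompProfile"]["type"]}
    if seccomp["type"] == "Localhost":  # values key `profile` -> k8s `localhostProfile`
        seccomp["localhostProfile"] = sc["seccompProfile"]["profile"]
    return {"runAsUser": sc["runAsUser"], "runAsGroup": sc["runAsGroup"],
            "readOnlyRootFilesystem": sc["readOnlyRootFilesystem"],
            "allowPrivilegeEscalation": sc["allowPrivilegeEscalation"],
            "privileged": sc["privileged"], "runAsNonRoot": sc["runAsNonRoot"],
            "seccompProfile": seccomp,
            "capabilities": {"add": add, "drop": list(sc["capabilities"]["drop"])}}


def check(container_sc=None, has_device=False, global_sc=None):
    """Return the chart-style error message for a values block, or None if it renders."""
    try:
        render(container_sc, has_device, global_sc)
    except SecurityContextError as err:
        return str(err)
    return None
```

`render()` with no arguments reproduces the first test's output; `check({"readOnlyRootFilesystem": "true"})` returns the reworded `[bool]` message from the failure tests. Passing `global_sc={}` models a nulled `securityContext.container`, and `global_sc=_merge(GLOBAL_DEFAULTS, {"seccompProfile": None})` models the "without seccompProfile" case.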