From 53b62976d70b7aa16e6495c053d021e707b15192 Mon Sep 17 00:00:00 2001 From: Anuj Sharma Date: Tue, 7 Apr 2020 13:50:15 +0530 Subject: [PATCH 1/3] #404 added test for block use of bind mounts --- .../block_bind_mounts/block_bind_mounts.go | 54 +++++++++++++++++++ benchmarks/e2e/tests/e2e.go | 3 ++ 2 files changed, 57 insertions(+) create mode 100644 benchmarks/e2e/tests/block_bind_mounts/block_bind_mounts.go diff --git a/benchmarks/e2e/tests/block_bind_mounts/block_bind_mounts.go b/benchmarks/e2e/tests/block_bind_mounts/block_bind_mounts.go new file mode 100644 index 000000000..5b73f7d41 --- /dev/null +++ b/benchmarks/e2e/tests/block_bind_mounts/block_bind_mounts.go 
@@ -0,0 +1,54 @@
+package block_bind_mounts
+
+import (
+ "fmt"
+ "strings"
+
+ "github.com/onsi/ginkgo"
+ configutil "sigs.k8s.io/multi-tenancy/benchmarks/e2e/config"
+ "k8s.io/kubernetes/test/e2e/framework"
+ v1 "k8s.io/api/core/v1"
+ e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+)
+
+const (
+ expectedVal = "Host path volumes are not allowed"
+)
+
+var _ = framework.KubeDescribe("Tenants should not be able to mount host volumes and folders", func() {
+ var config *configutil.BenchmarkConfig
+ var tenantA configutil.TenantSpec
+ var user string
+ var err error
+ var InlineVolumeSources = []*v1.VolumeSource{
+ {
+ HostPath: &v1.HostPathVolumeSource{
+ Path: "/tmp/busybox",
+ },
+ },
+ }
+
+ ginkgo.BeforeEach(func() {
+ config, err = configutil.ReadConfig(configutil.ConfigPath)
+ framework.ExpectNoError(err)
+
+ tenantA, err = config.GetValidTenant()
+ framework.ExpectNoError(err)
+
+ user = configutil.GetContextFromKubeconfig(tenantA.Kubeconfig)
+ })
+
+ ginkgo.It("Tenants should not be able to mount host volumes and folders", func() {
+ ginkgo.By(fmt.Sprintf("Tenant %s should not be able to mount host volumes and folders", user))
+
+ pod := e2epod.MakeSecPod(tenantA.Namespace, nil, InlineVolumeSources, false, "", false, false, nil, nil)
+
+ kclient := configutil.NewKubeClientWithKubeconfig(tenantA.Kubeconfig)
+ _, err = kclient.CoreV1().Pods(tenantA.Namespace).Create(pod)
+
+ if !strings.Contains(err.Error(), expectedVal) {
+ framework.Failf("%s must be unable to create pod with host-path volume", user)
+ }
+ })
+})
+
diff --git a/benchmarks/e2e/tests/e2e.go b/benchmarks/e2e/tests/e2e.go
index 60332a876..f2d796bbd 100644
--- a/benchmarks/e2e/tests/e2e.go
+++ b/benchmarks/e2e/tests/e2e.go
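Review bot: `err.Error()` in `if !strings.Contains(err.Error(), expectedVal)` is evaluated with no nil check, so when the tenant's `Create(pod)` succeeds — the exact case where the hostPath control is not enforced and the benchmark should fail — `err` is nil and the spec fails with a nil-pointer panic instead of the intended `Failf` message. Guard it first: `if err == nil || !strings.Contains(err.Error(), expectedVal) {`. A successful create also leaves a hostPath-mounting pod running in the tenant namespace; deleting it before calling `Failf` would keep the benchmark from leaving host-mounted workloads behind on a cluster it has just shown to be misconfigured. Matching a fixed denial string ties the check to whichever admission controller produced that exact wording, and a cluster enforcing the same control through a different policy engine would be reported as non-compliant; a comment on the constant such as `// expectedVal is the admission-denial message this benchmark expects; other policy engines may word the rejection differently` would at least make that assumption visible to operators.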
@@ -23,6 +23,9 @@ import ( _ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/configure_ns_quotas" _ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/create_network_policies" _ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/create_role_bindings" + _ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_other_tenant_resources" + _ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_host_ipc" + _ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_bind_mounts" ) // RunE2ETests runs the multi-tenancy benchmark tests From c0fc583fbeca66e06c3e7ec3862d02bedf6abc89 Mon Sep 17 00:00:00 2001 From: Anuj Sharma Date: Mon, 27 Apr 2020 13:34:33 +0530 Subject: [PATCH 2/3] modified modules --- benchmarks/go.sum | 1 + 1 file changed, 1 insertion(+) diff --git a/benchmarks/go.sum b/benchmarks/go.sum index b7e09eb99..a52b8877e 100644 --- a/benchmarks/go.sum +++ b/benchmarks/go.sum @@ -666,6 +666,7 @@ modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03 modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs= modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I= sigs.k8s.io/kustomize v2.0.3+incompatible/go.mod h1:MkjgH3RdOWrievjo6c9T245dYlB5QeXV4WCbnt/PEpU= +sigs.k8s.io/multi-tenancy v0.0.0-20200511084551-34a25e2335ba h1:mxTTbwfGpJkOQc+XkbPDHtv7OAz/i0mOR9XD/hmpQPk= sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= sigs.k8s.io/structured-merge-diff v0.0.0-20190817042607-6149e4549fca/go.mod h1:IIgPezJWb76P0hotTxzDbWsMYB8APh18qZnxkomBpxA= sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs= From 8cac13de5af16661ac1c4d78a284d8f1fe9f44bb Mon Sep 17 00:00:00 2001 From: Anuj Sharma Date: Mon, 11 May 2020 22:47:46 +0530 Subject: [PATCH 3/3] added PL classification --- .../e2e/tests/block_bind_mounts/block_bind_mounts.go | 11 +++++------ benchmarks/e2e/tests/e2e.go | 4 +--- 2 files changed, 6 insertions(+), 9 deletions(-) 
diff --git a/benchmarks/e2e/tests/block_bind_mounts/block_bind_mounts.go b/benchmarks/e2e/tests/block_bind_mounts/block_bind_mounts.go index 5b73f7d41..d4a6e79da 100644 --- a/benchmarks/e2e/tests/block_bind_mounts/block_bind_mounts.go +++ b/benchmarks/e2e/tests/block_bind_mounts/block_bind_mounts.go @@ -5,17 +5,17 @@ import ( "strings" "github.com/onsi/ginkgo" - configutil "sigs.k8s.io/multi-tenancy/benchmarks/e2e/config" - "k8s.io/kubernetes/test/e2e/framework" v1 "k8s.io/api/core/v1" + "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" + configutil "sigs.k8s.io/multi-tenancy/benchmarks/e2e/config" ) const ( expectedVal = "Host path volumes are not allowed" ) -var _ = framework.KubeDescribe("Tenants should not be able to mount host volumes and folders", func() { +var _ = framework.KubeDescribe("[PL1] [PL2] [PL3] Tenants should not be able to mount host volumes and folders", func() { var config *configutil.BenchmarkConfig var tenantA configutil.TenantSpec var user string @@ -40,8 +40,8 @@ var _ = framework.KubeDescribe("Tenants should not be able to mount host volumes ginkgo.It("Tenants should not be able to mount host volumes and folders", func() { ginkgo.By(fmt.Sprintf("Tenant %s should not be able to mount host volumes and folders", user)) - - pod := e2epod.MakeSecPod(tenantA.Namespace, nil, InlineVolumeSources, false, "", false, false, nil, nil) + + pod := e2epod.MakeSecPod(tenantA.Namespace, nil, InlineVolumeSources, false, "", false, false, nil, nil) kclient := configutil.NewKubeClientWithKubeconfig(tenantA.Kubeconfig) _, err = kclient.CoreV1().Pods(tenantA.Namespace).Create(pod) @@ -51,4 +51,3 @@ var _ = framework.KubeDescribe("Tenants should not be able to mount host volumes } }) }) - diff --git a/benchmarks/e2e/tests/e2e.go b/benchmarks/e2e/tests/e2e.go index f2d796bbd..a7c9ff5d8 100644 --- a/benchmarks/e2e/tests/e2e.go +++ b/benchmarks/e2e/tests/e2e.go 
@@ -10,6 +10,7 @@ import ( // test sources _ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_add_capabilities" + _ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_bind_mounts" _ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_cluster_resources" _ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_host_ipc" _ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_host_pid" @@ -23,9 +24,6 @@ import ( _ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/configure_ns_quotas" _ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/create_network_policies" _ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/create_role_bindings" - _ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_other_tenant_resources" - _ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_host_ipc" - _ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_bind_mounts" ) // RunE2ETests runs the multi-tenancy benchmark tests
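Review bot: The deletion hunk drops `_ "sigs.k8s.io/multi-tenancy/benchmarks/e2e/tests/block_other_tenant_resources"` together with the two imports that the first hunk shows already registered at the top of the block, but no surviving line in this section registers `block_other_tenant_resources`. If it is not already among the unseen entries between `block_host_pid` and `configure_ns_quotas`, that package is no longer linked into the suite and its specs silently stop running, since a missing blank import is not something the compiler will flag. Confirming the entry exists in the unseen part of the import block, or listing the compiled specs before and after this patch, would settle it.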