Apply PSP container tests to EphemeralContainers

2025-11-04 12:18:16 +00:00 · 2021-06-25 18:07:49 +02:00
parent aff49ca684
commit babebf76d3
1 changed files with 50 additions and 0 deletions
--- a/pkg/security/podsecuritypolicy/provider_test.go
+++ b/pkg/security/podsecuritypolicy/provider_test.go
@@ -104,6 +104,8 @@ func TestMutatePodNonmutating(t *testing.T) {
 }

 func TestMutateContainerNonmutating(t *testing.T) {
+	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.EphemeralContainers, true)()
+
 	untrue := false
 	tests := []struct {
 		security *api.SecurityContext
@@ -120,6 +122,11 @@ func TestMutateContainerNonmutating(t *testing.T) {
 					Containers: []api.Container{{
 						SecurityContext: tc.security,
 					}},
+					EphemeralContainers: []api.EphemeralContainer{{
+						EphemeralContainerCommon: api.EphemeralContainerCommon{
+							SecurityContext: tc.security,
+						},
+					}},
 				},
 			}
 		}
@@ -546,6 +553,8 @@ func allowFlexVolumesPSP(allowAllFlexVolumes, allowAllVolumes bool) *policy.PodS
 }

 func TestValidateContainerFailures(t *testing.T) {
+	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.EphemeralContainers, true)()
+
 	// fail user strategy
 	failUserPSP := defaultPSP()
 	uid := int64(999)
@@ -689,6 +698,13 @@ func TestValidateContainerFailures(t *testing.T) {
 			errs := provider.ValidatePod(test.pod)
 			require.NotEmpty(t, errs, "expected validation failure but did not receive errors")
 			assert.Contains(t, errs[0].Error(), test.expectedError, "unexpected error")
+
+			// We want EphemeralContainers to behave the same as regular containers, so move the
+			// containers to ephemeralContainers and validate again.
+			ecPod := moveContainersToEphemeral(test.pod)
+			errs = provider.ValidatePod(ecPod)
+			require.NotEmpty(t, errs, "expected validation failure for ephemeral containers but did not receive errors")
+			assert.Contains(t, errs[0].Error(), test.expectedError, "unexpected error")
 		})
 	}
 }
@@ -1062,6 +1078,8 @@ func TestValidatePodSuccess(t *testing.T) {
 }

 func TestValidateContainerSuccess(t *testing.T) {
+	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.EphemeralContainers, true)()
+
 	// success user strategy
 	userPSP := defaultPSP()
 	uid := int64(999)
@@ -1221,6 +1239,12 @@ func TestValidateContainerSuccess(t *testing.T) {
 			require.NoError(t, err, "unable to create provider")
 			errs := provider.ValidatePod(test.pod)
 			assert.Empty(t, errs, "expected validation pass but received errors")
+
+			// We want EphemeralContainers to behave the same as regular containers, so move the
+			// containers to ephemeralContainers and validate again.
+			ecPod := moveContainersToEphemeral(test.pod)
+			errs = provider.ValidatePod(ecPod)
+			assert.Empty(t, errs, "expected validation pass for ephemeral containers but received errors")
 		})
 	}
 }
@@ -1377,6 +1401,17 @@ func defaultV1Pod() *v1.Pod {
 	}
 }

+func moveContainersToEphemeral(in *api.Pod) *api.Pod {
+	out := in.DeepCopy()
+	for _, c := range out.Spec.Containers {
+		out.Spec.EphemeralContainers = append(out.Spec.EphemeralContainers, api.EphemeralContainer{
+			EphemeralContainerCommon: api.EphemeralContainerCommon(c),
+		})
+	}
+	out.Spec.Containers = nil
+	return out
+}
+
 // TestValidateAllowedVolumes will test that for every field of VolumeSource we can create
 // a pod with that type of volume and deny it, accept it explicitly, or accept it with
 // the FSTypeAll wildcard.
@@ -1490,6 +1525,8 @@ func TestValidateProjectedVolume(t *testing.T) {
 }

 func TestAllowPrivilegeEscalation(t *testing.T) {
+	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.EphemeralContainers, true)()
+
 	ptr := pointer.BoolPtr
 	tests := []struct {
 		pspAPE    bool  // PSP AllowPrivilegeEscalation
@@ -1528,6 +1565,7 @@ func TestAllowPrivilegeEscalation(t *testing.T) {
 		t.Run(fmt.Sprintf("pspAPE:%t_pspDAPE:%s_podAPE:%s", test.pspAPE, fmtPtr(test.pspDAPE), fmtPtr(test.podAPE)), func(t *testing.T) {
 			pod := defaultPod()
 			pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = test.podAPE
+			ecPod := moveContainersToEphemeral(pod)

 			psp := defaultPSP()
 			psp.Spec.AllowPrivilegeEscalation = &test.pspAPE
@@ -1547,6 +1585,18 @@ func TestAllowPrivilegeEscalation(t *testing.T) {
 				ape := pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation
 				assert.Equal(t, test.expectAPE, ape, "expected pod AllowPrivilegeEscalation")
 			}
+
+			err = provider.MutatePod(ecPod)
+			require.NoError(t, err)
+
+			errs = provider.ValidatePod(ecPod)
+			if test.expectErr {
+				assert.NotEmpty(t, errs, "expected validation error for ephemeral containers")
+			} else {
+				assert.Empty(t, errs, "expected no validation errors for ephemeral containers")
+				ape := ecPod.Spec.EphemeralContainers[0].SecurityContext.AllowPrivilegeEscalation
+				assert.Equal(t, test.expectAPE, ape, "expected pod AllowPrivilegeEscalation for ephemeral container")
+			}
 		})
 	}
 }