@@ -12,12 +12,15 @@ import (
1212 corev1 "k8s.io/api/core/v1"
1313 rbacv1 "k8s.io/api/rbac/v1"
1414 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
15+ "k8s.io/kubernetes/test/e2e/framework"
16+ e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
1517 psapi "k8s.io/pod-security-admission/api"
1618 "k8s.io/utils/pointer"
1719
1820 securityv1 "github.com/openshift/api/security/v1"
1921 "github.com/openshift/origin/pkg/test/ginkgo/result"
2022 exutil "github.com/openshift/origin/test/extended/util"
23+ "github.com/openshift/origin/test/extended/util/image"
2124)
2225
2326var _ = g .Describe ("[sig-auth][Feature:SCC][Early]" , func () {
@@ -227,32 +230,7 @@ var _ = g.Describe("[sig-auth][Feature:PodSecurity][Feature:SCC]", func() {
227230 // Use the existing ClusterRole that grants access to the anyuid SCC
228231 anyuidClusterRole := "system:openshift:scc:anyuid"
229232
230- // Create a role binding for the regular user
231- g .By ("Creating a role binding for the regular user" )
232- _ , err = oc .AdminKubeClient ().RbacV1 ().RoleBindings (oc .Namespace ()).Create (
233- ctx ,
234- & rbacv1.RoleBinding {
235- ObjectMeta : metav1.ObjectMeta {
236- GenerateName : "user-anyuid-" ,
237- Namespace : oc .Namespace (),
238- },
239- RoleRef : rbacv1.RoleRef {
240- APIGroup : "rbac.authorization.k8s.io" ,
241- Kind : "ClusterRole" ,
242- Name : anyuidClusterRole ,
243- },
244- Subjects : []rbacv1.Subject {
245- {
246- Kind : "User" ,
247- Name : oc .Username (),
248- APIGroup : "rbac.authorization.k8s.io" ,
249- },
250- },
251- },
252- metav1.CreateOptions {},
253- )
254- o .Expect (err ).NotTo (o .HaveOccurred ())
255-
233+ bindUserRoleToSCC (ctx , oc , anyuidClusterRole )
256234 // Create a role binding for the service account
257235 g .By ("Creating a role binding for the service account" )
258236 _ , err = oc .AdminKubeClient ().RbacV1 ().RoleBindings (oc .Namespace ()).Create (
@@ -330,4 +308,75 @@ var _ = g.Describe("[sig-auth][Feature:PodSecurity][Feature:SCC]", func() {
330308 o .Expect (saCreatedPod .Annotations [securityv1 .ValidatedSCCAnnotation ]).To (o .Equal ("anyuid" ), "Pod should be validated against anyuid SCC" )
331309 o .Expect (saCreatedPod .Annotations [securityv1 .ValidatedSCCSubjectTypeAnnotation ]).To (o .Equal ("serviceaccount" ), "Subject type annotation should be set to 'serviceaccount'" )
332310 })
311+ g .It ("SCC hostmount-anyuid-v2 allows use of spc_t SELinux label" , func () {
312+ ctx := context .Background ()
313+
314+ // Use the existing ClusterRole that grants access to the anyuid SCC
315+ hostmountAnyuidV2ClusterRole := "system:openshift:scc:hostmount-anyuid-v2"
316+
317+ bindUserRoleToSCC (ctx , oc , hostmountAnyuidV2ClusterRole )
318+
319+ // Create a pod with the regular user - should match anyuid SCC
320+ g .By ("Creating a pod as a regular user" )
321+ userPod := & corev1.Pod {
322+ ObjectMeta : metav1.ObjectMeta {
323+ GenerateName : "user-pod-" ,
324+ },
325+ Spec : corev1.PodSpec {
326+ Containers : []corev1.Container {
327+ {
328+ Name : "test-container" ,
329+ Image : image .ShellImage (),
330+ Command : []string {"sleep" },
331+ Args : []string {"5m" },
332+ SecurityContext : & corev1.SecurityContext {
333+ SELinuxOptions : & corev1.SELinuxOptions {
334+ Type : "spc_t" ,
335+ },
336+ },
337+ },
338+ },
339+ },
340+ }
341+ userCreatedPod , err := oc .KubeClient ().CoreV1 ().Pods (oc .Namespace ()).Create (ctx , userPod , metav1.CreateOptions {})
342+ o .Expect (err ).NotTo (o .HaveOccurred ())
343+
344+ g .By ("Waiting for pod to be come ready" )
345+ o .Expect (e2epod .WaitTimeoutForPodReadyInNamespace (ctx , oc .KubeClient (), userCreatedPod .Name , userCreatedPod .Namespace , framework .PodStartTimeout )).NotTo (o .HaveOccurred ())
346+
347+ output , err := exutil .ExecInPodWithResult (oc .KubeClient ().CoreV1 (), oc .AdminConfig (), userCreatedPod .Namespace , userCreatedPod .Name , "test-container" , []string {"/bin/ps" , "-eZf" })
348+ g .By (output )
349+ o .Expect (output ).To (o .ContainSubstring ("spc_t" ))
350+
351+ g .By ("Verifying annotations on user-created pod" )
352+ o .Expect (userCreatedPod .Annotations [securityv1 .ValidatedSCCAnnotation ]).To (o .Equal ("hostmount-anyuid-v2" ), "Pod should be validated against anyuid SCC" )
353+ })
333354})
355+
356+ func bindUserRoleToSCC (ctx context.Context , oc * exutil.CLI , scc string ) {
357+ // Create a role binding for the regular user
358+ g .By ("Creating a role binding for the regular user" )
359+ _ , err := oc .AdminKubeClient ().RbacV1 ().RoleBindings (oc .Namespace ()).Create (
360+ ctx ,
361+ & rbacv1.RoleBinding {
362+ ObjectMeta : metav1.ObjectMeta {
363+ GenerateName : "user-anyuid-" ,
364+ Namespace : oc .Namespace (),
365+ },
366+ RoleRef : rbacv1.RoleRef {
367+ APIGroup : "rbac.authorization.k8s.io" ,
368+ Kind : "ClusterRole" ,
369+ Name : scc ,
370+ },
371+ Subjects : []rbacv1.Subject {
372+ {
373+ Kind : "User" ,
374+ Name : oc .Username (),
375+ APIGroup : "rbac.authorization.k8s.io" ,
376+ },
377+ },
378+ },
379+ metav1.CreateOptions {},
380+ )
381+ o .Expect (err ).NotTo (o .HaveOccurred ())
382+ }
0 commit comments