forked from tektoncd/pipeline
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhermetic_taskrun_test.go
133 lines (116 loc) · 4.14 KB
/
hermetic_taskrun_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
//go:build e2e
// +build e2e
/*
Copyright 2021 The Tekton Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package test
import (
"context"
"fmt"
"testing"
v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
"github.com/tektoncd/pipeline/test/parse"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// TestHermeticTaskRun make sure that the hermetic execution mode actually drops network from a TaskRun step
// it does this by first running the TaskRun normally to make sure it passes
// Then, it enables hermetic mode and makes sure the same TaskRun fails because it no longer has access to a network.
func TestHermeticTaskRun(t *testing.T) {
ctx := context.Background()
ctx, cancel := context.WithCancel(ctx)
defer cancel()
c, namespace := setup(ctx, t, requireAnyGate(map[string]string{"enable-api-fields": "alpha"}))
t.Parallel()
defer tearDown(ctx, t, c, namespace)
tests := []struct {
desc string
getTaskRun func(*testing.T, string, string, string) *v1.TaskRun
}{
{
desc: "run-as-root",
getTaskRun: taskRun,
}, {
desc: "run-as-nonroot",
getTaskRun: unpriviligedTaskRun,
},
}
for _, test := range tests {
t.Run(test.desc, func(t *testing.T) {
// first, run the task run with hermetic=false to prove that it succeeds
regularTaskRunName := "not-hermetic-" + test.desc
regularTaskRun := test.getTaskRun(t, regularTaskRunName, namespace, "")
t.Logf("Creating TaskRun %s, hermetic=false", regularTaskRunName)
if _, err := c.V1TaskRunClient.Create(ctx, regularTaskRun, metav1.CreateOptions{}); err != nil {
t.Fatalf("Failed to create TaskRun `%s`: %s", regularTaskRunName, err)
}
if err := WaitForTaskRunState(ctx, c, regularTaskRunName, Succeed(regularTaskRunName), "TaskRunCompleted", v1Version); err != nil {
t.Errorf("Error waiting for TaskRun %s to finish: %s", regularTaskRunName, err)
}
// now, run the task mode with hermetic mode
// it should fail, since it shouldn't be able to access any network
hermeticTaskRunName := "hermetic-should-fail-" + test.desc
hermeticTaskRun := test.getTaskRun(t, hermeticTaskRunName, namespace, "hermetic")
t.Logf("Creating TaskRun %s, hermetic=true", hermeticTaskRunName)
if _, err := c.V1TaskRunClient.Create(ctx, hermeticTaskRun, metav1.CreateOptions{}); err != nil {
t.Fatalf("Failed to create TaskRun `%s`: %s", regularTaskRun.Name, err)
}
if err := WaitForTaskRunState(ctx, c, hermeticTaskRunName, Failed(hermeticTaskRunName), "Failed", v1Version); err != nil {
t.Errorf("Error waiting for TaskRun %s to fail: %s", hermeticTaskRunName, err)
}
})
}
}
func taskRun(t *testing.T, name, namespace, executionMode string) *v1.TaskRun {
t.Helper()
return parse.MustParseV1TaskRun(t, fmt.Sprintf(`
metadata:
annotations:
experimental.tekton.dev/execution-mode: %s
name: %s
namespace: %s
spec:
taskSpec:
steps:
- image: gcr.io/cloud-builders/curl
name: access-network
script: |-
#!/bin/bash
set -ex
# do something that requires network access
curl google.com
timeout: 1m0s
`, executionMode, name, namespace))
}
func unpriviligedTaskRun(t *testing.T, name, namespace, executionMode string) *v1.TaskRun {
t.Helper()
return parse.MustParseV1TaskRun(t, fmt.Sprintf(`
metadata:
annotations:
experimental.tekton.dev/execution-mode: %s
name: %s
namespace: %s
spec:
taskSpec:
steps:
- image: gcr.io/cloud-builders/curl
name: curl
script: |-
#!/bin/bash
set -ex
curl google.com
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
timeout: 1m0s
`, executionMode, name, namespace))
}