Merge pull request #3342 from aledbf/allowPrivilegeEscalation

Allow privilege escalation
kubernetes · Jan 3, 2019 · 2911875 · 2911875
2 parents 71cc6df + 09e2466
commit 2911875
Show file tree

Hide file tree

Showing 5 changed files with 172 additions and 2 deletions.
diff --git a/build/e2e-tests.sh b/build/e2e-tests.sh
@@ -43,14 +43,27 @@ SCRIPT_ROOT=$(dirname ${BASH_SOURCE})/..
 
 ginkgo build ./test/e2e
 
-exec --                                      \
+echo "Running e2e test suite..."
 ginkgo                                       \
     -randomizeSuites                         \
     -randomizeAllSpecs                       \
     -flakeAttempts=2                         \
-    --focus=${FOCUS}                         \
+    -focus=${FOCUS}                          \
+    -skip="\[Serial\]"                       \
     -p                                       \
     -trace                                   \
     -nodes=${E2E_NODES}                      \
     -slowSpecThreshold=${SLOW_E2E_THRESHOLD} \
     test/e2e/e2e.test
+
+echo "Running e2e test suite with tests that require serial execution..."
+ginkgo                                       \
+    -randomizeSuites                         \
+    -randomizeAllSpecs                       \
+    -flakeAttempts=2                         \
+    -focus="\[Serial\]"                      \
+    -p                                       \
+    -trace                                   \
+    -nodes=1                                 \
+    -slowSpecThreshold=${SLOW_E2E_THRESHOLD} \
+    test/e2e/e2e.test
diff --git a/deploy/mandatory.yaml b/deploy/mandatory.yaml
@@ -220,6 +220,7 @@ spec:
             - --publish-service=$(POD_NAMESPACE)/ingress-nginx
             - --annotations-prefix=nginx.ingress.kubernetes.io
           securityContext:
+            allowPrivilegeEscalation: true
             capabilities:
               drop:
                 - ALL

diff --git a/deploy/with-rbac.yaml b/deploy/with-rbac.yaml
@@ -33,6 +33,7 @@ spec:
             - --publish-service=$(POD_NAMESPACE)/ingress-nginx
             - --annotations-prefix=nginx.ingress.kubernetes.io
           securityContext:
+             allowPrivilegeEscalation: true
             capabilities:
               drop:
                 - ALL

diff --git a/test/e2e/settings/pod_security_policy.go b/test/e2e/settings/pod_security_policy.go
@@ -0,0 +1,154 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package settings
+
+import (
+	"net/http"
+	"strings"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/parnurzeal/gorequest"
+
+	appsv1beta1 "k8s.io/api/apps/v1beta1"
+	corev1 "k8s.io/api/core/v1"
+	extensions "k8s.io/api/extensions/v1beta1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+const (
+	ingressControllerPSP = "ingress-controller-psp"
+)
+
+var _ = framework.IngressNginxDescribe("[Serial] Pod Security Policies", func() {
+	f := framework.NewDefaultFramework("pod-security-policies")
+
+	BeforeEach(func() {
+		psp := createPodSecurityPolicy()
+		_, err := f.KubeClientSet.Extensions().PodSecurityPolicies().Create(psp)
+		if !k8sErrors.IsAlreadyExists(err) {
+			Expect(err).NotTo(HaveOccurred(), "creating Pod Security Policy")
+		}
+
+		role, err := f.KubeClientSet.RbacV1().ClusterRoles().Get("nginx-ingress-clusterrole", metav1.GetOptions{})
+		Expect(err).NotTo(HaveOccurred(), "getting ingress controller cluster role")
+		Expect(role).NotTo(BeNil())
+
+		role.Rules = append(role.Rules, rbacv1.PolicyRule{
+			APIGroups:     []string{"policy"},
+			Resources:     []string{"podsecuritypolicies"},
+			ResourceNames: []string{ingressControllerPSP},
+			Verbs:         []string{"use"},
+		})
+
+		_, err = f.KubeClientSet.RbacV1().ClusterRoles().Update(role)
+		Expect(err).NotTo(HaveOccurred(), "updating ingress controller cluster role to use a pod security policy")
+
+		// update the deployment just to trigger a rolling update and the use of the security policy
+		err = framework.UpdateDeployment(f.KubeClientSet, f.IngressController.Namespace, "nginx-ingress-controller", 1,
+			func(deployment *appsv1beta1.Deployment) error {
+				args := deployment.Spec.Template.Spec.Containers[0].Args
+				args = append(args, "--v=2")
+				deployment.Spec.Template.Spec.Containers[0].Args = args
+				_, err := f.KubeClientSet.AppsV1beta1().Deployments(f.IngressController.Namespace).Update(deployment)
+
+				return err
+			})
+		Expect(err).NotTo(HaveOccurred())
+
+		f.NewEchoDeployment()
+	})
+
+	AfterEach(func() {
+		role, err := f.KubeClientSet.RbacV1().ClusterRoles().Get("nginx-ingress-clusterrole", metav1.GetOptions{})
+		Expect(err).NotTo(HaveOccurred(), "getting ingress controller cluster role")
+		Expect(role).NotTo(BeNil())
+
+		index := -1
+		for idx, rule := range role.Rules {
+			found := false
+			for _, rn := range rule.ResourceNames {
+				if rn == ingressControllerPSP {
+					found = true
+					break
+				}
+			}
+			if found {
+				index = idx
+			}
+		}
+
+		role.Rules = append(role.Rules[:index], role.Rules[index+1:]...)
+		_, err = f.KubeClientSet.RbacV1().ClusterRoles().Update(role)
+		Expect(err).NotTo(HaveOccurred(), "updating ingress controller cluster role to not use a pod security policy")
+	})
+
+	It("should be running with a Pod Security Policy", func() {
+		f.WaitForNginxConfiguration(
+			func(cfg string) bool {
+				return strings.Contains(cfg, "server_tokens on")
+			})
+
+		resp, _, _ := gorequest.New().
+			Get(f.IngressController.HTTPURL).
+			Set("Host", "foo.bar.com").
+			End()
+		Expect(resp.StatusCode).Should(Equal(http.StatusNotFound))
+	})
+})
+
+func createPodSecurityPolicy() *extensions.PodSecurityPolicy {
+	trueValue := true
+	return &extensions.PodSecurityPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: ingressControllerPSP,
+		},
+		Spec: extensions.PodSecurityPolicySpec{
+			AllowPrivilegeEscalation: &trueValue,
+			RequiredDropCapabilities: []corev1.Capability{"All"},
+			RunAsUser: extensions.RunAsUserStrategyOptions{
+				Rule: "RunAsAny",
+			},
+			SELinux: extensions.SELinuxStrategyOptions{
+				Rule: "RunAsAny",
+			},
+			FSGroup: extensions.FSGroupStrategyOptions{
+				Ranges: []extensions.IDRange{
+					{
+						Min: 1,
+						Max: 65535,
+					},
+				},
+				Rule: "MustRunAs",
+			},
+			SupplementalGroups: extensions.SupplementalGroupsStrategyOptions{
+				Ranges: []extensions.IDRange{
+					{
+						Min: 1,
+						Max: 65535,
+					},
+				},
+				Rule: "MustRunAs",
+			},
+		},
+	}
+
+}
diff --git a/test/manifests/ingress-controller/mandatory.yaml b/test/manifests/ingress-controller/mandatory.yaml
@@ -215,6 +215,7 @@ spec:
             - --annotations-prefix=nginx.ingress.kubernetes.io
             - --watch-namespace=${NAMESPACE}
           securityContext:
+            allowPrivilegeEscalation: true
             capabilities:
               drop:
                 - ALL