Add tests for rootless containers #2546
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: juliusvonkohout The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@annajung @kimwnasptd please review. |
|
From quick look, the script checks to two specific fields in pod spec and container spec. In the description you mention needing to create a list of containers that do not have runasnonroot set, that doesn't seem to be part of the current script. Is that intended? |
|
@annajung thanks for the review. It is a bit more complex. In the end we want to determine whether containers run as root or have been run as root (initcontainers) Some containers are already completed (initcontainers) some are missing a shell or the Id command to get the current user, some are missing a security context and or the runasnonroot within the securitycontext, some on the pod level and some on the container level. In the end it is a diverse set of problems for which we need solutions. There are just many ways to check rootfulness. The script provides per container heuristics and negative hypothesis tests that let you easily gauge whether a container runs or ran as root. For the moment it is useful for the development focus and creating securitycontext/runasnonroot PRs in each working group. In the long term we may fail the cicd if this script finds something potentially rootful. |
|
@annajung can we move forward with a /lgtm or do you think it should be refined? |
|
/lgtm |
Which issue is resolved by this Pull Request:
We need to list all containers that do not have runasnonroot set or run as the root user. Based on this list i can create per workinggroup patches and at some point we can just enable the test in the e2e pipeline.
Description of your changes:
Adding tests to warn and later on error on root containers in the cicd.