diff --git a/config/core/configmaps/features.yaml b/config/core/configmaps/features.yaml
index f4c42983a1e8..7dcf64f361ed 100644
--- a/config/core/configmaps/features.yaml
+++ b/config/core/configmaps/features.yaml
@@ -22,7 +22,7 @@ metadata:
 app.kubernetes.io/component: controller
 app.kubernetes.io/version: devel
 annotations:
- knative.dev/example-checksum: "f2fc138e"
+ knative.dev/example-checksum: "3c7d91f6"
 data:
 _example: |-
 ################################
@@ -40,12 +40,11 @@ data:
 # this example block and unindented to be in the data block
 # to actually change the configuration.

- # Default SecurityContext settings to secure-by-default values
- # if unset.
+ # Indicates whether secure-pod-defaults support is enabled
 #
- # This value will default to "enabled" in a future release,
- # probably Knative 1.10
- secure-pod-defaults: "disabled"
+ # WARNING: Cannot safely be disabled once enabled.
+ # See: https://knative.dev/docs/serving/feature-flags/#secure-pod-defaults
+ secure-pod-defaults: "enabled"

 # Indicates whether multi container support is enabled
 #
diff --git a/pkg/apis/config/features.go b/pkg/apis/config/features.go
index 4e9d0aefde6c..46ada90a69c9 100644
--- a/pkg/apis/config/features.go
+++ b/pkg/apis/config/features.go
@@ -72,7 +72,7 @@ func defaultFeaturesConfig() *Features {
 PodSpecInitContainers: Disabled,
 PodSpecDNSPolicy: Disabled,
 PodSpecDNSConfig: Disabled,
- SecurePodDefaults: Disabled,
+ SecurePodDefaults: Enabled,
 TagHeaderBasedRouting: Disabled,
 AutoDetectHTTP2: Disabled,
 }
diff --git a/pkg/apis/serving/fieldmask_test.go b/pkg/apis/serving/fieldmask_test.go
index bb13c8e739a1..ac709a3351f0 100644
--- a/pkg/apis/serving/fieldmask_test.go
+++ b/pkg/apis/serving/fieldmask_test.go
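Review bot: The rewritten comment on `secure-pod-defaults` in the second features.yaml hunk no longer says what the flag does; the removed line "Default SecurityContext settings to secure-by-default values if unset" was the only description, and the new text just restates the flag's name. I would keep that sentence and spell out the values the defaulter applies, which the updated defaulting tests in this commit show: `# Defaults unset container SecurityContext fields to secure-by-default values` / `# (drop all capabilities, runAsNonRoot, no privilege escalation, RuntimeDefault seccomp profile).` The WARNING would serve operators better if it said why disabling is unsafe; presumably revisions defaulted while it was on keep their fields while new ones would not, but that cannot be confirmed from this diff, so take the reason from the linked page. The matching default flip in pkg/apis/config/features.go on this line needs no separate change.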
@@ -809,7 +809,11 @@ func TestPodSecurityContextMask(t *testing.T) {
 },
 }

- want := &corev1.PodSecurityContext{}
+ want := &corev1.PodSecurityContext{
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ }

 ctx := context.Background()
 got := PodSecurityContextMask(ctx, in)
diff --git a/pkg/apis/serving/k8s_validation_test.go b/pkg/apis/serving/k8s_validation_test.go
index 0f10a25c2ae3..2037212ef84e 100644
--- a/pkg/apis/serving/k8s_validation_test.go
+++ b/pkg/apis/serving/k8s_validation_test.go
@@ -1265,16 +1265,6 @@ func TestPodSpecFeatureValidation(t *testing.T) {
 Paths: []string{"runtimeClassName"},
 },
 cfgOpts: []configOption{withPodSpecRuntimeClassNameEnabled()},
- }, {
- name: "PodSpecSecurityContext",
- featureSpec: corev1.PodSpec{
- SecurityContext: &corev1.PodSecurityContext{},
- },
- err: &apis.FieldError{
- Message: "must not set the field(s)",
- Paths: []string{"securityContext"},
- },
- cfgOpts: []configOption{withPodSpecSecurityContextEnabled()},
 }, {
 name: "PriorityClassName",
 featureSpec: corev1.PodSpec{
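Review bot: The new `want` in TestPodSecurityContextMask now depends on `SecurePodDefaults` being enabled, yet the test still builds `ctx := context.Background()` with no feature config, so it passes only because this commit flips the package default; a later change to that default would break the test for a reason unrelated to the mask. Make the dependency explicit, e.g. `ctx := config.ToContext(context.Background(), &config.Config{Features: &config.Features{SecurePodDefaults: config.Enabled}})`, adding the pkg/apis/config import if fieldmask_test.go lacks it. TestPodSecurityContextMask starts before this hunk, so I cannot see whether the mask reads the flag from the context or from a package global; if it is a global, the point stands but the fix is whatever override helper the package uses. The removed PodSpecSecurityContext case in the k8s_validation_test.go hunk on this line is pure deletion and needs nothing here.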
@@ -3015,3 +3005,68 @@ func TestPodSpecSecurityContextValidation(t *testing.T) {
 })
 }
 }
+
+func TestSecurityContextSecurePodDefaultsFeatureValidation(t *testing.T) {
+ tests := []struct {
+ name string
+ sc *corev1.PodSecurityContext
+ err *apis.FieldError
+ errLevel apis.DiagnosticLevel
+ cfgOpts *config.Config
+ }{{
+ name: "SecurePodDefaults off, PodSpecSecurityContext off",
+ sc: &corev1.PodSecurityContext{},
+ cfgOpts: &config.Config{
+ Features: &config.Features{
+ SecurePodDefaults: config.Disabled,
+ PodSpecSecurityContext: config.Disabled,
+ },
+ },
+ }, {
+ name: "SecurePodDefaults off, PodSpecSecurityContext on",
+ sc: &corev1.PodSecurityContext{
+ RunAsNonRoot: ptr.Bool(false),
+ },
+ cfgOpts: &config.Config{
+ Features: &config.Features{
+ SecurePodDefaults: config.Disabled,
+ PodSpecSecurityContext: config.Enabled,
+ },
+ },
+ }, {
+ name: "SecurePodDefaults on, PodSpecSecurityContext off",
+ sc: &corev1.PodSecurityContext{
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
+ cfgOpts: &config.Config{
+ Features: &config.Features{
+ SecurePodDefaults: config.Enabled,
+ PodSpecSecurityContext: config.Disabled,
+ },
+ },
+ }, {
+ name: "SecurePodDefaults on, PodSpecSecurityContext on",
+ sc: &corev1.PodSecurityContext{},
+ cfgOpts: &config.Config{
+ Features: &config.Features{
+ SecurePodDefaults: config.Enabled,
+ PodSpecSecurityContext: config.Enabled,
+ },
+ },
+ }}
+
+ for _, test := range tests {
+ ctx := config.ToContext(context.Background(), test.cfgOpts)
+
+ t.Run(test.name, func(t *testing.T) {
+ got := ValidatePodSecurityContext(ctx, test.sc)
+ got.Filter(test.errLevel)
+ if diff := cmp.Diff(test.err.Error(), got.Error()); diff != "" {
+ t.Errorf("ValidatePodSecurityContext(-want, +got): \n%s", diff)
+ }
+ })
+ }
+
+}
diff --git a/pkg/apis/serving/v1/configuration_defaults_test.go b/pkg/apis/serving/v1/configuration_defaults_test.go
index ae6e8d9058e3..4fb897833d2d 100644
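Review bot: `got.Filter(test.errLevel)` in the new TestSecurityContextSecurePodDefaultsFeatureValidation discards its result; if `apis.FieldError.Filter` returns the filtered error rather than mutating the receiver, as I believe it does, the level filter never takes effect and the line should be `got = got.Filter(test.errLevel)`. Separately, none of the four cases sets `err` or `errLevel`, so the table only proves that each flag combination validates cleanly and never covers the rejection path that the PodSpecSecurityContext case removed from TestPodSpecFeatureValidation used to exercise; add at least one case with `SecurePodDefaults` on and `PodSpecSecurityContext` off that sets a field other than the RuntimeDefault seccomp profile and expects the "must not set the field(s)" error on `securityContext`, taking the exact message from ValidatePodSecurityContext. Two smaller points of style: `cfgOpts` holds a `*config.Config`, not options, so `cfg` reads better, and the blank line before the closing brace of the function is noise.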
--- a/pkg/apis/serving/v1/configuration_defaults_test.go
+++ b/pkg/apis/serving/v1/configuration_defaults_test.go
@@ -76,6 +76,16 @@ func TestConfigurationDefaulting(t *testing.T) {
 Image: "busybox",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 TimeoutSeconds: ptr.Int64(config.DefaultRevisionTimeoutSeconds),
@@ -111,6 +121,16 @@ func TestConfigurationDefaulting(t *testing.T) {
 Image: "busybox",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 TimeoutSeconds: ptr.Int64(config.DefaultRevisionTimeoutSeconds),
@@ -148,6 +168,16 @@ func TestConfigurationDefaulting(t *testing.T) {
 Image: "busybox",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 TimeoutSeconds: ptr.Int64(60),
diff --git a/pkg/apis/serving/v1/revision_defaults_test.go b/pkg/apis/serving/v1/revision_defaults_test.go
index 0fe5e65079b7..1e20de0cd6a1 100644
--- a/pkg/apis/serving/v1/revision_defaults_test.go
+++ b/pkg/apis/serving/v1/revision_defaults_test.go
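Review bot: The same ten-line `SecurityContext` literal is pasted into every expected container in the three TestConfigurationDefaulting hunks, and again dozens of times across the revision_defaults_test.go and service_defaults_test.go hunks later in this diff; these tests already share `defaultResources` and `defaultProbe`, and the secure defaults deserve the same treatment so that a change to the defaulter is a one-line edit rather than a sweep. All three files live under pkg/apis/serving/v1, so one package-level helper in the test package should serve them all, as a function rather than a shared pointer so no case can mutate another's expectation. TestConfigurationDefaulting starts and ends outside these hunks.
```go
// defaultSecurityContext returns the container SecurityContext the
// defaulter applies when secure-pod-defaults is enabled; each call
// builds a fresh value so test cases never share mutable state.
func defaultSecurityContext() *corev1.SecurityContext {
	return &corev1.SecurityContext{
		Capabilities: &corev1.Capabilities{
			Drop: []corev1.Capability{"ALL"},
		},
		RunAsNonRoot:             ptr.Bool(true),
		AllowPrivilegeEscalation: ptr.Bool(false),
		SeccompProfile: &corev1.SeccompProfile{
			Type: corev1.SeccompProfileTypeRuntimeDefault,
		},
	}
}

// … unchanged: each expected container then carries …
SecurityContext: defaultSecurityContext(),
```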
@@ -91,6 +91,16 @@ func TestRevisionDefaulting(t *testing.T) {
 Name: config.DefaultUserContainerName,
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 },
@@ -123,6 +133,16 @@ func TestRevisionDefaulting(t *testing.T) {
 Name: config.DefaultUserContainerName,
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 },
@@ -158,6 +178,16 @@ func TestRevisionDefaulting(t *testing.T) {
 Name: config.DefaultUserContainerName,
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 EnableServiceLinks: ptr.Bool(true),
 },
@@ -189,6 +219,16 @@ func TestRevisionDefaulting(t *testing.T) {
 Name: config.DefaultUserContainerName,
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 EnableServiceLinks: ptr.Bool(true),
 },
@@ -220,6 +260,16 @@ func TestRevisionDefaulting(t *testing.T) {
 Name: config.DefaultUserContainerName,
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 EnableServiceLinks: ptr.Bool(false),
 },
@@ -254,6 +304,16 @@ func TestRevisionDefaulting(t *testing.T) {
 Name: config.DefaultUserContainerName,
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 EnableServiceLinks: ptr.Bool(false),
 },
@@ -289,6 +349,16 @@ func TestRevisionDefaulting(t *testing.T) {
 }},
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 ContainerConcurrency: ptr.Int64(1),
@@ -322,6 +392,16 @@ func TestRevisionDefaulting(t *testing.T) {
 Name: config.DefaultUserContainerName,
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 },
@@ -362,6 +442,16 @@ func TestRevisionDefaulting(t *testing.T) {
 },
 },
 },
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 },
@@ -399,6 +489,16 @@ func TestRevisionDefaulting(t *testing.T) {
 },
 },
 },
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 },
@@ -430,6 +530,16 @@ func TestRevisionDefaulting(t *testing.T) {
 SuccessThreshold: 1,
 TimeoutSeconds: 1, // Added as k8s default
 },
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 Resources: defaultResources,
 }},
 },
@@ -452,6 +562,16 @@ func TestRevisionDefaulting(t *testing.T) {
 Name: config.DefaultUserContainerName,
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 },
@@ -503,6 +623,16 @@ func TestRevisionDefaulting(t *testing.T) {
 },
 },
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 },
@@ -532,12 +662,32 @@ func TestRevisionDefaulting(t *testing.T) {
 Name: "busybox",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 Ports: []corev1.ContainerPort{{
 ContainerPort: 8888,
 }},
 }, {
 Name: "helloworld",
 Resources: defaultResources,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 },
@@ -578,31 +728,111 @@ func TestRevisionDefaulting(t *testing.T) {
 Containers: []corev1.Container{{
 Name: "user-container-1",
 Resources: defaultResources,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }, {
 Name: "user-container-0",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 Ports: []corev1.ContainerPort{{
 ContainerPort: 8888,
 }},
 }, {
 Name: "user-container-3",
 Resources: defaultResources,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }, {
 Name: "user-container-2",
 Resources: defaultResources,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }, {
 Name: "user-container-5",
 Resources: defaultResources,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }, {
 Name: "user-container-6",
 Resources: defaultResources,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }, {
 Name: "user-container-7",
 Resources: defaultResources,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }, {
 Name: "user-container-4",
 Resources: defaultResources,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 },
@@ -661,17 +891,57 @@ func TestRevisionDefaulting(t *testing.T) {
 Name: "busybox",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 Ports: []corev1.ContainerPort{{
 ContainerPort: 8888,
 }},
 }, {
 Name: "helloworld",
 Resources: defaultResources,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 InitContainers: []corev1.Container{{
 Name: "init1",
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }, {
 Name: "init2",
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 },
@@ -710,21 +980,81 @@ func TestRevisionDefaulting(t *testing.T) {
 Name: "busybox",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 Ports: []corev1.ContainerPort{{
 ContainerPort: 8888,
 }},
 }, {
 Name: "helloworld",
 Resources: defaultResources,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 InitContainers: []corev1.Container{{
 Name: "init1",
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }, {
 Name: "init2",
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }, {
 Name: "init-container-0",
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }, {
 Name: "init-container-1",
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 },
@@ -763,21 +1093,81 @@ func TestRevisionDefaulting(t *testing.T) {
 Name: "user-container-0",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 Ports: []corev1.ContainerPort{{
 ContainerPort: 8888,
 }},
 }, {
 Name: "user-container-1",
 Resources: defaultResources,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 InitContainers: []corev1.Container{{
 Name: "init1",
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }, {
 Name: "init2",
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }, {
 Name: "init-container-0",
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }, {
 Name: "init-container-1",
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 },
@@ -816,21 +1206,81 @@ func TestRevisionDefaulting(t *testing.T) {
 Name: "init-container-0",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 Ports: []corev1.ContainerPort{{
 ContainerPort: 8888,
 }},
 }, {
 Name: "init-container-1",
 Resources: defaultResources,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 InitContainers: []corev1.Container{{
 Name: "init1",
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }, {
 Name: "init2",
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }, {
 Name: "init-container-2",
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }, {
 Name: "init-container-3",
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 },
diff --git a/pkg/apis/serving/v1/service_defaults_test.go b/pkg/apis/serving/v1/service_defaults_test.go
index 01547042ac79..d53281ac081f 100644
--- a/pkg/apis/serving/v1/service_defaults_test.go
+++ b/pkg/apis/serving/v1/service_defaults_test.go
@@ -87,6 +87,16 @@ func TestServiceDefaulting(t *testing.T) {
 Image: "busybox",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 TimeoutSeconds: ptr.Int64(config.DefaultRevisionTimeoutSeconds),
@@ -130,6 +140,17 @@ func TestServiceDefaulting(t *testing.T) {
 Image: "busybox",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ LocalhostProfile: nil,
+ },
+ },
 }},
 },
 TimeoutSeconds: ptr.Int64(config.DefaultRevisionTimeoutSeconds),
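Review bot: The second TestServiceDefaulting hunk sets `LocalhostProfile: nil,` inside the expected SeccompProfile, which is the field's zero value and makes this one expectation differ from the identical literal used everywhere else in this diff; drop the line so a reader does not stop to ask what is special about this case. If the repeated literal is later hoisted into a shared test helper, the discrepancy would otherwise have to be reconciled by hand. TestServiceDefaulting continues outside the hunk.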
@@ -176,6 +197,16 @@ func TestServiceDefaulting(t *testing.T) {
 Image: "busybox",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 EnableServiceLinks: ptr.Bool(true),
 },
@@ -233,6 +264,16 @@ func TestServiceDefaulting(t *testing.T) {
 Image: "busybox",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 TimeoutSeconds: ptr.Int64(config.DefaultRevisionTimeoutSeconds),
diff --git a/pkg/reconciler/revision/table_test.go b/pkg/reconciler/revision/table_test.go
index 498f779f554b..992ba5dbc9bb 100644
--- a/pkg/reconciler/revision/table_test.go
+++ b/pkg/reconciler/revision/table_test.go
@@ -679,7 +679,10 @@ func TestReconcile(t *testing.T) {
 withDefaultContainerStatuses(), withInitContainerStatuses(), WithRevisionObservedGeneration(1)),
 }},
 Key: "foo/first-reconcile",
- Ctx: defaultconfig.ToContext(context.Background(), &defaultconfig.Config{Features: &defaultconfig.Features{PodSpecInitContainers: defaultconfig.Enabled}}),
+ Ctx: defaultconfig.ToContext(context.Background(), &defaultconfig.Config{Features: &defaultconfig.Features{
+ PodSpecInitContainers: defaultconfig.Enabled,
+ SecurePodDefaults: defaultconfig.Enabled,
+ }}),
 }, {
 Name: "first revision reconciliation with PVC, PVC enabled",
 // Test the simplest successful reconciliation flow.
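Review bot: The `SecurePodDefaults: defaultconfig.Enabled` added to the first-reconcile Ctx in TestReconcile is needed because a `Features` literal leaves every field it does not name at its zero value, so the new package default in defaultFeaturesConfig never reaches these cases; that is worth a comment where the literal is built, e.g. `// Features literals do not pick up defaultFeaturesConfig; restate every flag this case relies on.` The same applies to the second TestReconcile hunk that follows it. Any other case in this table that builds a Features literal without the flag would still run with it unset, which the seven-line window here cannot show; worth a grep before merging. TestReconcile starts outside the hunk.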
@@ -703,6 +706,7 @@ func TestReconcile(t *testing.T) {
 Ctx: defaultconfig.ToContext(context.Background(), &defaultconfig.Config{Features: &defaultconfig.Features{
 PodSpecPersistentVolumeClaim: defaultconfig.Enabled,
 PodSpecPersistentVolumeWrite: defaultconfig.Enabled,
+ SecurePodDefaults: defaultconfig.Enabled,
 }}),
 }}

diff --git a/test/e2e-common.sh b/test/e2e-common.sh
index e65224de4baa..8ba892dde59f 100644
--- a/test/e2e-common.sh
+++ b/test/e2e-common.sh
@@ -29,6 +29,7 @@ export GATEWAY_API_VERSION=${GATEWAY_API_VERSION:-""}
 export CERTIFICATE_CLASS=${CERTIFICATE_CLASS:-""}
 # Only build linux/amd64 bit images
 export KO_FLAGS="${KO_FLAGS:---platform=linux/amd64}"
+export ENABLE_GKE_TELEMETRY=true
 export RUN_HTTP01_AUTO_TLS_TESTS=${RUN_HTTP01_AUTO_TLS_TESTS:-0}
 export HTTPS=${HTTPS:-0}

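Review bot: `export ENABLE_GKE_TELEMETRY=true` in the test/e2e-common.sh hunk is the only export in its neighbourhood that cannot be overridden from the caller's environment, while every surrounding line uses the `${VAR:-default}` form; write it as `export ENABLE_GKE_TELEMETRY=${ENABLE_GKE_TELEMETRY:-true}` to match. It also has nothing to do with the secure-pod-defaults change the rest of this commit makes and nothing says which test-infra consumer reads it, so either add a one-line comment naming that consumer or move the line to its own commit. Switching telemetry on unconditionally in a shared CI script is the kind of setting that should be findable and explainable later.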