From ff9f027096de3526fe96dc2cbff40ea43a4ef770 Mon Sep 17 00:00:00 2001
From: Gareth Smith <gsmith@pivotal.io>
Date: Tue, 28 Nov 2017 16:36:13 +0000
Subject: [PATCH] Drop privilages before running tests in CI

---
 pkg/framework/test/ci/pipeline.yml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/pkg/framework/test/ci/pipeline.yml b/pkg/framework/test/ci/pipeline.yml
index 6332d7272..5acdc7765 100644
--- a/pkg/framework/test/ci/pipeline.yml
+++ b/pkg/framework/test/ci/pipeline.yml
@@ -24,11 +24,16 @@ jobs:
         - |
           #!/usr/bin/env bash
           set -eux
-          export GOPATH="${PWD}/go"
-          export PATH="${PATH}:${GOPATH}/bin"
-          go get github.com/onsi/ginkgo/ginkgo
-          "${GOPATH}/src/k8s.io/kubectl/pkg/framework/test/scripts/download-binaries.sh"
-          GINKGO_PERFORMANCE=1 "${GOPATH}/src/k8s.io/kubectl/pkg/framework/test/scripts/run-tests.sh"
+          chown -R nobody:nogroup "${PWD}/go"
+
+          cat <<'EOS' | su -c bash -s /bin/bash nobody
+            set -eux
+            export GOPATH="${PWD}/go"
+            export PATH="${PATH}:/usr/local/go/bin:${GOPATH}/bin"
+            go get github.com/onsi/ginkgo/ginkgo
+            "${GOPATH}/src/k8s.io/kubectl/pkg/framework/test/scripts/download-binaries.sh"
+            GINKGO_PERFORMANCE=1 "${GOPATH}/src/k8s.io/kubectl/pkg/framework/test/scripts/run-tests.sh"
+          EOS
 - name: push-to-prod-branch
   serial: true
   plan: