tests: k8s-policy-rc: add unexpected UID test
Change pod runAsUser value of a Replication Controller after generating the RC's policy, and verify that the RC pods get rejected due to this change. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
parent
6773f14667
commit
5777869cf4
@ -61,17 +61,18 @@ test_rc_policy() {
|
||||
--output=jsonpath='{.spec.replicas}')
|
||||
[ "${number_of_replicas}" -gt 0 ]
|
||||
|
||||
# The replicas pods can be in running, waiting, succeeded or failed
|
||||
# status. We need them all on running state before proceeding.
|
||||
cmd="kubectl describe rc ${replication_name}"
|
||||
cmd+=" | grep \"Pods Status\" | grep \"${number_of_replicas} Running\""
|
||||
info "Waiting for: ${cmd}"
|
||||
waitForProcess "$wait_time" "$sleep_time" "$cmd"
|
||||
# Wait for all the expected pods to be created.
|
||||
local count=0
|
||||
local launched_pods=()
|
||||
while [ $count -lt 6 ] && [ "${#launched_pods[@]}" -ne "${number_of_replicas}" ]; do
|
||||
count=$((count + 1))
|
||||
sleep 10
|
||||
launched_pods=($(kubectl get pods "--selector=app=${app_name}" \
|
||||
--output=jsonpath={.items..metadata.name}))
|
||||
done
|
||||
|
||||
# Check that the number of pods created for the replication controller
|
||||
# is equal to the number of replicas that we defined.
|
||||
launched_pods=($(kubectl get pods "--selector=app=${app_name}" \
|
||||
--output=jsonpath={.items..metadata.name}))
|
||||
[ "${#launched_pods[@]}" -eq "${number_of_replicas}" ]
|
||||
|
||||
# Check pod creation
|
||||
@ -110,13 +111,13 @@ test_rc_policy() {
|
||||
|
||||
@test "Policy failure: unexpected host device mapping" {
|
||||
# Changing the template spec after generating its policy will cause CreateContainer to be denied.
|
||||
yq -i \
|
||||
'.spec.template.spec.containers[0].volumeMounts += [{"mountPath": "/dev/ttyS0", "name": "dev-ttys0"}]' \
|
||||
"${incorrect_yaml}"
|
||||
yq -i \
|
||||
'.spec.template.spec.containers[0].volumeMounts += [{"mountPath": "/dev/ttyS0", "name": "dev-ttys0"}]' \
|
||||
"${incorrect_yaml}"
|
||||
|
||||
yq -i \
|
||||
'.spec.template.spec.volumes += [{"name": "dev-ttys0", "hostPath": {"path": "/dev/ttyS0"}}]' \
|
||||
"${incorrect_yaml}"
|
||||
yq -i \
|
||||
'.spec.template.spec.volumes += [{"name": "dev-ttys0", "hostPath": {"path": "/dev/ttyS0"}}]' \
|
||||
"${incorrect_yaml}"
|
||||
|
||||
test_rc_policy true
|
||||
}
|
||||
@ -139,6 +140,15 @@ test_rc_policy() {
|
||||
test_rc_policy true
|
||||
}
|
||||
|
||||
@test "Policy failure: unexpected UID = 1000" {
|
||||
# Changing the template spec after generating its policy will cause CreateContainer to be denied.
|
||||
yq -i \
|
||||
'.spec.template.spec.securityContext.runAsUser = 1000' \
|
||||
"${incorrect_yaml}"
|
||||
|
||||
test_rc_policy true
|
||||
}
|
||||
|
||||
teardown() {
|
||||
auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
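Review bot: The new `Policy failure: unexpected UID = 1000` test changes only the pod-level `.spec.template.spec.securityContext.runAsUser`, so a UID set at container level, which Kubernetes lets override the pod-level value, is not exercised by this change. A companion test that applies `yq -i '.spec.template.spec.containers[0].securityContext.runAsUser = 1000' "${incorrect_yaml}"` before `test_rc_policy true` would cover that path. The only assertion visible in the test is `test_rc_policy true`, and most of that function's body lies outside these hunks. It is worth confirming that it checks that CreateContainer was denied by the policy, rather than passing on any pod start failure such as an image pull error or a timeout.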
|
||||
|
||||
|
@ -17,6 +17,8 @@ spec:
|
||||
labels:
|
||||
app: policy-nginx-rc
|
||||
spec:
|
||||
securityContext:
|
||||
runAsUser: 123
|
||||
terminationGracePeriodSeconds: 0
|
||||
runtimeClassName: kata
|
||||
containers:
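Review bot: The added `securityContext` / `runAsUser: 123` lines carry no comment saying that 123 is the baseline UID the policy is generated from and that the `unexpected UID = 1000` test later overrides it. Without that, a later edit could set this manifest's UID to 1000 and silently turn the negative test into a no-op, since the mutated YAML would then match the generated policy. Suggest adding `# Baseline UID for the generated policy; the "unexpected UID" test changes it to 1000.` above `runAsUser: 123`. The pod `spec:` block continues outside this hunk.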
|
||||
|