tests: k8s-policy-rc: add unexpected UID test

Change pod runAsUser value of a Replication Controller after generating
the RC's policy, and verify that the RC pods get rejected due to this
change.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Dan Mihai 2024-09-13 03:06:03 +00:00
parent 6773f14667
commit 5777869cf4
2 changed files with 26 additions and 14 deletions


@ -61,17 +61,18 @@ test_rc_policy() {
--output=jsonpath='{.spec.replicas}') --output=jsonpath='{.spec.replicas}')
[ "${number_of_replicas}" -gt 0 ] [ "${number_of_replicas}" -gt 0 ]
# The replicas pods can be in running, waiting, succeeded or failed # Wait for all the expected pods to be created.
# status. We need them all on running state before proceeding. local count=0
cmd="kubectl describe rc ${replication_name}" local launched_pods=()
cmd+=" | grep \"Pods Status\" | grep \"${number_of_replicas} Running\"" while [ $count -lt 6 ] && [ "${#launched_pods[@]}" -ne "${number_of_replicas}" ]; do
info "Waiting for: ${cmd}" count=$((count + 1))
waitForProcess "$wait_time" "$sleep_time" "$cmd" sleep 10
launched_pods=($(kubectl get pods "--selector=app=${app_name}" \
--output=jsonpath={.items..metadata.name}))
done
# Check that the number of pods created for the replication controller # Check that the number of pods created for the replication controller
# is equal to the number of replicas that we defined. # is equal to the number of replicas that we defined.
launched_pods=($(kubectl get pods "--selector=app=${app_name}" \
--output=jsonpath={.items..metadata.name}))
[ "${#launched_pods[@]}" -eq "${number_of_replicas}" ] [ "${#launched_pods[@]}" -eq "${number_of_replicas}" ]
# Check pod creation # Check pod creation
@ -110,13 +111,13 @@ test_rc_policy() {
@test "Policy failure: unexpected host device mapping" { @test "Policy failure: unexpected host device mapping" {
# Changing the template spec after generating its policy will cause CreateContainer to be denied. # Changing the template spec after generating its policy will cause CreateContainer to be denied.
yq -i \ yq -i \
'.spec.template.spec.containers[0].volumeMounts += [{"mountPath": "/dev/ttyS0", "name": "dev-ttys0"}]' \ '.spec.template.spec.containers[0].volumeMounts += [{"mountPath": "/dev/ttyS0", "name": "dev-ttys0"}]' \
"${incorrect_yaml}" "${incorrect_yaml}"
yq -i \ yq -i \
'.spec.template.spec.volumes += [{"name": "dev-ttys0", "hostPath": {"path": "/dev/ttyS0"}}]' \ '.spec.template.spec.volumes += [{"name": "dev-ttys0", "hostPath": {"path": "/dev/ttyS0"}}]' \
"${incorrect_yaml}" "${incorrect_yaml}"
test_rc_policy true test_rc_policy true
} }
@ -139,6 +140,15 @@ test_rc_policy() {
test_rc_policy true test_rc_policy true
} }
@test "Policy failure: unexpected UID = 1000" {
# Changing the template spec after generating its policy will cause CreateContainer to be denied.
yq -i \
'.spec.template.spec.securityContext.runAsUser = 1000' \
"${incorrect_yaml}"
test_rc_policy true
}
teardown() { teardown() {
auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled." auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
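Review bot: The new wait loop in the first hunk only waits until `${number_of_replicas}` pod names appear, whereas the replaced `waitForProcess` check required `${number_of_replicas} Running` in the RC status, so a pod that exists but never leaves ContainerCreating now satisfies the wait and the function proceeds to the "Check pod creation" step below the hunk. If that relaxation is deliberate (presumably because in the expected-failure case the denied CreateContainer never reaches Running), the comment should say so, e.g. `# Only wait for the pods to exist; with a policy violation they never reach Running, so the per-pod checks below decide pass/fail.` The 6 × `sleep 10` budget is also hard-coded where the old code used `$wait_time`/`$sleep_time`, which may be too short on slow CI hosts. The same relaxed wait is what the new "unexpected UID = 1000" test in the third hunk relies on, so the intent is worth documenting there too.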


@ -17,6 +17,8 @@ spec:
labels: labels:
app: policy-nginx-rc app: policy-nginx-rc
spec: spec:
securityContext:
runAsUser: 123
terminationGracePeriodSeconds: 0 terminationGracePeriodSeconds: 0
runtimeClassName: kata runtimeClassName: kata
containers: containers:
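Review bot: The pod-level `securityContext.runAsUser: 123` applies to every container in the template, and the "unexpected UID = 1000" test in the companion bats file depends on the generated policy having captured exactly this value. A comment next to it would keep the two files from drifting apart silently, e.g. `# Non-root UID recorded in the generated policy; the "unexpected UID" test changes it to trigger a denial.` Whether the nginx container actually runs correctly as UID 123 is not asserted by the test as written, since it now only waits for the pods to be created.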