tests: Mimic node debugger with full privileges
This commit addresses an issue with handling loop devices via a node debugger due to restricted privileges. It runs a pod with full privileges, allowing it to mount the host root to `/host`, similar to the node debugger. This change enables us to run tests for trusted image storage using the `qemu-coco-dev` runtime class. Fixes: #10133 Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
parent
77c844da12
commit
aedf14b244
@ -0,0 +1,37 @@
|
||||
#
|
||||
# Copyright (c) IBM Corp. 2024
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: custom-node-debugger
|
||||
spec:
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: kubernetes.io/hostname
|
||||
operator: In
|
||||
values:
|
||||
- ${NODE_NAME}
|
||||
containers:
|
||||
- name: node-debugger-container
|
||||
image: quay.io/bedrock/ubuntu:latest
|
||||
command: ["/bin/sh", "-c", "sleep infinity"]
|
||||
stdin: true
|
||||
tty: true
|
||||
securityContext:
|
||||
privileged: true
|
||||
runAsUser: 0
|
||||
allowPrivilegeEscalation: true
|
||||
volumeMounts:
|
||||
- name: host-root
|
||||
mountPath: /host
|
||||
volumes:
|
||||
- name: host-root
|
||||
hostPath:
|
||||
path: /
|
||||
type: Directory
|
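Review bot: The container image at `image: quay.io/bedrock/ubuntu:latest` is a mutable tag, and this pod runs it with `privileged: true`, UID 0 and the node's `/` mounted read-write at `/host`, so whatever that tag resolves to at pull time gets full control of the test node. Pinning by digest, `image: quay.io/bedrock/ubuntu@sha256:<digest-placeholder>`, would make the test reproducible and close that gap. `allowPrivilegeEscalation: true` is already implied by `privileged: true` and could be dropped. A header comment such as `# Test-only: grants full host access; apply only on disposable CI clusters` would help anyone who finds the manifest out of context.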
@ -104,7 +104,7 @@ exec_host() {
|
||||
local old_debugger_pods=($(kubectl get pods -o name | grep node-debugger))
|
||||
|
||||
# Run a debug pod
|
||||
kubectl debug -q "node/${node}" --image=quay.io/bedrock/ubuntu:latest -- chroot /host bash -c "sleep infinity" >&2
|
||||
NODE_NAME="${node}" envsubst < runtimeclass_workloads/custom-node-debugger.yaml | kubectl apply -f - > /dev/null
|
||||
|
||||
# Identify the new debugger pod
|
||||
local new_debugger_pod=$(get_new_debugger_pod "${old_debugger_pods[@]}")
|
||||
|
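Review bot: The manifest applied here has a fixed `metadata.name: custom-node-debugger`, so a second `exec_host` call while a pod from an earlier call still exists would make `kubectl apply` update that pod rather than create one, and `get_new_debugger_pod` would then have no new pod to find; if the earlier pod targeted a different node the apply would presumably be rejected, since a pod's affinity cannot be changed in place. Unless the pod is reliably deleted later in the function (the body of `exec_host` continues outside the hunk), consider `generateName: custom-node-debugger-` in the manifest together with `kubectl create -f -`. Restricting the substitution with `envsubst '${NODE_NAME}'` would also keep other environment variables from being expanded if the manifest later gains more `$` text. The manifest path is relative, so this line relies on the caller's working directory.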