tests: Mimic node debugger with full privileges

This commit addresses an issue with handling loop devices
via a node debugger due to restricted privileges.
It runs a pod with full privileges, allowing it to mount
the host root to `/host`, similar to the node debugger.
This change enables us to run tests for trusted image storage
using the `qemu-coco-dev` runtime class.

Fixes: #10133

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
Hyounggyu Choi 2024-09-02 09:44:47 +02:00
parent 77c844da12
commit aedf14b244
2 changed files with 38 additions and 1 deletions


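--- /dev/null
+++ b/runtimeclass_workloads/custom-node-debugger.yaml
@@ -0,0 +1,37 @@
+#
+# Copyright (c) IBM Corp. 2024
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Pod
+metadata:
+name: custom-node-debugger
+spec:
+affinity:
+nodeAffinity:
+requiredDuringSchedulingIgnoredDuringExecution:
+nodeSelectorTerms:
+- matchExpressions:
+- key: kubernetes.io/hostname
+operator: In
+values:
+- ${NODE_NAME}
+containers:
+- name: node-debugger-container
+image: quay.io/bedrock/ubuntu:latest
+command: ["/bin/sh", "-c", "sleep infinity"]
+stdin: true
+tty: true
+securityContext:
+privileged: true
+runAsUser: 0
+allowPrivilegeEscalation: true
+volumeMounts:
+- name: host-root
+mountPath: /host
+volumes:
+- name: host-root
+hostPath:
+path: /
+type: Directory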
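Review bot: The manifest grants `privileged: true` together with a `hostPath` of `/` mounted at `/host` but carries no comment saying why that grant is needed, so a later reader may trim it; a header comment such as `# Test-only pod mirroring kubectl debug node/NAME (privileged, host root at /host) so exec_host can manage loop devices on the node` would make the intent explicit, and it should mention that the pod is applied into whatever namespace the caller's kubectl context selects, since no `namespace` is set. `image: quay.io/bedrock/ubuntu:latest` is a mutable tag, the same one the removed `kubectl debug` line used; pinning a privileged test pod by digest (`image: quay.io/bedrock/ubuntu@sha256:<DIGEST-PLACEHOLDER>`) keeps the test reproducible and limits what a tag repoint can run as root on the node. `allowPrivilegeEscalation: true` appears to be implied by `privileged: true`, so it could either be dropped or given a one-line comment marking it intentional. The hostname-based `nodeAffinity` carries no `tolerations`, so if the target node is tainted the pod may stay Pending; that is inferred from the manifest alone and worth confirming against the nodes the test runs on.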


@ -104,7 +104,7 @@ exec_host() {
local old_debugger_pods=($(kubectl get pods -o name | grep node-debugger))
# Run a debug pod
kubectl debug -q "node/${node}" --image=quay.io/bedrock/ubuntu:latest -- chroot /host bash -c "sleep infinity" >&2
NODE_NAME="${node}" envsubst < runtimeclass_workloads/custom-node-debugger.yaml | kubectl apply -f - > /dev/null
# Identify the new debugger pod
local new_debugger_pod=$(get_new_debugger_pod "${old_debugger_pods[@]}")