From aedf14b244b739775a27841ae67a65cb6152ed9a Mon Sep 17 00:00:00 2001
From: Hyounggyu Choi
Date: Mon, 2 Sep 2024 09:44:47 +0200
Subject: [PATCH] tests: Mimic node debugger with full privileges

This commit addresses an issue with handling loop devices via a node debugger due to restricted privileges. It runs a pod with full privileges, allowing it to mount the host root to `/host`, similar to the node debugger. This change enables us to run tests for trusted image storage using the `qemu-coco-dev` runtime class.

Fixes: #10133
Signed-off-by: Hyounggyu Choi
---
 .../custom-node-debugger.yaml | 37 +++++++++++++++++++
 tests/integration/kubernetes/tests_common.sh | 2 +-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 tests/integration/kubernetes/runtimeclass_workloads/custom-node-debugger.yaml

diff --git a/tests/integration/kubernetes/runtimeclass_workloads/custom-node-debugger.yaml b/tests/integration/kubernetes/runtimeclass_workloads/custom-node-debugger.yaml
new file mode 100644
index 0000000000..58a6a8cfae
--- /dev/null
+++ b/tests/integration/kubernetes/runtimeclass_workloads/custom-node-debugger.yaml
@@ -0,0 +1,37 @@
+#
+# Copyright (c) IBM Corp. 2024
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Pod
+metadata:
+ name: custom-node-debugger
+spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - ${NODE_NAME}
+ containers:
+ - name: node-debugger-container
+ image: quay.io/bedrock/ubuntu:latest
+ command: ["/bin/sh", "-c", "sleep infinity"]
+ stdin: true
+ tty: true
+ securityContext:
+ privileged: true
+ runAsUser: 0
+ allowPrivilegeEscalation: true
+ volumeMounts:
+ - name: host-root
+ mountPath: /host
+ volumes:
+ - name: host-root
+ hostPath:
+ path: /
+ type: Directory
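Review bot: The pod runs `privileged: true` as `runAsUser: 0` with the host root mounted at `/host`, yet `image: quay.io/bedrock/ubuntu:latest` is unpinned, so the code that gets root on the node changes whenever the tag is moved and a test run is not reproducible; pin it by digest, `image: quay.io/bedrock/ubuntu@sha256:<digest-placeholder>`, or at least a fixed version tag. The manifest does not set `hostPID`/`hostNetwork`/`hostIPC`, which as far as I recall `kubectl debug node/` enables on the debugger pod it creates, so any exec_host caller that relied on host-namespace visibility (process listing, host sockets) may now behave differently — worth confirming against the commands the tests send through it. A short header comment stating that this file is a template consumed via `envsubst` and that `${NODE_NAME}` is its only placeholder would tell the next reader why a literal `${...}` appears in a manifest.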
diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh
index c552f5bf2c..98a3c60c9e 100644
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@@ -104,7 +104,7 @@ exec_host() {
 local old_debugger_pods=($(kubectl get pods -o name | grep node-debugger))
 # Run a debug pod
- kubectl debug -q "node/${node}" --image=quay.io/bedrock/ubuntu:latest -- chroot /host bash -c "sleep infinity" >&2
+ NODE_NAME="${node}" envsubst < runtimeclass_workloads/custom-node-debugger.yaml | kubectl apply -f - > /dev/null
 # Identify the new debugger pod
 local new_debugger_pod=$(get_new_debugger_pod "${old_debugger_pods[@]}")
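Review bot: The added line applies a pod with the fixed name `custom-node-debugger`, so if one is left over from an earlier call (it would already be in the `old_debugger_pods` snapshot taken on the first context line, since `grep node-debugger` matches it), `kubectl apply` updates it in place instead of creating a new one and `get_new_debugger_pod` on the last line finds nothing new; the previous `kubectl debug` invocation produced a uniquely named pod each time and did not have this problem. Either delete any existing `custom-node-debugger` pod before applying, or give the pod a per-call name (e.g. `generateName:` in the template with `kubectl create -f -`, which unlike `apply` accepts it as far as I know). The template path `runtimeclass_workloads/custom-node-debugger.yaml` is relative, so exec_host now depends on the caller's working directory where `kubectl debug` did not; resolving it against the script's own directory would remove that assumption. exec_host's body starts and ends outside the hunk.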