mirror of
https://github.com/kata-containers/kata-containers.git
synced 2025-06-23 05:58:04 +00:00
The kata webhook requires a configmap to define what runtime class it should set for the newly created pods. Additionally, the configmap allows others to modify the default runtime class name we wish to set (in case the handler is kata but the name of the runtimeclass is different). Finally, this PR changes the webhook-check to compare the runtime of the newly created pod against the specific runtime class in the configmap; if said configmap doesn't exist, it will default to "kata". Signed-off-by: Martin <mheberling@microsoft.com>
#!/bin/bash
#
# Copyright (c) 2021 Red Hat
#
# SPDX-License-Identifier: Apache-2.0
#
# Run this script to check the webhook is deployed and working
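set -o errexit
set -o nounset
set -o pipefail

# Directory holding this script; "$0" is quoted so a checkout path that
# contains whitespace still resolves to a single word.
webhook_dir=$(dirname "$0")
source "${webhook_dir}/../../../tests/common.bash"
source "${webhook_dir}/common.bash"

readonly hello_pod="hello-kata-webhook"
# The Pod RuntimeClassName for Kata Containers.
# Precedence: RUNTIME_CLASS from the environment, then the runtime_class key
# of the kata-webhook configmap, then "kata".
# NOTE(review): no -n is passed to kubectl, so the configmap is looked up in
# the kubeconfig context's current namespace - confirm that is where
# kata-webhook is deployed.
if [ -z "${RUNTIME_CLASS:-}" ]; then
  RUNTIME_CLASS=$(kubectl get configmap kata-webhook -o jsonpath='{.data.runtime_class}' 2>/dev/null) || RUNTIME_CLASS=""
  # kubectl can succeed with empty output (configmap present, key missing or
  # empty). An empty expected class would equal the runtimeClassName of a pod
  # the webhook never mutated, so the check would pass without proving
  # anything; fall back to the default instead.
  RUNTIME_CLASS="${RUNTIME_CLASS:-kata}"
fi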
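# Delete the test pod if it still exists. All kubectl output is discarded.
#
# Globals: WEBHOOK_NS, hello_pod (read)
cleanup() {
  {
    # Expansions are quoted so each value reaches kubectl as one argument.
    kubectl get -n "${WEBHOOK_NS}" "pod/${hello_pod}" && \
      kubectl delete -n "${WEBHOOK_NS}" "pod/${hello_pod}"
  } &>/dev/null
}
# Registered on EXIT so the pod is removed whichever way the script ends.
trap cleanup EXIT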
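# Check the deployment exists and is available.
#
# Globals: WEBHOOK_NS, WEBHOOK_SVC (read)
# Outputs: kubectl output is discarded; failures are reported through die
check_deployed() {
  local timeout="60s"

  # Expansions are quoted so each value reaches kubectl as one argument.
  kubectl get -n "${WEBHOOK_NS}" "deployment/${WEBHOOK_SVC}" &>/dev/null || \
    die "The ${WEBHOOK_SVC} deployment does not exist"

  kubectl wait -n "${WEBHOOK_NS}" "deployment/${WEBHOOK_SVC}" \
    --for condition=Available --timeout "${timeout}" &>/dev/null || \
    die "The ${WEBHOOK_SVC} deployment is unavailable after ${timeout} waiting"
}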
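# Check the webhook is working as expected.
#
# Applies a pod manifest that carries no runtimeClassName, reads the pod back
# and compares its runtimeClassName with RUNTIME_CLASS.
#
# Globals: WEBHOOK_NS, hello_pod, RUNTIME_CLASS (read)
# Returns: 0 when the names match; every failure goes through die
check_working() {
  # Declared apart from the assignment so a kubectl failure is not hidden
  # behind the exit status of `local`.
  local class_name

  # An empty expectation equals the empty runtimeClassName of a pod that was
  # never mutated, which would let a non-functional webhook pass the check.
  [ -n "${RUNTIME_CLASS:-}" ] || \
    die "RUNTIME_CLASS is empty, cannot reliably check the webhook"

  kubectl get -n "${WEBHOOK_NS}" "pod/${hello_pod}" &>/dev/null && \
    die "${hello_pod} pod exists, cannot reliably check the webhook"

  # NOTE(review): the image is referenced by the mutable :latest tag and
  # IfNotPresent reuses whatever a node already cached, so the bytes that run
  # are not fixed by this manifest; pin by digest if that matters here.
  cat <<EOF | kubectl apply -f -
kind: Pod
apiVersion: v1
metadata:
  name: ${hello_pod}
  namespace: ${WEBHOOK_NS}
spec:
  restartPolicy: Never
  containers:
  - name: ${hello_pod}
    image: quay.io/prometheus/busybox:latest
    command: ["echo", "Hello Webhook"]
    imagePullPolicy: IfNotPresent
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
EOF

  class_name=$(kubectl get -n "${WEBHOOK_NS}" \
    -o jsonpath='{.spec.runtimeClassName}' "pod/${hello_pod}") || \
    die "Could not read the runtimeClassName of ${hello_pod}"

  if [ "${class_name}" != "${RUNTIME_CLASS}" ]; then
    warn "RuntimeClassName expected ${RUNTIME_CLASS}, got ${class_name}"
    die "kata-webhook is not working"
  fi
}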
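# Entry point: require KUBECONFIG, then run the deployment check followed by
# the functional check. Any failure exits through die.
main() {
  info "Going to check the kata-webhook installation"
  [ -n "${KUBECONFIG:-}" ] || die "KUBECONFIG should be exported"
  check_deployed
  check_working
  info "kata-webhook is up and working"
}

# "$@" is quoted so arguments keep their word boundaries.
main "$@"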