Merge pull request #89198 from tanjunchen/cleanup20200318
e2e/framework: security/ and /service remove direct import /k8s.io/kubernetes/pkg/
commit
1130e8910f
@ -6,7 +6,6 @@ go_library(
|
|||||||
importpath = "k8s.io/kubernetes/test/e2e/framework/security",
|
importpath = "k8s.io/kubernetes/test/e2e/framework/security",
|
||||||
visibility = ["//visibility:public"],
|
visibility = ["//visibility:public"],
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/security/apparmor:go_default_library",
|
|
||||||
"//staging/src/k8s.io/api/core/v1:go_default_library",
|
"//staging/src/k8s.io/api/core/v1:go_default_library",
|
||||||
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||||
"//staging/src/k8s.io/apimachinery/pkg/labels:go_default_library",
|
"//staging/src/k8s.io/apimachinery/pkg/labels:go_default_library",
|
||||||
|
@ -24,7 +24,6 @@ import (
|
|||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/labels"
|
"k8s.io/apimachinery/pkg/labels"
|
||||||
clientset "k8s.io/client-go/kubernetes"
|
clientset "k8s.io/client-go/kubernetes"
|
||||||
"k8s.io/kubernetes/pkg/security/apparmor"
|
|
||||||
"k8s.io/kubernetes/test/e2e/framework"
|
"k8s.io/kubernetes/test/e2e/framework"
|
||||||
e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
|
e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
|
||||||
imageutils "k8s.io/kubernetes/test/utils/image"
|
imageutils "k8s.io/kubernetes/test/utils/image"
|
||||||
@ -37,6 +36,14 @@ const (
|
|||||||
|
|
||||||
loaderLabelKey = "name"
|
loaderLabelKey = "name"
|
||||||
loaderLabelValue = "e2e-apparmor-loader"
|
loaderLabelValue = "e2e-apparmor-loader"
|
||||||
|
|
||||||
|
// TODO: import this from the k8s.io/api once it's moved there (ref: https://github.com/kubernetes/kubernetes/pull/89198)
|
||||||
|
// Unconfined profile
|
||||||
|
profileNameUnconfined = "unconfined"
|
||||||
|
|
||||||
|
// TODO: import this from the k8s.io/api once it's moved there (ref: https://github.com/kubernetes/kubernetes/pull/89198)
|
||||||
|
// The prefix to an annotation key specifying a container profile.
|
||||||
|
containerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
|
||||||
)
|
)
|
||||||
|
|
||||||
// LoadAppArmorProfiles creates apparmor-profiles ConfigMap and apparmor-loader ReplicationController.
|
// LoadAppArmorProfiles creates apparmor-profiles ConfigMap and apparmor-loader ReplicationController.
|
||||||
@ -64,7 +71,7 @@ elif [[ $(< /proc/self/attr/current) != "%[3]s" ]]; then
|
|||||||
fi`, appArmorDeniedPath, appArmorAllowedPath, appArmorProfilePrefix+nsName)
|
fi`, appArmorDeniedPath, appArmorAllowedPath, appArmorProfilePrefix+nsName)
|
||||||
|
|
||||||
if unconfined {
|
if unconfined {
|
||||||
profile = apparmor.ProfileNameUnconfined
|
profile = profileNameUnconfined
|
||||||
testCmd = `
|
testCmd = `
|
||||||
if cat /proc/sysrq-trigger 2>&1 | grep 'Permission denied'; then
|
if cat /proc/sysrq-trigger 2>&1 | grep 'Permission denied'; then
|
||||||
echo 'FAILURE: reading /proc/sysrq-trigger should be allowed'
|
echo 'FAILURE: reading /proc/sysrq-trigger should be allowed'
|
||||||
@ -98,7 +105,7 @@ done`, testCmd)
|
|||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
GenerateName: "test-apparmor-",
|
GenerateName: "test-apparmor-",
|
||||||
Annotations: map[string]string{
|
Annotations: map[string]string{
|
||||||
apparmor.ContainerAnnotationKeyPrefix + "test": profile,
|
containerAnnotationKeyPrefix + "test": profile,
|
||||||
},
|
},
|
||||||
Labels: map[string]string{
|
Labels: map[string]string{
|
||||||
"test": "apparmor",
|
"test": "apparmor",
|
||||||
|
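Review bot: The two constants added to the `const` block (which opens above the hunk), `profileNameUnconfined` and `containerAnnotationKeyPrefix`, are hand-copied string literals with nothing tying them to `apparmor.ProfileNameUnconfined` and `apparmor.ContainerAnnotationKeyPrefix`, which the pod annotation used before this change. If the canonical annotation prefix or profile name ever changes, the framework would keep annotating test pods with the stale value; the in-container checks visible in the other hunks would probably surface that as a test failure, but the cause would not be obvious from the message. I would replace the bare `// Unconfined profile` comment with one that names the origin, e.g. `// profileNameUnconfined mirrors apparmor.ProfileNameUnconfined in k8s.io/kubernetes/pkg/security/apparmor; keep in sync.`, and word the comment on the prefix the same way. The two TODO lines are identical and could be merged into a single comment above both constants.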