Fix AppArmor test at scale

This commit is contained in:
Tim Allclair 2017-09-05 19:19:54 -07:00
parent 42e2ca8c18
commit 13558e3fe7


@ -20,8 +20,8 @@ import (
"fmt" "fmt"
api "k8s.io/api/core/v1" api "k8s.io/api/core/v1"
extensions "k8s.io/api/extensions/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/kubernetes/pkg/security/apparmor" "k8s.io/kubernetes/pkg/security/apparmor"
"k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/framework"
) )
@ -30,6 +30,9 @@ const (
appArmorProfilePrefix = "e2e-apparmor-test-" appArmorProfilePrefix = "e2e-apparmor-test-"
appArmorAllowedPath = "/expect_allowed_write" appArmorAllowedPath = "/expect_allowed_write"
appArmorDeniedPath = "/expect_permission_denied" appArmorDeniedPath = "/expect_permission_denied"
loaderLabelKey = "name"
loaderLabelValue = "e2e-apparmor-loader"
) )
// AppArmorDistros are distros with AppArmor support // AppArmorDistros are distros with AppArmor support
@ -40,10 +43,8 @@ func SkipIfAppArmorNotSupported() {
} }
func LoadAppArmorProfiles(f *framework.Framework) { func LoadAppArmorProfiles(f *framework.Framework) {
_, err := createAppArmorProfileCM(f) createAppArmorProfileCM(f)
framework.ExpectNoError(err) createAppArmorProfileLoader(f)
_, err = createAppArmorProfileLoader(f)
framework.ExpectNoError(err)
} }
// CreateAppArmorTestPod creates a pod that tests apparmor profile enforcement. The pod exits with // CreateAppArmorTestPod creates a pod that tests apparmor profile enforcement. The pod exits with
@ -71,6 +72,18 @@ sleep 1
done`, testCmd) done`, testCmd)
} }
loaderAffinity := &api.Affinity{
PodAffinity: &api.PodAffinity{
RequiredDuringSchedulingIgnoredDuringExecution: []api.PodAffinityTerm{{
Namespaces: []string{f.Namespace.Name},
LabelSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{loaderLabelKey: loaderLabelValue},
},
TopologyKey: "kubernetes.io/hostname",
}},
},
}
pod := &api.Pod{ pod := &api.Pod{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
GenerateName: "test-apparmor-", GenerateName: "test-apparmor-",
@ -82,6 +95,7 @@ done`, testCmd)
}, },
}, },
Spec: api.PodSpec{ Spec: api.PodSpec{
Affinity: loaderAffinity,
Containers: []api.Container{{ Containers: []api.Container{{
Name: "test", Name: "test",
Image: busyboxImage, Image: busyboxImage,
@ -103,7 +117,7 @@ done`, testCmd)
return pod return pod
} }
func createAppArmorProfileCM(f *framework.Framework) (*api.ConfigMap, error) { func createAppArmorProfileCM(f *framework.Framework) {
profileName := appArmorProfilePrefix + f.Namespace.Name profileName := appArmorProfilePrefix + f.Namespace.Name
profile := fmt.Sprintf(`#include <tunables/global> profile := fmt.Sprintf(`#include <tunables/global>
profile %s flags=(attach_disconnected) { profile %s flags=(attach_disconnected) {
@ -125,21 +139,23 @@ profile %s flags=(attach_disconnected) {
profileName: profile, profileName: profile,
}, },
} }
return f.ClientSet.Core().ConfigMaps(f.Namespace.Name).Create(cm) _, err := f.ClientSet.Core().ConfigMaps(f.Namespace.Name).Create(cm)
framework.ExpectNoError(err, "Failed to create apparmor-profiles ConfigMap")
} }
func createAppArmorProfileLoader(f *framework.Framework) (*extensions.DaemonSet, error) { func createAppArmorProfileLoader(f *framework.Framework) {
True := true True := true
// Copied from https://github.com/kubernetes/contrib/blob/master/apparmor/loader/example-configmap.yaml One := int32(1)
loader := &extensions.DaemonSet{ loader := &api.ReplicationController{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "apparmor-loader", Name: "apparmor-loader",
Namespace: f.Namespace.Name, Namespace: f.Namespace.Name,
}, },
Spec: extensions.DaemonSetSpec{ Spec: api.ReplicationControllerSpec{
Template: api.PodTemplateSpec{ Replicas: &One,
Template: &api.PodTemplateSpec{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Labels: map[string]string{"name": "apparmor-loader"}, Labels: map[string]string{loaderLabelKey: loaderLabelValue},
}, },
Spec: api.PodSpec{ Spec: api.PodSpec{
Containers: []api.Container{{ Containers: []api.Container{{
@ -191,5 +207,12 @@ func createAppArmorProfileLoader(f *framework.Framework) (*extensions.DaemonSet,
}, },
}, },
} }
return f.ClientSet.Extensions().DaemonSets(f.Namespace.Name).Create(loader) _, err := f.ClientSet.Core().ReplicationControllers(f.Namespace.Name).Create(loader)
framework.ExpectNoError(err, "Failed to create apparmor-loader ReplicationController")
// Wait for loader to be ready.
label := labels.SelectorFromSet(labels.Set(map[string]string{loaderLabelKey: loaderLabelValue}))
pods, err := framework.WaitForPodsWithLabelScheduled(f.ClientSet, f.Namespace.Name, label)
framework.ExpectNoError(err, "Failed to schedule apparmor-loader Pod")
framework.ExpectNoError(framework.WaitForPodRunningInNamespace(f.ClientSet, &pods.Items[0]), "Failed to run apparmor-loader Pod")
} }
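Review bot: `pods.Items[0]` in the last hunk is dereferenced without checking that the list is non-empty, so a nil-error return with no pods would panic inside the test instead of producing a failure message; add `if len(pods.Items) == 0 { framework.Failf("no apparmor-loader Pod found in %s", f.Namespace.Name) }` before the final ExpectNoError. The comment `// Wait for loader to be ready.` also promises more than the code checks: WaitForPodRunningInNamespace only establishes that the loader container has started, not that the profile has been loaded onto the node, so a test pod pinned to that node by the new pod affinity can still race the loader; rewording it to `// Wait for the loader Pod to be Running; profile loading itself is not awaited.` would make the remaining gap explicit. The loader container spec and the start of createAppArmorProfileLoader lie outside this hunk, so whether the loader signals completion could not be checked here.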