Fix AppArmor test at scale

test/e2e/common/apparmor.go

@@ -20,8 +20,8 @@ import (
 	"fmt"
 
 	api "k8s.io/api/core/v1"
-	extensions "k8s.io/api/extensions/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/kubernetes/pkg/security/apparmor"
 	"k8s.io/kubernetes/test/e2e/framework"
 )
@@ -30,6 +30,9 @@ const (
 	appArmorProfilePrefix = "e2e-apparmor-test-"
 	appArmorAllowedPath   = "/expect_allowed_write"
 	appArmorDeniedPath    = "/expect_permission_denied"
+
+	loaderLabelKey   = "name"
+	loaderLabelValue = "e2e-apparmor-loader"
 )
 
 // AppArmorDistros are distros with AppArmor support
@@ -40,10 +43,8 @@ func SkipIfAppArmorNotSupported() {
 }
 
 func LoadAppArmorProfiles(f *framework.Framework) {
-	_, err := createAppArmorProfileCM(f)
+	createAppArmorProfileCM(f)
-	framework.ExpectNoError(err)
+	createAppArmorProfileLoader(f)
-	_, err = createAppArmorProfileLoader(f)
-	framework.ExpectNoError(err)
 }
 
 // CreateAppArmorTestPod creates a pod that tests apparmor profile enforcement. The pod exits with
@@ -71,6 +72,18 @@ sleep 1
 done`, testCmd)
 	}
 
+	loaderAffinity := &api.Affinity{
+		PodAffinity: &api.PodAffinity{
+			RequiredDuringSchedulingIgnoredDuringExecution: []api.PodAffinityTerm{{
+				Namespaces: []string{f.Namespace.Name},
+				LabelSelector: &metav1.LabelSelector{
+					MatchLabels: map[string]string{loaderLabelKey: loaderLabelValue},
+				},
+				TopologyKey: "kubernetes.io/hostname",
+			}},
+		},
+	}
+
 	pod := &api.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: "test-apparmor-",
@@ -82,6 +95,7 @@ done`, testCmd)
 			},
 		},
 		Spec: api.PodSpec{
+			Affinity: loaderAffinity,
 			Containers: []api.Container{{
 				Name:    "test",
 				Image:   busyboxImage,
@@ -103,7 +117,7 @@ done`, testCmd)
 	return pod
 }
 
-func createAppArmorProfileCM(f *framework.Framework) (*api.ConfigMap, error) {
+func createAppArmorProfileCM(f *framework.Framework) {
 	profileName := appArmorProfilePrefix + f.Namespace.Name
 	profile := fmt.Sprintf(`#include <tunables/global>
 profile %s flags=(attach_disconnected) {
@@ -125,21 +139,23 @@ profile %s flags=(attach_disconnected) {
 			profileName: profile,
 		},
 	}
-	return f.ClientSet.Core().ConfigMaps(f.Namespace.Name).Create(cm)
+	_, err := f.ClientSet.Core().ConfigMaps(f.Namespace.Name).Create(cm)
+	framework.ExpectNoError(err, "Failed to create apparmor-profiles ConfigMap")
 }
 
-func createAppArmorProfileLoader(f *framework.Framework) (*extensions.DaemonSet, error) {
+func createAppArmorProfileLoader(f *framework.Framework) {
 	True := true
-	// Copied from https://github.com/kubernetes/contrib/blob/master/apparmor/loader/example-configmap.yaml
+	One := int32(1)
-	loader := &extensions.DaemonSet{
+	loader := &api.ReplicationController{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "apparmor-loader",
 			Namespace: f.Namespace.Name,
 		},
-		Spec: extensions.DaemonSetSpec{
+		Spec: api.ReplicationControllerSpec{
-			Template: api.PodTemplateSpec{
+			Replicas: &One,
+			Template: &api.PodTemplateSpec{
 				ObjectMeta: metav1.ObjectMeta{
-					Labels: map[string]string{"name": "apparmor-loader"},
+					Labels: map[string]string{loaderLabelKey: loaderLabelValue},
 				},
 				Spec: api.PodSpec{
 					Containers: []api.Container{{
@@ -191,5 +207,12 @@ func createAppArmorProfileLoader(f *framework.Framework) (*extensions.DaemonSet,
 			},
 		},
 	}
-	return f.ClientSet.Extensions().DaemonSets(f.Namespace.Name).Create(loader)
+	_, err := f.ClientSet.Core().ReplicationControllers(f.Namespace.Name).Create(loader)
+	framework.ExpectNoError(err, "Failed to create apparmor-loader ReplicationController")
+
+	// Wait for loader to be ready.
+	label := labels.SelectorFromSet(labels.Set(map[string]string{loaderLabelKey: loaderLabelValue}))
+	pods, err := framework.WaitForPodsWithLabelScheduled(f.ClientSet, f.Namespace.Name, label)
+	framework.ExpectNoError(err, "Failed to schedule apparmor-loader Pod")
+	framework.ExpectNoError(framework.WaitForPodRunningInNamespace(f.ClientSet, &pods.Items[0]), "Failed to run apparmor-loader Pod")
 }