github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-09 12:07:47 +00:00
Code Issues Projects Releases Wiki Activity

Remove unused getSeccompProfilePath helper function

Browse Source 
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
This commit is contained in:
Sascha Grunert 2023-06-01 09:55:48 +02:00
parent 627f43d8bb
commit 15aa00fc83
No known key found for this signature in database
GPG Key ID: 09D97D153EF94D93
2 changed files with 0 additions and 338 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
pkg/kubelet/kuberuntime/helpers.go
View File

@ -212,53 +212,6 @@ func toKubeRuntimeStatus(status *runtimeapi.RuntimeStatus) *kubecontainer.Runtim
return &kubecontainer.RuntimeStatus{Conditions: conditions} return &kubecontainer.RuntimeStatus{Conditions: conditions}
} }
func fieldProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) (string, error) {
if scmp == nil {
if fallbackToRuntimeDefault {
return v1.SeccompProfileRuntimeDefault, nil
}
return "", nil
}
if scmp.Type == v1.SeccompProfileTypeRuntimeDefault {
return v1.SeccompProfileRuntimeDefault, nil
}
if scmp.Type == v1.SeccompProfileTypeLocalhost {
if scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 {
fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile)
return v1.SeccompLocalhostProfileNamePrefix + fname, nil
} else {
return "", fmt.Errorf("localhostProfile must be set if seccompProfile type is Localhost.")
}
}
if scmp.Type == v1.SeccompProfileTypeUnconfined {
return v1.SeccompProfileNameUnconfined, nil
}
if fallbackToRuntimeDefault {
return v1.SeccompProfileRuntimeDefault, nil
}
return "", nil
}
func (m *kubeGenericRuntimeManager) getSeccompProfilePath(annotations map[string]string, containerName string,
podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) (string, error) {
// container fields are applied first
if containerSecContext != nil && containerSecContext.SeccompProfile != nil {
return fieldProfile(containerSecContext.SeccompProfile, m.seccompProfileRoot, fallbackToRuntimeDefault)
}
// when container seccomp is not defined, try to apply from pod field
if podSecContext != nil && podSecContext.SeccompProfile != nil {
return fieldProfile(podSecContext.SeccompProfile, m.seccompProfileRoot, fallbackToRuntimeDefault)
}
if fallbackToRuntimeDefault {
return v1.SeccompProfileRuntimeDefault, nil
}
return "", nil
}
func fieldSeccompProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) (*runtimeapi.SecurityProfile, error) { func fieldSeccompProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) (*runtimeapi.SecurityProfile, error) {
if scmp == nil { if scmp == nil {
if fallbackToRuntimeDefault { if fallbackToRuntimeDefault {

291
pkg/kubelet/kuberuntime/helpers_linux_test.go
View File

@ -29,17 +29,12 @@ import (
runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1" runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
"k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/features"
"k8s.io/kubernetes/pkg/kubelet/cm" "k8s.io/kubernetes/pkg/kubelet/cm"
utilpointer "k8s.io/utils/pointer"
) )
func seccompLocalhostRef(profileName string) string { func seccompLocalhostRef(profileName string) string {
return filepath.Join(fakeSeccompProfileRoot, profileName) return filepath.Join(fakeSeccompProfileRoot, profileName)
} }
func seccompLocalhostPath(profileName string) string {
return "localhost/" + seccompLocalhostRef(profileName)
}
func TestMilliCPUToQuota(t *testing.T) { func TestMilliCPUToQuota(t *testing.T) {
for _, testCase := range []struct { for _, testCase := range []struct {
msg string msg string
@ -218,292 +213,6 @@ func TestMilliCPUToQuotaWithCustomCPUCFSQuotaPeriod(t *testing.T) {
} }
} }
func TestFieldProfile(t *testing.T) {
tests := []struct {
description string
scmpProfile *v1.SeccompProfile
rootPath string
expectedProfile string
expectedError string
}{
{
description: "no seccompProfile should return empty",
expectedProfile: "",
},
{
description: "type localhost without profile should return error",
scmpProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeLocalhost,
},
expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
description: "unknown type should return empty",
scmpProfile: &v1.SeccompProfile{
Type: "",
},
expectedProfile: "",
},
{
description: "SeccompProfileTypeRuntimeDefault should return runtime/default",
scmpProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeRuntimeDefault,
},
expectedProfile: "runtime/default",
},
{
description: "SeccompProfileTypeUnconfined should return unconfined",
scmpProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeUnconfined,
},
expectedProfile: "unconfined",
},
{
description: "SeccompProfileTypeLocalhost should return localhost",
scmpProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeLocalhost,
LocalhostProfile: utilpointer.String("profile.json"),
},
rootPath: "/test/",
expectedProfile: "localhost//test/profile.json",
},
}
for i, test := range tests {
seccompProfile, err := fieldProfile(test.scmpProfile, test.rootPath, false)
if test.expectedError != "" {
assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
} else {
assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
}
}
}
func TestFieldProfileDefaultSeccomp(t *testing.T) {
tests := []struct {
description string
scmpProfile *v1.SeccompProfile
rootPath string
expectedProfile string
expectedError string
}{
{
description: "no seccompProfile should return runtime/default",
expectedProfile: v1.SeccompProfileRuntimeDefault,
},
{
description: "type localhost without profile should return error",
scmpProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeLocalhost,
},
expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
description: "unknown type should return runtime/default",
scmpProfile: &v1.SeccompProfile{
Type: "",
},
expectedProfile: v1.SeccompProfileRuntimeDefault,
},
{
description: "SeccompProfileTypeRuntimeDefault should return runtime/default",
scmpProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeRuntimeDefault,
},
expectedProfile: "runtime/default",
},
{
description: "SeccompProfileTypeUnconfined should return unconfined",
scmpProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeUnconfined,
},
expectedProfile: "unconfined",
},
{
description: "SeccompProfileTypeLocalhost should return localhost",
scmpProfile: &v1.SeccompProfile{
Type: v1.SeccompProfileTypeLocalhost,
LocalhostProfile: utilpointer.String("profile.json"),
},
rootPath: "/test/",
expectedProfile: "localhost//test/profile.json",
},
}
for i, test := range tests {
seccompProfile, err := fieldProfile(test.scmpProfile, test.rootPath, true)
if test.expectedError != "" {
assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
} else {
assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
}
}
}
func TestGetSeccompProfilePath(t *testing.T) {
_, _, m, err := createTestRuntimeManager()
require.NoError(t, err)
tests := []struct {
description string
annotation map[string]string
podSc *v1.PodSecurityContext
containerSc *v1.SecurityContext
containerName string
expectedProfile string
expectedError string
}{
{
description: "no seccomp should return empty",
expectedProfile: "",
},
{
description: "annotations: no seccomp with containerName should return empty",
containerName: "container1",
expectedProfile: "",
},
{
description: "pod seccomp profile set to unconfined returns unconfined",
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}},
expectedProfile: "unconfined",
},
{
description: "container seccomp profile set to unconfined returns unconfined",
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}},
expectedProfile: "unconfined",
},
{
description: "pod seccomp profile set to SeccompProfileTypeRuntimeDefault returns runtime/default",
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}},
expectedProfile: "runtime/default",
},
{
description: "container seccomp profile set to SeccompProfileTypeRuntimeDefault returns runtime/default",
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}},
expectedProfile: "runtime/default",
},
{
description: "pod seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
expectedProfile: seccompLocalhostPath("filename"),
},
{
description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
expectedProfile: seccompLocalhostPath("filename2"),
},
{
description: "prioritise container field over pod field",
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}},
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}},
expectedProfile: "runtime/default",
},
}
for i, test := range tests {
seccompProfile, err := m.getSeccompProfilePath(test.annotation, test.containerName, test.podSc, test.containerSc, false)
if test.expectedError != "" {
assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
} else {
assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
}
}
}
func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
_, _, m, err := createTestRuntimeManager()
require.NoError(t, err)
tests := []struct {
description string
annotation map[string]string
podSc *v1.PodSecurityContext
containerSc *v1.SecurityContext
containerName string
expectedProfile string
expectedError string
}{
{
description: "no seccomp should return runtime/default",
expectedProfile: v1.SeccompProfileRuntimeDefault,
},
{
description: "annotations: no seccomp with containerName should return runtime/default",
containerName: "container1",
expectedProfile: v1.SeccompProfileRuntimeDefault,
},
{
description: "pod seccomp profile set to unconfined returns unconfined",
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}},
expectedProfile: "unconfined",
},
{
description: "container seccomp profile set to unconfined returns unconfined",
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}},
expectedProfile: "unconfined",
},
{
description: "pod seccomp profile set to SeccompProfileTypeRuntimeDefault returns runtime/default",
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}},
expectedProfile: "runtime/default",
},
{
description: "container seccomp profile set to SeccompProfileTypeRuntimeDefault returns runtime/default",
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}},
expectedProfile: "runtime/default",
},
{
description: "pod seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
expectedProfile: seccompLocalhostPath("filename"),
},
{
description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
},
{
description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
expectedProfile: seccompLocalhostPath("filename2"),
},
{
description: "prioritise container field over pod field",
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}},
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}},
expectedProfile: "runtime/default",
},
}
for i, test := range tests {
seccompProfile, err := m.getSeccompProfilePath(test.annotation, test.containerName, test.podSc, test.containerSc, true)
if test.expectedError != "" {
assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
} else {
assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
}
}
}
func TestGetSeccompProfile(t *testing.T) { func TestGetSeccompProfile(t *testing.T) {
_, _, m, err := createTestRuntimeManager() _, _, m, err := createTestRuntimeManager()
require.NoError(t, err) require.NoError(t, err)