From 20ac24929b1d3bc4dd4fb757f6a9602e8cbd1b38 Mon Sep 17 00:00:00 2001
From: Jefftree
Date: Wed, 2 Oct 2019 13:11:24 -0700
Subject: [PATCH] move hostPID tests to common
---
 test/e2e/common/security_context.go | 81 +++++++++++++++++++++++++
 test/e2e_node/security_context_test.go | 83 +------------------------
 2 files changed, 82 insertions(+), 82 deletions(-)
diff --git a/test/e2e/common/security_context.go b/test/e2e/common/security_context.go
index daa9d445e89..92ba53a7f46 100644
--- a/test/e2e/common/security_context.go
+++ b/test/e2e/common/security_context.go
@@ -22,6 +22,7 @@ import (
 v1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apimachinery/pkg/util/uuid"
 "k8s.io/kubernetes/pkg/kubelet/events"
 "k8s.io/kubernetes/test/e2e/framework"
@@ -40,6 +41,86 @@ var _ = framework.KubeDescribe("Security Context", func() {
 podClient = f.PodClient()
 })
+ ginkgo.Context("when creating a pod in the host PID namespace", func() {
+ makeHostPidPod := func(podName, image string, command []string, hostPID bool) *v1.Pod {
+ return &v1.Pod{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: podName,
+ },
+ Spec: v1.PodSpec{
+ RestartPolicy: v1.RestartPolicyNever,
+ HostPID: hostPID,
+ Containers: []v1.Container{
+ {
+ Image: image,
+ Name: podName,
+ Command: command,
+ },
+ },
+ },
+ }
+ }
+ createAndWaitHostPidPod := func(podName string, hostPID bool) {
+ podClient.Create(makeHostPidPod(podName,
+ framework.BusyBoxImage,
+ []string{"sh", "-c", "pidof nginx || true"},
+ hostPID,
+ ))
+
+ podClient.WaitForSuccess(podName, framework.PodStartTimeout)
+ }
+
+ nginxPid := ""
+ ginkgo.BeforeEach(func() {
+ nginxPodName := "nginx-hostpid-" + string(uuid.NewUUID())
+ podClient.CreateSync(makeHostPidPod(nginxPodName,
+ imageutils.GetE2EImage(imageutils.Nginx),
+ nil,
+ true,
+ ))
+
+ output := f.ExecShellInContainer(nginxPodName, nginxPodName,
+ "cat /var/run/nginx.pid")
+ nginxPid = strings.TrimSpace(output)
+ })
+
+ ginkgo.It("should show its pid in the host PID namespace [LinuxOnly] [NodeFeature:HostAccess]", func() {
+ busyboxPodName := "busybox-hostpid-" + string(uuid.NewUUID())
+ createAndWaitHostPidPod(busyboxPodName, true)
+ logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, busyboxPodName, busyboxPodName)
+ if err != nil {
+ framework.Failf("GetPodLogs for pod %q failed: %v", busyboxPodName, err)
+ }
+
+ pids := strings.TrimSpace(logs)
+ framework.Logf("Got nginx's pid %q from pod %q", pids, busyboxPodName)
+ if pids == "" {
+ framework.Failf("nginx's pid should be seen by hostpid containers")
+ }
+
+ pidSets := sets.NewString(strings.Split(pids, " ")...)
+ if !pidSets.Has(nginxPid) {
+ framework.Failf("nginx's pid should be seen by hostpid containers")
+ }
+ })
+
+ ginkgo.It("should not show its pid in the non-hostpid containers [LinuxOnly] [NodeFeature:HostAccess]", func() {
+ busyboxPodName := "busybox-non-hostpid-" + string(uuid.NewUUID())
+ createAndWaitHostPidPod(busyboxPodName, false)
+ logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, busyboxPodName, busyboxPodName)
+ if err != nil {
+ framework.Failf("GetPodLogs for pod %q failed: %v", busyboxPodName, err)
+ }
+
+ pids := strings.TrimSpace(logs)
+ framework.Logf("Got nginx's pid %q from pod %q", pids, busyboxPodName)
+ pidSets := sets.NewString(strings.Split(pids, " ")...)
+ if pidSets.Has(nginxPid) {
+ framework.Failf("nginx's pid should not be seen by non-hostpid containers")
+ }
+ })
+ })
+
 ginkgo.Context("When creating a container with runAsUser", func() {
 makeUserPod := func(podName, image string, command []string, userid int64) *v1.Pod {
 return &v1.Pod{
diff --git a/test/e2e_node/security_context_test.go b/test/e2e_node/security_context_test.go
index d6e0a113790..b3afb68ee53 100644
--- a/test/e2e_node/security_context_test.go
+++ b/test/e2e_node/security_context_test.go
@@ -22,9 +22,8 @@ import (
 "os/exec"
 "strings"
- "k8s.io/api/core/v1"
+ v1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apimachinery/pkg/util/uuid"
 utilfeature "k8s.io/apiserver/pkg/util/feature"
 "k8s.io/kubernetes/pkg/features"
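Review bot: `nginxPid` is never validated after `nginxPid = strings.TrimSpace(output)` in the BeforeEach, so an empty read of /var/run/nginx.pid quietly degrades both specs: the positive spec's `!pidSets.Has(nginxPid)` fails with a message blaming hostPID visibility rather than the fixture, and in the negative spec, where `pidof nginx || true` prints nothing when no nginx is visible, `strings.Split("", " ")` yields `[""]` so `pidSets.Has("")` is true and the spec fails claiming nginx's pid was seen across the namespace boundary. Failing fast in the fixture keeps the PID-namespace isolation assertion meaningful: `if nginxPid == "" { framework.Failf("could not read nginx's pid from pod %q", nginxPodName) }` right after the TrimSpace. The `pids == ""` and `!pidSets.Has(nginxPid)` branches also share one failure string; giving the first its own, e.g. `framework.Failf("pidof nginx printed nothing in hostpid pod %q", busyboxPodName)`, tells the two causes apart in the log. The enclosing `framework.KubeDescribe` closure starts and ends outside the hunk.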
@@ -114,86 +113,6 @@ var _ = framework.KubeDescribe("Security Context", func() {
 })
 })
- ginkgo.Context("when creating a pod in the host PID namespace", func() {
- makeHostPidPod := func(podName, image string, command []string, hostPID bool) *v1.Pod {
- return &v1.Pod{
- ObjectMeta: metav1.ObjectMeta{
- Name: podName,
- },
- Spec: v1.PodSpec{
- RestartPolicy: v1.RestartPolicyNever,
- HostPID: hostPID,
- Containers: []v1.Container{
- {
- Image: image,
- Name: podName,
- Command: command,
- },
- },
- },
- }
- }
- createAndWaitHostPidPod := func(podName string, hostPID bool) {
- podClient.Create(makeHostPidPod(podName,
- busyboxImage,
- []string{"sh", "-c", "pidof nginx || true"},
- hostPID,
- ))
-
- podClient.WaitForSuccess(podName, framework.PodStartTimeout)
- }
-
- nginxPid := ""
- ginkgo.BeforeEach(func() {
- nginxPodName := "nginx-hostpid-" + string(uuid.NewUUID())
- podClient.CreateSync(makeHostPidPod(nginxPodName,
- imageutils.GetE2EImage(imageutils.Nginx),
- nil,
- true,
- ))
-
- output := f.ExecShellInContainer(nginxPodName, nginxPodName,
- "cat /var/run/nginx.pid")
- nginxPid = strings.TrimSpace(output)
- })
-
- ginkgo.It("should show its pid in the host PID namespace [NodeFeature:HostAccess]", func() {
- busyboxPodName := "busybox-hostpid-" + string(uuid.NewUUID())
- createAndWaitHostPidPod(busyboxPodName, true)
- logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, busyboxPodName, busyboxPodName)
- if err != nil {
- framework.Failf("GetPodLogs for pod %q failed: %v", busyboxPodName, err)
- }
-
- pids := strings.TrimSpace(logs)
- framework.Logf("Got nginx's pid %q from pod %q", pids, busyboxPodName)
- if pids == "" {
- framework.Failf("nginx's pid should be seen by hostpid containers")
- }
-
- pidSets := sets.NewString(strings.Split(pids, " ")...)
- if !pidSets.Has(nginxPid) {
- framework.Failf("nginx's pid should be seen by hostpid containers")
- }
- })
-
- ginkgo.It("should not show its pid in the non-hostpid containers [NodeFeature:HostAccess]", func() {
- busyboxPodName := "busybox-non-hostpid-" + string(uuid.NewUUID())
- createAndWaitHostPidPod(busyboxPodName, false)
- logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, busyboxPodName, busyboxPodName)
- if err != nil {
- framework.Failf("GetPodLogs for pod %q failed: %v", busyboxPodName, err)
- }
-
- pids := strings.TrimSpace(logs)
- framework.Logf("Got nginx's pid %q from pod %q", pids, busyboxPodName)
- pidSets := sets.NewString(strings.Split(pids, " ")...)
- if pidSets.Has(nginxPid) {
- framework.Failf("nginx's pid should not be seen by non-hostpid containers")
- }
- })
- })
-
 ginkgo.Context("when creating a pod in the host IPC namespace", func() {
 makeHostIPCPod := func(podName, image string, command []string, hostIPC bool) *v1.Pod {
 return &v1.Pod{