github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-22 03:11:40 +00:00
Code Issues Projects Releases Wiki Activity

move hostPID tests to common

Browse Source
This commit is contained in:
Jefftree 2019-10-02 13:11:24 -07:00
parent af67b2cbce
commit 20ac24929b
2 changed files with 82 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
test/e2e/common/security_context.go
View File

@ -22,6 +22,7 @@ import (
v1 "k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/uuid" "k8s.io/apimachinery/pkg/util/uuid"
"k8s.io/kubernetes/pkg/kubelet/events" "k8s.io/kubernetes/pkg/kubelet/events"
"k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/framework"
@ -40,6 +41,86 @@ var _ = framework.KubeDescribe("Security Context", func() {
podClient = f.PodClient() podClient = f.PodClient()
}) })
ginkgo.Context("when creating a pod in the host PID namespace", func() {
makeHostPidPod := func(podName, image string, command []string, hostPID bool) *v1.Pod {
return &v1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: podName,
},
Spec: v1.PodSpec{
RestartPolicy: v1.RestartPolicyNever,
HostPID: hostPID,
Containers: []v1.Container{
{
Image: image,
Name: podName,
Command: command,
},
},
},
}
}
createAndWaitHostPidPod := func(podName string, hostPID bool) {
podClient.Create(makeHostPidPod(podName,
framework.BusyBoxImage,
[]string{"sh", "-c", "pidof nginx || true"},
hostPID,
))
podClient.WaitForSuccess(podName, framework.PodStartTimeout)
}
nginxPid := ""
ginkgo.BeforeEach(func() {
nginxPodName := "nginx-hostpid-" + string(uuid.NewUUID())
podClient.CreateSync(makeHostPidPod(nginxPodName,
imageutils.GetE2EImage(imageutils.Nginx),
nil,
true,
))
output := f.ExecShellInContainer(nginxPodName, nginxPodName,
"cat /var/run/nginx.pid")
nginxPid = strings.TrimSpace(output)
})
ginkgo.It("should show its pid in the host PID namespace [LinuxOnly] [NodeFeature:HostAccess]", func() {
busyboxPodName := "busybox-hostpid-" + string(uuid.NewUUID())
createAndWaitHostPidPod(busyboxPodName, true)
logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, busyboxPodName, busyboxPodName)
if err != nil {
framework.Failf("GetPodLogs for pod %q failed: %v", busyboxPodName, err)
}
pids := strings.TrimSpace(logs)
framework.Logf("Got nginx's pid %q from pod %q", pids, busyboxPodName)
if pids == "" {
framework.Failf("nginx's pid should be seen by hostpid containers")
}
pidSets := sets.NewString(strings.Split(pids, " ")...)
if !pidSets.Has(nginxPid) {
framework.Failf("nginx's pid should be seen by hostpid containers")
}
})
ginkgo.It("should not show its pid in the non-hostpid containers [LinuxOnly] [NodeFeature:HostAccess]", func() {
busyboxPodName := "busybox-non-hostpid-" + string(uuid.NewUUID())
createAndWaitHostPidPod(busyboxPodName, false)
logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, busyboxPodName, busyboxPodName)
if err != nil {
framework.Failf("GetPodLogs for pod %q failed: %v", busyboxPodName, err)
}
pids := strings.TrimSpace(logs)
framework.Logf("Got nginx's pid %q from pod %q", pids, busyboxPodName)
pidSets := sets.NewString(strings.Split(pids, " ")...)
if pidSets.Has(nginxPid) {
framework.Failf("nginx's pid should not be seen by non-hostpid containers")
}
})
})
ginkgo.Context("When creating a container with runAsUser", func() { ginkgo.Context("When creating a container with runAsUser", func() {
makeUserPod := func(podName, image string, command []string, userid int64) *v1.Pod { makeUserPod := func(podName, image string, command []string, userid int64) *v1.Pod {
return &v1.Pod{ return &v1.Pod{

83
test/e2e_node/security_context_test.go
View File

@ -22,9 +22,8 @@ import (
"os/exec" "os/exec"
"strings" "strings"
"k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/uuid" "k8s.io/apimachinery/pkg/util/uuid"
utilfeature "k8s.io/apiserver/pkg/util/feature" utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/features"
@ -114,86 +113,6 @@ var _ = framework.KubeDescribe("Security Context", func() {
}) })
}) })
ginkgo.Context("when creating a pod in the host PID namespace", func() {
makeHostPidPod := func(podName, image string, command []string, hostPID bool) *v1.Pod {
return &v1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: podName,
},
Spec: v1.PodSpec{
RestartPolicy: v1.RestartPolicyNever,
HostPID: hostPID,
Containers: []v1.Container{
{
Image: image,
Name: podName,
Command: command,
},
},
},
}
}
createAndWaitHostPidPod := func(podName string, hostPID bool) {
podClient.Create(makeHostPidPod(podName,
busyboxImage,
[]string{"sh", "-c", "pidof nginx || true"},
hostPID,
))
podClient.WaitForSuccess(podName, framework.PodStartTimeout)
}
nginxPid := ""
ginkgo.BeforeEach(func() {
nginxPodName := "nginx-hostpid-" + string(uuid.NewUUID())
podClient.CreateSync(makeHostPidPod(nginxPodName,
imageutils.GetE2EImage(imageutils.Nginx),
nil,
true,
))
output := f.ExecShellInContainer(nginxPodName, nginxPodName,
"cat /var/run/nginx.pid")
nginxPid = strings.TrimSpace(output)
})
ginkgo.It("should show its pid in the host PID namespace [NodeFeature:HostAccess]", func() {
busyboxPodName := "busybox-hostpid-" + string(uuid.NewUUID())
createAndWaitHostPidPod(busyboxPodName, true)
logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, busyboxPodName, busyboxPodName)
if err != nil {
framework.Failf("GetPodLogs for pod %q failed: %v", busyboxPodName, err)
}
pids := strings.TrimSpace(logs)
framework.Logf("Got nginx's pid %q from pod %q", pids, busyboxPodName)
if pids == "" {
framework.Failf("nginx's pid should be seen by hostpid containers")
}
pidSets := sets.NewString(strings.Split(pids, " ")...)
if !pidSets.Has(nginxPid) {
framework.Failf("nginx's pid should be seen by hostpid containers")
}
})
ginkgo.It("should not show its pid in the non-hostpid containers [NodeFeature:HostAccess]", func() {
busyboxPodName := "busybox-non-hostpid-" + string(uuid.NewUUID())
createAndWaitHostPidPod(busyboxPodName, false)
logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, busyboxPodName, busyboxPodName)
if err != nil {
framework.Failf("GetPodLogs for pod %q failed: %v", busyboxPodName, err)
}
pids := strings.TrimSpace(logs)
framework.Logf("Got nginx's pid %q from pod %q", pids, busyboxPodName)
pidSets := sets.NewString(strings.Split(pids, " ")...)
if pidSets.Has(nginxPid) {
framework.Failf("nginx's pid should not be seen by non-hostpid containers")
}
})
})
ginkgo.Context("when creating a pod in the host IPC namespace", func() { ginkgo.Context("when creating a pod in the host IPC namespace", func() {
makeHostIPCPod := func(podName, image string, command []string, hostIPC bool) *v1.Pod { makeHostIPCPod := func(podName, image string, command []string, hostIPC bool) *v1.Pod {
return &v1.Pod{ return &v1.Pod{