move hostPID tests to common
parent
af67b2cbce
commit
20ac24929b
@ -22,6 +22,7 @@ import (
|
||||
|
||||
v1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/uuid"
|
||||
"k8s.io/kubernetes/pkg/kubelet/events"
|
||||
"k8s.io/kubernetes/test/e2e/framework"
|
||||
@ -40,6 +41,86 @@ var _ = framework.KubeDescribe("Security Context", func() {
|
||||
podClient = f.PodClient()
|
||||
})
|
||||
|
||||
ginkgo.Context("when creating a pod in the host PID namespace", func() {
|
||||
makeHostPidPod := func(podName, image string, command []string, hostPID bool) *v1.Pod {
|
||||
return &v1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: podName,
|
||||
},
|
||||
Spec: v1.PodSpec{
|
||||
RestartPolicy: v1.RestartPolicyNever,
|
||||
HostPID: hostPID,
|
||||
Containers: []v1.Container{
|
||||
{
|
||||
Image: image,
|
||||
Name: podName,
|
||||
Command: command,
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
createAndWaitHostPidPod := func(podName string, hostPID bool) {
|
||||
podClient.Create(makeHostPidPod(podName,
|
||||
framework.BusyBoxImage,
|
||||
[]string{"sh", "-c", "pidof nginx || true"},
|
||||
hostPID,
|
||||
))
|
||||
|
||||
podClient.WaitForSuccess(podName, framework.PodStartTimeout)
|
||||
}
|
||||
|
||||
nginxPid := ""
|
||||
ginkgo.BeforeEach(func() {
|
||||
nginxPodName := "nginx-hostpid-" + string(uuid.NewUUID())
|
||||
podClient.CreateSync(makeHostPidPod(nginxPodName,
|
||||
imageutils.GetE2EImage(imageutils.Nginx),
|
||||
nil,
|
||||
true,
|
||||
))
|
||||
|
||||
output := f.ExecShellInContainer(nginxPodName, nginxPodName,
|
||||
"cat /var/run/nginx.pid")
|
||||
nginxPid = strings.TrimSpace(output)
|
||||
})
|
||||
|
||||
ginkgo.It("should show its pid in the host PID namespace [LinuxOnly] [NodeFeature:HostAccess]", func() {
|
||||
busyboxPodName := "busybox-hostpid-" + string(uuid.NewUUID())
|
||||
createAndWaitHostPidPod(busyboxPodName, true)
|
||||
logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, busyboxPodName, busyboxPodName)
|
||||
if err != nil {
|
||||
framework.Failf("GetPodLogs for pod %q failed: %v", busyboxPodName, err)
|
||||
}
|
||||
|
||||
pids := strings.TrimSpace(logs)
|
||||
framework.Logf("Got nginx's pid %q from pod %q", pids, busyboxPodName)
|
||||
if pids == "" {
|
||||
framework.Failf("nginx's pid should be seen by hostpid containers")
|
||||
}
|
||||
|
||||
pidSets := sets.NewString(strings.Split(pids, " ")...)
|
||||
if !pidSets.Has(nginxPid) {
|
||||
framework.Failf("nginx's pid should be seen by hostpid containers")
|
||||
}
|
||||
})
|
||||
|
||||
ginkgo.It("should not show its pid in the non-hostpid containers [LinuxOnly] [NodeFeature:HostAccess]", func() {
|
||||
busyboxPodName := "busybox-non-hostpid-" + string(uuid.NewUUID())
|
||||
createAndWaitHostPidPod(busyboxPodName, false)
|
||||
logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, busyboxPodName, busyboxPodName)
|
||||
if err != nil {
|
||||
framework.Failf("GetPodLogs for pod %q failed: %v", busyboxPodName, err)
|
||||
}
|
||||
|
||||
pids := strings.TrimSpace(logs)
|
||||
framework.Logf("Got nginx's pid %q from pod %q", pids, busyboxPodName)
|
||||
pidSets := sets.NewString(strings.Split(pids, " ")...)
|
||||
if pidSets.Has(nginxPid) {
|
||||
framework.Failf("nginx's pid should not be seen by non-hostpid containers")
|
||||
}
|
||||
})
|
||||
})
|
||||
|
||||
ginkgo.Context("When creating a container with runAsUser", func() {
|
||||
makeUserPod := func(podName, image string, command []string, userid int64) *v1.Pod {
|
||||
return &v1.Pod{
|
||||
|
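Review bot: The negative spec ("should not show its pid in the non-hostpid containers") can pass without proving PID-namespace isolation, because `pidof nginx || true` hides every failure of `pidof` and nothing verifies that `nginxPid` set in `BeforeEach` is a usable value. If `cat /var/run/nginx.pid` returns something other than a PID, `pidSets.Has(nginxPid)` is simply false and the isolation check reports success; if it returns an empty string, the spec fails with the misleading "should not be seen" message instead of pointing at the setup. I would guard the setup right after the `strings.TrimSpace(output)` assignment with `if nginxPid == "" { framework.Failf("could not read nginx's pid from pod %q", nginxPodName) }`, and split the busybox output with `strings.Fields(pids)` so stray whitespace cannot produce an empty set member. The enclosing `framework.KubeDescribe` block starts and ends outside this hunk.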
@ -22,9 +22,8 @@ import (
|
||||
"os/exec"
|
||||
"strings"
|
||||
|
||||
"k8s.io/api/core/v1"
|
||||
v1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/uuid"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
"k8s.io/kubernetes/pkg/features"
|
||||
@ -114,86 +113,6 @@ var _ = framework.KubeDescribe("Security Context", func() {
|
||||
})
|
||||
})
|
||||
|
||||
ginkgo.Context("when creating a pod in the host PID namespace", func() {
|
||||
makeHostPidPod := func(podName, image string, command []string, hostPID bool) *v1.Pod {
|
||||
return &v1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: podName,
|
||||
},
|
||||
Spec: v1.PodSpec{
|
||||
RestartPolicy: v1.RestartPolicyNever,
|
||||
HostPID: hostPID,
|
||||
Containers: []v1.Container{
|
||||
{
|
||||
Image: image,
|
||||
Name: podName,
|
||||
Command: command,
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
createAndWaitHostPidPod := func(podName string, hostPID bool) {
|
||||
podClient.Create(makeHostPidPod(podName,
|
||||
busyboxImage,
|
||||
[]string{"sh", "-c", "pidof nginx || true"},
|
||||
hostPID,
|
||||
))
|
||||
|
||||
podClient.WaitForSuccess(podName, framework.PodStartTimeout)
|
||||
}
|
||||
|
||||
nginxPid := ""
|
||||
ginkgo.BeforeEach(func() {
|
||||
nginxPodName := "nginx-hostpid-" + string(uuid.NewUUID())
|
||||
podClient.CreateSync(makeHostPidPod(nginxPodName,
|
||||
imageutils.GetE2EImage(imageutils.Nginx),
|
||||
nil,
|
||||
true,
|
||||
))
|
||||
|
||||
output := f.ExecShellInContainer(nginxPodName, nginxPodName,
|
||||
"cat /var/run/nginx.pid")
|
||||
nginxPid = strings.TrimSpace(output)
|
||||
})
|
||||
|
||||
ginkgo.It("should show its pid in the host PID namespace [NodeFeature:HostAccess]", func() {
|
||||
busyboxPodName := "busybox-hostpid-" + string(uuid.NewUUID())
|
||||
createAndWaitHostPidPod(busyboxPodName, true)
|
||||
logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, busyboxPodName, busyboxPodName)
|
||||
if err != nil {
|
||||
framework.Failf("GetPodLogs for pod %q failed: %v", busyboxPodName, err)
|
||||
}
|
||||
|
||||
pids := strings.TrimSpace(logs)
|
||||
framework.Logf("Got nginx's pid %q from pod %q", pids, busyboxPodName)
|
||||
if pids == "" {
|
||||
framework.Failf("nginx's pid should be seen by hostpid containers")
|
||||
}
|
||||
|
||||
pidSets := sets.NewString(strings.Split(pids, " ")...)
|
||||
if !pidSets.Has(nginxPid) {
|
||||
framework.Failf("nginx's pid should be seen by hostpid containers")
|
||||
}
|
||||
})
|
||||
|
||||
ginkgo.It("should not show its pid in the non-hostpid containers [NodeFeature:HostAccess]", func() {
|
||||
busyboxPodName := "busybox-non-hostpid-" + string(uuid.NewUUID())
|
||||
createAndWaitHostPidPod(busyboxPodName, false)
|
||||
logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, busyboxPodName, busyboxPodName)
|
||||
if err != nil {
|
||||
framework.Failf("GetPodLogs for pod %q failed: %v", busyboxPodName, err)
|
||||
}
|
||||
|
||||
pids := strings.TrimSpace(logs)
|
||||
framework.Logf("Got nginx's pid %q from pod %q", pids, busyboxPodName)
|
||||
pidSets := sets.NewString(strings.Split(pids, " ")...)
|
||||
if pidSets.Has(nginxPid) {
|
||||
framework.Failf("nginx's pid should not be seen by non-hostpid containers")
|
||||
}
|
||||
})
|
||||
})
|
||||
|
||||
ginkgo.Context("when creating a pod in the host IPC namespace", func() {
|
||||
makeHostIPCPod := func(podName, image string, command []string, hostIPC bool) *v1.Pod {
|
||||
return &v1.Pod{
|
||||
|