Merge pull request #45292 from yujuhong/seccomp_test

Automatic merge from submit-queue (batch tested with PRs 44068, 45292)

Add the seccomp profile loading test to dockershim

The test was originally in docker_manager_test.go (now removed). I
copied and adapted the logic for the new test. Also move the original
test fixtures needed for the test.

ref: the original test is at https://github.com/kubernetes/kubernetes/blob/v1.6.2/pkg/kubelet/dockertools/docker_manager_linux_test.go#L294

This is part of #43234
Kubernetes Submit Queue 2017-05-03 20:50:00 -07:00 committed by GitHub
commit 3a259d38b2
5 changed files with 54 additions and 7 deletions


@ -84,6 +84,10 @@ go_test(
"naming_test.go",
"security_context_test.go",
],
data = [
"fixtures/seccomp/sub/subtest",
"fixtures/seccomp/test",
],
library = ":go_default_library",
tags = ["automanaged"],
deps = [


@ -18,6 +18,7 @@ package dockershim
import (
"fmt"
"path"
"testing"
"github.com/blang/semver"
@ -43,9 +44,6 @@ func TestLabelsAndAnnotationsRoundTrip(t *testing.T) {
assert.Equal(t, expectedAnnotations, actualAnnotations)
}
// TestGetSeccompSecurityOpts tests the logic of generating container seccomp options from sandbox annotations.
// The actual profile loading logic is tested in dockertools.
// TODO: Migrate the corresponding test to dockershim.
func TestGetSeccompSecurityOpts(t *testing.T) {
containerName := "bar"
makeConfig := func(annotations map[string]string) *runtimeapi.PodSandboxConfig {
@ -90,6 +88,55 @@ func TestGetSeccompSecurityOpts(t *testing.T) {
}
}
func TestLoadSeccompLocalhostProfiles(t *testing.T) {
containerName := "bar"
makeConfig := func(annotations map[string]string) *runtimeapi.PodSandboxConfig {
return makeSandboxConfigWithLabelsAndAnnotations("pod", "ns", "1234", 1, nil, annotations)
}
tests := []struct {
msg string
config *runtimeapi.PodSandboxConfig
expectedOpts []string
expectErr bool
}{{
msg: "Seccomp localhost/test profile",
config: makeConfig(map[string]string{
v1.SeccompPodAnnotationKey: "localhost/test",
}),
expectedOpts: []string{`seccomp={"foo":"bar"}`},
expectErr: false,
}, {
msg: "Seccomp localhost/sub/subtest profile",
config: makeConfig(map[string]string{
v1.SeccompPodAnnotationKey: "localhost/sub/subtest",
}),
expectedOpts: []string{`seccomp={"abc":"def"}`},
expectErr: false,
}, {
msg: "Seccomp non-existent",
config: makeConfig(map[string]string{
v1.SeccompPodAnnotationKey: "localhost/non-existent",
}),
expectedOpts: nil,
expectErr: true,
}}
profileRoot := path.Join("fixtures", "seccomp")
for i, test := range tests {
opts, err := getSeccompSecurityOpts(containerName, test.config, profileRoot, '=')
if test.expectErr {
assert.Error(t, err, fmt.Sprintf("TestCase[%d]: %s", i, test.msg))
continue
}
assert.NoError(t, err, "TestCase[%d]: %s", i, test.msg)
assert.Len(t, opts, len(test.expectedOpts), "TestCase[%d]: %s", i, test.msg)
for _, opt := range test.expectedOpts {
assert.Contains(t, opts, opt, "TestCase[%d]: %s", i, test.msg)
}
}
}
// TestGetApparmorSecurityOpts tests the logic of generating container apparmor options from sandbox annotations.
// The actual profile loading logic is tested in dockertools.
// TODO: Migrate the corresponding test to dockershim.
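Review bot: In TestLoadSeccompLocalhostProfiles the `expectErr` branch reaches `continue` straight after `assert.Error`, so the `expectedOpts: nil` declared for the "Seccomp non-existent" case is never checked. Since this exercises a sandboxing control, the failure path should also assert that no options are returned alongside the error, e.g. `assert.Empty(t, opts, "TestCase[%d]: %s", i, test.msg)` before the `continue`. The table also has no case for a `localhost/` name containing `..`; whether getSeccompSecurityOpts confines lookups to `profileRoot` is not visible in this hunk, so a case pinning the expected outcome would document that boundary. As a minor style point, the `assert.Error` call wraps its message in `fmt.Sprintf` while the other assertions pass the format and arguments directly.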


@ -44,10 +44,6 @@ go_test(
"docker_test.go",
"kube_docker_client_test.go",
],
data = [
"fixtures/seccomp/sub/subtest",
"fixtures/seccomp/test",
],
library = ":go_default_library",
tags = [
"automanaged",