Merge pull request #45292 from yujuhong/seccomp_test
Automatic merge from submit-queue (batch tested with PRs 44068, 45292) Add the seccomp profile loading test to dockershim The test was originally in docker_manager_test.go (now removed). I copied and adapted the logic for the new test. Also move the original test fixtures needed for the test. ref: the original test is at https://github.com/kubernetes/kubernetes/blob/v1.6.2/pkg/kubelet/dockertools/docker_manager_linux_test.go#L294 This is part of #43234
commit
3a259d38b2
@ -84,6 +84,10 @@ go_test(
|
||||
"naming_test.go",
|
||||
"security_context_test.go",
|
||||
],
|
||||
data = [
|
||||
"fixtures/seccomp/sub/subtest",
|
||||
"fixtures/seccomp/test",
|
||||
],
|
||||
library = ":go_default_library",
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
|
@ -18,6 +18,7 @@ package dockershim
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"path"
|
||||
"testing"
|
||||
|
||||
"github.com/blang/semver"
|
||||
@ -43,9 +44,6 @@ func TestLabelsAndAnnotationsRoundTrip(t *testing.T) {
|
||||
assert.Equal(t, expectedAnnotations, actualAnnotations)
|
||||
}
|
||||
|
||||
// TestGetSeccompSecurityOpts tests the logic of generating container seccomp options from sandbox annotations.
|
||||
// The actual profile loading logic is tested in dockertools.
|
||||
// TODO: Migrate the corresponding test to dockershim.
|
||||
func TestGetSeccompSecurityOpts(t *testing.T) {
|
||||
containerName := "bar"
|
||||
makeConfig := func(annotations map[string]string) *runtimeapi.PodSandboxConfig {
|
||||
@ -90,6 +88,55 @@ func TestGetSeccompSecurityOpts(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestLoadSeccompLocalhostProfiles(t *testing.T) {
|
||||
containerName := "bar"
|
||||
makeConfig := func(annotations map[string]string) *runtimeapi.PodSandboxConfig {
|
||||
return makeSandboxConfigWithLabelsAndAnnotations("pod", "ns", "1234", 1, nil, annotations)
|
||||
}
|
||||
|
||||
tests := []struct {
|
||||
msg string
|
||||
config *runtimeapi.PodSandboxConfig
|
||||
expectedOpts []string
|
||||
expectErr bool
|
||||
}{{
|
||||
msg: "Seccomp localhost/test profile",
|
||||
config: makeConfig(map[string]string{
|
||||
v1.SeccompPodAnnotationKey: "localhost/test",
|
||||
}),
|
||||
expectedOpts: []string{`seccomp={"foo":"bar"}`},
|
||||
expectErr: false,
|
||||
}, {
|
||||
msg: "Seccomp localhost/sub/subtest profile",
|
||||
config: makeConfig(map[string]string{
|
||||
v1.SeccompPodAnnotationKey: "localhost/sub/subtest",
|
||||
}),
|
||||
expectedOpts: []string{`seccomp={"abc":"def"}`},
|
||||
expectErr: false,
|
||||
}, {
|
||||
msg: "Seccomp non-existent",
|
||||
config: makeConfig(map[string]string{
|
||||
v1.SeccompPodAnnotationKey: "localhost/non-existent",
|
||||
}),
|
||||
expectedOpts: nil,
|
||||
expectErr: true,
|
||||
}}
|
||||
|
||||
profileRoot := path.Join("fixtures", "seccomp")
|
||||
for i, test := range tests {
|
||||
opts, err := getSeccompSecurityOpts(containerName, test.config, profileRoot, '=')
|
||||
if test.expectErr {
|
||||
assert.Error(t, err, fmt.Sprintf("TestCase[%d]: %s", i, test.msg))
|
||||
continue
|
||||
}
|
||||
assert.NoError(t, err, "TestCase[%d]: %s", i, test.msg)
|
||||
assert.Len(t, opts, len(test.expectedOpts), "TestCase[%d]: %s", i, test.msg)
|
||||
for _, opt := range test.expectedOpts {
|
||||
assert.Contains(t, opts, opt, "TestCase[%d]: %s", i, test.msg)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// TestGetApparmorSecurityOpts tests the logic of generating container apparmor options from sandbox annotations.
|
||||
// The actual profile loading logic is tested in dockertools.
|
||||
// TODO: Migrate the corresponding test to dockershim.
|
||||
|
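Review bot: The expected-error branch of TestLoadSeccompLocalhostProfiles runs `continue` right after `assert.Error`, so the `expectedOpts: nil` of the "Seccomp non-existent" case is never checked. A loader that returned an error together with a partial or fallback option list would still pass. Adding `assert.Empty(t, opts, "TestCase[%d]: %s", i, test.msg)` before the `continue` would pin the fail-closed behaviour. That same branch wraps its message in `fmt.Sprintf`, while the other assertions pass the format arguments directly; `assert.Error(t, err, "TestCase[%d]: %s", i, test.msg)` would match them. The only negative case is a missing file, and the loader itself is not visible on this page, so whether a profile name with `..` segments can resolve outside `profileRoot` is untested here; a case asserting that such a name is rejected would document that boundary.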
@ -44,10 +44,6 @@ go_test(
|
||||
"docker_test.go",
|
||||
"kube_docker_client_test.go",
|
||||
],
|
||||
data = [
|
||||
"fixtures/seccomp/sub/subtest",
|
||||
"fixtures/seccomp/test",
|
||||
],
|
||||
library = ":go_default_library",
|
||||
tags = [
|
||||
"automanaged",
|
||||
|