diff --git a/pkg/kubelet/dockershim/BUILD b/pkg/kubelet/dockershim/BUILD
index bafd2c884cc..1fe7673bd45 100644
--- a/pkg/kubelet/dockershim/BUILD
+++ b/pkg/kubelet/dockershim/BUILD
@@ -84,6 +84,10 @@ go_test(
 "naming_test.go",
 "security_context_test.go",
 ],
+ data = [
+ "fixtures/seccomp/sub/subtest",
+ "fixtures/seccomp/test",
+ ],
 library = ":go_default_library",
 tags = ["automanaged"],
 deps = [
diff --git a/pkg/kubelet/dockertools/fixtures/seccomp/sub/subtest b/pkg/kubelet/dockershim/fixtures/seccomp/sub/subtest
similarity index 100%
rename from pkg/kubelet/dockertools/fixtures/seccomp/sub/subtest
rename to pkg/kubelet/dockershim/fixtures/seccomp/sub/subtest
diff --git a/pkg/kubelet/dockertools/fixtures/seccomp/test b/pkg/kubelet/dockershim/fixtures/seccomp/test
similarity index 100%
rename from pkg/kubelet/dockertools/fixtures/seccomp/test
rename to pkg/kubelet/dockershim/fixtures/seccomp/test
diff --git a/pkg/kubelet/dockershim/helpers_test.go b/pkg/kubelet/dockershim/helpers_test.go
index 70329559962..12cda3e413c 100644
--- a/pkg/kubelet/dockershim/helpers_test.go
+++ b/pkg/kubelet/dockershim/helpers_test.go
@@ -18,6 +18,7 @@ package dockershim
 
 import (
 "fmt"
+ "path"
 "testing"
 
 "github.com/blang/semver"
@@ -43,9 +44,6 @@ func TestLabelsAndAnnotationsRoundTrip(t *testing.T) {
 assert.Equal(t, expectedAnnotations, actualAnnotations)
 }
 
-// TestGetSeccompSecurityOpts tests the logic of generating container seccomp options from sandbox annotations.
-// The actual profile loading logic is tested in dockertools.
-// TODO: Migrate the corresponding test to dockershim.
 func TestGetSeccompSecurityOpts(t *testing.T) {
 containerName := "bar"
 makeConfig := func(annotations map[string]string) *runtimeapi.PodSandboxConfig {
@@ -90,6 +88,55 @@ func TestGetSeccompSecurityOpts(t *testing.T) {
 }
 }
 
+func TestLoadSeccompLocalhostProfiles(t *testing.T) {
+ containerName := "bar"
+ makeConfig := func(annotations map[string]string) *runtimeapi.PodSandboxConfig {
+ return makeSandboxConfigWithLabelsAndAnnotations("pod", "ns", "1234", 1, nil, annotations)
+ }
+
+ tests := []struct {
+ msg string
+ config *runtimeapi.PodSandboxConfig
+ expectedOpts []string
+ expectErr bool
+ }{{
+ msg: "Seccomp localhost/test profile",
+ config: makeConfig(map[string]string{
+ v1.SeccompPodAnnotationKey: "localhost/test",
+ }),
+ expectedOpts: []string{`seccomp={"foo":"bar"}`},
+ expectErr: false,
+ }, {
+ msg: "Seccomp localhost/sub/subtest profile",
+ config: makeConfig(map[string]string{
+ v1.SeccompPodAnnotationKey: "localhost/sub/subtest",
+ }),
+ expectedOpts: []string{`seccomp={"abc":"def"}`},
+ expectErr: false,
+ }, {
+ msg: "Seccomp non-existent",
+ config: makeConfig(map[string]string{
+ v1.SeccompPodAnnotationKey: "localhost/non-existent",
+ }),
+ expectedOpts: nil,
+ expectErr: true,
+ }}
+
+ profileRoot := path.Join("fixtures", "seccomp")
+ for i, test := range tests {
+ opts, err := getSeccompSecurityOpts(containerName, test.config, profileRoot, '=')
+ if test.expectErr {
+ assert.Error(t, err, fmt.Sprintf("TestCase[%d]: %s", i, test.msg))
+ continue
+ }
+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.msg)
+ assert.Len(t, opts, len(test.expectedOpts), "TestCase[%d]: %s", i, test.msg)
+ for _, opt := range test.expectedOpts {
+ assert.Contains(t, opts, opt, "TestCase[%d]: %s", i, test.msg)
+ }
+ }
+}
+
 // TestGetApparmorSecurityOpts tests the logic of generating container apparmor options from sandbox annotations.
 // The actual profile loading logic is tested in dockertools.
 // TODO: Migrate the corresponding test to dockershim.
diff --git a/pkg/kubelet/dockertools/BUILD b/pkg/kubelet/dockertools/BUILD
index 0c15ab0cdf8..a5e8c7efab3 100644
--- a/pkg/kubelet/dockertools/BUILD
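Review bot: The table in TestLoadSeccompLocalhostProfiles pins a profile in a subdirectory and a missing profile, but has no case for a localhost profile name that climbs out of profileRoot (for example `localhost/../test`); getSeccompSecurityOpts is defined outside this hunk, so whether it confines lookups to the profile root cannot be seen here, and a table entry with that annotation and the expectErr the helper is meant to produce would document that contract next to the positive cases. profileRoot is built with `path.Join("fixtures", "seccomp")` and then used to locate files on disk; `path` is for slash-separated paths, so `profileRoot := filepath.Join("fixtures", "seccomp")` with `"path/filepath"` replacing `"path"` in the import hunk is the idiomatic form. The error branch formats its message through `assert.Error(t, err, fmt.Sprintf("TestCase[%d]: %s", i, test.msg))` while the three other assertions pass the format string and arguments directly; `assert.Error(t, err, "TestCase[%d]: %s", i, test.msg)` keeps the four calls consistent.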
+++ b/pkg/kubelet/dockertools/BUILD
@@ -44,10 +44,6 @@ go_test(
 "docker_test.go",
 "kube_docker_client_test.go",
 ],
- data = [
- "fixtures/seccomp/sub/subtest",
- "fixtures/seccomp/test",
- ],
 library = ":go_default_library",
 tags = [
 "automanaged",