Merge pull request #45292 from yujuhong/seccomp_test

Automatic merge from submit-queue (batch tested with PRs 44068, 45292)

Add the seccomp profile loading test to dockershim

The test was originally in docker_manager_test.go (now removed). I
copied and adapated the logic for the new test. Also move the origina
test fixtures needed for the test.

ref: the original test is at https://github.com/kubernetes/kubernetes/blob/v1.6.2/pkg/kubelet/dockertools/docker_manager_linux_test.go#L294

This is part of #43234

pkg/kubelet/dockershim/BUILD

@@ -84,6 +84,10 @@ go_test(
         "naming_test.go",
         "security_context_test.go",
     ],
+    data = [
+        "fixtures/seccomp/sub/subtest",
+        "fixtures/seccomp/test",
+    ],
     library = ":go_default_library",
     tags = ["automanaged"],
     deps = [

pkg/kubelet/dockershim/helpers_test.go

@@ -18,6 +18,7 @@ package dockershim
 
 import (
 	"fmt"
+	"path"
 	"testing"
 
 	"github.com/blang/semver"
@@ -43,9 +44,6 @@ func TestLabelsAndAnnotationsRoundTrip(t *testing.T) {
 	assert.Equal(t, expectedAnnotations, actualAnnotations)
 }
 
-// TestGetSeccompSecurityOpts tests the logic of generating container seccomp options from sandbox annotations.
-// The actual profile loading logic is tested in dockertools.
-// TODO: Migrate the corresponding test to dockershim.
 func TestGetSeccompSecurityOpts(t *testing.T) {
 	containerName := "bar"
 	makeConfig := func(annotations map[string]string) *runtimeapi.PodSandboxConfig {
@@ -90,6 +88,55 @@ func TestGetSeccompSecurityOpts(t *testing.T) {
 	}
 }
 
+func TestLoadSeccompLocalhostProfiles(t *testing.T) {
+	containerName := "bar"
+	makeConfig := func(annotations map[string]string) *runtimeapi.PodSandboxConfig {
+		return makeSandboxConfigWithLabelsAndAnnotations("pod", "ns", "1234", 1, nil, annotations)
+	}
+
+	tests := []struct {
+		msg          string
+		config       *runtimeapi.PodSandboxConfig
+		expectedOpts []string
+		expectErr    bool
+	}{{
+		msg: "Seccomp localhost/test profile",
+		config: makeConfig(map[string]string{
+			v1.SeccompPodAnnotationKey: "localhost/test",
+		}),
+		expectedOpts: []string{`seccomp={"foo":"bar"}`},
+		expectErr:    false,
+	}, {
+		msg: "Seccomp localhost/sub/subtest profile",
+		config: makeConfig(map[string]string{
+			v1.SeccompPodAnnotationKey: "localhost/sub/subtest",
+		}),
+		expectedOpts: []string{`seccomp={"abc":"def"}`},
+		expectErr:    false,
+	}, {
+		msg: "Seccomp non-existent",
+		config: makeConfig(map[string]string{
+			v1.SeccompPodAnnotationKey: "localhost/non-existent",
+		}),
+		expectedOpts: nil,
+		expectErr:    true,
+	}}
+
+	profileRoot := path.Join("fixtures", "seccomp")
+	for i, test := range tests {
+		opts, err := getSeccompSecurityOpts(containerName, test.config, profileRoot, '=')
+		if test.expectErr {
+			assert.Error(t, err, fmt.Sprintf("TestCase[%d]: %s", i, test.msg))
+			continue
+		}
+		assert.NoError(t, err, "TestCase[%d]: %s", i, test.msg)
+		assert.Len(t, opts, len(test.expectedOpts), "TestCase[%d]: %s", i, test.msg)
+		for _, opt := range test.expectedOpts {
+			assert.Contains(t, opts, opt, "TestCase[%d]: %s", i, test.msg)
+		}
+	}
+}
+
 // TestGetApparmorSecurityOpts tests the logic of generating container apparmor options from sandbox annotations.
 // The actual profile loading logic is tested in dockertools.
 // TODO: Migrate the corresponding test to dockershim.

pkg/kubelet/dockertools/BUILD

@@ -44,10 +44,6 @@ go_test(
         "docker_test.go",
         "kube_docker_client_test.go",
     ],
-    data = [
-        "fixtures/seccomp/sub/subtest",
-        "fixtures/seccomp/test",
-    ],
     library = ":go_default_library",
     tags = [
         "automanaged",