Merge pull request #88247 from kolyshkin/e2e-node-selinux-fix

test/e2e/node: fix selinux test failure
Kubernetes Prow Robot 2020-02-18 20:58:51 -08:00 committed by GitHub
commit 3a828af963


@ -26,7 +26,7 @@ import (
"context" "context"
"fmt" "fmt"
"k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/uuid" "k8s.io/apimachinery/pkg/util/uuid"
"k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/framework"
@ -252,10 +252,11 @@ func testPodSELinuxLabeling(f *framework.Framework, hostIPC bool, hostPID bool)
pod.Spec.SecurityContext.SELinuxOptions = &v1.SELinuxOptions{ pod.Spec.SecurityContext.SELinuxOptions = &v1.SELinuxOptions{
Level: "s0:c0,c1", Level: "s0:c0,c1",
} }
f.TestContainerOutput("Pod with same MCS label reading test file", pod, 0, []string{testContent}) f.TestContainerOutput("Pod with same MCS label reading test file", pod, 0, []string{testContent})
// Confirm that the same pod with a different MCS // Confirm that the same pod with a different MCS
// label cannot access the volume // label cannot access the volume
ginkgo.By("confirming a container with a different MCS label is unable to read the file")
pod = scTestPod(hostIPC, hostPID) pod = scTestPod(hostIPC, hostPID)
pod.Spec.Volumes = volumes pod.Spec.Volumes = volumes
pod.Spec.Containers[0].VolumeMounts = volumeMounts pod.Spec.Containers[0].VolumeMounts = volumeMounts
@ -269,7 +270,10 @@ func testPodSELinuxLabeling(f *framework.Framework, hostIPC bool, hostPID bool)
err = f.WaitForPodRunning(pod.Name) err = f.WaitForPodRunning(pod.Name)
framework.ExpectNoError(err, "Error waiting for pod to run %v", pod) framework.ExpectNoError(err, "Error waiting for pod to run %v", pod)
content, err = tk.ReadFileViaContainer(pod.Name, "test-container", testFilePath) // for this to work, SELinux should be in enforcing mode, so let's check that
framework.ExpectNoError(err, "Error reading file via container") isEnforced, err := tk.ReadFileViaContainer(pod.Name, "test-container", "/sys/fs/selinux/enforce")
gomega.Expect(content).NotTo(gomega.ContainSubstring(testContent)) if err == nil && isEnforced == "1" {
_, err = tk.ReadFileViaContainer(pod.Name, "test-container", testFilePath)
framework.ExpectError(err, "expecting SELinux to not let the container with different MCS label to read the file")
}
} }
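Review bot: The negative check behind the new `if err == nil && isEnforced == "1"` guard is silently skipped whenever the enforce file cannot be read or SELinux is permissive/disabled, so on such a host the test passes without ever verifying that a pod with a different MCS label is denied the file. An `else` branch should at least make that visible in the test log, e.g. `} else { framework.Logf("different-MCS-label read check not exercised: enforce=%q err=%v", isEnforced, err) }`, so a run that never exercised the denial is distinguishable from one that did. It is also worth confirming that `ReadFileViaContainer` returns the file content without a trailing newline; if it does not, `isEnforced == "1"` never matches and the check is always bypassed. The body of testPodSELinuxLabeling begins before this hunk.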