github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-31 07:20:13 +00:00
Code Issues Projects Releases Wiki Activity

e2e_node: Don't use userns in DefaultPocMount tests

Browse Source 
When proc mount is set to default, it should mask /proc.

The DefaultProcMount test was setting "hostUsers: false" which means to
create a user namespaces. This was not causing issues before, because
user namespaces was disabled by default and therefore the field was
completely ignored. Now that userns is enabled by default, the test is
failing as the runtime doesn't always have userns support.

One option would be to filter for runtimes that do have userns support.
But the default case (/proc is masked) for sure we want to test it
without userns support, as it will be applied to all pods.

To that end, we add a param "hostUsers bool" to testProcMount that will
enable it or not. Then, both test cases that call this function set it
accordingly: the default case sets it to true (no user namespace), and
the unmasked case with a privileged pod sets it to false (use a user
namespace), to verify the /proc mount is unmasked in this case.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
This commit is contained in:
Rodrigo Campos 2025-02-13 15:32:10 +01:00
parent 3725c6f765
commit 3b7926824e
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
test/e2e_node/proc_mount_test.go
View File

@ -41,7 +41,7 @@ var _ = SIGDescribe("DefaultProcMount [LinuxOnly]", framework.WithNodeConformanc
f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
ginkgo.It("will mask proc mounts by default", func(ctx context.Context) {
testProcMount(ctx, f, v1.DefaultProcMount, gomega.BeNumerically(">", 1), gomega.BeNumerically(">", 0))
testProcMount(ctx, f, v1.DefaultProcMount, true, gomega.BeNumerically(">", 1), gomega.BeNumerically(">", 0))
})
})
@ -85,11 +85,11 @@ var _ = SIGDescribe("ProcMount [LinuxOnly]", feature.ProcMountType, feature.User
if !supportsUserNS(ctx, f) {
e2eskipper.Skipf("runtime does not support user namespaces")
}
testProcMount(ctx, f, v1.UnmaskedProcMount, gomega.Equal(1), gomega.BeZero())
testProcMount(ctx, f, v1.UnmaskedProcMount, false, gomega.Equal(1), gomega.BeZero())
})
})
func testProcMount(ctx context.Context, f *framework.Framework, pmt v1.ProcMountType, expectedLines gomegatypes.GomegaMatcher, expectedReadOnly gomegatypes.GomegaMatcher) {
func testProcMount(ctx context.Context, f *framework.Framework, pmt v1.ProcMountType, hostUsers bool, expectedLines gomegatypes.GomegaMatcher, expectedReadOnly gomegatypes.GomegaMatcher) {
ginkgo.By("creating a target pod")
podClient := e2epod.NewPodClient(f)
pod := podClient.CreateSync(ctx, &v1.Pod{
@ -106,7 +106,7 @@ func testProcMount(ctx context.Context, f *framework.Framework, pmt v1.ProcMount
},
},
},
HostUsers: &falseVar,
HostUsers: &hostUsers,
},
})