Move privilege e2e test to common

Jefftree 2019-09-26 15:33:59 -07:00
parent 7fab683455
commit 40976754b5
3 changed files with 14 additions and 46 deletions


@ -27,6 +27,7 @@ import (
)
// PrivilegedPodTestConfig is configuration struct for privileged pod test
// TODO: Merge with tests in security_context.go
type PrivilegedPodTestConfig struct {
f *framework.Framework


@ -271,6 +271,19 @@ var _ = framework.KubeDescribe("Security Context", func() {
framework.Failf("unprivileged container shouldn't be able to create dummy device")
}
})
ginkgo.It("should run the container as privileged when true [LinuxOnly] [NodeFeature:HostAccess]", func() {
podName := createAndWaitUserPod(true)
logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, podName, podName)
if err != nil {
framework.Failf("GetPodLogs for pod %q failed: %v", podName, err)
}
framework.Logf("Got logs for pod %q: %q", podName, logs)
if strings.Contains(logs, "Operation not permitted") {
framework.Failf("privileged container should be able to create dummy device")
}
})
})
ginkgo.Context("when creating containers with AllowPrivilegeEscalation", func() {
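Review bot: The added privileged case only asserts that the logs do not contain "Operation not permitted", so it also passes when the logs are empty or when the command failed for some other reason, and a regression that drops `Privileged: true` but surfaces a different error string would go unnoticed. The `createAndWaitUserPod` helper it calls is defined outside this hunk; if it runs the same `ip link add dummy0 type dummy || true` command as the copy removed in the last file section of this commit, the `|| true` means pod success carries no signal either. Consider making the check positive: have the command print a marker string of your choosing on success and assert on it, e.g. `if !strings.Contains(logs, "<success-marker>") { framework.Failf("privileged container should be able to create dummy device") }`. The enclosing `ginkgo.Context` starts before the hunk, so the helper's actual command should be confirmed there.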


@ -350,50 +350,4 @@ var _ = framework.KubeDescribe("Security Context", func() {
}
})
})
ginkgo.Context("When creating a pod with privileged", func() {
makeUserPod := func(podName, image string, command []string, privileged bool) *v1.Pod {
return &v1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: podName,
},
Spec: v1.PodSpec{
RestartPolicy: v1.RestartPolicyNever,
Containers: []v1.Container{
{
Image: image,
Name: podName,
Command: command,
SecurityContext: &v1.SecurityContext{
Privileged: &privileged,
},
},
},
},
}
}
createAndWaitUserPod := func(privileged bool) string {
podName := fmt.Sprintf("busybox-privileged-%v-%s", privileged, uuid.NewUUID())
podClient.Create(makeUserPod(podName,
busyboxImage,
[]string{"sh", "-c", "ip link add dummy0 type dummy || true"},
privileged,
))
podClient.WaitForSuccess(podName, framework.PodStartTimeout)
return podName
}
ginkgo.It("should run the container as privileged when true [NodeFeature:HostAccess]", func() {
podName := createAndWaitUserPod(true)
logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, podName, podName)
if err != nil {
framework.Failf("GetPodLogs for pod %q failed: %v", podName, err)
}
framework.Logf("Got logs for pod %q: %q", podName, logs)
if strings.Contains(logs, "Operation not permitted") {
framework.Failf("privileged container should be able to create dummy device")
}
})
})
})