mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-21 10:51:29 +00:00
Move privilege e2e test to common
This commit is contained in:
parent
7fab683455
commit
40976754b5
@ -27,6 +27,7 @@ import (
|
||||
)
|
||||
|
||||
// PrivilegedPodTestConfig is configuration struct for privileged pod test
|
||||
// TODO: Merge with tests in security_context.go
|
||||
type PrivilegedPodTestConfig struct {
|
||||
f *framework.Framework
|
||||
|
||||
|
@ -271,6 +271,19 @@ var _ = framework.KubeDescribe("Security Context", func() {
|
||||
framework.Failf("unprivileged container shouldn't be able to create dummy device")
|
||||
}
|
||||
})
|
||||
|
||||
ginkgo.It("should run the container as privileged when true [LinuxOnly] [NodeFeature:HostAccess]", func() {
|
||||
podName := createAndWaitUserPod(true)
|
||||
logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, podName, podName)
|
||||
if err != nil {
|
||||
framework.Failf("GetPodLogs for pod %q failed: %v", podName, err)
|
||||
}
|
||||
|
||||
framework.Logf("Got logs for pod %q: %q", podName, logs)
|
||||
if strings.Contains(logs, "Operation not permitted") {
|
||||
framework.Failf("privileged container should be able to create dummy device")
|
||||
}
|
||||
})
|
||||
})
|
||||
|
||||
ginkgo.Context("when creating containers with AllowPrivilegeEscalation", func() {
|
||||
|
@ -350,50 +350,4 @@ var _ = framework.KubeDescribe("Security Context", func() {
|
||||
}
|
||||
})
|
||||
})
|
||||
|
||||
ginkgo.Context("When creating a pod with privileged", func() {
|
||||
makeUserPod := func(podName, image string, command []string, privileged bool) *v1.Pod {
|
||||
return &v1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: podName,
|
||||
},
|
||||
Spec: v1.PodSpec{
|
||||
RestartPolicy: v1.RestartPolicyNever,
|
||||
Containers: []v1.Container{
|
||||
{
|
||||
Image: image,
|
||||
Name: podName,
|
||||
Command: command,
|
||||
SecurityContext: &v1.SecurityContext{
|
||||
Privileged: &privileged,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
createAndWaitUserPod := func(privileged bool) string {
|
||||
podName := fmt.Sprintf("busybox-privileged-%v-%s", privileged, uuid.NewUUID())
|
||||
podClient.Create(makeUserPod(podName,
|
||||
busyboxImage,
|
||||
[]string{"sh", "-c", "ip link add dummy0 type dummy || true"},
|
||||
privileged,
|
||||
))
|
||||
podClient.WaitForSuccess(podName, framework.PodStartTimeout)
|
||||
return podName
|
||||
}
|
||||
|
||||
ginkgo.It("should run the container as privileged when true [NodeFeature:HostAccess]", func() {
|
||||
podName := createAndWaitUserPod(true)
|
||||
logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, podName, podName)
|
||||
if err != nil {
|
||||
framework.Failf("GetPodLogs for pod %q failed: %v", podName, err)
|
||||
}
|
||||
|
||||
framework.Logf("Got logs for pod %q: %q", podName, logs)
|
||||
if strings.Contains(logs, "Operation not permitted") {
|
||||
framework.Failf("privileged container should be able to create dummy device")
|
||||
}
|
||||
})
|
||||
})
|
||||
})
|
||||
|
Loading…
Reference in New Issue
Block a user