From 40976754b5fcba291cc7832c46d7ce6771be346c Mon Sep 17 00:00:00 2001
From: Jefftree
Date: Thu, 26 Sep 2019 15:33:59 -0700
Subject: [PATCH] Move privilege e2e test to common
---
 test/e2e/common/privileged.go | 1 +
 test/e2e/common/security_context.go | 13 ++++++++
 test/e2e_node/security_context_test.go | 46 --------------------------
 3 files changed, 14 insertions(+), 46 deletions(-)
diff --git a/test/e2e/common/privileged.go b/test/e2e/common/privileged.go
index 818078a7ae6..cec1614fb93 100644
--- a/test/e2e/common/privileged.go
+++ b/test/e2e/common/privileged.go
@@ -27,6 +27,7 @@ import (
 )
 // PrivilegedPodTestConfig is configuration struct for privileged pod test
+// TODO: Merge with tests in security_context.go
 type PrivilegedPodTestConfig struct {
 f *framework.Framework
diff --git a/test/e2e/common/security_context.go b/test/e2e/common/security_context.go
index daa9d445e89..23d286adbd5 100644
--- a/test/e2e/common/security_context.go
+++ b/test/e2e/common/security_context.go
@@ -271,6 +271,19 @@ var _ = framework.KubeDescribe("Security Context", func() {
 framework.Failf("unprivileged container shouldn't be able to create dummy device")
 }
 })
+
+ ginkgo.It("should run the container as privileged when true [LinuxOnly] [NodeFeature:HostAccess]", func() {
+ podName := createAndWaitUserPod(true)
+ logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, podName, podName)
+ if err != nil {
+ framework.Failf("GetPodLogs for pod %q failed: %v", podName, err)
+ }
+
+ framework.Logf("Got logs for pod %q: %q", podName, logs)
+ if strings.Contains(logs, "Operation not permitted") {
+ framework.Failf("privileged container should be able to create dummy device")
+ }
+ })
 })
 ginkgo.Context("when creating containers with AllowPrivilegeEscalation", func() {
diff --git a/test/e2e_node/security_context_test.go b/test/e2e_node/security_context_test.go
index d6e0a113790..9b823f80d62 100644
--- a/test/e2e_node/security_context_test.go
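Review bot: The check in the added `ginkgo.It` block in test/e2e/common/security_context.go is purely negative: it passes whenever the string "Operation not permitted" is absent from the pod logs, which includes empty logs and any failure of the device creation that prints a different message. `createAndWaitUserPod` is defined outside this hunk; the e2e_node copy removed by this commit ran `ip link add dummy0 type dummy || true`, and if the common helper does the same the pod exits 0 either way, so nothing here positively shows the container ran privileged. Because this test is the regression guard for `SecurityContext.Privileged`, it would be stronger to also assert on evidence that the device was created, and to include the logs in the failure so an unexpected result can be triaged: `framework.Failf("privileged container should be able to create dummy device, logs: %q", logs)`.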
+++ b/test/e2e_node/security_context_test.go
@@ -350,50 +350,4 @@ var _ = framework.KubeDescribe("Security Context", func() {
 }
 })
 })
-
- ginkgo.Context("When creating a pod with privileged", func() {
- makeUserPod := func(podName, image string, command []string, privileged bool) *v1.Pod {
- return &v1.Pod{
- ObjectMeta: metav1.ObjectMeta{
- Name: podName,
- },
- Spec: v1.PodSpec{
- RestartPolicy: v1.RestartPolicyNever,
- Containers: []v1.Container{
- {
- Image: image,
- Name: podName,
- Command: command,
- SecurityContext: &v1.SecurityContext{
- Privileged: &privileged,
- },
- },
- },
- },
- }
- }
- createAndWaitUserPod := func(privileged bool) string {
- podName := fmt.Sprintf("busybox-privileged-%v-%s", privileged, uuid.NewUUID())
- podClient.Create(makeUserPod(podName,
- busyboxImage,
- []string{"sh", "-c", "ip link add dummy0 type dummy || true"},
- privileged,
- ))
- podClient.WaitForSuccess(podName, framework.PodStartTimeout)
- return podName
- }
-
- ginkgo.It("should run the container as privileged when true [NodeFeature:HostAccess]", func() {
- podName := createAndWaitUserPod(true)
- logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, podName, podName)
- if err != nil {
- framework.Failf("GetPodLogs for pod %q failed: %v", podName, err)
- }
-
- framework.Logf("Got logs for pod %q: %q", podName, logs)
- if strings.Contains(logs, "Operation not permitted") {
- framework.Failf("privileged container should be able to create dummy device")
- }
- })
- })
 })