mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 19:56:01 +00:00
Merge pull request #37647 from bowei/priv-pod-e2e
Automatic merge from submit-queue (batch tested with PRs 37692, 37785, 37647, 37941, 37856) Remove extraneous curl, pods, etc from privileged pod test
This commit is contained in:
commit
4451410bdc
@ -17,9 +17,7 @@ limitations under the License.
|
|||||||
package common
|
package common
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"encoding/json"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/url"
|
|
||||||
|
|
||||||
. "github.com/onsi/ginkgo"
|
. "github.com/onsi/ginkgo"
|
||||||
. "github.com/onsi/gomega"
|
. "github.com/onsi/gomega"
|
||||||
@ -27,119 +25,90 @@ import (
|
|||||||
"k8s.io/kubernetes/test/e2e/framework"
|
"k8s.io/kubernetes/test/e2e/framework"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
|
||||||
privilegedPodName = "privileged-pod"
|
|
||||||
privilegedContainerName = "privileged-container"
|
|
||||||
privilegedHttpPort = 8080
|
|
||||||
privilegedUdpPort = 8081
|
|
||||||
notPrivilegedHttpPort = 9090
|
|
||||||
notPrivilegedUdpPort = 9091
|
|
||||||
notPrivilegedContainerName = "not-privileged-container"
|
|
||||||
privilegedContainerImage = "gcr.io/google_containers/netexec:1.7"
|
|
||||||
privilegedCommand = "ip link add dummy1 type dummy"
|
|
||||||
)
|
|
||||||
|
|
||||||
type PrivilegedPodTestConfig struct {
|
type PrivilegedPodTestConfig struct {
|
||||||
privilegedPod *v1.Pod
|
f *framework.Framework
|
||||||
f *framework.Framework
|
|
||||||
hostExecPod *v1.Pod
|
privilegedPod string
|
||||||
|
privilegedContainer string
|
||||||
|
notPrivilegedContainer string
|
||||||
|
|
||||||
|
pod *v1.Pod
|
||||||
}
|
}
|
||||||
|
|
||||||
var _ = framework.KubeDescribe("PrivilegedPod", func() {
|
var _ = framework.KubeDescribe("PrivilegedPod", func() {
|
||||||
f := framework.NewDefaultFramework("e2e-privilegedpod")
|
|
||||||
config := &PrivilegedPodTestConfig{
|
config := &PrivilegedPodTestConfig{
|
||||||
f: f,
|
f: framework.NewDefaultFramework("e2e-privileged-pod"),
|
||||||
|
privilegedPod: "privileged-pod",
|
||||||
|
privilegedContainer: "privileged-container",
|
||||||
|
notPrivilegedContainer: "not-privileged-container",
|
||||||
}
|
}
|
||||||
It("should test privileged pod", func() {
|
|
||||||
By("Creating a hostexec pod")
|
|
||||||
config.createHostExecPod()
|
|
||||||
|
|
||||||
By("Creating a privileged pod")
|
It("should enable privileged commands", func() {
|
||||||
config.createPrivilegedPod()
|
By("Creating a pod with a privileged container")
|
||||||
|
config.createPods()
|
||||||
|
|
||||||
By("Executing privileged command on privileged container")
|
By("Executing in the privileged container")
|
||||||
config.runPrivilegedCommandOnPrivilegedContainer()
|
config.run(config.privilegedContainer, true)
|
||||||
|
|
||||||
By("Executing privileged command on non-privileged container")
|
By("Executing in the non-privileged container")
|
||||||
config.runPrivilegedCommandOnNonPrivilegedContainer()
|
config.run(config.notPrivilegedContainer, false)
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
func (config *PrivilegedPodTestConfig) runPrivilegedCommandOnPrivilegedContainer() {
|
func (c *PrivilegedPodTestConfig) run(containerName string, expectSuccess bool) {
|
||||||
outputMap := config.dialFromContainer(config.privilegedPod.Status.PodIP, privilegedHttpPort)
|
cmd := []string{"ip", "link", "add", "dummy1", "type", "dummy"}
|
||||||
if len(outputMap["error"]) > 0 {
|
reverseCmd := []string{"ip", "link", "del", "dummy1"}
|
||||||
framework.Failf("Privileged command failed unexpectedly on privileged container, output:%v", outputMap)
|
|
||||||
|
stdout, stderr, err := c.f.ExecCommandInContainerWithFullOutput(
|
||||||
|
c.privilegedPod, containerName, cmd...)
|
||||||
|
msg := fmt.Sprintf("cmd %v, stdout %q, stderr %q", cmd, stdout, stderr)
|
||||||
|
|
||||||
|
if expectSuccess {
|
||||||
|
Expect(err).NotTo(HaveOccurred(), msg)
|
||||||
|
// We need to clean up the dummy link that was created, as it
|
||||||
|
// leaks out into the node level -- yuck.
|
||||||
|
_, _, err := c.f.ExecCommandInContainerWithFullOutput(
|
||||||
|
c.privilegedPod, containerName, reverseCmd...)
|
||||||
|
Expect(err).NotTo(HaveOccurred(),
|
||||||
|
fmt.Sprintf("could not remove dummy1 link: %v", err))
|
||||||
|
} else {
|
||||||
|
Expect(err).To(HaveOccurred(), msg)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (config *PrivilegedPodTestConfig) runPrivilegedCommandOnNonPrivilegedContainer() {
|
func (c *PrivilegedPodTestConfig) createPodsSpec() *v1.Pod {
|
||||||
outputMap := config.dialFromContainer(config.privilegedPod.Status.PodIP, notPrivilegedHttpPort)
|
|
||||||
if len(outputMap["error"]) == 0 {
|
|
||||||
framework.Failf("Privileged command should have failed on non-privileged container, output:%v", outputMap)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func (config *PrivilegedPodTestConfig) dialFromContainer(containerIP string, containerHttpPort int) map[string]string {
|
|
||||||
v := url.Values{}
|
|
||||||
v.Set("shellCommand", "ip link add dummy1 type dummy")
|
|
||||||
cmd := fmt.Sprintf("curl -q 'http://%s:%d/shell?%s'",
|
|
||||||
containerIP,
|
|
||||||
containerHttpPort,
|
|
||||||
v.Encode())
|
|
||||||
|
|
||||||
By(fmt.Sprintf("Exec-ing into container over http. Running command:%s", cmd))
|
|
||||||
stdout := config.f.ExecShellInPod(config.hostExecPod.Name, cmd)
|
|
||||||
var output map[string]string
|
|
||||||
err := json.Unmarshal([]byte(stdout), &output)
|
|
||||||
Expect(err).NotTo(HaveOccurred(), fmt.Sprintf("Could not unmarshal curl response: %s", stdout))
|
|
||||||
framework.Logf("Deserialized output is %v", stdout)
|
|
||||||
return output
|
|
||||||
}
|
|
||||||
|
|
||||||
func (config *PrivilegedPodTestConfig) createPrivilegedPodSpec() *v1.Pod {
|
|
||||||
isPrivileged := true
|
isPrivileged := true
|
||||||
notPrivileged := false
|
notPrivileged := false
|
||||||
pod := &v1.Pod{
|
|
||||||
|
const image = "gcr.io/google_containers/busybox:1.24"
|
||||||
|
|
||||||
|
return &v1.Pod{
|
||||||
ObjectMeta: v1.ObjectMeta{
|
ObjectMeta: v1.ObjectMeta{
|
||||||
Name: privilegedPodName,
|
Name: c.privilegedPod,
|
||||||
Namespace: config.f.Namespace.Name,
|
Namespace: c.f.Namespace.Name,
|
||||||
},
|
},
|
||||||
Spec: v1.PodSpec{
|
Spec: v1.PodSpec{
|
||||||
Containers: []v1.Container{
|
Containers: []v1.Container{
|
||||||
{
|
{
|
||||||
Name: privilegedContainerName,
|
Name: c.privilegedContainer,
|
||||||
Image: privilegedContainerImage,
|
Image: image,
|
||||||
ImagePullPolicy: v1.PullIfNotPresent,
|
ImagePullPolicy: v1.PullIfNotPresent,
|
||||||
SecurityContext: &v1.SecurityContext{Privileged: &isPrivileged},
|
SecurityContext: &v1.SecurityContext{Privileged: &isPrivileged},
|
||||||
Command: []string{
|
Command: []string{"/bin/sleep", "10000"},
|
||||||
"/netexec",
|
|
||||||
fmt.Sprintf("--http-port=%d", privilegedHttpPort),
|
|
||||||
fmt.Sprintf("--udp-port=%d", privilegedUdpPort),
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: notPrivilegedContainerName,
|
Name: c.notPrivilegedContainer,
|
||||||
Image: privilegedContainerImage,
|
Image: image,
|
||||||
ImagePullPolicy: v1.PullIfNotPresent,
|
ImagePullPolicy: v1.PullIfNotPresent,
|
||||||
SecurityContext: &v1.SecurityContext{Privileged: ¬Privileged},
|
SecurityContext: &v1.SecurityContext{Privileged: ¬Privileged},
|
||||||
Command: []string{
|
Command: []string{"/bin/sleep", "10000"},
|
||||||
"/netexec",
|
|
||||||
fmt.Sprintf("--http-port=%d", notPrivilegedHttpPort),
|
|
||||||
fmt.Sprintf("--udp-port=%d", notPrivilegedUdpPort),
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
return pod
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (config *PrivilegedPodTestConfig) createHostExecPod() {
|
func (c *PrivilegedPodTestConfig) createPods() {
|
||||||
podSpec := framework.NewHostExecPodSpec(config.f.Namespace.Name, "hostexec")
|
podSpec := c.createPodsSpec()
|
||||||
config.hostExecPod = config.f.PodClient().CreateSync(podSpec)
|
c.pod = c.f.PodClient().CreateSync(podSpec)
|
||||||
}
|
|
||||||
|
|
||||||
func (config *PrivilegedPodTestConfig) createPrivilegedPod() {
|
|
||||||
podSpec := config.createPrivilegedPodSpec()
|
|
||||||
config.privilegedPod = config.f.PodClient().CreateSync(podSpec)
|
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user