Merge pull request #37647 from bowei/priv-pod-e2e

Automatic merge from submit-queue (batch tested with PRs 37692, 37785, 37647, 37941, 37856)

Remove extraneous curl, pods, etc from privileged pod test

test/e2e/common/privileged.go

@@ -17,9 +17,7 @@ limitations under the License.
 package common
 
 import (
-	"encoding/json"
 	"fmt"
-	"net/url"
 
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@@ -27,119 +25,90 @@ import (
 	"k8s.io/kubernetes/test/e2e/framework"
 )
 
-const (
-	privilegedPodName          = "privileged-pod"
-	privilegedContainerName    = "privileged-container"
-	privilegedHttpPort         = 8080
-	privilegedUdpPort          = 8081
-	notPrivilegedHttpPort      = 9090
-	notPrivilegedUdpPort       = 9091
-	notPrivilegedContainerName = "not-privileged-container"
-	privilegedContainerImage   = "gcr.io/google_containers/netexec:1.7"
-	privilegedCommand          = "ip link add dummy1 type dummy"
-)
-
 type PrivilegedPodTestConfig struct {
-	privilegedPod *v1.Pod
+	f *framework.Framework
-	f             *framework.Framework
+
-	hostExecPod   *v1.Pod
+	privilegedPod          string
+	privilegedContainer    string
+	notPrivilegedContainer string
+
+	pod *v1.Pod
 }
 
 var _ = framework.KubeDescribe("PrivilegedPod", func() {
-	f := framework.NewDefaultFramework("e2e-privilegedpod")
 	config := &PrivilegedPodTestConfig{
-		f: f,
+		f:                      framework.NewDefaultFramework("e2e-privileged-pod"),
+		privilegedPod:          "privileged-pod",
+		privilegedContainer:    "privileged-container",
+		notPrivilegedContainer: "not-privileged-container",
 	}
-	It("should test privileged pod", func() {
-		By("Creating a hostexec pod")
-		config.createHostExecPod()
 
-		By("Creating a privileged pod")
+	It("should enable privileged commands", func() {
-		config.createPrivilegedPod()
+		By("Creating a pod with a privileged container")
+		config.createPods()
 
-		By("Executing privileged command on privileged container")
+		By("Executing in the privileged container")
-		config.runPrivilegedCommandOnPrivilegedContainer()
+		config.run(config.privilegedContainer, true)
 
-		By("Executing privileged command on non-privileged container")
+		By("Executing in the non-privileged container")
-		config.runPrivilegedCommandOnNonPrivilegedContainer()
+		config.run(config.notPrivilegedContainer, false)
 	})
 })
 
-func (config *PrivilegedPodTestConfig) runPrivilegedCommandOnPrivilegedContainer() {
+func (c *PrivilegedPodTestConfig) run(containerName string, expectSuccess bool) {
-	outputMap := config.dialFromContainer(config.privilegedPod.Status.PodIP, privilegedHttpPort)
+	cmd := []string{"ip", "link", "add", "dummy1", "type", "dummy"}
-	if len(outputMap["error"]) > 0 {
+	reverseCmd := []string{"ip", "link", "del", "dummy1"}
-		framework.Failf("Privileged command failed unexpectedly on privileged container, output:%v", outputMap)
+
+	stdout, stderr, err := c.f.ExecCommandInContainerWithFullOutput(
+		c.privilegedPod, containerName, cmd...)
+	msg := fmt.Sprintf("cmd %v, stdout %q, stderr %q", cmd, stdout, stderr)
+
+	if expectSuccess {
+		Expect(err).NotTo(HaveOccurred(), msg)
+		// We need to clean up the dummy link that was created, as it
+		// leaks out into the node level -- yuck.
+		_, _, err := c.f.ExecCommandInContainerWithFullOutput(
+			c.privilegedPod, containerName, reverseCmd...)
+		Expect(err).NotTo(HaveOccurred(),
+			fmt.Sprintf("could not remove dummy1 link: %v", err))
+	} else {
+		Expect(err).To(HaveOccurred(), msg)
 	}
 }
 
-func (config *PrivilegedPodTestConfig) runPrivilegedCommandOnNonPrivilegedContainer() {
+func (c *PrivilegedPodTestConfig) createPodsSpec() *v1.Pod {
-	outputMap := config.dialFromContainer(config.privilegedPod.Status.PodIP, notPrivilegedHttpPort)
-	if len(outputMap["error"]) == 0 {
-		framework.Failf("Privileged command should have failed on non-privileged container, output:%v", outputMap)
-	}
-}
-
-func (config *PrivilegedPodTestConfig) dialFromContainer(containerIP string, containerHttpPort int) map[string]string {
-	v := url.Values{}
-	v.Set("shellCommand", "ip link add dummy1 type dummy")
-	cmd := fmt.Sprintf("curl -q 'http://%s:%d/shell?%s'",
-		containerIP,
-		containerHttpPort,
-		v.Encode())
-
-	By(fmt.Sprintf("Exec-ing into container over http. Running command:%s", cmd))
-	stdout := config.f.ExecShellInPod(config.hostExecPod.Name, cmd)
-	var output map[string]string
-	err := json.Unmarshal([]byte(stdout), &output)
-	Expect(err).NotTo(HaveOccurred(), fmt.Sprintf("Could not unmarshal curl response: %s", stdout))
-	framework.Logf("Deserialized output is %v", stdout)
-	return output
-}
-
-func (config *PrivilegedPodTestConfig) createPrivilegedPodSpec() *v1.Pod {
 	isPrivileged := true
 	notPrivileged := false
-	pod := &v1.Pod{
+
+	const image = "gcr.io/google_containers/busybox:1.24"
+
+	return &v1.Pod{
 		ObjectMeta: v1.ObjectMeta{
-			Name:      privilegedPodName,
+			Name:      c.privilegedPod,
-			Namespace: config.f.Namespace.Name,
+			Namespace: c.f.Namespace.Name,
 		},
 		Spec: v1.PodSpec{
 			Containers: []v1.Container{
 				{
-					Name:            privilegedContainerName,
+					Name:            c.privilegedContainer,
-					Image:           privilegedContainerImage,
+					Image:           image,
 					ImagePullPolicy: v1.PullIfNotPresent,
 					SecurityContext: &v1.SecurityContext{Privileged: &isPrivileged},
-					Command: []string{
+					Command:         []string{"/bin/sleep", "10000"},
-						"/netexec",
-						fmt.Sprintf("--http-port=%d", privilegedHttpPort),
-						fmt.Sprintf("--udp-port=%d", privilegedUdpPort),
-					},
 				},
 				{
-					Name:            notPrivilegedContainerName,
+					Name:            c.notPrivilegedContainer,
-					Image:           privilegedContainerImage,
+					Image:           image,
 					ImagePullPolicy: v1.PullIfNotPresent,
 					SecurityContext: &v1.SecurityContext{Privileged: &notPrivileged},
-					Command: []string{
+					Command:         []string{"/bin/sleep", "10000"},
-						"/netexec",
-						fmt.Sprintf("--http-port=%d", notPrivilegedHttpPort),
-						fmt.Sprintf("--udp-port=%d", notPrivilegedUdpPort),
-					},
 				},
 			},
 		},
 	}
-	return pod
 }
 
-func (config *PrivilegedPodTestConfig) createHostExecPod() {
+func (c *PrivilegedPodTestConfig) createPods() {
-	podSpec := framework.NewHostExecPodSpec(config.f.Namespace.Name, "hostexec")
+	podSpec := c.createPodsSpec()
-	config.hostExecPod = config.f.PodClient().CreateSync(podSpec)
+	c.pod = c.f.PodClient().CreateSync(podSpec)
-}
-
-func (config *PrivilegedPodTestConfig) createPrivilegedPod() {
-	podSpec := config.createPrivilegedPodSpec()
-	config.privilegedPod = config.f.PodClient().CreateSync(podSpec)
 }