github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-03 17:30:00 +00:00
Code Issues Projects Releases Wiki Activity

Use ipc-utils container in HostIPC tests.

Browse Source 
This ensures the `ipcs` command from util-linux will be used, which
succeeds when Docker is running with SELinux enabled (while the one from
busybox fails.)

Tested: On a host with Docker running with SELinux enabled:

  $ make test-e2e-node REMOTE=true FOCUS="host IPC"

  • [SLOW TEST:17.272 seconds] (passed)
  [k8s.io] Security Context
    when creating a pod in the host IPC namespace
      should show the shared memory ID in the host IPC containers

  • [SLOW TEST:20.419 seconds] (passed)
  [k8s.io] Security Context
    when creating a pod in the host IPC namespace
      should not show the shared memory ID in the non-hostIPC containers

  Ran 2 of 257 Specs in 43.934 seconds
  SUCCESS! -- 2 Passed | 0 Failed | 0 Pending | 255 Skipped
This commit is contained in:
Filipe Brandenburger 2018-01-22 14:44:36 -08:00
parent c9e5bfbbbb
commit 46a83c2883
3 changed files with 13 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
test/e2e/common/util.go
View File

@ -53,6 +53,7 @@ var CurrentSuite Suite
var CommonImageWhiteList = sets.NewString( var CommonImageWhiteList = sets.NewString(
"busybox", "busybox",
imageutils.GetE2EImage(imageutils.EntrypointTester), imageutils.GetE2EImage(imageutils.EntrypointTester),
imageutils.GetE2EImage(imageutils.IpcUtils),
imageutils.GetE2EImage(imageutils.Liveness), imageutils.GetE2EImage(imageutils.Liveness),
imageutils.GetE2EImage(imageutils.Mounttest), imageutils.GetE2EImage(imageutils.Mounttest),
imageutils.GetE2EImage(imageutils.MounttestUser), imageutils.GetE2EImage(imageutils.MounttestUser),

22
test/e2e_node/security_context_test.go
View File

@ -140,7 +140,7 @@ var _ = framework.KubeDescribe("Security Context", func() {
} }
createAndWaitHostIPCPod := func(podName string, hostNetwork bool) { createAndWaitHostIPCPod := func(podName string, hostNetwork bool) {
podClient.Create(makeHostIPCPod(podName, podClient.Create(makeHostIPCPod(podName,
busyboxImage, imageutils.GetE2EImage(imageutils.IpcUtils),
[]string{"sh", "-c", "ipcs -m | awk '{print $2}'"}, []string{"sh", "-c", "ipcs -m | awk '{print $2}'"},
hostNetwork, hostNetwork,
)) ))
@ -159,30 +159,30 @@ var _ = framework.KubeDescribe("Security Context", func() {
}) })
It("should show the shared memory ID in the host IPC containers", func() { It("should show the shared memory ID in the host IPC containers", func() {
busyboxPodName := "busybox-hostipc-" + string(uuid.NewUUID()) ipcutilsPodName := "ipcutils-hostipc-" + string(uuid.NewUUID())
createAndWaitHostIPCPod(busyboxPodName, true) createAndWaitHostIPCPod(ipcutilsPodName, true)
logs, err := framework.GetPodLogs(f.ClientSet, f.Namespace.Name, busyboxPodName, busyboxPodName) logs, err := framework.GetPodLogs(f.ClientSet, f.Namespace.Name, ipcutilsPodName, ipcutilsPodName)
if err != nil { if err != nil {
framework.Failf("GetPodLogs for pod %q failed: %v", busyboxPodName, err) framework.Failf("GetPodLogs for pod %q failed: %v", ipcutilsPodName, err)
} }
podSharedMemoryIDs := strings.TrimSpace(logs) podSharedMemoryIDs := strings.TrimSpace(logs)
framework.Logf("Got shared memory IDs %q from pod %q", podSharedMemoryIDs, busyboxPodName) framework.Logf("Got shared memory IDs %q from pod %q", podSharedMemoryIDs, ipcutilsPodName)
if !strings.Contains(podSharedMemoryIDs, hostSharedMemoryID) { if !strings.Contains(podSharedMemoryIDs, hostSharedMemoryID) {
framework.Failf("hostIPC container should show shared memory IDs on host") framework.Failf("hostIPC container should show shared memory IDs on host")
} }
}) })
It("should not show the shared memory ID in the non-hostIPC containers", func() { It("should not show the shared memory ID in the non-hostIPC containers", func() {
busyboxPodName := "busybox-non-hostipc-" + string(uuid.NewUUID()) ipcutilsPodName := "ipcutils-non-hostipc-" + string(uuid.NewUUID())
createAndWaitHostIPCPod(busyboxPodName, false) createAndWaitHostIPCPod(ipcutilsPodName, false)
logs, err := framework.GetPodLogs(f.ClientSet, f.Namespace.Name, busyboxPodName, busyboxPodName) logs, err := framework.GetPodLogs(f.ClientSet, f.Namespace.Name, ipcutilsPodName, ipcutilsPodName)
if err != nil { if err != nil {
framework.Failf("GetPodLogs for pod %q failed: %v", busyboxPodName, err) framework.Failf("GetPodLogs for pod %q failed: %v", ipcutilsPodName, err)
} }
podSharedMemoryIDs := strings.TrimSpace(logs) podSharedMemoryIDs := strings.TrimSpace(logs)
framework.Logf("Got shared memory IDs %q from pod %q", podSharedMemoryIDs, busyboxPodName) framework.Logf("Got shared memory IDs %q from pod %q", podSharedMemoryIDs, ipcutilsPodName)
if strings.Contains(podSharedMemoryIDs, hostSharedMemoryID) { if strings.Contains(podSharedMemoryIDs, hostSharedMemoryID) {
framework.Failf("non-hostIPC container should not show shared memory IDs on host") framework.Failf("non-hostIPC container should not show shared memory IDs on host")
} }

1
test/utils/image/manifest.go
View File

@ -65,6 +65,7 @@ var (
GBRedisSlave = ImageConfig{sampleRegistry, "gb-redisslave", "v2", true} GBRedisSlave = ImageConfig{sampleRegistry, "gb-redisslave", "v2", true}
Goproxy = ImageConfig{e2eRegistry, "goproxy", "1.0", true} Goproxy = ImageConfig{e2eRegistry, "goproxy", "1.0", true}
Hostexec = ImageConfig{e2eRegistry, "hostexec", "1.0", true} Hostexec = ImageConfig{e2eRegistry, "hostexec", "1.0", true}
IpcUtils = ImageConfig{e2eRegistry, "ipc-utils", "1.0", true}
Iperf = ImageConfig{e2eRegistry, "iperf", "1.0", true} Iperf = ImageConfig{e2eRegistry, "iperf", "1.0", true}
JessieDnsutils = ImageConfig{e2eRegistry, "jessie-dnsutils", "1.0", true} JessieDnsutils = ImageConfig{e2eRegistry, "jessie-dnsutils", "1.0", true}
Kitten = ImageConfig{e2eRegistry, "kitten", "1.0", true} Kitten = ImageConfig{e2eRegistry, "kitten", "1.0", true}