Adds ReadOnlyRootFilesystem support for containers

test/e2e_node/kubelet_test.go

@@ -85,6 +85,53 @@ var _ = Describe("Kubelet", func() {
 				Expect(err).To(BeNil(), fmt.Sprintf("Error creating Pod %v", err))
 			})
 		})
+
+		Context("when scheduling a read only busybox container", func() {
+			It("it should return success", func() {
+				pod := &api.Pod{
+					ObjectMeta: api.ObjectMeta{
+						Name:      "busybox",
+						Namespace: api.NamespaceDefault,
+					},
+					Spec: api.PodSpec{
+						// Force the Pod to schedule to the node without a scheduler running
+						NodeName: *nodeName,
+						// Don't restart the Pod since it is expected to exit
+						RestartPolicy: api.RestartPolicyNever,
+						Containers: []api.Container{
+							{
+								Image:   "gcr.io/google_containers/busybox",
+								Name:    "busybox",
+								Command: []string{"sh", "-c", "echo test > /file"},
+								SecurityContext: &api.SecurityContext{
+									ReadOnlyRootFilesystem: &isReadOnly,
+								},
+							},
+						},
+					},
+				}
+				_, err := cl.Pods(api.NamespaceDefault).Create(pod)
+				Expect(err).To(BeNil(), fmt.Sprintf("Error creating Pod %v", err))
+			})
+
+			It("it should not write to the root filesystem", func() {
+				Eventually(func() string {
+					rc, err := cl.Pods(api.NamespaceDefault).GetLogs("busybox", &api.PodLogOptions{}).Stream()
+					if err != nil {
+						return ""
+					}
+					defer rc.Close()
+					buf := new(bytes.Buffer)
+					buf.ReadFrom(rc)
+					return buf.String()
+				}, time.Second*30, time.Second*4).Should(Equal("sh: can't create /file: Read-only file system"))
+			})
+
+			It("it should be possible to delete", func() {
+				err := cl.Pods(api.NamespaceDefault).Delete("busybox", &api.DeleteOptions{})
+				Expect(err).To(BeNil(), fmt.Sprintf("Error creating Pod %v", err))
+			})
+		})
 	})
 
 	Describe("metrics api", func() {