github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-08 03:33:56 +00:00
Code Issues Projects Releases Wiki Activity

Allow using SELinux on image volume e2e test

Browse Source 
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
This commit is contained in:
Sascha Grunert 2024-08-30 09:07:22 +02:00
parent de6db3ffb0
commit 6bd3bb5881
No known key found for this signature in database
GPG Key ID: 09D97D153EF94D93
1 changed files with 28 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
test/e2e_node/image_volume.go
View File

@ -25,6 +25,7 @@ import (
"github.com/onsi/ginkgo/v2" "github.com/onsi/ginkgo/v2"
"github.com/onsi/gomega" "github.com/onsi/gomega"
"github.com/opencontainers/selinux/go-selinux"
v1 "k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/features"
@ -34,7 +35,6 @@ import (
e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
"k8s.io/kubernetes/test/e2e/nodefeature" "k8s.io/kubernetes/test/e2e/nodefeature"
admissionapi "k8s.io/pod-security-admission/api" admissionapi "k8s.io/pod-security-admission/api"
"k8s.io/utils/ptr"
) )
// Run this single test locally using a running CRI-O instance by: // Run this single test locally using a running CRI-O instance by:
@ -44,12 +44,16 @@ var _ = SIGDescribe("ImageVolume", nodefeature.ImageVolume, func() {
f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
const ( const (
podName = "test-pod" podName = "test-pod"
containerName = "test-container" containerName = "test-container"
validImageRef = "quay.io/crio/artifact:v1" validImageRef = "quay.io/crio/artifact:v1"
invalidImageRef = "localhost/invalid" invalidImageRef = "localhost/invalid"
volumeName = "volume" volumeName = "volume"
volumePathPrefix = "/volume" volumePathPrefix = "/volume"
defaultSELinuxUser = "system_u"
defaultSELinuxRole = "system_r"
defaultSELinuxType = "svirt_lxc_net_t"
defaultSELinuxLevel = "s0:c1,c5"
) )
ginkgo.BeforeEach(func(ctx context.Context) { ginkgo.BeforeEach(func(ctx context.Context) {
@ -57,6 +61,16 @@ var _ = SIGDescribe("ImageVolume", nodefeature.ImageVolume, func() {
}) })
createPod := func(ctx context.Context, volumes []v1.Volume, volumeMounts []v1.VolumeMount) { createPod := func(ctx context.Context, volumes []v1.Volume, volumeMounts []v1.VolumeMount) {
var selinuxOptions *v1.SELinuxOptions
if selinux.GetEnabled() {
selinuxOptions = &v1.SELinuxOptions{
User: defaultSELinuxUser,
Role: defaultSELinuxRole,
Type: defaultSELinuxType,
Level: defaultSELinuxLevel,
}
ginkgo.By(fmt.Sprintf("Using SELinux on pod: %v", selinuxOptions))
}
pod := &v1.Pod{ pod := &v1.Pod{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: podName, Name: podName,
@ -64,13 +78,15 @@ var _ = SIGDescribe("ImageVolume", nodefeature.ImageVolume, func() {
}, },
Spec: v1.PodSpec{ Spec: v1.PodSpec{
RestartPolicy: v1.RestartPolicyAlways, RestartPolicy: v1.RestartPolicyAlways,
SecurityContext: &v1.PodSecurityContext{
SELinuxOptions: selinuxOptions,
},
Containers: []v1.Container{ Containers: []v1.Container{
{ {
Name: containerName, Name: containerName,
Image: busyboxImage, Image: busyboxImage,
Command: ExecCommand(podName, execCommand{LoopForever: true}), Command: ExecCommand(podName, execCommand{LoopForever: true}),
SecurityContext: &v1.SecurityContext{Privileged: ptr.To(true)}, VolumeMounts: volumeMounts,
VolumeMounts: volumeMounts,
}, },
}, },
Volumes: volumes, Volumes: volumes,