github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-22 11:21:47 +00:00
Code Issues Projects Releases Wiki Activity

test/e2e/node: fix selinux test failure

Browse Source 
Commit 69a473be3 broke the test case (that was checking
that a file from a volume can't be read) by adding a
(wrong) assumption that error should be nil.

Fix the assumption (we do expect the error here).
Note that we were checking file contents before; now when
we check the error from read, checking the contents is
redundant.

The other issue with the test is SELinux should be in enforcing
mode for this to work, so let's check that first to avoid
false positives.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This commit is contained in:
Kir Kolyshkin 2020-02-13 19:10:25 -08:00
parent e5524f5f1a
commit 70a2857998
1 changed files with 9 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
test/e2e/node/security_context.go
View File

@ -26,7 +26,7 @@ import (
"context"
"fmt"
"k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/uuid"
"k8s.io/kubernetes/test/e2e/framework"
@ -252,10 +252,11 @@ func testPodSELinuxLabeling(f *framework.Framework, hostIPC bool, hostPID bool)
pod.Spec.SecurityContext.SELinuxOptions = &v1.SELinuxOptions{
Level: "s0:c0,c1",
}
f.TestContainerOutput("Pod with same MCS label reading test file", pod, 0, []string{testContent})
// Confirm that the same pod with a different MCS
// label cannot access the volume
ginkgo.By("confirming a container with a different MCS label is unable to read the file")
pod = scTestPod(hostIPC, hostPID)
pod.Spec.Volumes = volumes
pod.Spec.Containers[0].VolumeMounts = volumeMounts
@ -269,7 +270,10 @@ func testPodSELinuxLabeling(f *framework.Framework, hostIPC bool, hostPID bool)
err = f.WaitForPodRunning(pod.Name)
framework.ExpectNoError(err, "Error waiting for pod to run %v", pod)
content, err = tk.ReadFileViaContainer(pod.Name, "test-container", testFilePath)
framework.ExpectNoError(err, "Error reading file via container")
gomega.Expect(content).NotTo(gomega.ContainSubstring(testContent))
// for this to work, SELinux should be in enforcing mode, so let's check that
isEnforced, err := tk.ReadFileViaContainer(pod.Name, "test-container", "/sys/fs/selinux/enforce")
if err == nil && isEnforced == "1" {
_, err = tk.ReadFileViaContainer(pod.Name, "test-container", testFilePath)
framework.ExpectError(err, "expecting SELinux to not let the container with different MCS label to read the file")
}
}