github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 19:56:01 +00:00
Code Issues Projects Releases Wiki Activity

Optionally run e2e pod as privileged for SELinux

Browse Source
This commit is contained in:
Fabio Bertinatto 2019-10-11 15:09:24 +02:00
parent a3560d3ad9
commit 7e72c70772
1 changed files with 19 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
test/e2e/framework/volume/fixtures.go
View File

@ -45,7 +45,7 @@ import (
"strconv"
"time"
"k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
apierrs "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
@ -443,7 +443,7 @@ func TestCleanup(f *framework.Framework, config TestConfig) {
}
}
func runVolumeTesterPod(client clientset.Interface, config TestConfig, podSuffix string, fsGroup *int64, tests []Test) (*v1.Pod, error) {
func runVolumeTesterPod(client clientset.Interface, config TestConfig, podSuffix string, privileged bool, fsGroup *int64, tests []Test) (*v1.Pod, error) {
ginkgo.By(fmt.Sprint("starting ", config.Prefix, "-", podSuffix))
var gracePeriod int64 = 1
var command string
@ -488,6 +488,17 @@ func runVolumeTesterPod(client clientset.Interface, config TestConfig, podSuffix
for i, test := range tests {
volumeName := fmt.Sprintf("%s-%s-%d", config.Prefix, "volume", i)
// We need to make the container privileged when SELinux is enabled on the
// host, so the test can write data to a location like /tmp. Also, due to
// the Docker bug below, it's not currently possible to map a device with
// a privileged container, so we don't go privileged for block volumes.
// https://github.com/moby/moby/issues/35991
if privileged && test.Mode == v1.PersistentVolumeBlock {
privileged = false
}
clientPod.Spec.Containers[0].SecurityContext = GenerateSecurityContext(privileged)
if test.Mode == v1.PersistentVolumeBlock {
clientPod.Spec.Containers[0].VolumeDevices = append(clientPod.Spec.Containers[0].VolumeDevices, v1.VolumeDevice{
Name: volumeName,
@ -564,7 +575,7 @@ func testVolumeContent(client clientset.Interface, pod *v1.Pod, fsGroup *int64,
// Multiple Tests can be specified to mount multiple volumes to a single
// pod.
func TestVolumeClient(client clientset.Interface, config TestConfig, fsGroup *int64, fsType string, tests []Test) {
clientPod, err := runVolumeTesterPod(client, config, "client", fsGroup, tests)
clientPod, err := runVolumeTesterPod(client, config, "client", false, fsGroup, tests)
if err != nil {
framework.Failf("Failed to create client pod: %v", err)
@ -577,7 +588,11 @@ func TestVolumeClient(client clientset.Interface, config TestConfig, fsGroup *in
// starting and auxiliary pod which writes the file there.
// The volume must be writable.
func InjectContent(client clientset.Interface, config TestConfig, fsGroup *int64, fsType string, tests []Test) {
injectorPod, err := runVolumeTesterPod(client, config, "injector", fsGroup, tests)
privileged := true
if framework.NodeOSDistroIs("windows") {
privileged = false
}
injectorPod, err := runVolumeTesterPod(client, config, "injector", privileged, fsGroup, tests)
if err != nil {
framework.Failf("Failed to create injector pod: %v", err)
return