Merge pull request #66786 from mkurylec/65721-part-1-refactor

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Part 1: Allowing volumes to choose when to use securityContext This PR is the result of [splitting this PR]( https://github.com/kubernetes/kubernetes/pull/65793) into 2 sections: 1) This part, addressing the refactor so eligible-test-for-conformance can use get rid of privileged security context. 2) a second part that will address the promotion of the testcases to be in conformance suite. Changes: a) demoted privileged mode for these tests (not needed) b) regular tests (the other ones existing in the file) will still be using privileged security context. b) adding privilegedSecurityContext field to VolInfo, so each volume-flavor can let the test know if the security context has to be privileged or not. This allows granular changes and updates per volume).
2025-07-22 03:11:40 +00:00 · 2018-08-01 10:28:33 -07:00 · 2018-08-01 10:28:33 -07:00 · 9a61384a7d
commit 9a61384a7d
parent fda2b024d2 677eaa5b88
1 changed files with 23 additions and 13 deletions
--- a/test/e2e/storage/subpath.go
+++ b/test/e2e/storage/subpath.go
@ -49,8 +49,9 @@ var (
 )

 type volInfo struct {
-	source *v1.VolumeSource
-	node   string
+	source                    *v1.VolumeSource
+	node                      string
+	privilegedSecurityContext bool
 }

 type volSource interface {
@ -84,6 +85,7 @@ var _ = utils.SIGDescribe("Subpath", func() {

 	Context("Atomic writer volumes", func() {
 		var err error
+		var privilegedSecurityContext bool = false

 		BeforeEach(func() {
 			By("Setting up data")
@ -98,20 +100,21 @@ var _ = utils.SIGDescribe("Subpath", func() {
 			if err != nil && !apierrors.IsAlreadyExists(err) {
 				Expect(err).ToNot(HaveOccurred(), "while creating configmap")
 			}
+
 		})

 		It("should support subpaths with secret pod", func() {
-			pod := testPodSubpath(f, "secret-key", "secret", &v1.VolumeSource{Secret: &v1.SecretVolumeSource{SecretName: "my-secret"}})
+			pod := testPodSubpath(f, "secret-key", "secret", &v1.VolumeSource{Secret: &v1.SecretVolumeSource{SecretName: "my-secret"}}, privilegedSecurityContext)
 			testBasicSubpath(f, "secret-value", pod)
 		})

 		It("should support subpaths with configmap pod", func() {
-			pod := testPodSubpath(f, "configmap-key", "configmap", &v1.VolumeSource{ConfigMap: &v1.ConfigMapVolumeSource{LocalObjectReference: v1.LocalObjectReference{Name: "my-configmap"}}})
+			pod := testPodSubpath(f, "configmap-key", "configmap", &v1.VolumeSource{ConfigMap: &v1.ConfigMapVolumeSource{LocalObjectReference: v1.LocalObjectReference{Name: "my-configmap"}}}, privilegedSecurityContext)
 			testBasicSubpath(f, "configmap-value", pod)
 		})

 		It("should support subpaths with configmap pod with mountPath of existing file", func() {
-			pod := testPodSubpath(f, "configmap-key", "configmap", &v1.VolumeSource{ConfigMap: &v1.ConfigMapVolumeSource{LocalObjectReference: v1.LocalObjectReference{Name: "my-configmap"}}})
+			pod := testPodSubpath(f, "configmap-key", "configmap", &v1.VolumeSource{ConfigMap: &v1.ConfigMapVolumeSource{LocalObjectReference: v1.LocalObjectReference{Name: "my-configmap"}}}, privilegedSecurityContext)
 			file := "/etc/resolv.conf"
 			pod.Spec.Containers[0].VolumeMounts[0].MountPath = file
 			testBasicSubpathFile(f, "configmap-value", pod, file)
@ -122,7 +125,7 @@ var _ = utils.SIGDescribe("Subpath", func() {
 				DownwardAPI: &v1.DownwardAPIVolumeSource{
 					Items: []v1.DownwardAPIVolumeFile{{Path: "downward/podname", FieldRef: &v1.ObjectFieldSelector{APIVersion: "v1", FieldPath: "metadata.name"}}},
 				},
-			})
+			}, privilegedSecurityContext)
 			testBasicSubpath(f, pod.Name, pod)
 		})

@ -136,7 +139,7 @@ var _ = utils.SIGDescribe("Subpath", func() {
 						}},
 					},
 				},
-			})
+			}, privilegedSecurityContext)
 			testBasicSubpath(f, "configmap-value", pod)
 		})
 	})
@ -154,7 +157,7 @@ var _ = utils.SIGDescribe("Subpath", func() {
 				filePathInSubpath = filepath.Join(volumePath, fileName)
 				filePathInVolume = filepath.Join(subPathDir, fileName)
 				volInfo := vol.createVolume(f)
-				pod = testPodSubpath(f, subPath, curVolType, volInfo.source)
+				pod = testPodSubpath(f, subPath, curVolType, volInfo.source, volInfo.privilegedSecurityContext)
 				pod.Spec.NodeName = volInfo.node
 			})

@ -353,10 +356,9 @@ func testBasicSubpathFile(f *framework.Framework, contents string, pod *v1.Pod,
 	Expect(err).NotTo(HaveOccurred(), "while deleting pod")
 }

-func testPodSubpath(f *framework.Framework, subpath, volumeType string, source *v1.VolumeSource) *v1.Pod {
+func testPodSubpath(f *framework.Framework, subpath, volumeType string, source *v1.VolumeSource, privilegedSecurityContext bool) *v1.Pod {
 	var (
 		suffix          = strings.ToLower(fmt.Sprintf("%s-%s", volumeType, rand.String(4)))
-		privileged      = true
 		gracePeriod     = int64(1)
 		probeVolumeName = "liveness-probe-volume"
 	)
@ -381,7 +383,7 @@ func testPodSubpath(f *framework.Framework, subpath, volumeType string, source *
 						},
 					},
 					SecurityContext: &v1.SecurityContext{
-						Privileged: &privileged,
+						Privileged: &privilegedSecurityContext,
 					},
 				},
 			},
@ -401,7 +403,7 @@ func testPodSubpath(f *framework.Framework, subpath, volumeType string, source *
 						},
 					},
 					SecurityContext: &v1.SecurityContext{
-						Privileged: &privileged,
+						Privileged: &privilegedSecurityContext,
 					},
 				},
 				{
@ -418,7 +420,7 @@ func testPodSubpath(f *framework.Framework, subpath, volumeType string, source *
 						},
 					},
 					SecurityContext: &v1.SecurityContext{
-						Privileged: &privileged,
+						Privileged: &privilegedSecurityContext,
 					},
 				},
 			},
@ -685,6 +687,7 @@ func (s *hostpathSource) createVolume(f *framework.Framework) volInfo {
 				Path: "/tmp",
 			},
 		},
+		privilegedSecurityContext: true,
 	}
 }

@ -764,6 +767,7 @@ func (s *hostpathSymlinkSource) createVolume(f *framework.Framework) volInfo {
 			},
 		},
 		node: node0.Name,
+		privilegedSecurityContext: privileged,
 	}
 }

@ -786,6 +790,7 @@ func (s *emptydirSource) createVolume(f *framework.Framework) volInfo {
 		source: &v1.VolumeSource{
 			EmptyDir: &v1.EmptyDirVolumeSource{},
 		},
+		privilegedSecurityContext: true,
 	}
 }

@ -865,6 +870,7 @@ func (s *gcepdPVCSource) createVolume(f *framework.Framework) volInfo {
 				ClaimName: s.pvc.Name,
 			},
 		},
+		privilegedSecurityContext: true,
 	}
 }

@ -912,6 +918,7 @@ func (s *gcepdPartitionSource) createVolume(f *framework.Framework) volInfo {
 				Partition: 1,
 			},
 		},
+		privilegedSecurityContext: true,
 	}
 }

@ -946,6 +953,7 @@ func (s *nfsSource) createVolume(f *framework.Framework) volInfo {
 				Path:   "/exports",
 			},
 		},
+		privilegedSecurityContext: true,
 	}
 }

@ -985,6 +993,7 @@ func (s *glusterSource) createVolume(f *framework.Framework) volInfo {
 				Path:          "test_vol",
 			},
 		},
+		privilegedSecurityContext: true,
 	}
 }

@ -1054,6 +1063,7 @@ func (s *nfsPVCSource) createVolume(f *framework.Framework) volInfo {
 				ClaimName: pvc.Name,
 			},
 		},
+		privilegedSecurityContext: true,
 	}
 }