Run GCE unit tests as non-root

Maciej Szulik 2021-03-18 12:14:02 +01:00
parent 0c6d922812
commit a3a26171d1
No known key found for this signature in database
GPG Key ID: F15E55D276FA84C4
4 changed files with 29 additions and 16 deletions


@ -17,26 +17,29 @@ limitations under the License.
package gci package gci
import ( import (
"os"
"strconv"
"strings" "strings"
"testing" "testing"
) )
type kubeAPIServeETCDEnv struct { type kubeAPIServeETCDEnv struct {
KubeHome string KubeHome string
ETCDServers string KubeAPIServerRunAsUser string
ETCDServersOverride string ETCDServers string
CAKey string ETCDServersOverride string
CACert string CAKey string
CACertPath string CACert string
APIServerKey string CACertPath string
APIServerCert string APIServerKey string
APIServerCertPath string APIServerCert string
APIServerKeyPath string APIServerCertPath string
ETCDKey string APIServerKeyPath string
ETCDCert string ETCDKey string
StorageBackend string ETCDCert string
StorageMediaType string StorageBackend string
CompactionInterval string StorageMediaType string
CompactionInterval string
} }
func TestServerOverride(t *testing.T) { func TestServerOverride(t *testing.T) {
@ -68,6 +71,7 @@ func TestServerOverride(t *testing.T) {
c := newManifestTestCase(t, kubeAPIServerManifestFileName, kubeAPIServerStartFuncName, nil) c := newManifestTestCase(t, kubeAPIServerManifestFileName, kubeAPIServerStartFuncName, nil)
defer c.tearDown() defer c.tearDown()
tc.env.KubeHome = c.kubeHome tc.env.KubeHome = c.kubeHome
tc.env.KubeAPIServerRunAsUser = strconv.Itoa(os.Getuid())
c.mustInvokeFunc( c.mustInvokeFunc(
tc.env, tc.env,
@ -124,6 +128,7 @@ func TestStorageOptions(t *testing.T) {
c := newManifestTestCase(t, kubeAPIServerManifestFileName, kubeAPIServerStartFuncName, nil) c := newManifestTestCase(t, kubeAPIServerManifestFileName, kubeAPIServerStartFuncName, nil)
defer c.tearDown() defer c.tearDown()
tc.env.KubeHome = c.kubeHome tc.env.KubeHome = c.kubeHome
tc.env.KubeAPIServerRunAsUser = strconv.Itoa(os.Getuid())
c.mustInvokeFunc( c.mustInvokeFunc(
tc.env, tc.env,
@ -188,6 +193,7 @@ func TestTLSFlags(t *testing.T) {
c := newManifestTestCase(t, kubeAPIServerManifestFileName, kubeAPIServerStartFuncName, nil) c := newManifestTestCase(t, kubeAPIServerManifestFileName, kubeAPIServerStartFuncName, nil)
defer c.tearDown() defer c.tearDown()
tc.env.KubeHome = c.kubeHome tc.env.KubeHome = c.kubeHome
tc.env.KubeAPIServerRunAsUser = strconv.Itoa(os.Getuid())
c.mustInvokeFunc( c.mustInvokeFunc(
tc.env, tc.env,
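Review bot: The three added `tc.env.KubeAPIServerRunAsUser = strconv.Itoa(os.Getuid())` assignments (in TestServerOverride, TestStorageOptions and TestTLSFlags) have no comment saying why the test passes its own UID. The same expression is repeated in the three `kubeAPIServerEnv` literals of the second test file. A one-line comment such as `// Use the caller's UID so the start script needs no root privileges in unit tests.` would record the intent; that reading is inferred from the commit title, since the script is not shown here. A shared helper, e.g. `func currentUID() string { return strconv.Itoa(os.Getuid()) }`, would keep the comment and the conversion in one place. The test bodies start and end outside these hunks.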


@ -24,6 +24,7 @@ import (
"os" "os"
"path/filepath" "path/filepath"
"reflect" "reflect"
"strconv"
"strings" "strings"
"testing" "testing"
@ -38,6 +39,7 @@ const (
type kubeAPIServerEnv struct { type kubeAPIServerEnv struct {
KubeHome string KubeHome string
KubeAPIServerRunAsUser string
EncryptionProviderConfigPath string EncryptionProviderConfigPath string
EncryptionProviderConfig string EncryptionProviderConfig string
CloudKMSIntegration bool CloudKMSIntegration bool
@ -72,6 +74,7 @@ func TestEncryptionProviderFlag(t *testing.T) {
e := kubeAPIServerEnv{ e := kubeAPIServerEnv{
KubeHome: c.kubeHome, KubeHome: c.kubeHome,
KubeAPIServerRunAsUser: strconv.Itoa(os.Getuid()),
EncryptionProviderConfigPath: filepath.Join(c.kubeHome, "encryption-provider-config.yaml"), EncryptionProviderConfigPath: filepath.Join(c.kubeHome, "encryption-provider-config.yaml"),
EncryptionProviderConfig: tc.encryptionProviderConfig, EncryptionProviderConfig: tc.encryptionProviderConfig,
} }
@ -107,6 +110,7 @@ func TestEncryptionProviderConfig(t *testing.T) {
p := filepath.Join(c.kubeHome, "encryption-provider-config.yaml") p := filepath.Join(c.kubeHome, "encryption-provider-config.yaml")
e := kubeAPIServerEnv{ e := kubeAPIServerEnv{
KubeHome: c.kubeHome, KubeHome: c.kubeHome,
KubeAPIServerRunAsUser: strconv.Itoa(os.Getuid()),
EncryptionProviderConfigPath: p, EncryptionProviderConfigPath: p,
EncryptionProviderConfig: base64.StdEncoding.EncodeToString([]byte("foo")), EncryptionProviderConfig: base64.StdEncoding.EncodeToString([]byte("foo")),
} }
@ -177,6 +181,7 @@ func TestKMSIntegration(t *testing.T) {
var e = kubeAPIServerEnv{ var e = kubeAPIServerEnv{
KubeHome: c.kubeHome, KubeHome: c.kubeHome,
KubeAPIServerRunAsUser: strconv.Itoa(os.Getuid()),
EncryptionProviderConfigPath: filepath.Join(c.kubeHome, "encryption-provider-config.yaml"), EncryptionProviderConfigPath: filepath.Join(c.kubeHome, "encryption-provider-config.yaml"),
EncryptionProviderConfig: base64.StdEncoding.EncodeToString([]byte("foo")), EncryptionProviderConfig: base64.StdEncoding.EncodeToString([]byte("foo")),
CloudKMSIntegration: tc.cloudKMSIntegration, CloudKMSIntegration: tc.cloudKMSIntegration,
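Review bot: None of the visible hunks in this file asserts anything about `KubeAPIServerRunAsUser`; the field is only supplied so the script can run. If the start script uses it to set the API server's run-as user or the ownership of `encryption-provider-config.yaml` (not visible here), a check that the rendered output carries the same UID would cover that hardening path. The test bodies continue outside the hunks, so such a check may already exist. On a runner that executes the suite as root, `os.Getuid()` yields `0`, so the non-root path is then not exercised at all; a short comment on the struct field noting this would help.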


@ -13,3 +13,4 @@ readonly ETCD_SERVERS_OVERRIDES={{.ETCDServersOverride}}
readonly STORAGE_BACKEND={{.StorageBackend}} readonly STORAGE_BACKEND={{.StorageBackend}}
readonly STORAGE_MEDIA_TYPE={{.StorageMediaType}} readonly STORAGE_MEDIA_TYPE={{.StorageMediaType}}
readonly ETCD_COMPACTION_INTERVAL_SEC={{.CompactionInterval}} readonly ETCD_COMPACTION_INTERVAL_SEC={{.CompactionInterval}}
readonly KUBE_API_SERVER_RUNASUSER={{.KubeAPIServerRunAsUser}}
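Review bot: The added `readonly KUBE_API_SERVER_RUNASUSER={{.KubeAPIServerRunAsUser}}` is emitted unconditionally, so any test case that leaves the field unset renders `readonly KUBE_API_SERVER_RUNASUSER=` with an empty value. The same line in the second template sits after the last `{{end}}`, outside the `{{if}}` guards that the neighbouring optional settings use there. Whether the script treats an empty value the same as an unset one is not visible here. Wrapping the line as `{{if .KubeAPIServerRunAsUser}}readonly KUBE_API_SERVER_RUNASUSER={{.KubeAPIServerRunAsUser}}{{end}}` would let unset cases exercise the script's default. The substitution is unquoted, which is harmless for the `strconv.Itoa` output used in these tests but would not be for arbitrary strings.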


@ -5,4 +5,5 @@ ENCRYPTION_PROVIDER_CONFIG_PATH={{.EncryptionProviderConfigPath}}
{{end}} {{end}}
{{if .CloudKMSIntegration}} {{if .CloudKMSIntegration}}
readonly CLOUD_KMS_INTEGRATION=true readonly CLOUD_KMS_INTEGRATION=true
{{end}} {{end}}
readonly KUBE_API_SERVER_RUNASUSER={{.KubeAPIServerRunAsUser}}