Run GCE unit tests as non-root

2025-07-27 13:37:30 +00:00 · 2021-03-18 12:14:02 +01:00 · 2021-03-18 12:14:02 +01:00 · a3a26171d1
commit a3a26171d1
parent 0c6d922812
4 changed files with 29 additions and 16 deletions
--- a/cluster/gce/gci/apiserver_etcd_test.go
+++ b/cluster/gce/gci/apiserver_etcd_test.go
@ -17,12 +17,15 @@ limitations under the License.
 package gci

 import (
+	"os"
+	"strconv"
 	"strings"
 	"testing"
 )

 type kubeAPIServeETCDEnv struct {
 	KubeHome               string
+	KubeAPIServerRunAsUser string
 	ETCDServers            string
 	ETCDServersOverride    string
 	CAKey                  string
@ -68,6 +71,7 @@ func TestServerOverride(t *testing.T) {
 			c := newManifestTestCase(t, kubeAPIServerManifestFileName, kubeAPIServerStartFuncName, nil)
 			defer c.tearDown()
 			tc.env.KubeHome = c.kubeHome
+			tc.env.KubeAPIServerRunAsUser = strconv.Itoa(os.Getuid())

 			c.mustInvokeFunc(
 				tc.env,
@ -124,6 +128,7 @@ func TestStorageOptions(t *testing.T) {
 			c := newManifestTestCase(t, kubeAPIServerManifestFileName, kubeAPIServerStartFuncName, nil)
 			defer c.tearDown()
 			tc.env.KubeHome = c.kubeHome
+			tc.env.KubeAPIServerRunAsUser = strconv.Itoa(os.Getuid())

 			c.mustInvokeFunc(
 				tc.env,
@ -188,6 +193,7 @@ func TestTLSFlags(t *testing.T) {
 			c := newManifestTestCase(t, kubeAPIServerManifestFileName, kubeAPIServerStartFuncName, nil)
 			defer c.tearDown()
 			tc.env.KubeHome = c.kubeHome
+			tc.env.KubeAPIServerRunAsUser = strconv.Itoa(os.Getuid())

 			c.mustInvokeFunc(
 				tc.env,
--- a/cluster/gce/gci/apiserver_kms_test.go
+++ b/cluster/gce/gci/apiserver_kms_test.go
@ -24,6 +24,7 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"strconv"
 	"strings"
 	"testing"

@ -38,6 +39,7 @@ const (

 type kubeAPIServerEnv struct {
 	KubeHome                     string
+	KubeAPIServerRunAsUser       string
 	EncryptionProviderConfigPath string
 	EncryptionProviderConfig     string
 	CloudKMSIntegration          bool
@ -72,6 +74,7 @@ func TestEncryptionProviderFlag(t *testing.T) {

 			e := kubeAPIServerEnv{
 				KubeHome:                     c.kubeHome,
+				KubeAPIServerRunAsUser:       strconv.Itoa(os.Getuid()),
 				EncryptionProviderConfigPath: filepath.Join(c.kubeHome, "encryption-provider-config.yaml"),
 				EncryptionProviderConfig:     tc.encryptionProviderConfig,
 			}
@ -107,6 +110,7 @@ func TestEncryptionProviderConfig(t *testing.T) {
 	p := filepath.Join(c.kubeHome, "encryption-provider-config.yaml")
 	e := kubeAPIServerEnv{
 		KubeHome:                     c.kubeHome,
+		KubeAPIServerRunAsUser:       strconv.Itoa(os.Getuid()),
 		EncryptionProviderConfigPath: p,
 		EncryptionProviderConfig:     base64.StdEncoding.EncodeToString([]byte("foo")),
 	}
@ -177,6 +181,7 @@ func TestKMSIntegration(t *testing.T) {

 			var e = kubeAPIServerEnv{
 				KubeHome:                     c.kubeHome,
+				KubeAPIServerRunAsUser:       strconv.Itoa(os.Getuid()),
 				EncryptionProviderConfigPath: filepath.Join(c.kubeHome, "encryption-provider-config.yaml"),
 				EncryptionProviderConfig:     base64.StdEncoding.EncodeToString([]byte("foo")),
 				CloudKMSIntegration:          tc.cloudKMSIntegration,
--- a/cluster/gce/gci/testdata/kube-apiserver/etcd.template
+++ b/cluster/gce/gci/testdata/kube-apiserver/etcd.template
@ -13,3 +13,4 @@ readonly ETCD_SERVERS_OVERRIDES={{.ETCDServersOverride}}
 readonly STORAGE_BACKEND={{.StorageBackend}}
 readonly STORAGE_MEDIA_TYPE={{.StorageMediaType}}
 readonly ETCD_COMPACTION_INTERVAL_SEC={{.CompactionInterval}}
+readonly KUBE_API_SERVER_RUNASUSER={{.KubeAPIServerRunAsUser}}
--- a/cluster/gce/gci/testdata/kube-apiserver/kms.template
+++ b/cluster/gce/gci/testdata/kube-apiserver/kms.template
@ -6,3 +6,4 @@ ENCRYPTION_PROVIDER_CONFIG_PATH={{.EncryptionProviderConfigPath}}
 {{if .CloudKMSIntegration}}
  readonly CLOUD_KMS_INTEGRATION=true
 {{end}}
+readonly KUBE_API_SERVER_RUNASUSER={{.KubeAPIServerRunAsUser}}