Set extra supplemental groups for rkt

2026-01-05 07:27:21 +00:00 · 2016-07-22 17:43:24 -04:00
parent cbdd121d2d
commit ae1575b5cc
3 changed files with 42 additions and 26 deletions
--- a/pkg/kubelet/rkt/rkt_test.go
+++ b/pkg/kubelet/rkt/rkt_test.go
@@ -940,21 +940,23 @@ func TestSetApp(t *testing.T) {
 	fsgid := int64(3)

 	tests := []struct {
-		container *api.Container
-		opts      *kubecontainer.RunContainerOptions
-		ctx       *api.SecurityContext
-		podCtx    *api.PodSecurityContext
-		expect    *appctypes.App
-		err       error
+		container        *api.Container
+		opts             *kubecontainer.RunContainerOptions
+		ctx              *api.SecurityContext
+		podCtx           *api.PodSecurityContext
+		supplementalGids []int64
+		expect           *appctypes.App
+		err              error
 	}{
 		// Nothing should change, but the "User" and "Group" should be filled.
 		{
-			container: &api.Container{},
-			opts:      &kubecontainer.RunContainerOptions{},
-			ctx:       nil,
-			podCtx:    nil,
-			expect:    baseAppWithRootUserGroup(t),
-			err:       nil,
+			container:        &api.Container{},
+			opts:             &kubecontainer.RunContainerOptions{},
+			ctx:              nil,
+			podCtx:           nil,
+			supplementalGids: nil,
+			expect:           baseAppWithRootUserGroup(t),
+			err:              nil,
 		},

 		// error verifying non-root.
@@ -965,9 +967,10 @@ func TestSetApp(t *testing.T) {
 				RunAsNonRoot: &runAsNonRootTrue,
 				RunAsUser:    &rootUser,
 			},
-			podCtx: nil,
-			expect: nil,
-			err:    fmt.Errorf("container has no runAsUser and image will run as root"),
+			podCtx:           nil,
+			supplementalGids: nil,
+			expect:           nil,
+			err:              fmt.Errorf("container has no runAsUser and image will run as root"),
 		},

 		// app's args should be changed.
@@ -975,9 +978,10 @@ func TestSetApp(t *testing.T) {
 			container: &api.Container{
 				Args: []string{"foo"},
 			},
-			opts:   &kubecontainer.RunContainerOptions{},
-			ctx:    nil,
-			podCtx: nil,
+			opts:             &kubecontainer.RunContainerOptions{},
+			ctx:              nil,
+			podCtx:           nil,
+			supplementalGids: nil,
 			expect: &appctypes.App{
 				Exec:              appctypes.Exec{"/bin/foo", "foo"},
 				User:              "0",
@@ -1036,11 +1040,12 @@ func TestSetApp(t *testing.T) {
 				SupplementalGroups: []int64{1, 2},
 				FSGroup:            &fsgid,
 			},
+			supplementalGids: []int64{4},
 			expect: &appctypes.App{
 				Exec:              appctypes.Exec{"/bin/bar", "foo"},
 				User:              "42",
 				Group:             "0",
-				SupplementaryGIDs: []int{1, 2, 3},
+				SupplementaryGIDs: []int{1, 2, 3, 4},
 				WorkingDirectory:  tmpDir,
 				Environment: []appctypes.EnvironmentVariable{
 					{"env-foo", "bar"},
@@ -1099,11 +1104,12 @@ func TestSetApp(t *testing.T) {
 				SupplementalGroups: []int64{1, 2},
 				FSGroup:            &fsgid,
 			},
+			supplementalGids: []int64{4},
 			expect: &appctypes.App{
 				Exec:              appctypes.Exec{"/bin/hello", "foo", "hello", "world", "bar"},
 				User:              "42",
 				Group:             "0",
-				SupplementaryGIDs: []int{1, 2, 3},
+				SupplementaryGIDs: []int{1, 2, 3, 4},
 				WorkingDirectory:  tmpDir,
 				Environment: []appctypes.EnvironmentVariable{
 					{"env-foo", "foo"},
@@ -1128,7 +1134,7 @@ func TestSetApp(t *testing.T) {
 	for i, tt := range tests {
 		testCaseHint := fmt.Sprintf("test case #%d", i)
 		img := baseImageManifest(t)
-		err := setApp(img, tt.container, tt.opts, tt.ctx, tt.podCtx)
+		err := setApp(img, tt.container, tt.opts, tt.ctx, tt.podCtx, tt.supplementalGids)
 		if err == nil && tt.err != nil || err != nil && tt.err == nil {
 			t.Errorf("%s: expect %v, saw %v", testCaseHint, tt.err, err)
 		}