Merge pull request #48857 from feiskyer/privileged

Automatic merge from submit-queue (batch tested with PRs 49725, 50367, 50391, 48857, 50181) Add e2e test for privileged containers **What this PR does / why we need it**: This PR adds node e2e test for privileged containers. **Which issue this PR fixes** Part of #44118. **Special notes for your reviewer**: **Release note**: ```release-note NONE ``` /assign @Random-Liu
2025-07-23 19:56:01 +00:00 · 2017-08-10 01:47:19 -07:00 · 2017-08-10 01:47:19 -07:00 · cb49706c00
commit cb49706c00
parent 0a981d4921 3027d9bac3
1 changed files with 61 additions and 0 deletions
--- a/test/e2e_node/security_context_test.go
+++ b/test/e2e_node/security_context_test.go
@ -433,4 +433,65 @@ var _ = framework.KubeDescribe("Security Context", func() {
 		})
 	})
 	Context("When creating a pod with privileged", func() {
 		makeUserPod := func(podName, image string, command []string, privileged bool) *v1.Pod {
 			return &v1.Pod{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: podName,
 				},
 				Spec: v1.PodSpec{
 					RestartPolicy: v1.RestartPolicyNever,
 					Containers: []v1.Container{
 						{
 							Image:   image,
 							Name:    podName,
 							Command: command,
 							SecurityContext: &v1.SecurityContext{
 								Privileged: &privileged,
 							},
 						},
 					},
 				},
 			}
 		}
 		createAndWaitUserPod := func(privileged bool) string {
 			podName := fmt.Sprintf("busybox-privileged-%v-%s", privileged, uuid.NewUUID())
 			podClient.Create(makeUserPod(podName,
 				"gcr.io/google_containers/busybox:1.24",
 				[]string{"sh", "-c", "ip link add dummy0 type dummy || true"},
 				privileged,
 			))
 			podClient.WaitForSuccess(podName, framework.PodStartTimeout)
 			return podName
 		}
 		It("should run the container as privileged when true", func() {
 			podName := createAndWaitUserPod(true)
 			logs, err := framework.GetPodLogs(f.ClientSet, f.Namespace.Name, podName, podName)
 			if err != nil {
 				framework.Failf("GetPodLogs for pod %q failed: %v", podName, err)
 			}
 			framework.Logf("Got logs for pod %q: %q", podName, logs)
 			if strings.Contains(logs, "Operation not permitted") {
 				framework.Failf("privileged container should be able to create dummy device")
 			}
 		})
 		It("should run the container as unprivileged when false", func() {
 			podName := createAndWaitUserPod(false)
 			logs, err := framework.GetPodLogs(f.ClientSet, f.Namespace.Name, podName, podName)
 			if err != nil {
 				framework.Failf("GetPodLogs for pod %q failed: %v", podName, err)
 			}
 			framework.Logf("Got logs for pod %q: %q", podName, logs)
 			if !strings.Contains(logs, "Operation not permitted") {
 				framework.Failf("unprivileged container shouldn't be able to create dummy device")
 			}
 		})
 	})
 })