Merge pull request #119880 from saschagrunert/seccomp-filter

Make seccomp status checks in e2e tests more robust
2025-08-05 18:24:07 +00:00 · 2023-08-16 12:43:54 -07:00 · 2023-08-16 12:43:54 -07:00 · dd44792cec
commit dd44792cec
parent aef70da210 8ab6bee676
2 changed files with 12 additions and 5 deletions
--- a/test/e2e/node/security_context.go
+++ b/test/e2e/node/security_context.go
@ -40,6 +40,12 @@ import (
 	"github.com/onsi/gomega"
 )
 // SeccompProcStatusField is the field of /proc/$PID/status referencing the seccomp filter type.
 const SeccompProcStatusField = "Seccomp:"
 // ProcSelfStatusPath is the path to /proc/self/status.
 const ProcSelfStatusPath = "/proc/self/status"
 func scTestPod(hostIPC bool, hostPID bool) *v1.Pod {
 	podName := "security-context-" + string(uuid.NewUUID())
 	pod := &v1.Pod{
@ -196,27 +202,27 @@ var _ = SIGDescribe("Security Context", func() {
 		pod := scTestPod(false, false)
 		pod.Spec.Containers[0].SecurityContext = &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}}
 		pod.Spec.SecurityContext = &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}}
-		pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
+		pod.Spec.Containers[0].Command = []string{"grep", SeccompProcStatusField, ProcSelfStatusPath}
 		e2eoutput.TestContainerOutput(ctx, f, "seccomp unconfined container", pod, 0, []string{"0"}) // seccomp disabled
 	})
 	ginkgo.It("should support seccomp unconfined on the pod [LinuxOnly]", func(ctx context.Context) {
 		pod := scTestPod(false, false)
 		pod.Spec.SecurityContext = &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}}
-		pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
+		pod.Spec.Containers[0].Command = []string{"grep", SeccompProcStatusField, ProcSelfStatusPath}
 		e2eoutput.TestContainerOutput(ctx, f, "seccomp unconfined pod", pod, 0, []string{"0"}) // seccomp disabled
 	})
 	ginkgo.It("should support seccomp runtime/default [LinuxOnly]", func(ctx context.Context) {
 		pod := scTestPod(false, false)
 		pod.Spec.Containers[0].SecurityContext = &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}}
-		pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
+		pod.Spec.Containers[0].Command = []string{"grep", SeccompProcStatusField, ProcSelfStatusPath}
 		e2eoutput.TestContainerOutput(ctx, f, "seccomp runtime/default", pod, 0, []string{"2"}) // seccomp filtered
 	})
 	ginkgo.It("should support seccomp default which is unconfined [LinuxOnly]", func(ctx context.Context) {
 		pod := scTestPod(false, false)
-		pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
+		pod.Spec.Containers[0].Command = []string{"grep", SeccompProcStatusField, ProcSelfStatusPath}
 		e2eoutput.TestContainerOutput(ctx, f, "seccomp default unconfined", pod, 0, []string{"0"}) // seccomp disabled
 	})
 })
--- a/test/e2e_node/seccompdefault_test.go
+++ b/test/e2e_node/seccompdefault_test.go
@ -30,6 +30,7 @@ import (
 	kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2eoutput "k8s.io/kubernetes/test/e2e/framework/pod/output"
 	"k8s.io/kubernetes/test/e2e/node"
 	admissionapi "k8s.io/pod-security-admission/api"
 )
@ -53,7 +54,7 @@ var _ = SIGDescribe("SeccompDefault [Serial] [Feature:SeccompDefault] [LinuxOnly
 						{
 							Name:            name,
 							Image:           busyboxImage,
-							Command:         []string{"grep", "Seccomp:", "/proc/self/status"},
+							Command:         []string{"grep", node.SeccompProcStatusField, node.ProcSelfStatusPath},
 							SecurityContext: securityContext,
 						},
 					},