github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-04 18:00:08 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #119880 from saschagrunert/seccomp-filter

Browse Source 
Make seccomp status checks in e2e tests more robust
This commit is contained in:
Kubernetes Prow Robot 2023-08-16 12:43:54 -07:00 committed by GitHub
commit dd44792cec
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
test/e2e/node/security_context.go
View File

@ -40,6 +40,12 @@ import (
"github.com/onsi/gomega"
)
// SeccompProcStatusField is the field of /proc/$PID/status referencing the seccomp filter type.
const SeccompProcStatusField = "Seccomp:"
// ProcSelfStatusPath is the path to /proc/self/status.
const ProcSelfStatusPath = "/proc/self/status"
func scTestPod(hostIPC bool, hostPID bool) *v1.Pod {
podName := "security-context-" + string(uuid.NewUUID())
pod := &v1.Pod{
@ -196,27 +202,27 @@ var _ = SIGDescribe("Security Context", func() {
pod := scTestPod(false, false)
pod.Spec.Containers[0].SecurityContext = &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}}
pod.Spec.SecurityContext = &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}}
pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
pod.Spec.Containers[0].Command = []string{"grep", SeccompProcStatusField, ProcSelfStatusPath}
e2eoutput.TestContainerOutput(ctx, f, "seccomp unconfined container", pod, 0, []string{"0"}) // seccomp disabled
})
ginkgo.It("should support seccomp unconfined on the pod [LinuxOnly]", func(ctx context.Context) {
pod := scTestPod(false, false)
pod.Spec.SecurityContext = &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}}
pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
pod.Spec.Containers[0].Command = []string{"grep", SeccompProcStatusField, ProcSelfStatusPath}
e2eoutput.TestContainerOutput(ctx, f, "seccomp unconfined pod", pod, 0, []string{"0"}) // seccomp disabled
})
ginkgo.It("should support seccomp runtime/default [LinuxOnly]", func(ctx context.Context) {
pod := scTestPod(false, false)
pod.Spec.Containers[0].SecurityContext = &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}}
pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
pod.Spec.Containers[0].Command = []string{"grep", SeccompProcStatusField, ProcSelfStatusPath}
e2eoutput.TestContainerOutput(ctx, f, "seccomp runtime/default", pod, 0, []string{"2"}) // seccomp filtered
})
ginkgo.It("should support seccomp default which is unconfined [LinuxOnly]", func(ctx context.Context) {
pod := scTestPod(false, false)
pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
pod.Spec.Containers[0].Command = []string{"grep", SeccompProcStatusField, ProcSelfStatusPath}
e2eoutput.TestContainerOutput(ctx, f, "seccomp default unconfined", pod, 0, []string{"0"}) // seccomp disabled
})
})

3
test/e2e_node/seccompdefault_test.go
View File

@ -30,6 +30,7 @@ import (
kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
"k8s.io/kubernetes/test/e2e/framework"
e2eoutput "k8s.io/kubernetes/test/e2e/framework/pod/output"
"k8s.io/kubernetes/test/e2e/node"
admissionapi "k8s.io/pod-security-admission/api"
)
@ -53,7 +54,7 @@ var _ = SIGDescribe("SeccompDefault [Serial] [Feature:SeccompDefault] [LinuxOnly
{
Name: name,
Image: busyboxImage,
Command: []string{"grep", "Seccomp:", "/proc/self/status"},
Command: []string{"grep", node.SeccompProcStatusField, node.ProcSelfStatusPath},
SecurityContext: securityContext,
},
},