diff --git a/test/e2e_node/oomkiller_linux_test.go b/test/e2e_node/oomkiller_linux_test.go
index db165ffc38e..c0a7074a3a9 100644
--- a/test/e2e_node/oomkiller_linux_test.go
+++ b/test/e2e_node/oomkiller_linux_test.go
@@ -31,6 +31,7 @@ import (
 "github.com/onsi/ginkgo/v2"
 libcontainercgroups "github.com/opencontainers/runc/libcontainer/cgroups"
+ "k8s.io/utils/ptr"
 )
 type testCase struct {
@@ -211,6 +212,16 @@ func getOOMTargetContainer(name string) v1.Container {
 v1.ResourceMemory: resource.MustParse("15Mi"),
 },
 },
+ SecurityContext: &v1.SecurityContext{
+ SeccompProfile: &v1.SeccompProfile{
+ Type: v1.SeccompProfileTypeRuntimeDefault,
+ },
+ AllowPrivilegeEscalation: ptr.To(false),
+ RunAsUser: ptr.To[int64](999),
+ RunAsGroup: ptr.To[int64](999),
+ RunAsNonRoot: ptr.To(true),
+ Capabilities: &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+ },
 }
 }
@@ -234,6 +245,16 @@ func getOOMTargetContainerMultiProcess(name string) v1.Container {
 v1.ResourceMemory: resource.MustParse("15Mi"),
 },
 },
+ SecurityContext: &v1.SecurityContext{
+ SeccompProfile: &v1.SeccompProfile{
+ Type: v1.SeccompProfileTypeRuntimeDefault,
+ },
+ AllowPrivilegeEscalation: ptr.To(false),
+ RunAsUser: ptr.To[int64](999),
+ RunAsGroup: ptr.To[int64](999),
+ RunAsNonRoot: ptr.To(true),
+ Capabilities: &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+ },
 }
 }
@@ -249,5 +270,15 @@ func getOOMTargetContainerWithoutLimit(name string) v1.Container {
 // use the dd tool to attempt to allocate huge block of memory which exceeds the node allocatable
 "sleep 5 && dd if=/dev/zero of=/dev/null iflag=fullblock count=10 bs=10G",
 },
+ SecurityContext: &v1.SecurityContext{
+ SeccompProfile: &v1.SeccompProfile{
+ Type: v1.SeccompProfileTypeRuntimeDefault,
+ },
+ AllowPrivilegeEscalation: ptr.To(false),
+ RunAsUser: ptr.To[int64](999),
+ RunAsGroup: ptr.To[int64](999),
+ RunAsNonRoot: ptr.To(true),
+ Capabilities: &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+ },
 }
 }
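Review bot: The same ten-line `SecurityContext` literal is added verbatim to getOOMTargetContainer, getOOMTargetContainerMultiProcess and getOOMTargetContainerWithoutLimit, so a later change to the hardening (the UID, the seccomp type, the dropped capabilities) can land in one container and be missed in the others, leaving the three OOM cases running under different privilege settings. I would build it in one helper that returns a fresh pointer per call and use `SecurityContext: restrictedSecurityContext(),` at each site, with a doc comment saying why these targets run unprivileged and a named constant in place of the repeated 999. All three function bodies start outside their hunks, so only the added fields were checked; it is worth confirming that the container image and command they are paired with still behave as the test expects when run as UID/GID 999 with every capability dropped.

```go
// oomTestUID is the unprivileged UID/GID the OOM target containers run as.
const oomTestUID int64 = 999

// restrictedSecurityContext returns a new non-root security context with
// RuntimeDefault seccomp, no privilege escalation and all capabilities
// dropped. A fresh value is returned on every call so containers never
// share a mutable pointer.
func restrictedSecurityContext() *v1.SecurityContext {
	return &v1.SecurityContext{
		SeccompProfile: &v1.SeccompProfile{
			Type: v1.SeccompProfileTypeRuntimeDefault,
		},
		AllowPrivilegeEscalation: ptr.To(false),
		RunAsUser:                ptr.To(oomTestUID),
		RunAsGroup:               ptr.To(oomTestUID),
		RunAsNonRoot:             ptr.To(true),
		Capabilities:             &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
	}
}

// … unchanged: name, image, command and resources of each getOOMTargetContainer* literal …
		SecurityContext: restrictedSecurityContext(),
```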