From fcca81aeae9c59270a58dca7c7b51e80c07b7953 Mon Sep 17 00:00:00 2001 From: Sascha Grunert Date: Mon, 10 Jan 2022 12:07:50 +0100 Subject: [PATCH] Fix AppArmor unloaded profile e2e test With the removal of the kubelet AppArmor profile validation in https://github.com/kubernetes/kubernetes/pull/97966 we passed the responsibility of the desired behavior to the container runtime. Therefore we have to change the e2e test which silently broke after the PR merge. Signed-off-by: Sascha Grunert --- test/e2e_node/apparmor_test.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/test/e2e_node/apparmor_test.go b/test/e2e_node/apparmor_test.go index 00d70a54918..5abd87520b5 100644 --- a/test/e2e_node/apparmor_test.go +++ b/test/e2e_node/apparmor_test.go @@ -38,6 +38,7 @@ import ( "k8s.io/client-go/tools/cache" watchtools "k8s.io/client-go/tools/watch" "k8s.io/klog/v2" + "k8s.io/kubernetes/pkg/kubelet/kuberuntime" "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" @@ -57,7 +58,7 @@ var _ = SIGDescribe("AppArmor [Feature:AppArmor][NodeFeature:AppArmor]", func() ginkgo.It("should reject an unloaded profile", func() { status := runAppArmorTest(f, false, v1.AppArmorBetaProfileNamePrefix+"non-existent-profile") - expectSoftRejection(status) + gomega.Expect(status.ContainerStatuses[0].State.Waiting.Message).To(gomega.ContainSubstring("apparmor")) }) ginkgo.It("should enforce a profile blocking writes", func() { status := runAppArmorTest(f, true, v1.AppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"deny-write") @@ -190,6 +191,10 @@ func runAppArmorTest(f *framework.Framework, shouldRun bool, profile string) v1. if t.Status.Reason == "AppArmor" { return true, nil } + // Loading a profile not available on disk should return a container creation error + if len(t.Status.ContainerStatuses) > 0 && t.Status.ContainerStatuses[0].State.Waiting.Reason == kuberuntime.ErrCreateContainer.Error() { + return true, nil + } } return false, nil })