[cri] add image-name annotation
For some tools, having the actual image name in the annotations is helpful for debugging and auditing the workload. Signed-off-by: Michael Crosby <michael@thepasture.io>
@@ -180,6 +180,9 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
|
||||
|
||||
assert.Contains(t, spec.Annotations, annotations.SandboxName)
|
||||
assert.EqualValues(t, spec.Annotations[annotations.SandboxName], "test-sandbox-name")
|
||||
|
||||
assert.Contains(t, spec.Annotations, annotations.ImageName)
|
||||
assert.EqualValues(t, spec.Annotations[annotations.ImageName], testImageName)
|
||||
}
|
||||
return config, sandboxConfig, imageConfig, specCheck
|
||||
}
|
||||
@@ -237,7 +240,7 @@ func TestContainerCapabilities(t *testing.T) {
|
||||
c := newTestCRIService()
|
||||
|
||||
containerConfig.Linux.SecurityContext.Capabilities = test.capability
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, testImageName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
require.NoError(t, err)
|
||||
|
||||
if selinux.GetEnabled() {
|
||||
@@ -272,7 +275,7 @@ func TestContainerSpecTty(t *testing.T) {
|
||||
c := newTestCRIService()
|
||||
for _, tty := range []bool{true, false} {
|
||||
containerConfig.Tty = tty
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, testImageName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
require.NoError(t, err)
|
||||
specCheck(t, testID, testSandboxID, testPid, spec)
|
||||
assert.Equal(t, tty, spec.Process.Terminal)
|
||||
@@ -299,7 +302,7 @@ func TestContainerSpecDefaultPath(t *testing.T) {
|
||||
imageConfig.Env = append(imageConfig.Env, pathenv)
|
||||
expected = pathenv
|
||||
}
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, testImageName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
require.NoError(t, err)
|
||||
specCheck(t, testID, testSandboxID, testPid, spec)
|
||||
assert.Contains(t, spec.Process.Env, expected)
|
||||
@@ -316,7 +319,7 @@ func TestContainerSpecReadonlyRootfs(t *testing.T) {
|
||||
c := newTestCRIService()
|
||||
for _, readonly := range []bool{true, false} {
|
||||
containerConfig.Linux.SecurityContext.ReadonlyRootfs = readonly
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, testImageName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
require.NoError(t, err)
|
||||
specCheck(t, testID, testSandboxID, testPid, spec)
|
||||
assert.Equal(t, readonly, spec.Root.Readonly)
|
||||
@@ -355,7 +358,7 @@ func TestContainerSpecWithExtraMounts(t *testing.T) {
|
||||
Readonly: false,
|
||||
},
|
||||
}
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, extraMounts, ociRuntime)
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, testImageName, containerConfig, sandboxConfig, imageConfig, extraMounts, ociRuntime)
|
||||
require.NoError(t, err)
|
||||
specCheck(t, testID, testSandboxID, testPid, spec)
|
||||
var mounts, sysMounts, devMounts []runtimespec.Mount
|
||||
@@ -423,7 +426,7 @@ func TestContainerAndSandboxPrivileged(t *testing.T) {
|
||||
sandboxConfig.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{
|
||||
Privileged: test.sandboxPrivileged,
|
||||
}
|
||||
_, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
_, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, testImageName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
if test.expectError {
|
||||
assert.Error(t, err)
|
||||
} else {
|
||||
@@ -614,7 +617,7 @@ func TestPrivilegedBindMount(t *testing.T) {
|
||||
containerConfig.Linux.SecurityContext.Privileged = test.privileged
|
||||
sandboxConfig.Linux.SecurityContext.Privileged = test.privileged
|
||||
|
||||
spec, err := c.containerSpec(t.Name(), testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
spec, err := c.containerSpec(t.Name(), testSandboxID, testPid, "", testContainerName, testImageName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
|
||||
assert.NoError(t, err)
|
||||
if test.expectedSysFSRO {
|
||||
@@ -771,7 +774,7 @@ func TestPidNamespace(t *testing.T) {
|
||||
} {
|
||||
t.Logf("TestCase %q", desc)
|
||||
containerConfig.Linux.SecurityContext.NamespaceOptions = &runtime.NamespaceOption{Pid: test.pidNS}
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, testImageName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
require.NoError(t, err)
|
||||
assert.Contains(t, spec.Linux.Namespaces, test.expected)
|
||||
}
|
||||
@@ -786,7 +789,7 @@ func TestNoDefaultRunMount(t *testing.T) {
|
||||
ociRuntime := config.Runtime{}
|
||||
c := newTestCRIService()
|
||||
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, testImageName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
assert.NoError(t, err)
|
||||
for _, mount := range spec.Mounts {
|
||||
assert.NotEqual(t, "/run", mount.Destination)
|
||||
@@ -1159,7 +1162,7 @@ func TestMaskedAndReadonlyPaths(t *testing.T) {
|
||||
sandboxConfig.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{
|
||||
Privileged: test.privileged,
|
||||
}
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, testImageName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
require.NoError(t, err)
|
||||
if !test.privileged { // specCheck presumes an unprivileged container
|
||||
specCheck(t, testID, testSandboxID, testPid, spec)
|
||||
@@ -1206,7 +1209,7 @@ func TestHostname(t *testing.T) {
|
||||
sandboxConfig.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{
|
||||
NamespaceOptions: &runtime.NamespaceOption{Network: test.networkNs},
|
||||
}
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, testImageName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
require.NoError(t, err)
|
||||
specCheck(t, testID, testSandboxID, testPid, spec)
|
||||
assert.Contains(t, spec.Process.Env, test.expectedEnv)
|
||||
@@ -1218,7 +1221,7 @@ func TestDisableCgroup(t *testing.T) {
|
||||
ociRuntime := config.Runtime{}
|
||||
c := newTestCRIService()
|
||||
c.config.DisableCgroup = true
|
||||
spec, err := c.containerSpec("test-id", "sandbox-id", 1234, "", "container-name", containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
spec, err := c.containerSpec("test-id", "sandbox-id", 1234, "", "container-name", testImageName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
require.NoError(t, err)
|
||||
|
||||
t.Log("resource limit should not be set")
|
||||
@@ -1341,7 +1344,7 @@ func TestPrivilegedDevices(t *testing.T) {
|
||||
ociRuntime := config.Runtime{
|
||||
PrivilegedWithoutHostDevices: test.privilegedWithoutHostDevices,
|
||||
}
|
||||
spec, err := c.containerSpec(t.Name(), testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
spec, err := c.containerSpec(t.Name(), testSandboxID, testPid, "", testContainerName, testImageName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
assert.NoError(t, err)
|
||||
|
||||
hostDevicesRaw, err := devices.HostDevices()
|
||||
@@ -1390,7 +1393,7 @@ func TestBaseOCISpec(t *testing.T) {
|
||||
testPid := uint32(1234)
|
||||
containerConfig, sandboxConfig, imageConfig, specCheck := getCreateContainerTestData()
|
||||
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
spec, err := c.containerSpec(testID, testSandboxID, testPid, "", testContainerName, testImageName, containerConfig, sandboxConfig, imageConfig, nil, ociRuntime)
|
||||
assert.NoError(t, err)
|
||||
|
||||
specCheck(t, testID, testSandboxID, testPid, spec)
|
||||
|
||||
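Review bot: The new image-name assertions sit only inside the specCheck closure in getCreateContainerTestData, so the annotation is verified only by tests that call specCheck. TestMaskedAndReadonlyPaths skips specCheck when test.privileged is set, and the visible lines of TestPrivilegedBindMount and TestPrivilegedDevices pass testImageName without checking the resulting annotation. Since the commit message gives auditing as the purpose, privileged containers are where a missing annotation would matter most, so consider adding `assert.Equal(t, testImageName, spec.Annotations[annotations.ImageName])` after the NoError check in at least one privileged case. As a style point, testify takes (t, expected, actual), so the added line reads better as `assert.EqualValues(t, testImageName, spec.Annotations[annotations.ImageName])`, which keeps failure messages the right way round; the neighbouring SandboxName line has the same ordering. These test functions extend beyond the hunks shown, so some of these checks may already exist outside the visible lines.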