From 2a2a8756864062c9dc15b7a86efd195951f874a7 Mon Sep 17 00:00:00 2001
From: Pengfei Ni
Date: Wed, 22 Nov 2017 02:49:23 +0000
Subject: [PATCH] Fix incorrect localhost seccomp profile path
---
 .../kuberuntime/fake_kuberuntime_manager.go | 5 +
 pkg/kubelet/kuberuntime/helpers.go | 2 +-
 pkg/kubelet/kuberuntime/helpers_test.go | 100 ++++++++++++++++++
 3 files changed, 106 insertions(+), 1 deletion(-)
diff --git a/pkg/kubelet/kuberuntime/fake_kuberuntime_manager.go b/pkg/kubelet/kuberuntime/fake_kuberuntime_manager.go
index 0dd2ddeafb4..a630588e2e9 100644
--- a/pkg/kubelet/kuberuntime/fake_kuberuntime_manager.go
+++ b/pkg/kubelet/kuberuntime/fake_kuberuntime_manager.go
@@ -33,6 +33,10 @@ import (
 proberesults "k8s.io/kubernetes/pkg/kubelet/prober/results"
 )
 
+const (
+ fakeSeccompProfileRoot = "/fakeSeccompProfileRoot"
+)
+
 type fakeHTTP struct {
 url string
 err error
@@ -78,6 +82,7 @@ func NewFakeKubeRuntimeManager(runtimeService internalapi.RuntimeService, imageS
 runtimeService: runtimeService,
 imageService: imageService,
 keyring: keyring,
+ seccompProfileRoot: fakeSeccompProfileRoot,
 internalLifecycle: cm.NewFakeInternalContainerLifecycle(),
 }
 
diff --git a/pkg/kubelet/kuberuntime/helpers.go b/pkg/kubelet/kuberuntime/helpers.go
index 89664a27437..d1ee8de3f98 100644
--- a/pkg/kubelet/kuberuntime/helpers.go
+++ b/pkg/kubelet/kuberuntime/helpers.go
@@ -273,7 +273,7 @@ func (m *kubeGenericRuntimeManager) getSeccompProfileFromAnnotations(annotations
 if strings.HasPrefix(profile, "localhost/") {
 name := strings.TrimPrefix(profile, "localhost/")
 fname := filepath.Join(m.seccompProfileRoot, filepath.FromSlash(name))
- return fname
+ return "localhost/" + fname
 }
 
 return profile
diff --git a/pkg/kubelet/kuberuntime/helpers_test.go b/pkg/kubelet/kuberuntime/helpers_test.go
index 9de0544825f..8690749fa1c 100644
--- a/pkg/kubelet/kuberuntime/helpers_test.go
+++ b/pkg/kubelet/kuberuntime/helpers_test.go
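Review bot: The `localhost/` branch joins an annotation-supplied name onto m.seccompProfileRoot and returns it without checking that the joined path still lies under that root; filepath.Join normalises `..` segments, so the result can point outside the configured profile directory unless the annotation value was already rejected upstream, which this hunk cannot show. Because the function returns only a string, a rejection cannot be signalled here without widening the signature and its caller, so at minimum the assumption should be stated on the Join line: `// NOTE(review): the joined path is not re-checked against seccompProfileRoot; confirm that ".." in localhost/ names is rejected at the API layer.` If the caller can take an error, a `filepath.Rel(m.seccompProfileRoot, fname)` check that refuses results beginning with `..` is the defence-in-depth fix. The enclosing function starts before this hunk, so the pod- and container-annotation lookups that produce `profile` are not visible here.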
@@ -17,9 +17,12 @@ limitations under the License. package kuberuntime import ( + "path/filepath" "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtimetesting "k8s.io/kubernetes/pkg/kubelet/apis/cri/testing" 
@@ -205,3 +208,100 @@ func TestGetImageUser(t *testing.T) {
 assert.Equal(t, test.expectedImageUserValues.username, username, "TestCase[%d]", j)
 }
 }
+
+func TestGetSeccompProfileFromAnnotations(t *testing.T) {
+ _, _, m, err := createTestRuntimeManager()
+ require.NoError(t, err)
+
+ tests := []struct {
+ description string
+ annotation map[string]string
+ containerName string
+ expectedProfile string
+ }{
+ {
+ description: "no seccomp should return empty string",
+ expectedProfile: "",
+ },
+ {
+ description: "no seccomp with containerName should return exmpty string",
+ containerName: "container1",
+ expectedProfile: "",
+ },
+ {
+ description: "pod docker/default seccomp profile should return docker/default",
+ annotation: map[string]string{
+ v1.SeccompPodAnnotationKey: "docker/default",
+ },
+ expectedProfile: "docker/default",
+ },
+ {
+ description: "pod docker/default seccomp profile with containerName should return docker/default",
+ annotation: map[string]string{
+ v1.SeccompPodAnnotationKey: "docker/default",
+ },
+ containerName: "container1",
+ expectedProfile: "docker/default",
+ },
+ {
+ description: "pod unconfined seccomp profile should return unconfined",
+ annotation: map[string]string{
+ v1.SeccompPodAnnotationKey: "unconfined",
+ },
+ expectedProfile: "unconfined",
+ },
+ {
+ description: "pod unconfined seccomp profile with containerName should return unconfined",
+ annotation: map[string]string{
+ v1.SeccompPodAnnotationKey: "unconfined",
+ },
+ containerName: "container1",
+ expectedProfile: "unconfined",
+ },
+ {
+ description: "pod localhost seccomp profile should return local profile path",
+ annotation: map[string]string{
+ v1.SeccompPodAnnotationKey: "localhost/chmod.json",
+ },
+ expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+ },
+ {
+ description: "pod localhost seccomp profile with containerName should return local profile path",
+ annotation: map[string]string{
+ v1.SeccompPodAnnotationKey: "localhost/chmod.json",
+ },
+ containerName: "container1",
+ expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+ },
+ {
+ description: "container localhost seccomp profile with containerName should return local profile path",
+ annotation: map[string]string{
+ v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
+ },
+ containerName: "container1",
+ expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+ },
+ {
+ description: "container localhost seccomp profile should override pod profile",
+ annotation: map[string]string{
+ v1.SeccompPodAnnotationKey: "unconfined",
+ v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
+ },
+ containerName: "container1",
+ expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+ },
+ {
+ description: "container localhost seccomp profile with unmatched containerName should return empty string",
+ annotation: map[string]string{
+ v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
+ },
+ containerName: "container2",
+ expectedProfile: "",
+ },
+ }
+
+ for i, test := range tests {
+ seccompProfile := m.getSeccompProfileFromAnnotations(test.annotation, test.containerName)
+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]", i)
+ }
+}
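Review bot: Every localhost case in the new table uses the flat name `chmod.json`, so the filepath.FromSlash and filepath.Join behaviour the fix depends on is never exercised with a sub-directory or a normalised segment. A case with annotation `"localhost/sub/chmod.json"` expecting `"localhost/" + filepath.Join(fakeSeccompProfileRoot, "sub", "chmod.json")` would pin the slash conversion, and a case with a `..` segment would make the function's current handling of such names explicit rather than implicit. The second description string also reads `exmpty` where `empty` is meant.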