github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix incorrect localhost seccomp profile path

Browse Source
This commit is contained in:
Pengfei Ni 2017-11-22 02:49:23 +00:00
parent 6b97376a53
commit 2a2a875686
3 changed files with 106 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pkg/kubelet/kuberuntime/fake_kuberuntime_manager.go
View File

@ -33,6 +33,10 @@ import (
proberesults "k8s.io/kubernetes/pkg/kubelet/prober/results" proberesults "k8s.io/kubernetes/pkg/kubelet/prober/results"
) )
const (
fakeSeccompProfileRoot = "/fakeSeccompProfileRoot"
)
type fakeHTTP struct { type fakeHTTP struct {
url string url string
err error err error
@ -78,6 +82,7 @@ func NewFakeKubeRuntimeManager(runtimeService internalapi.RuntimeService, imageS
runtimeService: runtimeService, runtimeService: runtimeService,
imageService: imageService, imageService: imageService,
keyring: keyring, keyring: keyring,
seccompProfileRoot: fakeSeccompProfileRoot,
internalLifecycle: cm.NewFakeInternalContainerLifecycle(), internalLifecycle: cm.NewFakeInternalContainerLifecycle(),
} }

2
pkg/kubelet/kuberuntime/helpers.go
View File

@ -273,7 +273,7 @@ func (m *kubeGenericRuntimeManager) getSeccompProfileFromAnnotations(annotations
if strings.HasPrefix(profile, "localhost/") { if strings.HasPrefix(profile, "localhost/") {
name := strings.TrimPrefix(profile, "localhost/") name := strings.TrimPrefix(profile, "localhost/")
fname := filepath.Join(m.seccompProfileRoot, filepath.FromSlash(name)) fname := filepath.Join(m.seccompProfileRoot, filepath.FromSlash(name))
return fname return "localhost/" + fname
} }
return profile return profile

100
pkg/kubelet/kuberuntime/helpers_test.go
View File

@ -17,9 +17,12 @@ limitations under the License.
package kuberuntime package kuberuntime
import ( import (
"path/filepath"
"testing" "testing"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"k8s.io/api/core/v1" "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtimetesting "k8s.io/kubernetes/pkg/kubelet/apis/cri/testing" runtimetesting "k8s.io/kubernetes/pkg/kubelet/apis/cri/testing"
@ -205,3 +208,100 @@ func TestGetImageUser(t *testing.T) {
assert.Equal(t, test.expectedImageUserValues.username, username, "TestCase[%d]", j) assert.Equal(t, test.expectedImageUserValues.username, username, "TestCase[%d]", j)
} }
} }
func TestGetSeccompProfileFromAnnotations(t *testing.T) {
_, _, m, err := createTestRuntimeManager()
require.NoError(t, err)
tests := []struct {
description string
annotation map[string]string
containerName string
expectedProfile string
}{
{
description: "no seccomp should return empty string",
expectedProfile: "",
},
{
description: "no seccomp with containerName should return exmpty string",
containerName: "container1",
expectedProfile: "",
},
{
description: "pod docker/default seccomp profile should return docker/default",
annotation: map[string]string{
v1.SeccompPodAnnotationKey: "docker/default",
},
expectedProfile: "docker/default",
},
{
description: "pod docker/default seccomp profile with containerName should return docker/default",
annotation: map[string]string{
v1.SeccompPodAnnotationKey: "docker/default",
},
containerName: "container1",
expectedProfile: "docker/default",
},
{
description: "pod unconfined seccomp profile should return unconfined",
annotation: map[string]string{
v1.SeccompPodAnnotationKey: "unconfined",
},
expectedProfile: "unconfined",
},
{
description: "pod unconfined seccomp profile with containerName should return unconfined",
annotation: map[string]string{
v1.SeccompPodAnnotationKey: "unconfined",
},
containerName: "container1",
expectedProfile: "unconfined",
},
{
description: "pod localhost seccomp profile should return local profile path",
annotation: map[string]string{
v1.SeccompPodAnnotationKey: "localhost/chmod.json",
},
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
},
{
description: "pod localhost seccomp profile with containerName should return local profile path",
annotation: map[string]string{
v1.SeccompPodAnnotationKey: "localhost/chmod.json",
},
containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
},
{
description: "container localhost seccomp profile with containerName should return local profile path",
annotation: map[string]string{
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
},
containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
},
{
description: "container localhost seccomp profile should override pod profile",
annotation: map[string]string{
v1.SeccompPodAnnotationKey: "unconfined",
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
},
containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
},
{
description: "container localhost seccomp profile with unmatched containerName should return empty string",
annotation: map[string]string{
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
},
containerName: "container2",
expectedProfile: "",
},
}
for i, test := range tests {
seccompProfile := m.getSeccompProfileFromAnnotations(test.annotation, test.containerName)
assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]", i)
}
}