Merge pull request #126182 from sohankunkerkar/fix-procmount
test/e2e/windows: drop securityContext test for ProcMount
This commit is contained in:
Kubernetes Prow Robot
@@ -136,7 +136,7 @@ var _ = sigDescribe(feature.Windows, "SecurityContext", skipUnlessWindows(func()
|
||||
e2eoutput.TestContainerOutput(ctx, f, "check pod SecurityContext username", pod, 1, []string{"ContainerAdministrator"})
|
||||
})
|
||||
|
||||
ginkgo.It("should ignore SELinux Specific SecurityContext if set", func(ctx context.Context) {
|
||||
ginkgo.It("should ignore Linux Specific SecurityContext if set", func(ctx context.Context) {
|
||||
ginkgo.By("Creating a pod with SELinux options")
|
||||
// It is sufficient to show that the pod comes up here. Since we're stripping the SELinux and other linux
|
||||
// security contexts in apiserver and not updating the pod object in the apiserver, we cannot validate the
|
||||
@@ -160,30 +160,6 @@ var _ = sigDescribe(feature.Windows, "SecurityContext", skipUnlessWindows(func()
|
||||
f.Namespace.Name), "failed to wait for pod %s to be running", windowsPodWithSELinux.Name)
|
||||
})
|
||||
|
||||
ginkgo.It("should ignore ProcMount Specific SecurityContext if set", func(ctx context.Context) {
|
||||
ginkgo.By("Creating a pod with ProcMount options")
|
||||
// It is sufficient to show that the pod comes up here. Since we're stripping the SELinux and other linux
|
||||
// security contexts in apiserver and not updating the pod object in the apiserver, we cannot validate the
|
||||
// pod object to not have those security contexts. However the pod coming to running state is a sufficient
|
||||
// enough condition for us to validate since prior to https://github.com/kubernetes/kubernetes/pull/93475
|
||||
// the pod would have failed to come up.
|
||||
windowsPodWithSELinux := createTestPod(f, imageutils.GetE2EImage(imageutils.Agnhost), windowsOS)
|
||||
windowsPodWithSELinux.Spec.Containers[0].Args = []string{"test-webserver-with-selinux"}
|
||||
windowsPodWithSELinux.Spec.SecurityContext = &v1.PodSecurityContext{}
|
||||
pmt := v1.UnmaskedProcMount
|
||||
containerUserName := "ContainerAdministrator"
|
||||
windowsPodWithSELinux.Spec.Containers[0].SecurityContext = &v1.SecurityContext{
|
||||
ProcMount: &pmt,
|
||||
WindowsOptions: &v1.WindowsSecurityContextOptions{RunAsUserName: &containerUserName}}
|
||||
windowsPodWithSELinux.Spec.Tolerations = []v1.Toleration{{Key: "os", Value: "Windows"}}
|
||||
windowsPodWithSELinux, err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).Create(ctx,
|
||||
windowsPodWithSELinux, metav1.CreateOptions{})
|
||||
framework.ExpectNoError(err)
|
||||
framework.Logf("Created pod %v", windowsPodWithSELinux)
|
||||
framework.ExpectNoError(e2epod.WaitForPodNameRunningInNamespace(ctx, f.ClientSet, windowsPodWithSELinux.Name,
|
||||
f.Namespace.Name), "failed to wait for pod %s to be running", windowsPodWithSELinux.Name)
|
||||
})
|
||||
|
||||
ginkgo.It("should not be able to create pods with containers running as ContainerAdministrator when runAsNonRoot is true", func(ctx context.Context) {
|
||||
ginkgo.By("Creating a pod")
|
||||
|
||||
|
||||
Reference in New Issue
Block a user