Move privilege e2e test to common
		| @@ -27,6 +27,7 @@ import ( | |||||||
| ) | ) | ||||||
|  |  | ||||||
| // PrivilegedPodTestConfig is configuration struct for privileged pod test | // PrivilegedPodTestConfig is configuration struct for privileged pod test | ||||||
|  | // TODO: Merge with tests in security_context.go | ||||||
| type PrivilegedPodTestConfig struct { | type PrivilegedPodTestConfig struct { | ||||||
| 	f *framework.Framework | 	f *framework.Framework | ||||||
|  |  | ||||||
|   | |||||||
| @@ -271,6 +271,19 @@ var _ = framework.KubeDescribe("Security Context", func() { | |||||||
| 				framework.Failf("unprivileged container shouldn't be able to create dummy device") | 				framework.Failf("unprivileged container shouldn't be able to create dummy device") | ||||||
| 			} | 			} | ||||||
| 		}) | 		}) | ||||||
|  |  | ||||||
|  | 		ginkgo.It("should run the container as privileged when true [LinuxOnly] [NodeFeature:HostAccess]", func() { | ||||||
|  | 			podName := createAndWaitUserPod(true) | ||||||
|  | 			logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, podName, podName) | ||||||
|  | 			if err != nil { | ||||||
|  | 				framework.Failf("GetPodLogs for pod %q failed: %v", podName, err) | ||||||
|  | 			} | ||||||
|  |  | ||||||
|  | 			framework.Logf("Got logs for pod %q: %q", podName, logs) | ||||||
|  | 			if strings.Contains(logs, "Operation not permitted") { | ||||||
|  | 				framework.Failf("privileged container should be able to create dummy device") | ||||||
|  | 			} | ||||||
|  | 		}) | ||||||
| 	}) | 	}) | ||||||
|  |  | ||||||
| 	ginkgo.Context("when creating containers with AllowPrivilegeEscalation", func() { | 	ginkgo.Context("when creating containers with AllowPrivilegeEscalation", func() { | ||||||
|   | |||||||
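Review bot: The new ginkgo.It only asserts that the pod logs do not contain "Operation not permitted", so an empty log or unrelated output also satisfies it and the privileged path is never positively confirmed; a minimal strengthening is `if logs == "" { framework.Failf("expected output from privileged container %q, got none", podName) }` before the Contains check, or a check for a positive marker if the helper's command emits one. How much this matters depends on createAndWaitUserPod, which comes from the enclosing Context that starts and ends outside this hunk; the removed node-level helper in the third hunk ran `ip link add dummy0 type dummy || true`, masking the exit status, and it is not visible here whether the common helper does the same. The sibling unprivileged test above uses the mirrored negative check, so any tightening should be applied to both for consistency.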
| @@ -350,50 +350,4 @@ var _ = framework.KubeDescribe("Security Context", func() { | |||||||
| 			} | 			} | ||||||
| 		}) | 		}) | ||||||
| 	}) | 	}) | ||||||
|  |  | ||||||
| 	ginkgo.Context("When creating a pod with privileged", func() { |  | ||||||
| 		makeUserPod := func(podName, image string, command []string, privileged bool) *v1.Pod { |  | ||||||
| 			return &v1.Pod{ |  | ||||||
| 				ObjectMeta: metav1.ObjectMeta{ |  | ||||||
| 					Name: podName, |  | ||||||
| 				}, |  | ||||||
| 				Spec: v1.PodSpec{ |  | ||||||
| 					RestartPolicy: v1.RestartPolicyNever, |  | ||||||
| 					Containers: []v1.Container{ |  | ||||||
| 						{ |  | ||||||
| 							Image:   image, |  | ||||||
| 							Name:    podName, |  | ||||||
| 							Command: command, |  | ||||||
| 							SecurityContext: &v1.SecurityContext{ |  | ||||||
| 								Privileged: &privileged, |  | ||||||
| 							}, |  | ||||||
| 						}, |  | ||||||
| 					}, |  | ||||||
| 				}, |  | ||||||
| 			} |  | ||||||
| 		} |  | ||||||
| 		createAndWaitUserPod := func(privileged bool) string { |  | ||||||
| 			podName := fmt.Sprintf("busybox-privileged-%v-%s", privileged, uuid.NewUUID()) |  | ||||||
| 			podClient.Create(makeUserPod(podName, |  | ||||||
| 				busyboxImage, |  | ||||||
| 				[]string{"sh", "-c", "ip link add dummy0 type dummy || true"}, |  | ||||||
| 				privileged, |  | ||||||
| 			)) |  | ||||||
| 			podClient.WaitForSuccess(podName, framework.PodStartTimeout) |  | ||||||
| 			return podName |  | ||||||
| 		} |  | ||||||
|  |  | ||||||
| 		ginkgo.It("should run the container as privileged when true [NodeFeature:HostAccess]", func() { |  | ||||||
| 			podName := createAndWaitUserPod(true) |  | ||||||
| 			logs, err := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, podName, podName) |  | ||||||
| 			if err != nil { |  | ||||||
| 				framework.Failf("GetPodLogs for pod %q failed: %v", podName, err) |  | ||||||
| 			} |  | ||||||
|  |  | ||||||
| 			framework.Logf("Got logs for pod %q: %q", podName, logs) |  | ||||||
| 			if strings.Contains(logs, "Operation not permitted") { |  | ||||||
| 				framework.Failf("privileged container should be able to create dummy device") |  | ||||||
| 			} |  | ||||||
| 		}) |  | ||||||
| 	}) |  | ||||||
| }) | }) | ||||||
|   | |||||||