Remove deprecated Kubelet security controls
Change-Id: I9f770e6780b60e881092690f6f177d726f474fe3

committed by
Davanum Srinivas

parent
f8d2b6b982
commit
9ba0d47465
@@ -41,7 +41,6 @@ import (
|
||||
"k8s.io/client-go/util/flowcontrol"
|
||||
"k8s.io/component-base/featuregate"
|
||||
featuregatetesting "k8s.io/component-base/featuregate/testing"
|
||||
"k8s.io/kubernetes/pkg/capabilities"
|
||||
cadvisortest "k8s.io/kubernetes/pkg/kubelet/cadvisor/testing"
|
||||
"k8s.io/kubernetes/pkg/kubelet/cm"
|
||||
"k8s.io/kubernetes/pkg/kubelet/config"
|
||||
@@ -1098,230 +1097,12 @@ func TestGetContainerInfoForMirrorPods(t *testing.T) {
|
||||
require.NotNil(t, stats)
|
||||
}
|
||||
|
||||
func TestHostNetworkAllowed(t *testing.T) {
|
||||
testKubelet := newTestKubelet(t, false /* controllerAttachDetachEnabled */)
|
||||
defer testKubelet.Cleanup()
|
||||
|
||||
kubelet := testKubelet.kubelet
|
||||
|
||||
capabilities.SetForTests(capabilities.Capabilities{
|
||||
PrivilegedSources: capabilities.PrivilegedSources{
|
||||
HostNetworkSources: []string{kubetypes.ApiserverSource, kubetypes.FileSource},
|
||||
},
|
||||
})
|
||||
pod := podWithUIDNameNsSpec("12345678", "foo", "new", v1.PodSpec{
|
||||
Containers: []v1.Container{
|
||||
{Name: "foo"},
|
||||
},
|
||||
HostNetwork: true,
|
||||
})
|
||||
pod.Annotations[kubetypes.ConfigSourceAnnotationKey] = kubetypes.FileSource
|
||||
|
||||
kubelet.podManager.SetPods([]*v1.Pod{pod})
|
||||
err := kubelet.syncPod(syncPodOptions{
|
||||
pod: pod,
|
||||
podStatus: &kubecontainer.PodStatus{},
|
||||
updateType: kubetypes.SyncPodUpdate,
|
||||
})
|
||||
assert.NoError(t, err, "expected pod infra creation to succeed")
|
||||
}
|
||||
|
||||
func TestHostNetworkDisallowed(t *testing.T) {
|
||||
testKubelet := newTestKubelet(t, false /* controllerAttachDetachEnabled */)
|
||||
defer testKubelet.Cleanup()
|
||||
|
||||
kubelet := testKubelet.kubelet
|
||||
|
||||
capabilities.SetForTests(capabilities.Capabilities{
|
||||
PrivilegedSources: capabilities.PrivilegedSources{
|
||||
HostNetworkSources: []string{},
|
||||
},
|
||||
})
|
||||
pod := podWithUIDNameNsSpec("12345678", "foo", "new", v1.PodSpec{
|
||||
Containers: []v1.Container{
|
||||
{Name: "foo"},
|
||||
},
|
||||
HostNetwork: true,
|
||||
})
|
||||
pod.Annotations[kubetypes.ConfigSourceAnnotationKey] = kubetypes.FileSource
|
||||
|
||||
err := kubelet.syncPod(syncPodOptions{
|
||||
pod: pod,
|
||||
podStatus: &kubecontainer.PodStatus{},
|
||||
updateType: kubetypes.SyncPodUpdate,
|
||||
})
|
||||
assert.Error(t, err, "expected pod infra creation to fail")
|
||||
}
|
||||
|
||||
func TestHostPIDAllowed(t *testing.T) {
|
||||
testKubelet := newTestKubelet(t, false /* controllerAttachDetachEnabled */)
|
||||
defer testKubelet.Cleanup()
|
||||
|
||||
kubelet := testKubelet.kubelet
|
||||
|
||||
capabilities.SetForTests(capabilities.Capabilities{
|
||||
PrivilegedSources: capabilities.PrivilegedSources{
|
||||
HostPIDSources: []string{kubetypes.ApiserverSource, kubetypes.FileSource},
|
||||
},
|
||||
})
|
||||
pod := podWithUIDNameNsSpec("12345678", "foo", "new", v1.PodSpec{
|
||||
Containers: []v1.Container{
|
||||
{Name: "foo"},
|
||||
},
|
||||
HostPID: true,
|
||||
})
|
||||
pod.Annotations[kubetypes.ConfigSourceAnnotationKey] = kubetypes.FileSource
|
||||
|
||||
kubelet.podManager.SetPods([]*v1.Pod{pod})
|
||||
err := kubelet.syncPod(syncPodOptions{
|
||||
pod: pod,
|
||||
podStatus: &kubecontainer.PodStatus{},
|
||||
updateType: kubetypes.SyncPodUpdate,
|
||||
})
|
||||
assert.NoError(t, err, "expected pod infra creation to succeed")
|
||||
}
|
||||
|
||||
func TestHostPIDDisallowed(t *testing.T) {
|
||||
testKubelet := newTestKubelet(t, false /* controllerAttachDetachEnabled */)
|
||||
defer testKubelet.Cleanup()
|
||||
|
||||
kubelet := testKubelet.kubelet
|
||||
|
||||
capabilities.SetForTests(capabilities.Capabilities{
|
||||
PrivilegedSources: capabilities.PrivilegedSources{
|
||||
HostPIDSources: []string{},
|
||||
},
|
||||
})
|
||||
pod := podWithUIDNameNsSpec("12345678", "foo", "new", v1.PodSpec{
|
||||
Containers: []v1.Container{
|
||||
{Name: "foo"},
|
||||
},
|
||||
HostPID: true,
|
||||
})
|
||||
pod.Annotations[kubetypes.ConfigSourceAnnotationKey] = kubetypes.FileSource
|
||||
|
||||
err := kubelet.syncPod(syncPodOptions{
|
||||
pod: pod,
|
||||
podStatus: &kubecontainer.PodStatus{},
|
||||
updateType: kubetypes.SyncPodUpdate,
|
||||
})
|
||||
assert.Error(t, err, "expected pod infra creation to fail")
|
||||
}
|
||||
|
||||
func TestHostIPCAllowed(t *testing.T) {
|
||||
testKubelet := newTestKubelet(t, false /* controllerAttachDetachEnabled */)
|
||||
defer testKubelet.Cleanup()
|
||||
|
||||
kubelet := testKubelet.kubelet
|
||||
|
||||
capabilities.SetForTests(capabilities.Capabilities{
|
||||
PrivilegedSources: capabilities.PrivilegedSources{
|
||||
HostIPCSources: []string{kubetypes.ApiserverSource, kubetypes.FileSource},
|
||||
},
|
||||
})
|
||||
pod := podWithUIDNameNsSpec("12345678", "foo", "new", v1.PodSpec{
|
||||
Containers: []v1.Container{
|
||||
{Name: "foo"},
|
||||
},
|
||||
HostIPC: true,
|
||||
})
|
||||
pod.Annotations[kubetypes.ConfigSourceAnnotationKey] = kubetypes.FileSource
|
||||
|
||||
kubelet.podManager.SetPods([]*v1.Pod{pod})
|
||||
err := kubelet.syncPod(syncPodOptions{
|
||||
pod: pod,
|
||||
podStatus: &kubecontainer.PodStatus{},
|
||||
updateType: kubetypes.SyncPodUpdate,
|
||||
})
|
||||
assert.NoError(t, err, "expected pod infra creation to succeed")
|
||||
}
|
||||
|
||||
func TestHostIPCDisallowed(t *testing.T) {
|
||||
testKubelet := newTestKubelet(t, false /* controllerAttachDetachEnabled */)
|
||||
defer testKubelet.Cleanup()
|
||||
|
||||
kubelet := testKubelet.kubelet
|
||||
|
||||
capabilities.SetForTests(capabilities.Capabilities{
|
||||
PrivilegedSources: capabilities.PrivilegedSources{
|
||||
HostIPCSources: []string{},
|
||||
},
|
||||
})
|
||||
pod := podWithUIDNameNsSpec("12345678", "foo", "new", v1.PodSpec{
|
||||
Containers: []v1.Container{
|
||||
{Name: "foo"},
|
||||
},
|
||||
HostIPC: true,
|
||||
})
|
||||
pod.Annotations[kubetypes.ConfigSourceAnnotationKey] = kubetypes.FileSource
|
||||
|
||||
err := kubelet.syncPod(syncPodOptions{
|
||||
pod: pod,
|
||||
podStatus: &kubecontainer.PodStatus{},
|
||||
updateType: kubetypes.SyncPodUpdate,
|
||||
})
|
||||
assert.Error(t, err, "expected pod infra creation to fail")
|
||||
}
|
||||
|
||||
func TestPrivilegeContainerAllowed(t *testing.T) {
|
||||
testKubelet := newTestKubelet(t, false /* controllerAttachDetachEnabled */)
|
||||
defer testKubelet.Cleanup()
|
||||
|
||||
kubelet := testKubelet.kubelet
|
||||
|
||||
capabilities.SetForTests(capabilities.Capabilities{
|
||||
AllowPrivileged: true,
|
||||
})
|
||||
privileged := true
|
||||
pod := podWithUIDNameNsSpec("12345678", "foo", "new", v1.PodSpec{
|
||||
Containers: []v1.Container{
|
||||
{Name: "foo", SecurityContext: &v1.SecurityContext{Privileged: &privileged}},
|
||||
},
|
||||
})
|
||||
|
||||
kubelet.podManager.SetPods([]*v1.Pod{pod})
|
||||
err := kubelet.syncPod(syncPodOptions{
|
||||
pod: pod,
|
||||
podStatus: &kubecontainer.PodStatus{},
|
||||
updateType: kubetypes.SyncPodUpdate,
|
||||
})
|
||||
assert.NoError(t, err, "expected pod infra creation to succeed")
|
||||
}
|
||||
|
||||
func TestPrivilegedContainerDisallowed(t *testing.T) {
|
||||
testKubelet := newTestKubelet(t, false /* controllerAttachDetachEnabled */)
|
||||
defer testKubelet.Cleanup()
|
||||
kubelet := testKubelet.kubelet
|
||||
|
||||
capabilities.SetForTests(capabilities.Capabilities{
|
||||
AllowPrivileged: false,
|
||||
})
|
||||
privileged := true
|
||||
pod := podWithUIDNameNsSpec("12345678", "foo", "new", v1.PodSpec{
|
||||
Containers: []v1.Container{
|
||||
{Name: "foo", SecurityContext: &v1.SecurityContext{Privileged: &privileged}},
|
||||
},
|
||||
})
|
||||
|
||||
err := kubelet.syncPod(syncPodOptions{
|
||||
pod: pod,
|
||||
podStatus: &kubecontainer.PodStatus{},
|
||||
updateType: kubetypes.SyncPodUpdate,
|
||||
})
|
||||
assert.Error(t, err, "expected pod infra creation to fail")
|
||||
}
|
||||
|
||||
func TestNetworkErrorsWithoutHostNetwork(t *testing.T) {
|
||||
testKubelet := newTestKubelet(t, false /* controllerAttachDetachEnabled */)
|
||||
defer testKubelet.Cleanup()
|
||||
kubelet := testKubelet.kubelet
|
||||
|
||||
kubelet.runtimeState.setNetworkState(fmt.Errorf("simulated network error"))
|
||||
capabilities.SetForTests(capabilities.Capabilities{
|
||||
PrivilegedSources: capabilities.PrivilegedSources{
|
||||
HostNetworkSources: []string{kubetypes.ApiserverSource, kubetypes.FileSource},
|
||||
},
|
||||
})
|
||||
|
||||
pod := podWithUIDNameNsSpec("12345678", "hostnetwork", "new", v1.PodSpec{
|
||||
HostNetwork: false,
|
||||
|