Fix AppArmor unloaded profile e2e test

With the removal of the kubelet AppArmor profile validation in
https://github.com/kubernetes/kubernetes/pull/97966 we passed the
responsibility of the desired behavior to the container runtime.
Therefore we have to change the e2e test which silently broke after the
PR merge.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Sascha Grunert 2022-01-10 12:07:50 +01:00
parent ba82add41a
commit fcca81aeae
No known key found for this signature in database
GPG Key ID: 09D97D153EF94D93


@ -38,6 +38,7 @@ import (
"k8s.io/client-go/tools/cache" "k8s.io/client-go/tools/cache"
watchtools "k8s.io/client-go/tools/watch" watchtools "k8s.io/client-go/tools/watch"
"k8s.io/klog/v2" "k8s.io/klog/v2"
"k8s.io/kubernetes/pkg/kubelet/kuberuntime"
"k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/framework"
e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
@ -57,7 +58,7 @@ var _ = SIGDescribe("AppArmor [Feature:AppArmor][NodeFeature:AppArmor]", func()
ginkgo.It("should reject an unloaded profile", func() { ginkgo.It("should reject an unloaded profile", func() {
status := runAppArmorTest(f, false, v1.AppArmorBetaProfileNamePrefix+"non-existent-profile") status := runAppArmorTest(f, false, v1.AppArmorBetaProfileNamePrefix+"non-existent-profile")
expectSoftRejection(status) gomega.Expect(status.ContainerStatuses[0].State.Waiting.Message).To(gomega.ContainSubstring("apparmor"))
}) })
ginkgo.It("should enforce a profile blocking writes", func() { ginkgo.It("should enforce a profile blocking writes", func() {
status := runAppArmorTest(f, true, v1.AppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"deny-write") status := runAppArmorTest(f, true, v1.AppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"deny-write")
@ -190,6 +191,10 @@ func runAppArmorTest(f *framework.Framework, shouldRun bool, profile string) v1.
if t.Status.Reason == "AppArmor" { if t.Status.Reason == "AppArmor" {
return true, nil return true, nil
} }
// Loading a profile not available on disk should return a container creation error
if len(t.Status.ContainerStatuses) > 0 && t.Status.ContainerStatuses[0].State.Waiting.Reason == kuberuntime.ErrCreateContainer.Error() {
return true, nil
}
} }
return false, nil return false, nil
}) })
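Review bot: The added wait condition reads `t.Status.ContainerStatuses[0].State.Waiting.Reason` without checking `State.Waiting`, which is a pointer in the v1 API and is nil once a container is running or terminated, so a runtime that fails to reject the unloaded profile could panic the watch instead of producing a clean test failure; the guard should read `if len(t.Status.ContainerStatuses) > 0 && t.Status.ContainerStatuses[0].State.Waiting != nil && t.Status.ContainerStatuses[0].State.Waiting.Reason == kuberuntime.ErrCreateContainer.Error() {`. The rewritten assertion in "should reject an unloaded profile" has the same nil dereference and also indexes `ContainerStatuses[0]` unchecked, which matters because the condition can still return through the `t.Status.Reason == "AppArmor"` branch, where container statuses may well be empty (inferred, since the rest of runAppArmorTest lies outside the hunk). Asserting `gomega.Expect(status.ContainerStatuses).NotTo(gomega.BeEmpty())` and `gomega.Expect(status.ContainerStatuses[0].State.Waiting).NotTo(gomega.BeNil())` first would turn both cases into readable failures. Because this test is what confirms that a pod is not started without its requested confinement, I would also add a comment such as `// the "apparmor" substring depends on the container runtime's error wording` above the new expectation.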