c903c29c3b
CreatePod and MakePod only accepted an `isPrivileged` boolean, which made it impossible to write tests using those helpers which work in a default framework.Framework, because the default there is LevelRestricted. The simple boolean gets replaced with admissionapi.Level. Passing LevelRestricted does the same as calling e2epod.MixinRestrictedPodSecurity. Instead of explicitly passing a constant to these modified helpers, most tests get updated to pass f.NamespacePodSecurityLevel. This has the advantage that if that level gets lowered in the future, tests only need to be updated in one place. In some cases, helpers taking client+namespace+timeouts parameters get replaced with passing the Framework instance to get access to f.NamespacePodSecurityEnforceLevel. These helpers don't need separate parameters because in practice all they ever used where the values from the Framework instance.
129 lines
5.9 KiB
Go
129 lines
5.9 KiB
Go
/*
|
|
Copyright 2018 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package storage
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/onsi/ginkgo/v2"
|
|
v1 "k8s.io/api/core/v1"
|
|
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/kubernetes/test/e2e/framework"
|
|
"k8s.io/kubernetes/test/e2e/storage/testsuites"
|
|
"k8s.io/kubernetes/test/e2e/storage/utils"
|
|
admissionapi "k8s.io/pod-security-admission/api"
|
|
)
|
|
|
|
var _ = utils.SIGDescribe("Subpath", func() {
|
|
f := framework.NewDefaultFramework("subpath")
|
|
f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
|
|
|
|
ginkgo.Context("Atomic writer volumes", func() {
|
|
var err error
|
|
|
|
ginkgo.BeforeEach(func(ctx context.Context) {
|
|
ginkgo.By("Setting up data")
|
|
secret := &v1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "my-secret"}, Data: map[string][]byte{"secret-key": []byte("secret-value")}}
|
|
_, err = f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(ctx, secret, metav1.CreateOptions{})
|
|
if err != nil && !apierrors.IsAlreadyExists(err) {
|
|
framework.ExpectNoError(err, "while creating secret")
|
|
}
|
|
|
|
configmap := &v1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "my-configmap"}, Data: map[string]string{"configmap-key": "configmap-value"}}
|
|
_, err = f.ClientSet.CoreV1().ConfigMaps(f.Namespace.Name).Create(ctx, configmap, metav1.CreateOptions{})
|
|
if err != nil && !apierrors.IsAlreadyExists(err) {
|
|
framework.ExpectNoError(err, "while creating configmap")
|
|
}
|
|
})
|
|
|
|
/*
|
|
Release: v1.12
|
|
Testname: SubPath: Reading content from a secret volume.
|
|
Description: Containers in a pod can read content from a secret mounted volume which was configured with a subpath.
|
|
*/
|
|
framework.ConformanceIt("should support subpaths with secret pod", func(ctx context.Context) {
|
|
pod := testsuites.SubpathTestPod(f, "secret-key", "secret", &v1.VolumeSource{Secret: &v1.SecretVolumeSource{SecretName: "my-secret"}}, f.NamespacePodSecurityLevel)
|
|
testsuites.TestBasicSubpath(ctx, f, "secret-value", pod)
|
|
})
|
|
|
|
/*
|
|
Release: v1.12
|
|
Testname: SubPath: Reading content from a configmap volume.
|
|
Description: Containers in a pod can read content from a configmap mounted volume which was configured with a subpath.
|
|
*/
|
|
framework.ConformanceIt("should support subpaths with configmap pod", func(ctx context.Context) {
|
|
pod := testsuites.SubpathTestPod(f, "configmap-key", "configmap", &v1.VolumeSource{ConfigMap: &v1.ConfigMapVolumeSource{LocalObjectReference: v1.LocalObjectReference{Name: "my-configmap"}}}, f.NamespacePodSecurityLevel)
|
|
testsuites.TestBasicSubpath(ctx, f, "configmap-value", pod)
|
|
})
|
|
|
|
/*
|
|
Release: v1.12
|
|
Testname: SubPath: Reading content from a configmap volume.
|
|
Description: Containers in a pod can read content from a configmap mounted volume which was configured with a subpath and also using a mountpath that is a specific file.
|
|
*/
|
|
framework.ConformanceIt("should support subpaths with configmap pod with mountPath of existing file", func(ctx context.Context) {
|
|
pod := testsuites.SubpathTestPod(f, "configmap-key", "configmap", &v1.VolumeSource{ConfigMap: &v1.ConfigMapVolumeSource{LocalObjectReference: v1.LocalObjectReference{Name: "my-configmap"}}}, f.NamespacePodSecurityLevel)
|
|
file := "/etc/resolv.conf"
|
|
pod.Spec.Containers[0].VolumeMounts[0].MountPath = file
|
|
testsuites.TestBasicSubpathFile(ctx, f, "configmap-value", pod, file)
|
|
})
|
|
|
|
/*
|
|
Release: v1.12
|
|
Testname: SubPath: Reading content from a downwardAPI volume.
|
|
Description: Containers in a pod can read content from a downwardAPI mounted volume which was configured with a subpath.
|
|
*/
|
|
framework.ConformanceIt("should support subpaths with downward pod", func(ctx context.Context) {
|
|
pod := testsuites.SubpathTestPod(f, "downward/podname", "downwardAPI", &v1.VolumeSource{
|
|
DownwardAPI: &v1.DownwardAPIVolumeSource{
|
|
Items: []v1.DownwardAPIVolumeFile{{Path: "downward/podname", FieldRef: &v1.ObjectFieldSelector{APIVersion: "v1", FieldPath: "metadata.name"}}},
|
|
},
|
|
}, f.NamespacePodSecurityLevel)
|
|
testsuites.TestBasicSubpath(ctx, f, pod.Name, pod)
|
|
})
|
|
|
|
/*
|
|
Release: v1.12
|
|
Testname: SubPath: Reading content from a projected volume.
|
|
Description: Containers in a pod can read content from a projected mounted volume which was configured with a subpath.
|
|
*/
|
|
framework.ConformanceIt("should support subpaths with projected pod", func(ctx context.Context) {
|
|
pod := testsuites.SubpathTestPod(f, "projected/configmap-key", "projected", &v1.VolumeSource{
|
|
Projected: &v1.ProjectedVolumeSource{
|
|
Sources: []v1.VolumeProjection{
|
|
{ConfigMap: &v1.ConfigMapProjection{
|
|
LocalObjectReference: v1.LocalObjectReference{Name: "my-configmap"},
|
|
Items: []v1.KeyToPath{{Path: "projected/configmap-key", Key: "configmap-key"}},
|
|
}},
|
|
},
|
|
},
|
|
}, f.NamespacePodSecurityLevel)
|
|
testsuites.TestBasicSubpath(ctx, f, "configmap-value", pod)
|
|
})
|
|
|
|
})
|
|
|
|
ginkgo.Context("Container restart", func() {
|
|
ginkgo.It("should verify that container can restart successfully after configmaps modified", func(ctx context.Context) {
|
|
configmapToModify := &v1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "my-configmap-to-modify"}, Data: map[string]string{"configmap-key": "configmap-value"}}
|
|
configmapModified := &v1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "my-configmap-to-modify"}, Data: map[string]string{"configmap-key": "configmap-modified-value"}}
|
|
testsuites.TestPodContainerRestartWithConfigmapModified(ctx, f, configmapToModify, configmapModified)
|
|
})
|
|
})
|
|
})
|