/* Copyright 2016 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ package node import ( "context" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/uuid" "k8s.io/kubernetes/test/e2e/feature" "k8s.io/kubernetes/test/e2e/framework" e2epod "k8s.io/kubernetes/test/e2e/framework/pod" e2epodoutput "k8s.io/kubernetes/test/e2e/framework/pod/output" imageutils "k8s.io/kubernetes/test/utils/image" admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo/v2" "github.com/onsi/gomega" ) // These tests exercise the Kubernetes expansion syntax $(VAR). // For more information, see: // https://github.com/kubernetes/community/blob/master/contributors/design-proposals/node/expansion.md var _ = SIGDescribe("Variable Expansion", func() { f := framework.NewDefaultFramework("var-expansion") f.NamespacePodSecurityLevel = admissionapi.LevelBaseline /* Release: v1.9 Testname: Environment variables, expansion Description: Create a Pod with environment variables. Environment variables defined using previously defined environment variables MUST expand to proper values. */ framework.ConformanceIt("should allow composing env vars into new env vars", f.WithNodeConformance(), func(ctx context.Context) { envVars := []v1.EnvVar{ { Name: "FOO", Value: "foo-value", }, { Name: "BAR", Value: "bar-value", }, { Name: "FOOBAR", Value: "$(FOO);;$(BAR)", }, } pod := newPod([]string{"sh", "-c", "env"}, envVars, nil, nil) e2epodoutput.TestContainerOutput(ctx, f, "env composition", pod, 0, []string{ "FOO=foo-value", "BAR=bar-value", "FOOBAR=foo-value;;bar-value", }) }) /* Release: v1.9 Testname: Environment variables, command expansion Description: Create a Pod with environment variables and container command using them. Container command using the defined environment variables MUST expand to proper values. */ framework.ConformanceIt("should allow substituting values in a container's command", f.WithNodeConformance(), func(ctx context.Context) { envVars := []v1.EnvVar{ { Name: "TEST_VAR", Value: "test-value", }, } pod := newPod([]string{"sh", "-c", "TEST_VAR=wrong echo \"$(TEST_VAR)\""}, envVars, nil, nil) e2epodoutput.TestContainerOutput(ctx, f, "substitution in container's command", pod, 0, []string{ "test-value", }) }) /* Release: v1.9 Testname: Environment variables, command argument expansion Description: Create a Pod with environment variables and container command arguments using them. Container command arguments using the defined environment variables MUST expand to proper values. */ framework.ConformanceIt("should allow substituting values in a container's args", f.WithNodeConformance(), func(ctx context.Context) { envVars := []v1.EnvVar{ { Name: "TEST_VAR", Value: "test-value", }, } pod := newPod([]string{"sh", "-c"}, envVars, nil, nil) pod.Spec.Containers[0].Args = []string{"TEST_VAR=wrong echo \"$(TEST_VAR)\""} e2epodoutput.TestContainerOutput(ctx, f, "substitution in container's args", pod, 0, []string{ "test-value", }) }) /* Release: v1.19 Testname: VolumeSubpathEnvExpansion, subpath expansion Description: Make sure a container's subpath can be set using an expansion of environment variables. */ framework.ConformanceIt("should allow substituting values in a volume subpath", func(ctx context.Context) { envVars := []v1.EnvVar{ { Name: "POD_NAME", Value: "foo", }, } mounts := []v1.VolumeMount{ { Name: "workdir1", MountPath: "/logscontainer", SubPathExpr: "$(POD_NAME)", }, { Name: "workdir1", MountPath: "/testcontainer", }, } volumes := []v1.Volume{ { Name: "workdir1", VolumeSource: v1.VolumeSource{ EmptyDir: &v1.EmptyDirVolumeSource{}, }, }, } pod := newPod([]string{}, envVars, mounts, volumes) envVars[0].Value = pod.ObjectMeta.Name pod.Spec.Containers[0].Command = []string{"sh", "-c", "test -d /testcontainer/" + pod.ObjectMeta.Name + ";echo $?"} e2epodoutput.TestContainerOutput(ctx, f, "substitution in volume subpath", pod, 0, []string{ "0", }) }) /* Release: v1.19 Testname: VolumeSubpathEnvExpansion, subpath with backticks Description: Make sure a container's subpath can not be set using an expansion of environment variables when backticks are supplied. */ framework.ConformanceIt("should fail substituting values in a volume subpath with backticks", f.WithSlow(), func(ctx context.Context) { envVars := []v1.EnvVar{ { Name: "POD_NAME", Value: "..", }, } mounts := []v1.VolumeMount{ { Name: "workdir1", MountPath: "/logscontainer", SubPathExpr: "$(POD_NAME)", }, } volumes := []v1.Volume{ { Name: "workdir1", VolumeSource: v1.VolumeSource{ EmptyDir: &v1.EmptyDirVolumeSource{}, }, }, } pod := newPod(nil, envVars, mounts, volumes) // Pod should fail testPodFailSubpath(ctx, f, pod) }) /* Release: v1.19 Testname: VolumeSubpathEnvExpansion, subpath with absolute path Description: Make sure a container's subpath can not be set using an expansion of environment variables when absolute path is supplied. */ framework.ConformanceIt("should fail substituting values in a volume subpath with absolute path", f.WithSlow(), func(ctx context.Context) { absolutePath := "/tmp" if framework.NodeOSDistroIs("windows") { // Windows does not typically have a C:\tmp folder. absolutePath = "C:\\Users" } envVars := []v1.EnvVar{ { Name: "POD_NAME", Value: absolutePath, }, } mounts := []v1.VolumeMount{ { Name: "workdir1", MountPath: "/logscontainer", SubPathExpr: "$(POD_NAME)", }, } volumes := []v1.Volume{ { Name: "workdir1", VolumeSource: v1.VolumeSource{ EmptyDir: &v1.EmptyDirVolumeSource{}, }, }, } pod := newPod(nil, envVars, mounts, volumes) // Pod should fail testPodFailSubpath(ctx, f, pod) }) /* Release: v1.19 Testname: VolumeSubpathEnvExpansion, subpath ready from failed state Description: Verify that a failing subpath expansion can be modified during the lifecycle of a container. */ framework.ConformanceIt("should verify that a failing subpath expansion can be modified during the lifecycle of a container", f.WithSlow(), func(ctx context.Context) { envVars := []v1.EnvVar{ { Name: "POD_NAME", Value: "foo", }, { Name: "ANNOTATION", ValueFrom: &v1.EnvVarSource{ FieldRef: &v1.ObjectFieldSelector{ APIVersion: "v1", FieldPath: "metadata.annotations['mysubpath']", }, }, }, } mounts := []v1.VolumeMount{ { Name: "workdir1", MountPath: "/subpath_mount", SubPathExpr: "$(ANNOTATION)/$(POD_NAME)", }, { Name: "workdir1", MountPath: "/volume_mount", }, } volumes := []v1.Volume{ { Name: "workdir1", VolumeSource: v1.VolumeSource{ EmptyDir: &v1.EmptyDirVolumeSource{}, }, }, } pod := newPod([]string{"sh", "-c", "tail -f /dev/null"}, envVars, mounts, volumes) pod.ObjectMeta.Annotations = map[string]string{"notmysubpath": "mypath"} ginkgo.By("creating the pod with failed condition") podClient := e2epod.NewPodClient(f) pod = podClient.Create(ctx, pod) getPod := e2epod.Get(f.ClientSet, pod) gomega.Consistently(ctx, getPod).WithTimeout(framework.PodStartShortTimeout).Should(e2epod.BeInPhase(v1.PodPending)) ginkgo.By("updating the pod") podClient.Update(ctx, pod.ObjectMeta.Name, func(pod *v1.Pod) { if pod.ObjectMeta.Annotations == nil { pod.ObjectMeta.Annotations = make(map[string]string) } pod.ObjectMeta.Annotations["mysubpath"] = "mypath" }) ginkgo.By("waiting for pod running") err := e2epod.WaitTimeoutForPodRunningInNamespace(ctx, f.ClientSet, pod.Name, pod.Namespace, framework.PodStartShortTimeout) framework.ExpectNoError(err, "while waiting for pod to be running") ginkgo.By("deleting the pod gracefully") err = e2epod.DeletePodWithWait(ctx, f.ClientSet, pod) framework.ExpectNoError(err, "failed to delete pod") }) /* Release: v1.19 Testname: VolumeSubpathEnvExpansion, subpath test writes Description: Verify that a subpath expansion can be used to write files into subpaths. 1. valid subpathexpr starts a container running 2. test for valid subpath writes 3. successful expansion of the subpathexpr isn't required for volume cleanup */ framework.ConformanceIt("should succeed in writing subpaths in container", f.WithSlow(), func(ctx context.Context) { envVars := []v1.EnvVar{ { Name: "POD_NAME", Value: "foo", }, { Name: "ANNOTATION", ValueFrom: &v1.EnvVarSource{ FieldRef: &v1.ObjectFieldSelector{ APIVersion: "v1", FieldPath: "metadata.annotations['mysubpath']", }, }, }, } mounts := []v1.VolumeMount{ { Name: "workdir1", MountPath: "/subpath_mount", SubPathExpr: "$(ANNOTATION)/$(POD_NAME)", }, { Name: "workdir1", MountPath: "/volume_mount", }, } volumes := []v1.Volume{ { Name: "workdir1", VolumeSource: v1.VolumeSource{ EmptyDir: &v1.EmptyDirVolumeSource{}, }, }, } pod := newPod([]string{"sh", "-c", "tail -f /dev/null"}, envVars, mounts, volumes) pod.ObjectMeta.Annotations = map[string]string{"mysubpath": "mypath"} ginkgo.By("creating the pod") podClient := e2epod.NewPodClient(f) pod = podClient.Create(ctx, pod) ginkgo.By("waiting for pod running") err := e2epod.WaitTimeoutForPodRunningInNamespace(ctx, f.ClientSet, pod.Name, pod.Namespace, framework.PodStartShortTimeout) framework.ExpectNoError(err, "while waiting for pod to be running") ginkgo.By("creating a file in subpath") cmd := "touch /volume_mount/mypath/foo/test.log" _, _, err = e2epod.ExecShellInPodWithFullOutput(ctx, f, pod.Name, cmd) if err != nil { framework.Failf("expected to be able to write to subpath") } ginkgo.By("test for file in mounted path") cmd = "test -f /subpath_mount/test.log" _, _, err = e2epod.ExecShellInPodWithFullOutput(ctx, f, pod.Name, cmd) if err != nil { framework.Failf("expected to be able to verify file") } ginkgo.By("updating the annotation value") podClient.Update(ctx, pod.ObjectMeta.Name, func(pod *v1.Pod) { pod.ObjectMeta.Annotations["mysubpath"] = "mynewpath" }) ginkgo.By("waiting for annotated pod running") err = e2epod.WaitTimeoutForPodRunningInNamespace(ctx, f.ClientSet, pod.Name, pod.Namespace, framework.PodStartShortTimeout) framework.ExpectNoError(err, "while waiting for annotated pod to be running") ginkgo.By("deleting the pod gracefully") err = e2epod.DeletePodWithWait(ctx, f.ClientSet, pod) framework.ExpectNoError(err, "failed to delete pod") }) /* Release: v1.30 Testname: Environment variables, expansion Description: Create a Pod with environment variables. Environment variables defined using previously defined environment variables MUST expand to proper values. Allow almost all printable ASCII characters in environment variables. */ framework.It("allow almost all printable ASCII characters as environment variable names", feature.RelaxedEnvironmentVariableValidation, func(ctx context.Context) { envVars := []v1.EnvVar{ { Name: "!\"#$%&'()", Value: "value-1", }, { Name: "* +,-./0123456789", Value: "value-2", }, { Name: ":;<>?@", Value: "value-3", }, { Name: "[\\]^_`{}|~", Value: "value-4", }, } pod := newPod([]string{"sh", "-c", "env"}, envVars, nil, nil) e2epodoutput.TestContainerOutput(ctx, f, "env composition", pod, 0, []string{ "!\"#$%&'()=value-1", "* +,-./0123456789=value-2", ":;<>?@=value-3", "[\\]^_`{}|~=value-4", }) }) }) func testPodFailSubpath(ctx context.Context, f *framework.Framework, pod *v1.Pod) { podClient := e2epod.NewPodClient(f) pod = podClient.Create(ctx, pod) ginkgo.DeferCleanup(e2epod.DeletePodWithWait, f.ClientSet, pod) err := e2epod.WaitForPodContainerToFail(ctx, f.ClientSet, pod.Namespace, pod.Name, 0, "CreateContainerConfigError", framework.PodStartShortTimeout) framework.ExpectNoError(err, "while waiting for the pod container to fail") } func newPod(command []string, envVars []v1.EnvVar, mounts []v1.VolumeMount, volumes []v1.Volume) *v1.Pod { podName := "var-expansion-" + string(uuid.NewUUID()) return &v1.Pod{ ObjectMeta: metav1.ObjectMeta{ Name: podName, Labels: map[string]string{"name": podName}, }, Spec: v1.PodSpec{ Containers: []v1.Container{newContainer("dapi-container", command, envVars, mounts)}, RestartPolicy: v1.RestartPolicyNever, Volumes: volumes, }, } } func newContainer(containerName string, command []string, envVars []v1.EnvVar, mounts []v1.VolumeMount) v1.Container { return v1.Container{ Name: containerName, Image: imageutils.GetE2EImage(imageutils.BusyBox), Command: command, Env: envVars, VolumeMounts: mounts, } }