20 package e2enode
21
22 import (
23 "context"
24
25 "github.com/onsi/ginkgo/v2"
26
27 v1 "k8s.io/api/core/v1"
28 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
29 "k8s.io/apimachinery/pkg/util/uuid"
30 admissionapi "k8s.io/pod-security-admission/api"
31
32 kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
33 "k8s.io/kubernetes/test/e2e/feature"
34 "k8s.io/kubernetes/test/e2e/framework"
35 e2eoutput "k8s.io/kubernetes/test/e2e/framework/pod/output"
36 )
37
38
const (
	// SeccompProcStatusField is the /proc/<pid>/status line that reports a
	// task's seccomp mode (0 disabled, 1 strict, 2 filter, per the kernel's
	// proc(5) documentation). The trailing colon matters: it keeps a grep for
	// this field from also matching the separate "Seccomp_filters:" line that
	// newer kernels print.
	SeccompProcStatusField = "Seccomp:"

	// ProcSelfStatusPath is the status file of the calling process itself, so
	// a container can report its own seccomp mode without knowing its PID.
	ProcSelfStatusPath = "/proc/self/status"
)
43
44
// Node e2e coverage for the kubelet's SeccompDefault feature. Each spec runs a
// single busybox container that greps the "Seccomp:" line out of its own
// /proc/self/status and asserts on the mode digit the kernel reports there,
// which is the ground truth for whether a filter was actually applied.
var _ = SIGDescribe("SeccompDefault", framework.WithSerial(), feature.SeccompDefault, "[LinuxOnly]", func() {
	f := framework.NewDefaultFramework("seccompdefault-test")
	// The unconfined spec below opts out of seccomp entirely, which the
	// baseline/restricted pod-security levels would reject at admission.
	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged

	ginkgo.Context("with SeccompDefault enabled", func() {
		// Turn SeccompDefault on for the duration of this context. The helper
		// is defined elsewhere in this package; presumably it restores the
		// previous kubelet config afterwards — verify there.
		tempSetCurrentKubeletConfig(f, func(ctx context.Context, cfg *kubeletconfig.KubeletConfiguration) {
			cfg.SeccompDefault = true
		})

		// probePod builds a never-restarting pod whose only container prints
		// the seccomp line of its own status file. sc is applied verbatim as
		// the container's SecurityContext; nil leaves it unset so whatever the
		// kubelet defaults to is what gets exercised.
		probePod := func(sc *v1.SecurityContext) *v1.Pod {
			podName := "seccompdefault-test-" + string(uuid.NewUUID())
			probe := v1.Container{
				Name:            podName,
				Image:           busyboxImage,
				Command:         []string{"grep", SeccompProcStatusField, ProcSelfStatusPath},
				SecurityContext: sc,
			}
			pod := &v1.Pod{ObjectMeta: metav1.ObjectMeta{Name: podName}}
			pod.Spec.RestartPolicy = v1.RestartPolicyNever
			pod.Spec.Containers = []v1.Container{probe}
			return pod
		}

		// Mode 2 is seccomp "filter" mode, i.e. a BPF profile is attached —
		// what applying RuntimeDefault by default should produce. The expected
		// value is matched as a substring of the container log (as far as
		// e2eoutput's matcher goes — confirm if that helper changes).
		ginkgo.It("should use the default seccomp profile when unspecified", func(ctx context.Context) {
			e2eoutput.TestContainerOutput(ctx, f, "SeccompDefault", probePod(nil), 0, []string{"2"})
		})

		// Mode 0 is "disabled": an explicit Unconfined profile on the container
		// must win over the kubelet-wide default.
		ginkgo.It("should use unconfined when specified", func(ctx context.Context) {
			unconfined := &v1.SecurityContext{
				SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined},
			}
			e2eoutput.TestContainerOutput(ctx, f, "SeccompDefault-unconfined", probePod(unconfined), 0, []string{"0"})
		})
	})
})
83