author | Steven Taylor <steven@taylormuff.co.uk> | 2021-02-03 00:27:48 +0000 |
---|---|---|
committer | Matthew Heon <matthew.heon@pm.me> | 2021-02-05 13:52:49 -0500 |
commit | 204239169a59d790c2732947f39484d1bb6114a8 (patch) | |
tree | ed7da72ea7021f4178079c2c7ad344c881760e10 | |
parent | 572b0803c7d5e5379e8d7ac5c133eb9c2c4a3ccf (diff) | |
play kube selinux label test case
test case added to e2e test suite to validate process label being correctly set
on play kube
Signed-off-by: Steven Taylor <steven@taylormuff.co.uk>
-rw-r--r-- | test/e2e/play_kube_test.go | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go index 5930462d5..9fbedc073 100644 --- a/test/e2e/play_kube_test.go +++ b/test/e2e/play_kube_test.go @@ -26,6 +26,49 @@ spec: hostname: unknown ` +var selinuxLabelPodYaml = ` +apiVersion: v1 +kind: Pod +metadata: + creationTimestamp: "2021-02-02T22:18:20Z" + labels: + app: label-pod + name: label-pod +spec: + containers: + - command: + - top + - -d + - "1.5" + env: + - name: PATH + value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + - name: TERM + value: xterm + - name: container + value: podman + - name: HOSTNAME + value: label-pod + image: quay.io/libpod/alpine:latest + name: test + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - CAP_MKNOD + - CAP_NET_RAW + - CAP_AUDIT_WRITE + privileged: false + readOnlyRootFilesystem: false + seLinuxOptions: + user: unconfined_u + role: system_r + type: spc_t + level: s0 + workingDir: / +status: {} +` + var configMapYamlTemplate = ` apiVersion: v1 kind: ConfigMap @@ -803,6 +846,21 @@ var _ = Describe("Podman play kube", func() { }) + It("podman play kube fail with custom selinux label", func() { + err := writeYaml(selinuxLabelPodYaml, kubeYaml) + Expect(err).To(BeNil()) + + kube := podmanTest.Podman([]string{"play", "kube", kubeYaml}) + kube.WaitWithDefaultTimeout() + Expect(kube.ExitCode()).To(Equal(0)) + + inspect := podmanTest.Podman([]string{"inspect", "label-pod-test", "--format", "'{{ .ProcessLabel }}'"}) + inspect.WaitWithDefaultTimeout() + label := inspect.OutputToString() + + Expect(label).To(ContainSubstring("nconfined_u:system_r:spc_t:s0")) + }) + It("podman play kube fail with nonexistent authfile", func() { err := generateKubeYaml("pod", getPod(), kubeYaml) Expect(err).To(BeNil()) |
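Review bot: `selinuxLabelPodYaml` has no comment saying which field the test depends on, and the fixture carries a lot of generated noise (creationTimestamp, env, capabilities) around the one block that matters, `seLinuxOptions`. I would add a comment above the variable such as `// selinuxLabelPodYaml is a pod whose container sets seLinuxOptions; the play kube test checks that user, role, type and level end up in the container's process label.` The same comment could record that `spc_t` is the largely unconfined super-privileged-container type, used here only as a recognisable value, so the test shows that the label is passed through rather than that confinement is enforced. The image is written as `quay.io/libpod/alpine:latest` inside the YAML; if the suite has a shared image constant (not visible in this hunk), using it would keep the fixture in step with the images the other tests use.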
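Review bot: In the new `It` block the assertion `ContainSubstring("nconfined_u:system_r:spc_t:s0")` drops the leading `u` of the user set in the fixture, which looks like a typo; it still passes, but so would any label whose user merely ends in `nconfined_u`, so I would match the full value with `Expect(label).To(ContainSubstring("unconfined_u:system_r:spc_t:s0"))`. The test name says "fail" while the body expects exit code 0 and an applied label, so a name like `"podman play kube with custom selinux label"` would describe it better. The `inspect` session's exit code is never checked; adding `Expect(inspect.ExitCode()).To(Equal(0))` before reading the output would separate an inspect failure from a wrong label. There is also no skip for hosts where SELinux is disabled, where the process label is presumably empty; a guard such as `if !selinux.GetEnabled() { Skip("SELinux not enabled") }` would avoid a false failure, assuming the go-selinux package is or can be imported in this file.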