diff options
author | Peter Hunt <pehunt@redhat.com> | 2019-11-15 15:49:42 -0500 |
---|---|---|
committer | Peter Hunt <pehunt@redhat.com> | 2019-11-18 10:11:35 -0500 |
commit | 8d585ccfa89e4f4e1eabf652528d3f7306af3268 (patch) | |
tree | b2cf161144a7d38dd07c7806ac8c0d48bfe3cf28 /test/e2e/play_kube_test.go | |
parent | db32ed1ae8374aac9c4058607ad9cf294505c952 (diff) | |
download | podman-8d585ccfa89e4f4e1eabf652528d3f7306af3268.tar.gz podman-8d585ccfa89e4f4e1eabf652528d3f7306af3268.tar.bz2 podman-8d585ccfa89e4f4e1eabf652528d3f7306af3268.zip |
play kube: handle seccomp labels
Add handling of seccomp annotations to play kube at both container and pod levels.
also add a test
Signed-off-by: Peter Hunt <pehunt@redhat.com>
Diffstat (limited to 'test/e2e/play_kube_test.go')
-rw-r--r-- | test/e2e/play_kube_test.go | 71 |
1 files changed, 67 insertions, 4 deletions
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go index 416c64b5a..29c60d7ac 100644 --- a/test/e2e/play_kube_test.go +++ b/test/e2e/play_kube_test.go @@ -3,6 +3,7 @@ package integration import ( + "fmt" "os" "path/filepath" "text/template" @@ -20,6 +21,13 @@ metadata: labels: app: {{ .Name }} name: {{ .Name }} +{{ with .Annotations }} + annotations: + {{ range $key, $value := . }} + {{ $key }}: {{ $value }} + {{ end }} +{{ end }} + spec: hostname: {{ .Hostname }} containers: @@ -72,6 +80,7 @@ var ( defaultCtrCmd = []string{"top"} defaultCtrImage = ALPINE defaultPodName = "testPod" + seccompPwdEPERM = []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`) ) func generateKubeYaml(pod *Pod, fileName string) error { @@ -95,16 +104,17 @@ func generateKubeYaml(pod *Pod, fileName string) error { // Pod describes the options a kube yaml can be configured at pod level type Pod struct { - Name string - Hostname string - Ctrs []*Ctr + Name string + Hostname string + Ctrs []*Ctr + Annotations map[string]string } // getPod takes a list of podOptions and returns a pod with sane defaults // and the configured options // if no containers are added, it will add the default container func getPod(options ...podOption) *Pod { - p := Pod{defaultPodName, "", make([]*Ctr, 0)} + p := Pod{defaultPodName, "", make([]*Ctr, 0), make(map[string]string)} for _, option := range options { option(&p) } @@ -128,6 +138,12 @@ func withCtr(c *Ctr) podOption { } } +func withAnnotation(k, v string) podOption { + return func(pod *Pod) { + pod.Annotations[k] = v + } +} + // Ctr describes the options a kube yaml can be configured at container level type Ctr struct { Name string @@ -330,4 +346,51 @@ var _ = Describe("Podman generate kube", func() { inspect.WaitWithDefaultTimeout() Expect(inspect.ExitCode()).To(Equal(0)) }) + + It("podman play kube seccomp container level", func() { + // expect play kube is expected to set a seccomp label if it's applied as an annotation + jsonFile, err := podmanTest.CreateSeccompJson(seccompPwdEPERM) + if err != nil { + fmt.Println(err) + Skip("Failed to prepare seccomp.json for test.") + } + + ctrAnnotation := "container.seccomp.security.alpha.kubernetes.io/" + defaultCtrName + ctr := getCtr(withCmd([]string{"pwd"})) + + err = generateKubeYaml(getPod(withCtr(ctr), withAnnotation(ctrAnnotation, "localhost:"+jsonFile)), kubeYaml) + Expect(err).To(BeNil()) + + kube := podmanTest.Podman([]string{"play", "kube", kubeYaml}) + kube.WaitWithDefaultTimeout() + Expect(kube.ExitCode()).To(Equal(0)) + + logs := podmanTest.Podman([]string{"logs", defaultCtrName}) + logs.WaitWithDefaultTimeout() + Expect(logs.ExitCode()).To(Equal(0)) + Expect(logs.OutputToString()).To(ContainSubstring("Operation not permitted")) + }) + + It("podman play kube seccomp pod level", func() { + // expect play kube is expected to set a seccomp label if it's applied as an annotation + jsonFile, err := podmanTest.CreateSeccompJson(seccompPwdEPERM) + if err != nil { + fmt.Println(err) + Skip("Failed to prepare seccomp.json for test.") + } + + ctr := getCtr(withCmd([]string{"pwd"})) + + err = generateKubeYaml(getPod(withCtr(ctr), withAnnotation("seccomp.security.alpha.kubernetes.io/pod", "localhost:"+jsonFile)), kubeYaml) + Expect(err).To(BeNil()) + + kube := podmanTest.Podman([]string{"play", "kube", kubeYaml}) + kube.WaitWithDefaultTimeout() + Expect(kube.ExitCode()).To(Equal(0)) + + logs := podmanTest.Podman([]string{"logs", defaultCtrName}) + logs.WaitWithDefaultTimeout() + Expect(logs.ExitCode()).To(Equal(0)) + Expect(logs.OutputToString()).To(ContainSubstring("Operation not permitted")) + }) }) |