authorSteven Taylor <steven@taylormuff.co.uk>2021-02-03 00:27:48 +0000
committerMatthew Heon <matthew.heon@pm.me>2021-02-05 13:52:49 -0500
commit204239169a59d790c2732947f39484d1bb6114a8 (patch)
treeed7da72ea7021f4178079c2c7ad344c881760e10 /test/e2e/play_kube_test.go
parent572b0803c7d5e5379e8d7ac5c133eb9c2c4a3ccf (diff)
play kube selinux label test case
Test case added to the e2e test suite to validate that the process label is correctly set on play kube.

Signed-off-by: Steven Taylor <steven@taylormuff.co.uk>
Diffstat (limited to 'test/e2e/play_kube_test.go')
-rw-r--r--test/e2e/play_kube_test.go58
1 files changed, 58 insertions, 0 deletions
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index 5930462d5..9fbedc073 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -26,6 +26,49 @@ spec:
hostname: unknown
`
+var selinuxLabelPodYaml = `
+apiVersion: v1
+kind: Pod
+metadata:
+ creationTimestamp: "2021-02-02T22:18:20Z"
+ labels:
+ app: label-pod
+ name: label-pod
+spec:
+ containers:
+ - command:
+ - top
+ - -d
+ - "1.5"
+ env:
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ - name: TERM
+ value: xterm
+ - name: container
+ value: podman
+ - name: HOSTNAME
+ value: label-pod
+ image: quay.io/libpod/alpine:latest
+ name: test
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - CAP_MKNOD
+ - CAP_NET_RAW
+ - CAP_AUDIT_WRITE
+ privileged: false
+ readOnlyRootFilesystem: false
+ seLinuxOptions:
+ user: unconfined_u
+ role: system_r
+ type: spc_t
+ level: s0
+ workingDir: /
+status: {}
+`
+
var configMapYamlTemplate = `
apiVersion: v1
kind: ConfigMap
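Review bot: `selinuxLabelPodYaml` has no comment saying which of its fields the test relies on. Going by the test added in the second hunk, only the `seLinuxOptions` block and the pod and container names (`label-pod`, `test`) are read back. I would add above the variable: `// selinuxLabelPodYaml requests an explicit SELinux process label (unconfined_u:system_r:spc_t:s0) so the test can verify play kube applies it; spc_t is an unconfined type, so this is a fixture, not a template.` The `creationTimestamp`, `env` and `status` entries and `allowPrivilegeEscalation: true` look like generated output that the label check does not need, so trimming them would make the security-relevant part easier to see. The image is referenced by the mutable `:latest` tag, and whether the suite has a pinned image constant to use instead is not visible from this hunk.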
@@ -803,6 +846,21 @@ var _ = Describe("Podman play kube", func() {
})
+ It("podman play kube fail with custom selinux label", func() {
+ err := writeYaml(selinuxLabelPodYaml, kubeYaml)
+ Expect(err).To(BeNil())
+
+ kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ inspect := podmanTest.Podman([]string{"inspect", "label-pod-test", "--format", "'{{ .ProcessLabel }}'"})
+ inspect.WaitWithDefaultTimeout()
+ label := inspect.OutputToString()
+
+ Expect(label).To(ContainSubstring("nconfined_u:system_r:spc_t:s0"))
+ })
+
It("podman play kube fail with nonexistent authfile", func() {
err := generateKubeYaml("pod", getPod(), kubeYaml)
Expect(err).To(BeNil())
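Review bot: The new `It` block asserts less than its purpose requires. The expected substring is misspelled as `"nconfined_u:system_r:spc_t:s0"`, and the `inspect` exit code is never checked. I would add `Expect(inspect.ExitCode()).To(Equal(0))` after the wait and assert `Expect(label).To(ContainSubstring("unconfined_u:system_r:spc_t:s0"))`, so a wrong SELinux user cannot pass on a suffix match. The spec is titled "podman play kube fail with custom selinux label" although it expects exit code 0, so the word "fail" looks copied from the neighbouring spec and should be dropped. On a host where SELinux is disabled the process label is presumably empty and this spec would fail for an unrelated reason, so a skip guard at the top of the block is worth adding; which helper the suite uses for that is not visible here. The enclosing `Describe` closure starts and ends outside the hunk.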