summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--pkg/adapter/pods.go34
-rw-r--r--test/e2e/play_kube_test.go46
2 files changed, 52 insertions, 28 deletions
diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go
index ded805de2..70293a2c5 100644
--- a/pkg/adapter/pods.go
+++ b/pkg/adapter/pods.go
@@ -683,25 +683,27 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
containerConfig.User = imageData.Config.User
}
- if containerConfig.SecurityOpts != nil {
- if containerYAML.SecurityContext.ReadOnlyRootFilesystem != nil {
- containerConfig.ReadOnlyRootfs = *containerYAML.SecurityContext.ReadOnlyRootFilesystem
- }
- if containerYAML.SecurityContext.Privileged != nil {
- containerConfig.Privileged = *containerYAML.SecurityContext.Privileged
- }
+ if containerYAML.SecurityContext != nil {
+ if containerConfig.SecurityOpts != nil {
+ if containerYAML.SecurityContext.ReadOnlyRootFilesystem != nil {
+ containerConfig.ReadOnlyRootfs = *containerYAML.SecurityContext.ReadOnlyRootFilesystem
+ }
+ if containerYAML.SecurityContext.Privileged != nil {
+ containerConfig.Privileged = *containerYAML.SecurityContext.Privileged
+ }
- if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil {
- containerConfig.NoNewPrivs = !*containerYAML.SecurityContext.AllowPrivilegeEscalation
- }
+ if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil {
+ containerConfig.NoNewPrivs = !*containerYAML.SecurityContext.AllowPrivilegeEscalation
+ }
- }
- if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
- for _, capability := range caps.Add {
- containerConfig.CapAdd = append(containerConfig.CapAdd, string(capability))
}
- for _, capability := range caps.Drop {
- containerConfig.CapDrop = append(containerConfig.CapDrop, string(capability))
+ if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
+ for _, capability := range caps.Add {
+ containerConfig.CapAdd = append(containerConfig.CapAdd, string(capability))
+ }
+ for _, capability := range caps.Drop {
+ containerConfig.CapDrop = append(containerConfig.CapDrop, string(capability))
+ }
}
}
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index af3cab379..5d59f0eb0 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -40,6 +40,7 @@ spec:
image: {{ .Image }}
name: {{ .Name }}
resources: {}
+ {{ if .SecurityContext }}
securityContext:
allowPrivilegeEscalation: true
{{ if .Caps }}
@@ -60,6 +61,7 @@ spec:
privileged: false
readOnlyRootFilesystem: false
workingDir: /
+ {{ end }}
{{ end }}
{{ end }}
status: {}
@@ -72,12 +74,13 @@ type Pod struct {
}
type Container struct {
- Cmd []string
- Image string
- Name string
- Caps bool
- CapAdd []string
- CapDrop []string
+ Cmd []string
+ Image string
+ Name string
+ SecurityContext bool
+ Caps bool
+ CapAdd []string
+ CapDrop []string
}
func generateKubeYaml(name string, hostname string, ctrs []Container, fileName string) error {
@@ -126,7 +129,7 @@ var _ = Describe("Podman generate kube", func() {
It("podman play kube test correct command", func() {
ctrName := "testCtr"
ctrCmd := []string{"top"}
- testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil}
+ testContainer := Container{ctrCmd, ALPINE, ctrName, true, false, nil, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
@@ -145,7 +148,7 @@ var _ = Describe("Podman generate kube", func() {
It("podman play kube test correct output", func() {
ctrName := "testCtr"
ctrCmd := []string{"echo", "hello"}
- testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil}
+ testContainer := Container{ctrCmd, ALPINE, ctrName, true, false, nil, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
@@ -170,7 +173,7 @@ var _ = Describe("Podman generate kube", func() {
podName := "test"
ctrName := "testCtr"
ctrCmd := []string{"top"}
- testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil}
+ testContainer := Container{ctrCmd, ALPINE, ctrName, true, false, nil, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
err := generateKubeYaml(podName, "", []Container{testContainer}, tempFile)
@@ -190,7 +193,7 @@ var _ = Describe("Podman generate kube", func() {
hostname := "myhostname"
ctrName := "testCtr"
ctrCmd := []string{"top"}
- testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil}
+ testContainer := Container{ctrCmd, ALPINE, ctrName, true, false, nil, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
err := generateKubeYaml("test", hostname, []Container{testContainer}, tempFile)
@@ -210,7 +213,7 @@ var _ = Describe("Podman generate kube", func() {
ctrName := "testCtr"
ctrCmd := []string{"cat", "/proc/self/status"}
capAdd := "CAP_SYS_ADMIN"
- testContainer := Container{ctrCmd, ALPINE, ctrName, true, []string{capAdd}, nil}
+ testContainer := Container{ctrCmd, ALPINE, ctrName, true, true, []string{capAdd}, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
@@ -230,7 +233,7 @@ var _ = Describe("Podman generate kube", func() {
ctrName := "testCtr"
ctrCmd := []string{"cat", "/proc/self/status"}
capDrop := "CAP_SYS_ADMIN"
- testContainer := Container{ctrCmd, ALPINE, ctrName, true, []string{capDrop}, nil}
+ testContainer := Container{ctrCmd, ALPINE, ctrName, true, true, []string{capDrop}, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
@@ -245,4 +248,23 @@ var _ = Describe("Podman generate kube", func() {
Expect(inspect.ExitCode()).To(Equal(0))
Expect(inspect.OutputToString()).To(ContainSubstring(capDrop))
})
+
+ It("podman play kube no security context", func() {
+ // expect play kube to not fail if no security context is specified
+ ctrName := "testCtr"
+ ctrCmd := "ls"
+ testContainer := Container{[]string{ctrCmd}, ALPINE, ctrName, false, false, nil, nil}
+ tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
+
+ err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
+ Expect(err).To(BeNil())
+
+ kube := podmanTest.Podman([]string{"play", "kube", tempFile})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ inspect := podmanTest.Podman([]string{"inspect", ctrName})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.ExitCode()).To(Equal(0))
+ })
})