Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test: extended: avoid using docker directly #16408

Merged
merged 1 commit into from
Oct 30, 2017
Merged

test: extended: avoid using docker directly #16408

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 21 additions & 38 deletions test/extended/security/supplemental_groups.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,29 +8,33 @@ import (
g "github.com/onsi/ginkgo"
o "github.com/onsi/gomega"

exutil "github.com/openshift/origin/test/extended/util"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
kapiv1 "k8s.io/kubernetes/pkg/api/v1"
e2e "k8s.io/kubernetes/test/e2e/framework"
)

testutil "github.com/openshift/origin/test/util"
const (
supplementalGroupsPod = "supplemental-groups"
)

var _ = g.Describe("[security] supplemental groups", func() {
defer g.GinkgoRecover()

var (
f = e2e.NewDefaultFramework("security-supgroups")
oc = exutil.NewCLI("sup-groups", exutil.KubeConfigPath())
f = oc.KubeFramework()
)

g.Describe("[Conformance]Ensure supplemental groups propagate to docker", func() {
g.It("should propagate requested groups to the docker host config [local]", func() {
g.By("getting the docker client")
dockerCli, err := testutil.NewDockerClient()
o.Expect(err).NotTo(o.HaveOccurred())
g.It("should propagate requested groups to the container [local]", func() {

fsGroup := int64(1111)
supGroup := int64(2222)

_, err := oc.AsAdmin().Run("adm").Args("policy", "add-scc-to-user", "anyuid", oc.Username()).Output()
o.Expect(err).NotTo(o.HaveOccurred())

// create a pod that is requesting supplemental groups. We request specific sup groups
// so that we can check for the exact values later and not rely on SCC allocation.
g.By("creating a pod that requests supplemental groups")
Expand All @@ -52,50 +56,29 @@ var _ = g.Describe("[security] supplemental groups", func() {
err = f.WaitForPodRunning(submittedPod.Name)
o.Expect(err).NotTo(o.HaveOccurred())

// find the docker id of our running container.
g.By("finding the docker container id on the pod")
retrievedPod, err = f.ClientSet.CoreV1().Pods(f.Namespace.Name).Get(submittedPod.Name, metav1.GetOptions{})
o.Expect(err).NotTo(o.HaveOccurred())
containerID, err := getContainerID(retrievedPod)
o.Expect(err).NotTo(o.HaveOccurred())

// now check the host config of the container which should have been updated by the
// kubelet. If that is good then ensure we have the groups we expected.
g.By("inspecting the container")
dockerContainer, err := dockerCli.InspectContainer(containerID)
out, stderr, err := oc.Run("exec").Args("-p", supplementalGroupsPod, "--", "/usr/bin/id", "-G").Outputs()
if err != nil {
logs, _ := oc.Run("logs").Args(supplementalGroupsPod).Output()
e2e.Failf("Failed to get groups: \n%q, %q, pod logs: \n%q", out, stderr, logs)
}
o.Expect(err).NotTo(o.HaveOccurred())

g.By("ensuring the host config has GroupAdd")
groupAdd := dockerContainer.HostConfig.GroupAdd
o.Expect(groupAdd).ToNot(o.BeEmpty(), fmt.Sprintf("groupAdd on host config was %v", groupAdd))

g.By("ensuring the groups are set")
split := strings.Split(out, " ")
o.Expect(split).ToNot(o.BeEmpty(), fmt.Sprintf("no groups in pod: %v", out))
group := strconv.FormatInt(fsGroup, 10)
o.Expect(groupAdd).To(o.ContainElement(group), fmt.Sprintf("fsGroup %v should exist on host config: %v", fsGroup, groupAdd))

o.Expect(split).To(o.ContainElement(group), fmt.Sprintf("fsGroup %v should exist in pod's groups: %v", fsGroup, out))
group = strconv.FormatInt(supGroup, 10)
o.Expect(groupAdd).To(o.ContainElement(group), fmt.Sprintf("supGroup %v should exist on host config: %v", supGroup, groupAdd))
o.Expect(split).To(o.ContainElement(group), fmt.Sprintf("supGroup %v should exist in pod's groups: %v", supGroup, out))
})

})
})

// getContainerID is a helper to parse the docker container id from a status.
func getContainerID(p *kapiv1.Pod) (string, error) {
for _, status := range p.Status.ContainerStatuses {
if len(status.ContainerID) > 0 {
containerID := strings.Replace(status.ContainerID, "docker://", "", -1)
return containerID, nil
}
}
return "", fmt.Errorf("unable to find container id on pod")
}

// supGroupPod generates the pod requesting supplemental groups.
func supGroupPod(fsGroup int64, supGroup int64) *kapiv1.Pod {
return &kapiv1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "supplemental-groups",
Name: supplementalGroupsPod,
},
Spec: kapiv1.PodSpec{
SecurityContext: &kapiv1.PodSecurityContext{
Expand All @@ -104,7 +87,7 @@ func supGroupPod(fsGroup int64, supGroup int64) *kapiv1.Pod {
},
Containers: []kapiv1.Container{
{
Name: "supplemental-groups",
Name: supplementalGroupsPod,
Image: "openshift/origin-pod",
},
},
Expand Down