containers
/
automation-tests
mirror of https://github.com/containers/automation-tests.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9205 from st1971/issue-8710 

play kube selinux label issue
This commit is contained in:
OpenShift Merge Robot 2021-02-05 12:25:55 -05:00 committed by GitHub
parent c421127dd7 6c713984ef
commit 69ddbde983
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 65 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/specgen/generate/kube/kube.go
View File

@ -282,16 +282,16 @@ func setupSecurityContext(s *specgen.SpecGenerator, containerYAML v1.Container)
if seopt := containerYAML.SecurityContext.SELinuxOptions; seopt != nil { if seopt := containerYAML.SecurityContext.SELinuxOptions; seopt != nil {
if seopt.User != "" { if seopt.User != "" {
s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("role:%s", seopt.User)) s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("user:%s", seopt.User))
} }
if seopt.Role != "" { if seopt.Role != "" {
s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("role:%s", seopt.Role)) s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("role:%s", seopt.Role))
} }
if seopt.Type != "" { if seopt.Type != "" {
s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("role:%s", seopt.Type)) s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("type:%s", seopt.Type))
} }
if seopt.Level != "" { if seopt.Level != "" {
s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("role:%s", seopt.Level)) s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("level:%s", seopt.Level))
} }
} }
if caps := containerYAML.SecurityContext.Capabilities; caps != nil { if caps := containerYAML.SecurityContext.Capabilities; caps != nil {

62
test/e2e/play_kube_test.go
View File

@ -13,6 +13,7 @@ import (
. "github.com/containers/podman/v2/test/utils" . "github.com/containers/podman/v2/test/utils"
. "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo"
. "github.com/onsi/gomega" . "github.com/onsi/gomega"
"github.com/opencontainers/selinux/go-selinux"
) )
var unknownKindYaml = ` var unknownKindYaml = `
@ -26,6 +27,49 @@ spec:
hostname: unknown hostname: unknown
` `
var selinuxLabelPodYaml = `
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: "2021-02-02T22:18:20Z"
labels:
app: label-pod
name: label-pod
spec:
containers:
- command:
- top
- -d
- "1.5"
env:
- name: PATH
value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: TERM
value: xterm
- name: container
value: podman
- name: HOSTNAME
value: label-pod
image: quay.io/libpod/alpine:latest
name: test
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
- CAP_MKNOD
- CAP_NET_RAW
- CAP_AUDIT_WRITE
privileged: false
readOnlyRootFilesystem: false
seLinuxOptions:
user: unconfined_u
role: system_r
type: spc_t
level: s0
workingDir: /
status: {}
`
var configMapYamlTemplate = ` var configMapYamlTemplate = `
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
@ -803,6 +847,24 @@ var _ = Describe("Podman play kube", func() {
}) })
It("podman play kube fail with custom selinux label", func() {
if !selinux.GetEnabled() {
Skip("SELinux not enabled")
}
err := writeYaml(selinuxLabelPodYaml, kubeYaml)
Expect(err).To(BeNil())
kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).To(Equal(0))
inspect := podmanTest.Podman([]string{"inspect", "label-pod-test", "--format", "'{{ .ProcessLabel }}'"})
inspect.WaitWithDefaultTimeout()
label := inspect.OutputToString()
Expect(label).To(ContainSubstring("unconfined_u:system_r:spc_t:s0"))
})
It("podman play kube fail with nonexistent authfile", func() { It("podman play kube fail with nonexistent authfile", func() {
err := generateKubeYaml("pod", getPod(), kubeYaml) err := generateKubeYaml("pod", getPod(), kubeYaml)
Expect(err).To(BeNil()) Expect(err).To(BeNil())