containers
/
automation-tests
mirror of https://github.com/containers/automation-tests.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

play kube: fix segfault 

when securityContext wasn't specified in yaml.
add a test as well

Signed-off-by: Peter Hunt <pehunt@redhat.com>
This commit is contained in:
Peter Hunt 2019-09-06 08:41:02 -04:00
parent b962b1e353
commit 9259693826
2 changed files with 52 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
pkg/adapter/pods.go
View File

@ -683,25 +683,27 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
containerConfig.User = imageData.Config.User containerConfig.User = imageData.Config.User
} }
if containerConfig.SecurityOpts != nil { if containerYAML.SecurityContext != nil {
if containerYAML.SecurityContext.ReadOnlyRootFilesystem != nil { if containerConfig.SecurityOpts != nil {
containerConfig.ReadOnlyRootfs = *containerYAML.SecurityContext.ReadOnlyRootFilesystem if containerYAML.SecurityContext.ReadOnlyRootFilesystem != nil {
} containerConfig.ReadOnlyRootfs = *containerYAML.SecurityContext.ReadOnlyRootFilesystem
if containerYAML.SecurityContext.Privileged != nil { }
containerConfig.Privileged = *containerYAML.SecurityContext.Privileged if containerYAML.SecurityContext.Privileged != nil {
} containerConfig.Privileged = *containerYAML.SecurityContext.Privileged
}
if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil { if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil {
containerConfig.NoNewPrivs = !*containerYAML.SecurityContext.AllowPrivilegeEscalation containerConfig.NoNewPrivs = !*containerYAML.SecurityContext.AllowPrivilegeEscalation
} }
}
if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
for _, capability := range caps.Add {
containerConfig.CapAdd = append(containerConfig.CapAdd, string(capability))
} }
for _, capability := range caps.Drop { if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
containerConfig.CapDrop = append(containerConfig.CapDrop, string(capability)) for _, capability := range caps.Add {
containerConfig.CapAdd = append(containerConfig.CapAdd, string(capability))
}
for _, capability := range caps.Drop {
containerConfig.CapDrop = append(containerConfig.CapDrop, string(capability))
}
} }
} }

46
test/e2e/play_kube_test.go
View File

@ -40,6 +40,7 @@ spec:
image: {{ .Image }} image: {{ .Image }}
name: {{ .Name }} name: {{ .Name }}
resources: {} resources: {}
{{ if .SecurityContext }}
securityContext: securityContext:
allowPrivilegeEscalation: true allowPrivilegeEscalation: true
{{ if .Caps }} {{ if .Caps }}
@ -60,6 +61,7 @@ spec:
privileged: false privileged: false
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
workingDir: / workingDir: /
{{ end }}
{{ end }} {{ end }}
{{ end }} {{ end }}
status: {} status: {}
@ -72,12 +74,13 @@ type Pod struct {
} }
type Container struct { type Container struct {
Cmd []string Cmd []string
Image string Image string
Name string Name string
Caps bool SecurityContext bool
CapAdd []string Caps bool
CapDrop []string CapAdd []string
CapDrop []string
} }
func generateKubeYaml(name string, hostname string, ctrs []Container, fileName string) error { func generateKubeYaml(name string, hostname string, ctrs []Container, fileName string) error {
@ -126,7 +129,7 @@ var _ = Describe("Podman generate kube", func() {
It("podman play kube test correct command", func() { It("podman play kube test correct command", func() {
ctrName := "testCtr" ctrName := "testCtr"
ctrCmd := []string{"top"} ctrCmd := []string{"top"}
testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil} testContainer := Container{ctrCmd, ALPINE, ctrName, true, false, nil, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml") tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
err := generateKubeYaml("test", "", []Container{testContainer}, tempFile) err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
@ -145,7 +148,7 @@ var _ = Describe("Podman generate kube", func() {
It("podman play kube test correct output", func() { It("podman play kube test correct output", func() {
ctrName := "testCtr" ctrName := "testCtr"
ctrCmd := []string{"echo", "hello"} ctrCmd := []string{"echo", "hello"}
testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil} testContainer := Container{ctrCmd, ALPINE, ctrName, true, false, nil, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml") tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
err := generateKubeYaml("test", "", []Container{testContainer}, tempFile) err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
@ -170,7 +173,7 @@ var _ = Describe("Podman generate kube", func() {
podName := "test" podName := "test"
ctrName := "testCtr" ctrName := "testCtr"
ctrCmd := []string{"top"} ctrCmd := []string{"top"}
testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil} testContainer := Container{ctrCmd, ALPINE, ctrName, true, false, nil, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml") tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
err := generateKubeYaml(podName, "", []Container{testContainer}, tempFile) err := generateKubeYaml(podName, "", []Container{testContainer}, tempFile)
@ -190,7 +193,7 @@ var _ = Describe("Podman generate kube", func() {
hostname := "myhostname" hostname := "myhostname"
ctrName := "testCtr" ctrName := "testCtr"
ctrCmd := []string{"top"} ctrCmd := []string{"top"}
testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil} testContainer := Container{ctrCmd, ALPINE, ctrName, true, false, nil, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml") tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
err := generateKubeYaml("test", hostname, []Container{testContainer}, tempFile) err := generateKubeYaml("test", hostname, []Container{testContainer}, tempFile)
@ -210,7 +213,7 @@ var _ = Describe("Podman generate kube", func() {
ctrName := "testCtr" ctrName := "testCtr"
ctrCmd := []string{"cat", "/proc/self/status"} ctrCmd := []string{"cat", "/proc/self/status"}
capAdd := "CAP_SYS_ADMIN" capAdd := "CAP_SYS_ADMIN"
testContainer := Container{ctrCmd, ALPINE, ctrName, true, []string{capAdd}, nil} testContainer := Container{ctrCmd, ALPINE, ctrName, true, true, []string{capAdd}, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml") tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
err := generateKubeYaml("test", "", []Container{testContainer}, tempFile) err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
@ -230,7 +233,7 @@ var _ = Describe("Podman generate kube", func() {
ctrName := "testCtr" ctrName := "testCtr"
ctrCmd := []string{"cat", "/proc/self/status"} ctrCmd := []string{"cat", "/proc/self/status"}
capDrop := "CAP_SYS_ADMIN" capDrop := "CAP_SYS_ADMIN"
testContainer := Container{ctrCmd, ALPINE, ctrName, true, []string{capDrop}, nil} testContainer := Container{ctrCmd, ALPINE, ctrName, true, true, []string{capDrop}, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml") tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
err := generateKubeYaml("test", "", []Container{testContainer}, tempFile) err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
@ -245,4 +248,23 @@ var _ = Describe("Podman generate kube", func() {
Expect(inspect.ExitCode()).To(Equal(0)) Expect(inspect.ExitCode()).To(Equal(0))
Expect(inspect.OutputToString()).To(ContainSubstring(capDrop)) Expect(inspect.OutputToString()).To(ContainSubstring(capDrop))
}) })
It("podman play kube no security context", func() {
// expect play kube to not fail if no security context is specified
ctrName := "testCtr"
ctrCmd := "ls"
testContainer := Container{[]string{ctrCmd}, ALPINE, ctrName, false, false, nil, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
err := generateKubeYaml("test", "", []Container{testContainer}, tempFile)
Expect(err).To(BeNil())
kube := podmanTest.Podman([]string{"play", "kube", tempFile})
kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).To(Equal(0))
inspect := podmanTest.Podman([]string{"inspect", ctrName})
inspect.WaitWithDefaultTimeout()
Expect(inspect.ExitCode()).To(Equal(0))
})
}) })