github.com/chipaca/snappy@v0.0.0-20210104084008-1f06296fe8ad/interfaces/builtin/kubernetes_support_test.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2017-2018 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package builtin_test 21 22 import ( 23 . "gopkg.in/check.v1" 24 25 "github.com/snapcore/snapd/interfaces" 26 "github.com/snapcore/snapd/interfaces/apparmor" 27 "github.com/snapcore/snapd/interfaces/builtin" 28 "github.com/snapcore/snapd/interfaces/kmod" 29 "github.com/snapcore/snapd/interfaces/seccomp" 30 "github.com/snapcore/snapd/interfaces/udev" 31 "github.com/snapcore/snapd/snap" 32 "github.com/snapcore/snapd/snap/snaptest" 33 "github.com/snapcore/snapd/testutil" 34 ) 35 36 type KubernetesSupportInterfaceSuite struct { 37 iface interfaces.Interface 38 slotInfo *snap.SlotInfo 39 slot *interfaces.ConnectedSlot 40 plugInfo *snap.PlugInfo 41 plug *interfaces.ConnectedPlug 42 plugKubeletInfo *snap.PlugInfo 43 plugKubelet *interfaces.ConnectedPlug 44 plugKubeproxyInfo *snap.PlugInfo 45 plugKubeproxy *interfaces.ConnectedPlug 46 plugKubeAutobindInfo *snap.PlugInfo 47 plugKubeAutobind *interfaces.ConnectedPlug 48 plugBadInfo *snap.PlugInfo 49 plugBad *interfaces.ConnectedPlug 50 } 51 52 const k8sMockPlugSnapInfoYaml = `name: kubernetes-support 53 version: 0 54 plugs: 55 k8s-default: 56 interface: kubernetes-support 57 k8s-kubelet: 58 interface: kubernetes-support 59 flavor: kubelet 60 k8s-kubeproxy: 61 interface: kubernetes-support 62 flavor: kubeproxy 63 k8s-autobind-unix: 64 interface: kubernetes-support 65 flavor: autobind-unix 66 k8s-bad: 67 interface: kubernetes-support 68 flavor: bad 69 apps: 70 default: 71 plugs: [k8s-default] 72 kubelet: 73 plugs: [k8s-kubelet] 74 kubeproxy: 75 plugs: [k8s-kubeproxy] 76 kube-autobind-unix: 77 plugs: [k8s-autobind-unix] 78 ` 79 80 var _ = Suite(&KubernetesSupportInterfaceSuite{ 81 iface: builtin.MustInterface("kubernetes-support"), 82 }) 83 84 func (s *KubernetesSupportInterfaceSuite) SetUpTest(c *C) { 85 s.slotInfo = &snap.SlotInfo{ 86 Snap: &snap.Info{SuggestedName: "core", SnapType: snap.TypeOS}, 87 Name: "kubernetes-support", 88 Interface: "kubernetes-support", 89 } 90 s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil) 91 plugSnap := snaptest.MockInfo(c, k8sMockPlugSnapInfoYaml, nil) 92 93 s.plugInfo = plugSnap.Plugs["k8s-default"] 94 s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil) 95 96 s.plugKubeletInfo = plugSnap.Plugs["k8s-kubelet"] 97 s.plugKubelet = interfaces.NewConnectedPlug(s.plugKubeletInfo, nil, nil) 98 99 s.plugKubeproxyInfo = plugSnap.Plugs["k8s-kubeproxy"] 100 s.plugKubeproxy = interfaces.NewConnectedPlug(s.plugKubeproxyInfo, nil, nil) 101 102 s.plugKubeAutobindInfo = plugSnap.Plugs["k8s-autobind-unix"] 103 s.plugKubeAutobind = interfaces.NewConnectedPlug(s.plugKubeAutobindInfo, nil, nil) 104 105 s.plugBadInfo = plugSnap.Plugs["k8s-bad"] 106 s.plugBad = interfaces.NewConnectedPlug(s.plugBadInfo, nil, nil) 107 } 108 109 func (s *KubernetesSupportInterfaceSuite) TestName(c *C) { 110 c.Assert(s.iface.Name(), Equals, "kubernetes-support") 111 } 112 113 func (s *KubernetesSupportInterfaceSuite) TestSanitizeSlot(c *C) { 114 c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil) 115 } 116 117 func (s *KubernetesSupportInterfaceSuite) TestSanitizePlug(c *C) { 118 c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil) 119 c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugKubeletInfo), IsNil) 120 c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugKubeproxyInfo), IsNil) 121 c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugBadInfo), ErrorMatches, `kubernetes-support plug requires "flavor" to be either "kubelet", "kubeproxy" or "autobind-unix"`) 122 } 123 124 func (s *KubernetesSupportInterfaceSuite) TestKModConnectedPlug(c *C) { 125 // default should have kubeproxy modules 126 spec := &kmod.Specification{} 127 err := spec.AddConnectedPlug(s.iface, s.plug, s.slot) 128 c.Assert(err, IsNil) 129 c.Assert(spec.Modules(), DeepEquals, map[string]bool{ 130 "llc": true, 131 "stp": true, 132 "ip_vs_rr": true, 133 "ip_vs_sh": true, 134 "ip_vs_wrr": true, 135 "libcrc32c": true, 136 }) 137 138 // kubeproxy should have its modules 139 spec = &kmod.Specification{} 140 err = spec.AddConnectedPlug(s.iface, s.plugKubeproxy, s.slot) 141 c.Assert(err, IsNil) 142 c.Assert(spec.Modules(), DeepEquals, map[string]bool{ 143 "llc": true, 144 "stp": true, 145 "ip_vs_rr": true, 146 "ip_vs_sh": true, 147 "ip_vs_wrr": true, 148 "libcrc32c": true, 149 }) 150 151 // kubelet shouldn't have anything 152 spec = &kmod.Specification{} 153 err = spec.AddConnectedPlug(s.iface, s.plugKubelet, s.slot) 154 c.Assert(err, IsNil) 155 c.Assert(spec.Modules(), DeepEquals, map[string]bool{}) 156 } 157 158 func (s *KubernetesSupportInterfaceSuite) TestAppArmorConnectedPlug(c *C) { 159 // default should have kubeproxy, kubelet and autobind rules 160 spec := &apparmor.Specification{} 161 err := spec.AddConnectedPlug(s.iface, s.plug, s.slot) 162 c.Assert(err, IsNil) 163 c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.default"}) 164 c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Common rules for running as a kubernetes node\n") 165 c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Allow running as the kubelet service\n") 166 c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Allow running as the kubeproxy service\n") 167 c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Common rules for kubernetes use of systemd_run\n") 168 c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# kubelet mount rules\n") 169 c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Allow using the 'autobind' feature of bind() (eg, for journald).\n") 170 c.Check(spec.UsesPtraceTrace(), Equals, true) 171 172 // kubeproxy should have its rules and autobind rules 173 spec = &apparmor.Specification{} 174 err = spec.AddConnectedPlug(s.iface, s.plugKubeproxy, s.slot) 175 c.Assert(err, IsNil) 176 c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.kubeproxy"}) 177 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), testutil.Contains, "# Common rules for running as a kubernetes node\n") 178 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), testutil.Contains, "# Allow running as the kubeproxy service\n") 179 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), Not(testutil.Contains), "# Allow running as the kubelet service\n") 180 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), testutil.Contains, "# Common rules for kubernetes use of systemd_run\n") 181 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), Not(testutil.Contains), "# kubelet mount rules\n") 182 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), testutil.Contains, "# Allow using the 'autobind' feature of bind() (eg, for journald).\n") 183 c.Check(spec.UsesPtraceTrace(), Equals, false) 184 185 // kubelet should have its rules and autobind rules 186 spec = &apparmor.Specification{} 187 err = spec.AddConnectedPlug(s.iface, s.plugKubelet, s.slot) 188 c.Assert(err, IsNil) 189 c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.kubelet"}) 190 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# Common rules for running as a kubernetes node\n") 191 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# Allow running as the kubelet service\n") 192 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), Not(testutil.Contains), "# Allow running as the kubeproxy service\n") 193 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# Common rules for kubernetes use of systemd_run\n") 194 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# kubelet mount rules\n") 195 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# Allow using the 'autobind' feature of bind() (eg, for journald).\n") 196 c.Check(spec.UsesPtraceTrace(), Equals, true) 197 198 // kube-autobind-unix should have only its autobind rules 199 spec = &apparmor.Specification{} 200 err = spec.AddConnectedPlug(s.iface, s.plugKubeAutobind, s.slot) 201 c.Assert(err, IsNil) 202 c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.kube-autobind-unix"}) 203 c.Check(spec.SnippetForTag("snap.kubernetes-support.kube-autobind-unix"), Not(testutil.Contains), "# Common rules for running as a kubernetes node\n") 204 c.Check(spec.SnippetForTag("snap.kubernetes-support.kube-autobind-unix"), Not(testutil.Contains), "# Allow running as the kubelet service\n") 205 c.Check(spec.SnippetForTag("snap.kubernetes-support.kube-autobind-unix"), Not(testutil.Contains), "# Allow running as the kubeproxy service\n") 206 c.Check(spec.SnippetForTag("snap.kubernetes-support.kube-autobind-unix"), Not(testutil.Contains), "# Common rules for kubernetes use of systemd_run\n") 207 c.Check(spec.SnippetForTag("snap.kubernetes-support.kube-autobind-unix"), Not(testutil.Contains), "# kubelet mount rules\n") 208 c.Check(spec.SnippetForTag("snap.kubernetes-support.kube-autobind-unix"), testutil.Contains, "# Allow using the 'autobind' feature of bind() (eg, for journald).\n") 209 c.Check(spec.UsesPtraceTrace(), Equals, false) 210 } 211 212 func (s *KubernetesSupportInterfaceSuite) TestSecCompConnectedPlug(c *C) { 213 // default should have kubelet rules 214 spec := &seccomp.Specification{} 215 err := spec.AddConnectedPlug(s.iface, s.plug, s.slot) 216 c.Assert(err, IsNil) 217 c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.default"}) 218 c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Allow running as the kubelet service\n") 219 c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Allow using the 'autobind' feature of bind() (eg, for journald).\n") 220 221 // kubeproxy should have the autobind rules 222 spec = &seccomp.Specification{} 223 err = spec.AddConnectedPlug(s.iface, s.plugKubeproxy, s.slot) 224 c.Assert(err, IsNil) 225 c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.kubeproxy"}) 226 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), Not(testutil.Contains), "# Allow running as the kubelet service\n") 227 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), testutil.Contains, "# Allow using the 'autobind' feature of bind() (eg, for journald).\n") 228 229 // kubelet should have its rules and the autobind rules 230 spec = &seccomp.Specification{} 231 err = spec.AddConnectedPlug(s.iface, s.plugKubelet, s.slot) 232 c.Assert(err, IsNil) 233 c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.kubelet"}) 234 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# Allow running as the kubelet service\n") 235 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# Allow using the 'autobind' feature of bind() (eg, for journald).\n") 236 237 // kube-autobind-unix should have the autobind rules 238 spec = &seccomp.Specification{} 239 err = spec.AddConnectedPlug(s.iface, s.plugKubeAutobind, s.slot) 240 c.Assert(err, IsNil) 241 c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.kube-autobind-unix"}) 242 c.Check(spec.SnippetForTag("snap.kubernetes-support.kube-autobind-unix"), Not(testutil.Contains), "# Allow running as the kubelet service\n") 243 c.Check(spec.SnippetForTag("snap.kubernetes-support.kube-autobind-unix"), testutil.Contains, "# Allow using the 'autobind' feature of bind() (eg, for journald).\n") 244 } 245 246 func (s *KubernetesSupportInterfaceSuite) TestUDevConnectedPlug(c *C) { 247 // default should have kubelet rules 248 spec := &udev.Specification{} 249 err := spec.AddConnectedPlug(s.iface, s.plug, s.slot) 250 c.Assert(err, IsNil) 251 c.Assert(spec.Snippets(), HasLen, 2) 252 c.Assert(spec.Snippets(), testutil.Contains, `# kubernetes-support 253 KERNEL=="kmsg", TAG+="snap_kubernetes-support_default"`) 254 c.Assert(spec.Snippets(), testutil.Contains, `TAG=="snap_kubernetes-support_default", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_kubernetes-support_default $devpath $major:$minor"`) 255 256 // kubeproxy should not have any rules 257 spec = &udev.Specification{} 258 err = spec.AddConnectedPlug(s.iface, s.plugKubeproxy, s.slot) 259 c.Assert(err, IsNil) 260 c.Assert(spec.Snippets(), HasLen, 0) 261 262 // kubelet should have only its rules 263 spec = &udev.Specification{} 264 err = spec.AddConnectedPlug(s.iface, s.plugKubelet, s.slot) 265 c.Assert(err, IsNil) 266 c.Assert(spec.Snippets(), HasLen, 2) 267 c.Assert(spec.Snippets(), testutil.Contains, `# kubernetes-support 268 KERNEL=="kmsg", TAG+="snap_kubernetes-support_kubelet"`) 269 c.Assert(spec.Snippets(), testutil.Contains, `TAG=="snap_kubernetes-support_kubelet", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_kubernetes-support_kubelet $devpath $major:$minor"`) 270 } 271 272 func (s *KubernetesSupportInterfaceSuite) TestInterfaces(c *C) { 273 c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface) 274 }