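#!/usr/bin/env bats
#
# Copyright (c) 2021 Apple Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# Checks that the capability mask of a Kata pod is actually restricted:
# the permitted set (CapPrm in /proc/self/status) is inspected both from the
# container's own output (kubectl logs; pod-caps.yaml is not shown here and is
# assumed to print /proc/self/status) and from a process started via
# `kubectl exec`.

load "${BATS_TEST_DIRNAME}/../../.ci/lib.sh"
load "${BATS_TEST_DIRNAME}/tests_common.sh"

setup() {
	pod_name="pod-caps"
	get_pod_config_dir
	# We expect the capabilities mask to vary per distribution and runtime
	# configuration. Even so, a few common bits must not be set unless we
	# are failing to apply capabilities at all. If we fail to configure,
	# we'll see all bits set for permitted: 0x03fffffffff
	# We do expect certain parts of the mask to be common when we set
	# appropriately:
	# b20..b23 should be cleared for all (no CAP_SYS_{PACCT, ADMIN, NICE, BOOT})
	# b0..b11 are consistent across the distros:
	# 0x5fb: 0101 1111 1011
	#        | |        \- should be cleared (CAP_DAC_READ_SEARCH)
	#        | \- should be cleared (CAP_LINUX_IMMUTABLE)
	#        \- should be cleared (CAP_NET_BROADCAST)
	# Example match:
	# CapPrm: 00000000a80425fb
	#
	# The pattern pins the nibble for b20..b23 to 0 and the low 12 bits to
	# 5fb; everything else is allowed to vary.
	#
	# NOTE(review): only CapPrm is asserted. CapEff (what the process can use
	# right now) and CapBnd (what it could ever regain through file
	# capabilities or setuid binaries) are not checked; asserting those lines
	# as well would make the test stronger.
	expected="CapPrm.*..0..5fb$"
}

@test "Check capabilities of pod" {
	# Create pod
	kubectl create -f "${pod_config_dir}/pod-caps.yaml"
	# Check pod creation
	kubectl wait --for=condition=Ready --timeout="$timeout" pod "$pod_name"

	# Verify expected capabilities for the running container. Add retry to
	# ensure that the container had time to execute.
	# The command string contains a pipe, so waitForProcess has to evaluate
	# it as shell; the pattern is single-quoted inside the string so it
	# reaches grep verbatim instead of being exposed to glob expansion.
	wait_time=5
	sleep_time=1
	cmd="kubectl logs $pod_name | grep -q '$expected'"
	waitForProcess "$wait_time" "$sleep_time" "$cmd"

	# Verify expected capabilities from exec context: a process started via
	# exec must carry the same restricted CapPrm, not just the container's
	# main process. A non-matching mask fails the pipeline and thus the test.
	kubectl exec "$pod_name" -- sh -c "cat /proc/self/status" | grep -q "$expected"
}

teardown() {
	# Debugging information. The logs/exec commands are best-effort: if the
	# pod never became Ready they fail, and a non-zero exit here would stop
	# teardown before `kubectl delete`, leaking the pod into later tests.
	echo "expected capability mask:"
	echo "$expected"
	echo "observed: "
	kubectl logs "pod/$pod_name" || true
	kubectl exec "$pod_name" -- sh -c "cat /proc/self/status | grep Cap" || true
	kubectl delete pod "$pod_name"
}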