github.com/kata-containers/tests@v0.0.0-20240307153542-772105b56064/integration/kubernetes/k8s-ro-volume.bats

github.com/kata-containers/tests@v0.0.0-20240307153542-772105b56064/integration/kubernetes/k8s-ro-volume.bats (about)

     1  #!/usr/bin/env bats
     2  #
     3  # Copyright (c) 2021 Ant Group
     4  #
     5  # SPDX-License-Identifier: Apache-2.0
     6  #
     7  
     8  load "${BATS_TEST_DIRNAME}/../../.ci/lib.sh"
     9  load "${BATS_TEST_DIRNAME}/tests_common.sh"
    10  
    11  setup() {
    12  	[ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
    13  	pod_name="test-readonly-volume"
    14  	container_name="busybox-ro-volume-container"
    15  	tmp_file="ro-volume-test-foobarfoofoo"
    16  	ro_volume_suffix="-tmp"
    17  	get_pod_config_dir
    18  }
    19  
    20  @test "Test readonly volume for pods" {
    21  	[ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
    22  	# Create pod
    23  	kubectl create -f "${pod_config_dir}/pod-readonly-volume.yaml"
    24  
    25  	# Check pod creation
    26  	kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
    27  
    28  	# Validate readonly volume mount inside pod
    29  	check_cmd="mount|grep /tmp"
    30  	kubectl exec $pod_name -- sh -c "$check_cmd" | grep '\<ro\>'
    31  
    32  	# Validate readonly volume mount in the guest
    33  	pod_id=$(sudo -E crictl pods -q -s Ready --name $pod_name)
    34  	sudo ./ro-volume-exp.sh $pod_id $ro_volume_suffix $tmp_file || true
    35  
    36  	# runtime-rs host path
    37  	rw="/run/kata-containers/shared/sandboxes/$pod_id/rw/"
    38  	ro="/run/kata-containers/shared/sandboxes/$pod_id/ro/"
    39  	
    40  	# runtime-go host path
    41  	shared_mounts="/run/kata-containers/shared/sandboxes/$pod_id/shared/"
    42  	host_mounts="/run/kata-containers/shared/sandboxes/$pod_id/mounts/"
    43  
    44  	pid=$(ps -ef | grep $pod_id | grep -v grep | awk '{print $2}')
    45  	if [[ "${KATA_HYPERVISOR}" == "dragonball" ]]; then
    46  		sudo nsenter -t $pid -m ls -lR $rw | grep $tmp_file && echo "should not find $tmp_file in shared mounts" && false
    47  		sudo nsenter -t $pid -m ls -lR $ro | grep $tmp_file && echo "should not find $tmp_file in host mounts" && false
    48  	else	
    49  		sudo ls -lR $shared_mounts | grep $tmp_file && echo "should not find $tmp_file in shared mounts" && false
    50  		sudo ls -lR $host_mounts | grep $tmp_file && echo "should not find $tmp_file in host mounts" && false
    51  	fi
    52  
    53  	# Validate readonly volume mount on the host
    54  	if [[ "${KATA_HYPERVISOR}" == "dragonball" ]]; then
    55  		sudo nsenter -t $pid -m mount | grep $rw | grep -- $ro_volume_suffix | grep '\<ro\>'
    56  		sudo nsenter -t $pid -m mount | grep $ro | grep -- $ro_volume_suffix | grep '\<ro\>'
    57  	else 
    58  		container_id=$(sudo -E crictl ps -q --state Running --name $container_name)
    59  		mount | grep $shared_mounts | grep $container_id | grep -- $ro_volume_suffix | grep '\<ro\>'
    60  		mount | grep $host_mounts | grep $container_id | grep -- $ro_volume_suffix | grep '\<ro\>'
    61  	fi
    62  }
    63  
    64  teardown() {
    65  	[ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
    66  	kubectl delete pod "$pod_name"
    67  }