github.com/rigado/snapd@v2.42.5-go-mod+incompatible/interfaces/builtin/kubernetes_support_test.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2017-2018 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package builtin_test 21 22 import ( 23 . "gopkg.in/check.v1" 24 25 "github.com/snapcore/snapd/interfaces" 26 "github.com/snapcore/snapd/interfaces/apparmor" 27 "github.com/snapcore/snapd/interfaces/builtin" 28 "github.com/snapcore/snapd/interfaces/kmod" 29 "github.com/snapcore/snapd/interfaces/seccomp" 30 "github.com/snapcore/snapd/interfaces/udev" 31 "github.com/snapcore/snapd/snap" 32 "github.com/snapcore/snapd/snap/snaptest" 33 "github.com/snapcore/snapd/testutil" 34 ) 35 36 type KubernetesSupportInterfaceSuite struct { 37 iface interfaces.Interface 38 slotInfo *snap.SlotInfo 39 slot *interfaces.ConnectedSlot 40 plugInfo *snap.PlugInfo 41 plug *interfaces.ConnectedPlug 42 plugKubeletInfo *snap.PlugInfo 43 plugKubelet *interfaces.ConnectedPlug 44 plugKubeproxyInfo *snap.PlugInfo 45 plugKubeproxy *interfaces.ConnectedPlug 46 plugBadInfo *snap.PlugInfo 47 plugBad *interfaces.ConnectedPlug 48 } 49 50 const k8sMockPlugSnapInfoYaml = `name: kubernetes-support 51 version: 0 52 plugs: 53 k8s-default: 54 interface: kubernetes-support 55 k8s-kubelet: 56 interface: kubernetes-support 57 flavor: kubelet 58 k8s-kubeproxy: 59 interface: kubernetes-support 60 flavor: kubeproxy 61 k8s-bad: 62 interface: kubernetes-support 63 flavor: bad 64 apps: 65 default: 66 plugs: [k8s-default] 67 kubelet: 68 plugs: [k8s-kubelet] 69 kubeproxy: 70 plugs: [k8s-kubeproxy] 71 ` 72 73 var _ = Suite(&KubernetesSupportInterfaceSuite{ 74 iface: builtin.MustInterface("kubernetes-support"), 75 }) 76 77 func (s *KubernetesSupportInterfaceSuite) SetUpTest(c *C) { 78 s.slotInfo = &snap.SlotInfo{ 79 Snap: &snap.Info{SuggestedName: "core", SnapType: snap.TypeOS}, 80 Name: "kubernetes-support", 81 Interface: "kubernetes-support", 82 } 83 s.slot = interfaces.NewConnectedSlot(s.slotInfo, nil, nil) 84 plugSnap := snaptest.MockInfo(c, k8sMockPlugSnapInfoYaml, nil) 85 86 s.plugInfo = plugSnap.Plugs["k8s-default"] 87 s.plug = interfaces.NewConnectedPlug(s.plugInfo, nil, nil) 88 89 s.plugKubeletInfo = plugSnap.Plugs["k8s-kubelet"] 90 s.plugKubelet = interfaces.NewConnectedPlug(s.plugKubeletInfo, nil, nil) 91 92 s.plugKubeproxyInfo = plugSnap.Plugs["k8s-kubeproxy"] 93 s.plugKubeproxy = interfaces.NewConnectedPlug(s.plugKubeproxyInfo, nil, nil) 94 95 s.plugBadInfo = plugSnap.Plugs["k8s-bad"] 96 s.plugBad = interfaces.NewConnectedPlug(s.plugBadInfo, nil, nil) 97 } 98 99 func (s *KubernetesSupportInterfaceSuite) TestName(c *C) { 100 c.Assert(s.iface.Name(), Equals, "kubernetes-support") 101 } 102 103 func (s *KubernetesSupportInterfaceSuite) TestSanitizeSlot(c *C) { 104 c.Assert(interfaces.BeforePrepareSlot(s.iface, s.slotInfo), IsNil) 105 } 106 107 func (s *KubernetesSupportInterfaceSuite) TestSanitizePlug(c *C) { 108 c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugInfo), IsNil) 109 c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugKubeletInfo), IsNil) 110 c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugKubeproxyInfo), IsNil) 111 c.Assert(interfaces.BeforePreparePlug(s.iface, s.plugBadInfo), ErrorMatches, `kubernetes-support plug requires "flavor" to be either "kubelet" or "kubeproxy"`) 112 } 113 114 func (s *KubernetesSupportInterfaceSuite) TestKModConnectedPlug(c *C) { 115 // default should have kubeproxy modules 116 spec := &kmod.Specification{} 117 err := spec.AddConnectedPlug(s.iface, s.plug, s.slot) 118 c.Assert(err, IsNil) 119 c.Assert(spec.Modules(), DeepEquals, map[string]bool{ 120 "llc": true, 121 "stp": true, 122 "ip_vs_rr": true, 123 "ip_vs_sh": true, 124 "ip_vs_wrr": true, 125 "libcrc32c": true, 126 }) 127 128 // kubeproxy should have its modules 129 spec = &kmod.Specification{} 130 err = spec.AddConnectedPlug(s.iface, s.plugKubeproxy, s.slot) 131 c.Assert(err, IsNil) 132 c.Assert(spec.Modules(), DeepEquals, map[string]bool{ 133 "llc": true, 134 "stp": true, 135 "ip_vs_rr": true, 136 "ip_vs_sh": true, 137 "ip_vs_wrr": true, 138 "libcrc32c": true, 139 }) 140 141 // kubelet shouldn't have anything 142 spec = &kmod.Specification{} 143 err = spec.AddConnectedPlug(s.iface, s.plugKubelet, s.slot) 144 c.Assert(err, IsNil) 145 c.Assert(spec.Modules(), DeepEquals, map[string]bool{}) 146 } 147 148 func (s *KubernetesSupportInterfaceSuite) TestAppArmorConnectedPlug(c *C) { 149 // default should have kubeproxy and kubelet rules 150 spec := &apparmor.Specification{} 151 err := spec.AddConnectedPlug(s.iface, s.plug, s.slot) 152 c.Assert(err, IsNil) 153 c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.default"}) 154 c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Common rules for running as a kubernetes node\n") 155 c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Allow running as the kubelet service\n") 156 c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Allow running as the kubeproxy service\n") 157 c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Common rules for kubernetes use of systemd_run\n") 158 c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# kubelet mount rules\n") 159 c.Check(spec.UsesPtraceTrace(), Equals, true) 160 161 // kubeproxy should have only its rules 162 spec = &apparmor.Specification{} 163 err = spec.AddConnectedPlug(s.iface, s.plugKubeproxy, s.slot) 164 c.Assert(err, IsNil) 165 c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.kubeproxy"}) 166 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), testutil.Contains, "# Common rules for running as a kubernetes node\n") 167 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), testutil.Contains, "# Allow running as the kubeproxy service\n") 168 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), Not(testutil.Contains), "# Allow running as the kubelet service\n") 169 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), testutil.Contains, "# Common rules for kubernetes use of systemd_run\n") 170 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), Not(testutil.Contains), "# kubelet mount rules\n") 171 c.Check(spec.UsesPtraceTrace(), Equals, false) 172 173 // kubelet should have only its rules 174 spec = &apparmor.Specification{} 175 err = spec.AddConnectedPlug(s.iface, s.plugKubelet, s.slot) 176 c.Assert(err, IsNil) 177 c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.kubelet"}) 178 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# Common rules for running as a kubernetes node\n") 179 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# Allow running as the kubelet service\n") 180 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), Not(testutil.Contains), "# Allow running as the kubeproxy service\n") 181 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# Common rules for kubernetes use of systemd_run\n") 182 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# kubelet mount rules\n") 183 c.Check(spec.UsesPtraceTrace(), Equals, true) 184 } 185 186 func (s *KubernetesSupportInterfaceSuite) TestSecCompConnectedPlug(c *C) { 187 // default should have kubelet rules 188 spec := &seccomp.Specification{} 189 err := spec.AddConnectedPlug(s.iface, s.plug, s.slot) 190 c.Assert(err, IsNil) 191 c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.default"}) 192 c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Allow running as the kubelet service\n") 193 194 // kubeproxy should not have any rules 195 spec = &seccomp.Specification{} 196 err = spec.AddConnectedPlug(s.iface, s.plugKubeproxy, s.slot) 197 c.Assert(err, IsNil) 198 c.Assert(spec.SecurityTags(), HasLen, 0) 199 200 // kubelet should have only its rules 201 spec = &seccomp.Specification{} 202 err = spec.AddConnectedPlug(s.iface, s.plugKubelet, s.slot) 203 c.Assert(err, IsNil) 204 c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.kubelet"}) 205 c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# Allow running as the kubelet service\n") 206 } 207 208 func (s *KubernetesSupportInterfaceSuite) TestUDevConnectedPlug(c *C) { 209 // default should have kubelet rules 210 spec := &udev.Specification{} 211 err := spec.AddConnectedPlug(s.iface, s.plug, s.slot) 212 c.Assert(err, IsNil) 213 c.Assert(spec.Snippets(), HasLen, 2) 214 c.Assert(spec.Snippets(), testutil.Contains, `# kubernetes-support 215 KERNEL=="kmsg", TAG+="snap_kubernetes-support_default"`) 216 c.Assert(spec.Snippets(), testutil.Contains, `TAG=="snap_kubernetes-support_default", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_kubernetes-support_default $devpath $major:$minor"`) 217 218 // kubeproxy should not have any rules 219 spec = &udev.Specification{} 220 err = spec.AddConnectedPlug(s.iface, s.plugKubeproxy, s.slot) 221 c.Assert(err, IsNil) 222 c.Assert(spec.Snippets(), HasLen, 0) 223 224 // kubelet should have only its rules 225 spec = &udev.Specification{} 226 err = spec.AddConnectedPlug(s.iface, s.plugKubelet, s.slot) 227 c.Assert(err, IsNil) 228 c.Assert(spec.Snippets(), HasLen, 2) 229 c.Assert(spec.Snippets(), testutil.Contains, `# kubernetes-support 230 KERNEL=="kmsg", TAG+="snap_kubernetes-support_kubelet"`) 231 c.Assert(spec.Snippets(), testutil.Contains, `TAG=="snap_kubernetes-support_kubelet", RUN+="/usr/lib/snapd/snap-device-helper $env{ACTION} snap_kubernetes-support_kubelet $devpath $major:$minor"`) 232 } 233 234 func (s *KubernetesSupportInterfaceSuite) TestInterfaces(c *C) { 235 c.Check(builtin.Interfaces(), testutil.DeepContains, s.iface) 236 }