k8s.io/kubernetes@v1.29.3/test/e2e/upgrades/node/apparmor.go (about)

     1  /*
     2  Copyright 2017 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package node
    18  
    19  import (
    20  	"context"
    21  
    22  	v1 "k8s.io/api/core/v1"
    23  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    24  	"k8s.io/kubernetes/test/e2e/framework"
    25  	e2ekubectl "k8s.io/kubernetes/test/e2e/framework/kubectl"
    26  	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
    27  	e2esecurity "k8s.io/kubernetes/test/e2e/framework/security"
    28  	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
    29  	"k8s.io/kubernetes/test/e2e/upgrades"
    30  
    31  	"github.com/onsi/ginkgo/v2"
    32  	"github.com/onsi/gomega"
    33  	"github.com/onsi/gomega/gstruct"
    34  )
    35  
    36  // AppArmorUpgradeTest tests that AppArmor profiles are enforced & usable across upgrades.
    37  type AppArmorUpgradeTest struct {
    38  	pod *v1.Pod
    39  }
    40  
    41  // Name returns the tracking name of the test.
    42  func (AppArmorUpgradeTest) Name() string { return "apparmor-upgrade" }
    43  
    44  // Skip returns true when this test can be skipped.
    45  func (AppArmorUpgradeTest) Skip(upgCtx upgrades.UpgradeContext) bool {
    46  	supportedImages := make(map[string]bool)
    47  	for _, d := range e2eskipper.AppArmorDistros {
    48  		supportedImages[d] = true
    49  	}
    50  
    51  	for _, vCtx := range upgCtx.Versions {
    52  		if !supportedImages[vCtx.NodeImage] {
    53  			return true
    54  		}
    55  	}
    56  	return false
    57  }
    58  
    59  // Setup creates a secret and then verifies that a pod can consume it.
    60  func (t *AppArmorUpgradeTest) Setup(ctx context.Context, f *framework.Framework) {
    61  	ginkgo.By("Loading AppArmor profiles to nodes")
    62  	e2esecurity.LoadAppArmorProfiles(ctx, f.Namespace.Name, f.ClientSet)
    63  
    64  	// Create the initial test pod.
    65  	ginkgo.By("Creating a long-running AppArmor enabled pod.")
    66  	t.pod = e2esecurity.CreateAppArmorTestPod(ctx, f.Namespace.Name, f.ClientSet, e2epod.NewPodClient(f), false, false)
    67  
    68  	// Verify initial state.
    69  	t.verifyNodesAppArmorEnabled(ctx, f)
    70  	t.verifyNewPodSucceeds(ctx, f)
    71  }
    72  
    73  // Test waits for the upgrade to complete, and then verifies that a
    74  // pod can still consume the secret.
    75  func (t *AppArmorUpgradeTest) Test(ctx context.Context, f *framework.Framework, done <-chan struct{}, upgrade upgrades.UpgradeType) {
    76  	<-done
    77  	if upgrade == upgrades.MasterUpgrade {
    78  		t.verifyPodStillUp(ctx, f)
    79  	}
    80  	t.verifyNodesAppArmorEnabled(ctx, f)
    81  	t.verifyNewPodSucceeds(ctx, f)
    82  }
    83  
    84  // Teardown cleans up any remaining resources.
    85  func (t *AppArmorUpgradeTest) Teardown(ctx context.Context, f *framework.Framework) {
    86  	// rely on the namespace deletion to clean up everything
    87  	ginkgo.By("Logging container failures")
    88  	e2ekubectl.LogFailedContainers(ctx, f.ClientSet, f.Namespace.Name, framework.Logf)
    89  }
    90  
    91  func (t *AppArmorUpgradeTest) verifyPodStillUp(ctx context.Context, f *framework.Framework) {
    92  	ginkgo.By("Verifying an AppArmor profile is continuously enforced for a pod")
    93  	pod, err := e2epod.NewPodClient(f).Get(ctx, t.pod.Name, metav1.GetOptions{})
    94  	framework.ExpectNoError(err, "Should be able to get pod")
    95  	gomega.Expect(pod.Status.Phase).To(gomega.Equal(v1.PodRunning), "Pod should stay running")
    96  	gomega.Expect(pod.Status.ContainerStatuses[0].State.Running).NotTo(gomega.BeNil(), "Container should be running")
    97  	gomega.Expect(pod.Status.ContainerStatuses[0].RestartCount).To(gomega.BeZero(), "Container should not need to be restarted")
    98  }
    99  
   100  func (t *AppArmorUpgradeTest) verifyNewPodSucceeds(ctx context.Context, f *framework.Framework) {
   101  	ginkgo.By("Verifying an AppArmor profile is enforced for a new pod")
   102  	e2esecurity.CreateAppArmorTestPod(ctx, f.Namespace.Name, f.ClientSet, e2epod.NewPodClient(f), false, true)
   103  }
   104  
   105  func (t *AppArmorUpgradeTest) verifyNodesAppArmorEnabled(ctx context.Context, f *framework.Framework) {
   106  	ginkgo.By("Verifying nodes are AppArmor enabled")
   107  	nodes, err := f.ClientSet.CoreV1().Nodes().List(ctx, metav1.ListOptions{})
   108  	framework.ExpectNoError(err, "Failed to list nodes")
   109  	for _, node := range nodes.Items {
   110  		gomega.Expect(node.Status.Conditions).To(gstruct.MatchElements(conditionType, gstruct.IgnoreExtras, gstruct.Elements{
   111  			"Ready": gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
   112  				"Message": gomega.ContainSubstring("AppArmor enabled"),
   113  			}),
   114  		}))
   115  	}
   116  }
   117  
   118  func conditionType(condition interface{}) string {
   119  	return string(condition.(v1.NodeCondition).Type)
   120  }