k8s.io/kubernetes@v1.29.3/test/e2e/upgrades/node/apparmor.go (about) 1 /* 2 Copyright 2017 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package node 18 19 import ( 20 "context" 21 22 v1 "k8s.io/api/core/v1" 23 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 24 "k8s.io/kubernetes/test/e2e/framework" 25 e2ekubectl "k8s.io/kubernetes/test/e2e/framework/kubectl" 26 e2epod "k8s.io/kubernetes/test/e2e/framework/pod" 27 e2esecurity "k8s.io/kubernetes/test/e2e/framework/security" 28 e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" 29 "k8s.io/kubernetes/test/e2e/upgrades" 30 31 "github.com/onsi/ginkgo/v2" 32 "github.com/onsi/gomega" 33 "github.com/onsi/gomega/gstruct" 34 ) 35 36 // AppArmorUpgradeTest tests that AppArmor profiles are enforced & usable across upgrades. 37 type AppArmorUpgradeTest struct { 38 pod *v1.Pod 39 } 40 41 // Name returns the tracking name of the test. 42 func (AppArmorUpgradeTest) Name() string { return "apparmor-upgrade" } 43 44 // Skip returns true when this test can be skipped. 45 func (AppArmorUpgradeTest) Skip(upgCtx upgrades.UpgradeContext) bool { 46 supportedImages := make(map[string]bool) 47 for _, d := range e2eskipper.AppArmorDistros { 48 supportedImages[d] = true 49 } 50 51 for _, vCtx := range upgCtx.Versions { 52 if !supportedImages[vCtx.NodeImage] { 53 return true 54 } 55 } 56 return false 57 } 58 59 // Setup creates a secret and then verifies that a pod can consume it. 60 func (t *AppArmorUpgradeTest) Setup(ctx context.Context, f *framework.Framework) { 61 ginkgo.By("Loading AppArmor profiles to nodes") 62 e2esecurity.LoadAppArmorProfiles(ctx, f.Namespace.Name, f.ClientSet) 63 64 // Create the initial test pod. 65 ginkgo.By("Creating a long-running AppArmor enabled pod.") 66 t.pod = e2esecurity.CreateAppArmorTestPod(ctx, f.Namespace.Name, f.ClientSet, e2epod.NewPodClient(f), false, false) 67 68 // Verify initial state. 69 t.verifyNodesAppArmorEnabled(ctx, f) 70 t.verifyNewPodSucceeds(ctx, f) 71 } 72 73 // Test waits for the upgrade to complete, and then verifies that a 74 // pod can still consume the secret. 75 func (t *AppArmorUpgradeTest) Test(ctx context.Context, f *framework.Framework, done <-chan struct{}, upgrade upgrades.UpgradeType) { 76 <-done 77 if upgrade == upgrades.MasterUpgrade { 78 t.verifyPodStillUp(ctx, f) 79 } 80 t.verifyNodesAppArmorEnabled(ctx, f) 81 t.verifyNewPodSucceeds(ctx, f) 82 } 83 84 // Teardown cleans up any remaining resources. 85 func (t *AppArmorUpgradeTest) Teardown(ctx context.Context, f *framework.Framework) { 86 // rely on the namespace deletion to clean up everything 87 ginkgo.By("Logging container failures") 88 e2ekubectl.LogFailedContainers(ctx, f.ClientSet, f.Namespace.Name, framework.Logf) 89 } 90 91 func (t *AppArmorUpgradeTest) verifyPodStillUp(ctx context.Context, f *framework.Framework) { 92 ginkgo.By("Verifying an AppArmor profile is continuously enforced for a pod") 93 pod, err := e2epod.NewPodClient(f).Get(ctx, t.pod.Name, metav1.GetOptions{}) 94 framework.ExpectNoError(err, "Should be able to get pod") 95 gomega.Expect(pod.Status.Phase).To(gomega.Equal(v1.PodRunning), "Pod should stay running") 96 gomega.Expect(pod.Status.ContainerStatuses[0].State.Running).NotTo(gomega.BeNil(), "Container should be running") 97 gomega.Expect(pod.Status.ContainerStatuses[0].RestartCount).To(gomega.BeZero(), "Container should not need to be restarted") 98 } 99 100 func (t *AppArmorUpgradeTest) verifyNewPodSucceeds(ctx context.Context, f *framework.Framework) { 101 ginkgo.By("Verifying an AppArmor profile is enforced for a new pod") 102 e2esecurity.CreateAppArmorTestPod(ctx, f.Namespace.Name, f.ClientSet, e2epod.NewPodClient(f), false, true) 103 } 104 105 func (t *AppArmorUpgradeTest) verifyNodesAppArmorEnabled(ctx context.Context, f *framework.Framework) { 106 ginkgo.By("Verifying nodes are AppArmor enabled") 107 nodes, err := f.ClientSet.CoreV1().Nodes().List(ctx, metav1.ListOptions{}) 108 framework.ExpectNoError(err, "Failed to list nodes") 109 for _, node := range nodes.Items { 110 gomega.Expect(node.Status.Conditions).To(gstruct.MatchElements(conditionType, gstruct.IgnoreExtras, gstruct.Elements{ 111 "Ready": gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{ 112 "Message": gomega.ContainSubstring("AppArmor enabled"), 113 }), 114 })) 115 } 116 } 117 118 func conditionType(condition interface{}) string { 119 return string(condition.(v1.NodeCondition).Type) 120 }