
     1  //go:build linux
     2  // +build linux
     3  
     4  /*
     5  Copyright 2022 The Kubernetes Authors.
     6  
     7  Licensed under the Apache License, Version 2.0 (the "License");
     8  you may not use this file except in compliance with the License.
     9  You may obtain a copy of the License at
    10  
    11      http://www.apache.org/licenses/LICENSE-2.0
    12  
    13  Unless required by applicable law or agreed to in writing, software
    14  distributed under the License is distributed on an "AS IS" BASIS,
    15  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    16  See the License for the specific language governing permissions and
    17  limitations under the License.
    18  */
    19  
    20  package e2enode
    21  
    22  import (
    23  	"context"
    24  
    25  	"github.com/onsi/ginkgo/v2"
    26  
    27  	v1 "k8s.io/api/core/v1"
    28  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    29  	"k8s.io/apimachinery/pkg/util/uuid"
    30  	admissionapi "k8s.io/pod-security-admission/api"
    31  
    32  	kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
    33  	"k8s.io/kubernetes/test/e2e/feature"
    34  	"k8s.io/kubernetes/test/e2e/framework"
    35  	e2eoutput "k8s.io/kubernetes/test/e2e/framework/pod/output"
    36  )
    37  
// Identifiers used by the probe pod to read the seccomp mode it runs under.
const (
	// SeccompProcStatusField is the field of /proc/$PID/status referencing the seccomp filter type.
	SeccompProcStatusField = "Seccomp:"

	// ProcSelfStatusPath is the path to /proc/self/status.
	ProcSelfStatusPath = "/proc/self/status"
)
    43  
// Serial because the test updates kubelet configuration.
var _ = SIGDescribe("SeccompDefault", framework.WithSerial(), feature.SeccompDefault, "[LinuxOnly]", func() {
	f := framework.NewDefaultFramework("seccompdefault-test")
	// The unconfined case below needs the privileged Pod Security level; the
	// baseline and restricted levels reject an Unconfined seccomp profile.
	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged

	ginkgo.Context("with SeccompDefault enabled", func() {
		// Enable the kubelet's SeccompDefault for this context; the helper's
		// name suggests the previous configuration is restored afterwards.
		tempSetCurrentKubeletConfig(f, func(ctx context.Context, cfg *kubeletconfig.KubeletConfiguration) {
			cfg.SeccompDefault = true
		})

		// buildProbePod returns a run-once busybox pod whose single container
		// greps the "Seccomp:" line out of its own /proc/self/status, so the
		// container's stdout reports the seccomp mode the runtime applied.
		// securityContext may be nil, in which case nothing is set on the
		// container and the kubelet default is what gets exercised.
		buildProbePod := func(securityContext *v1.SecurityContext) *v1.Pod {
			podName := "seccompdefault-test-" + string(uuid.NewUUID())
			probe := v1.Container{
				Name:            podName,
				Image:           busyboxImage,
				Command:         []string{"grep", SeccompProcStatusField, ProcSelfStatusPath},
				SecurityContext: securityContext,
			}

			var pod v1.Pod
			pod.ObjectMeta = metav1.ObjectMeta{Name: podName}
			pod.Spec.RestartPolicy = v1.RestartPolicyNever
			pod.Spec.Containers = []v1.Container{probe}
			return &pod
		}

		ginkgo.It("should use the default seccomp profile when unspecified", func(ctx context.Context) {
			// proc(5) documents the Seccomp field as 0 = disabled, 1 = strict,
			// 2 = filter. A value of 2 only proves that some BPF filter is
			// installed, not which profile it came from.
			expected := []string{"2"}
			e2eoutput.TestContainerOutput(ctx, f, "SeccompDefault", buildProbePod(nil), 0, expected)
		})

		ginkgo.It("should use unconfined when specified", func(ctx context.Context) {
			unconfined := &v1.SecurityContext{
				SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined},
			}
			// An explicit Unconfined profile must override the kubelet default,
			// which shows up as Seccomp mode 0 (disabled) in the status file.
			expected := []string{"0"}
			e2eoutput.TestContainerOutput(ctx, f, "SeccompDefault-unconfined", buildProbePod(unconfined), 0, expected)
		})
	})
})