|
| 1 | +/* |
| 2 | +Copyright 2017 The Kubernetes Authors. |
| 3 | +
|
| 4 | +Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | +you may not use this file except in compliance with the License. |
| 6 | +You may obtain a copy of the License at |
| 7 | +
|
| 8 | + http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | +
|
| 10 | +Unless required by applicable law or agreed to in writing, software |
| 11 | +distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | +See the License for the specific language governing permissions and |
| 14 | +limitations under the License. |
| 15 | +*/ |
| 16 | + |
| 17 | +package validate |
| 18 | + |
| 19 | +import ( |
| 20 | + "time" |
| 21 | + |
| 22 | + "github.com/kubernetes-incubator/cri-tools/pkg/framework" |
| 23 | + "github.com/opencontainers/selinux/go-selinux" |
| 24 | + internalapi "k8s.io/kubernetes/pkg/kubelet/apis/cri" |
| 25 | + runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1/runtime" |
| 26 | + |
| 27 | + . "github.com/onsi/ginkgo" |
| 28 | + . "github.com/onsi/gomega" |
| 29 | +) |
| 30 | + |
| 31 | +var _ = framework.KubeDescribe("SELinux", func() { |
| 32 | + f := framework.NewDefaultCRIFramework() |
| 33 | + |
| 34 | + var rc internalapi.RuntimeService |
| 35 | + var ic internalapi.ImageManagerService |
| 36 | + |
| 37 | + if selinux.GetEnabled() { |
| 38 | + BeforeEach(func() { |
| 39 | + rc = f.CRIClient.CRIRuntimeClient |
| 40 | + ic = f.CRIClient.CRIImageClient |
| 41 | + }) |
| 42 | + |
| 43 | + Context("runtime should support selinux", func() { |
| 44 | + var sandboxID string |
| 45 | + var sandboxConfig *runtimeapi.PodSandboxConfig |
| 46 | + |
| 47 | + BeforeEach(func() { |
| 48 | + sandboxID, sandboxConfig = framework.CreatePodSandboxForContainer(rc) |
| 49 | + }) |
| 50 | + |
| 51 | + AfterEach(func() { |
| 52 | + By("stop PodSandbox") |
| 53 | + rc.StopPodSandbox(sandboxID) |
| 54 | + By("delete PodSandbox") |
| 55 | + rc.RemovePodSandbox(sandboxID) |
| 56 | + }) |
| 57 | + |
| 58 | + It("should work with just selinux level set", func() { |
| 59 | + options := &runtimeapi.SELinuxOption{ |
| 60 | + Level: "s0", |
| 61 | + } |
| 62 | + containerID := createContainerWithSelinux(rc, ic, sandboxID, sandboxConfig, options, true, true) |
| 63 | + checkContainerSelinux(rc, containerID, true) |
| 64 | + }) |
| 65 | + |
| 66 | + It("should work with selinux set", func() { |
| 67 | + options := &runtimeapi.SELinuxOption{ |
| 68 | + User: "system_u", |
| 69 | + Role: "system_r", |
| 70 | + Type: "svirt_lxc_net_t", |
| 71 | + Level: "s0:c4,c5", |
| 72 | + } |
| 73 | + containerID := createContainerWithSelinux(rc, ic, sandboxID, sandboxConfig, options, true, true) |
| 74 | + checkContainerSelinux(rc, containerID, true) |
| 75 | + }) |
| 76 | + |
| 77 | + It("should error on create with wrong options", func() { |
| 78 | + options := &runtimeapi.SELinuxOption{ |
| 79 | + User: "system_u", |
| 80 | + Role: "system_r", |
| 81 | + Type: "svirt_lxc_net_t", |
| 82 | + // s0,c4,c5 is wrong, should have been s0:c4,c5 |
| 83 | + Level: "s0,c4,c5", |
| 84 | + } |
| 85 | + _ = createContainerWithSelinux(rc, ic, sandboxID, sandboxConfig, options, false, false) |
| 86 | + }) |
| 87 | + }) |
| 88 | + } |
| 89 | +}) |
| 90 | + |
| 91 | +func createContainerWithSelinux(rc internalapi.RuntimeService, ic internalapi.ImageManagerService, sandboxID string, sandboxConfig *runtimeapi.PodSandboxConfig, options *runtimeapi.SELinuxOption, shouldStart, shouldCreate bool) string { |
| 92 | + By("create a container with selinux") |
| 93 | + containerName := "selinux-test-" + framework.NewUUID() |
| 94 | + containerConfig := &runtimeapi.ContainerConfig{ |
| 95 | + Metadata: framework.BuildContainerMetadata(containerName, framework.DefaultAttempt), |
| 96 | + Image: &runtimeapi.ImageSpec{Image: framework.DefaultContainerImage}, |
| 97 | + Command: []string{"touch", "foo"}, |
| 98 | + Linux: &runtimeapi.LinuxContainerConfig{ |
| 99 | + SecurityContext: &runtimeapi.LinuxContainerSecurityContext{ |
| 100 | + SelinuxOptions: options, |
| 101 | + }, |
| 102 | + }, |
| 103 | + } |
| 104 | + containerID, err := framework.CreateContainerWithError(rc, ic, containerConfig, sandboxID, sandboxConfig) |
| 105 | + if !shouldCreate { |
| 106 | + Expect(err).To(HaveOccurred()) |
| 107 | + return "" |
| 108 | + } else { |
| 109 | + Expect(err).NotTo(HaveOccurred()) |
| 110 | + } |
| 111 | + |
| 112 | + By("start container with selinux") |
| 113 | + err = rc.StartContainer(containerID) |
| 114 | + if shouldStart { |
| 115 | + Expect(err).NotTo(HaveOccurred()) |
| 116 | + } else { |
| 117 | + Expect(err).To(HaveOccurred()) |
| 118 | + } |
| 119 | + |
| 120 | + // wait container exited and check the status. |
| 121 | + Eventually(func() runtimeapi.ContainerState { |
| 122 | + return getContainerStatus(rc, containerID).State |
| 123 | + }, time.Minute, time.Second*4).Should(Equal(runtimeapi.ContainerState_CONTAINER_EXITED)) |
| 124 | + |
| 125 | + return containerID |
| 126 | +} |
| 127 | + |
| 128 | +func checkContainerSelinux(rc internalapi.RuntimeService, containerID string, shoudRun bool) { |
| 129 | + By("get container status") |
| 130 | + status, err := rc.ContainerStatus(containerID) |
| 131 | + Expect(err).NotTo(HaveOccurred()) |
| 132 | + |
| 133 | + if shoudRun { |
| 134 | + Expect(status.GetExitCode()).To(Equal(int32(0))) |
| 135 | + } else { |
| 136 | + Expect(status.GetExitCode()).NotTo(Equal(int32(0))) |
| 137 | + } |
| 138 | +} |
0 commit comments