e2e_node: Don't use userns in DefaultPocMount tests

rata · rata · commit 3b7926824ec3 · 2025-02-17T11:51:55.000+01:00
When proc mount is set to default, it should mask /proc.

The DefaultProcMount test was setting "hostUsers: false" which means to
create a user namespaces. This was not causing issues before, because
user namespaces was disabled by default and therefore the field was
completely ignored. Now that userns is enabled by default, the test is
failing as the runtime doesn't always have userns support.

One option would be to filter for runtimes that do have userns support.
But the default case (/proc is masked) for sure we want to test it
without userns support, as it will be applied to all pods.

To that end, we add a param "hostUsers bool" to testProcMount that will
enable it or not. Then, both test cases that call this function set it
accordingly: the default case sets it to true (no user namespace), and
the unmasked case with a privileged pod sets it to false (use a user
namespace), to verify the /proc mount is unmasked in this case.

Signed-off-by: Rodrigo Campos &lt;rodrigoca@microsoft.com&gt;
diff --git a/test/e2e_node/proc_mount_test.go b/test/e2e_node/proc_mount_test.go
@@ -41,7 +41,7 @@ var _ = SIGDescribe("DefaultProcMount [LinuxOnly]", framework.WithNodeConformanc
 	f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
 
 	ginkgo.It("will mask proc mounts by default", func(ctx context.Context) {
-		testProcMount(ctx, f, v1.DefaultProcMount, gomega.BeNumerically(">", 1), gomega.BeNumerically(">", 0))
+		testProcMount(ctx, f, v1.DefaultProcMount, true, gomega.BeNumerically(">", 1), gomega.BeNumerically(">", 0))
 	})
 })
 
@@ -85,11 +85,11 @@ var _ = SIGDescribe("ProcMount [LinuxOnly]", feature.ProcMountType, feature.User
 		if !supportsUserNS(ctx, f) {
 			e2eskipper.Skipf("runtime does not support user namespaces")
 		}
-		testProcMount(ctx, f, v1.UnmaskedProcMount, gomega.Equal(1), gomega.BeZero())
+		testProcMount(ctx, f, v1.UnmaskedProcMount, false, gomega.Equal(1), gomega.BeZero())
 	})
 })
 
-func testProcMount(ctx context.Context, f *framework.Framework, pmt v1.ProcMountType, expectedLines gomegatypes.GomegaMatcher, expectedReadOnly gomegatypes.GomegaMatcher) {
+func testProcMount(ctx context.Context, f *framework.Framework, pmt v1.ProcMountType, hostUsers bool, expectedLines gomegatypes.GomegaMatcher, expectedReadOnly gomegatypes.GomegaMatcher) {
 	ginkgo.By("creating a target pod")
 	podClient := e2epod.NewPodClient(f)
 	pod := podClient.CreateSync(ctx, &v1.Pod{
@@ -106,7 +106,7 @@ func testProcMount(ctx context.Context, f *framework.Framework, pmt v1.ProcMount
 					},
 				},
 			},
-			HostUsers: &falseVar,
+			HostUsers: &hostUsers,
 		},
 	})
 
