Skip to content

Commit 9ebe442

Browse files
jsafranejsafrane
committed
Add support for Debian and Ubuntu
Both Debian and Ubuntu + containerd can run with SELinux enabled. Add their defaults to the SELinux e2e tests.
1 parent 20b12ad commit 9ebe442

File tree

1 file changed

+39
-11
lines changed

1 file changed

+39
-11
lines changed

test/e2e/storage/csimock/csi_selinux_mount.go

Lines changed: 39 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -63,6 +63,16 @@ import (
6363
// - The test requires SELinuxMountReadWriteOncePod, Feature:SELinuxChangePolicy and SELinuxMount enabled.
6464
//
6565
// All other feature gate combinations should be invalid.
66+
67+
var (
68+
defaultSELinuxLabels = map[string]struct{ defaultProcessLabel, defaultFileLabel string }{
69+
"debian": {"svirt_lxc_net_t", "svirt_lxc_file_t"},
70+
"ubuntu": {"svirt_lxc_net_t", "svirt_lxc_file_t"},
71+
// Assume "custom" means Fedora and derivates. `e2e.test --node-os-distro=` does not have "fedora" or "rhel".
72+
"custom": {"container_t", "container_file_t"},
73+
}
74+
)
75+
6676
var _ = utils.SIGDescribe("CSI Mock selinux on mount", func() {
6777
f := framework.NewDefaultFramework("csi-mock-volumes-selinux")
6878
f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
@@ -71,21 +81,22 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount", func() {
7181
mount := v1.SELinuxChangePolicyMountOption
7282

7383
f.Context("SELinuxMount [LinuxOnly]", feature.SELinux, func() {
84+
processLabel, fileLabel := getDefaultContainerSELinuxLabels()
7485
// Make sure all options are set so system specific defaults are not used.
7586
seLinuxOpts1 := v1.SELinuxOptions{
7687
User: "system_u",
7788
Role: "system_r",
78-
Type: "container_t",
89+
Type: processLabel,
7990
Level: "s0:c0,c1",
8091
}
81-
seLinuxMountOption1 := "context=\"system_u:object_r:container_file_t:s0:c0,c1\""
92+
seLinuxMountOption1 := fmt.Sprintf("context=\"system_u:object_r:%s:s0:c0,c1\"", fileLabel)
8293
seLinuxOpts2 := v1.SELinuxOptions{
8394
User: "system_u",
8495
Role: "system_r",
85-
Type: "container_t",
96+
Type: processLabel,
8697
Level: "s0:c98,c99",
8798
}
88-
seLinuxMountOption2 := "context=\"system_u:object_r:container_file_t:s0:c98,c99\""
99+
seLinuxMountOption2 := fmt.Sprintf("context=\"system_u:object_r:%s:s0:c98,c99\"", fileLabel)
89100

90101
tests := []struct {
91102
name string
@@ -259,8 +270,8 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount", func() {
259270
for _, t := range tests {
260271
t := t
261272
testFunc := func(ctx context.Context) {
262-
if framework.NodeOSDistroIs("windows") {
263-
e2eskipper.Skipf("SELinuxMount is only applied on linux nodes -- skipping")
273+
if processLabel == "" {
274+
e2eskipper.Skipf("SELinux tests are supported only on %+v", getSupportedSELinuxDistros())
264275
}
265276
var nodeStageMountOpts, nodePublishMountOpts []string
266277
var unstageCalls, stageCalls, unpublishCalls, publishCalls atomic.Int32
@@ -406,17 +417,18 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount metrics", func() {
406417

407418
// [Serial]: the tests read global kube-controller-manager metrics, so no other test changes them in parallel.
408419
f.Context("SELinuxMount metrics [LinuxOnly]", feature.SELinux, f.WithSerial(), func() {
420+
processLabel, _ := getDefaultContainerSELinuxLabels()
409421
// Make sure all options are set so system specific defaults are not used.
410422
seLinuxOpts1 := v1.SELinuxOptions{
411423
User: "system_u",
412424
Role: "system_r",
413-
Type: "container_t",
425+
Type: processLabel,
414426
Level: "s0:c0,c1",
415427
}
416428
seLinuxOpts2 := v1.SELinuxOptions{
417429
User: "system_u",
418430
Role: "system_r",
419-
Type: "container_t",
431+
Type: processLabel,
420432
Level: "s0:c98,c99",
421433
}
422434
recursive := v1.SELinuxChangePolicyRecursive
@@ -614,12 +626,13 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount metrics", func() {
614626
for _, t := range tests {
615627
t := t
616628
testFunc := func(ctx context.Context) {
629+
if processLabel == "" {
630+
e2eskipper.Skipf("SELinux tests are supported only on %+v", getSupportedSELinuxDistros())
631+
}
632+
617633
// Some metrics use CSI driver name as a label, which is "csi-mock-" + the namespace name.
618634
volumePluginLabel := "volume_plugin=\"kubernetes.io/csi/csi-mock-" + f.Namespace.Name + "\""
619635

620-
if framework.NodeOSDistroIs("windows") {
621-
e2eskipper.Skipf("SELinuxMount is only applied on linux nodes -- skipping")
622-
}
623636
grabber, err := e2emetrics.NewMetricsGrabber(ctx, f.ClientSet, nil, f.ClientConfig(), true, false, false, false, false, false)
624637
framework.ExpectNoError(err, "creating the metrics grabber")
625638

@@ -784,3 +797,18 @@ func addLabels(metricNames sets.Set[string], volumePluginLabel string, accessMod
784797

785798
return ret
786799
}
800+
801+
func getDefaultContainerSELinuxLabels() (processLabel string, fileLabel string) {
802+
defaultLabels := defaultSELinuxLabels[framework.TestContext.NodeOSDistro]
803+
// This function can return "" for unknown distros!
804+
// SELinux tests should be skipped on those in their ginkgo.It().
805+
return defaultLabels.defaultProcessLabel, defaultLabels.defaultFileLabel
806+
}
807+
808+
func getSupportedSELinuxDistros() []string {
809+
distros := make([]string, 0, len(defaultSELinuxLabels))
810+
for distro := range defaultSELinuxLabels {
811+
distros = append(distros, distro)
812+
}
813+
return distros
814+
}

0 commit comments

Comments
 (0)