
Commit b580eb1

Update AppArmor e2e tests to use Pod field instead of annotations.
Signed-off-by: Vinayak Goyal <[email protected]>
1 parent 77c3859 commit b580eb1


1 file changed

+62
-15
lines changed

1 file changed

+62
-15
lines changed

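--- a/test/e2e_node/apparmor_test.go
+++ b/test/e2e_node/apparmor_test.go
@@ -57,23 +57,46 @@ var _ = SIGDescribe("AppArmor", framework.WithNodeConformance(), func() {
 f := framework.NewDefaultFramework("apparmor-test")
 f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
 
-ginkgo.It("should reject an unloaded profile", func(ctx context.Context) {
-status := runAppArmorTest(ctx, f, false, v1.DeprecatedAppArmorBetaProfileNamePrefix+"non-existent-profile")
+ginkgo.It("should reject an unloaded profile with annotation", func(ctx context.Context) {
+status := runAppArmorTest(ctx, f, false, v1.DeprecatedAppArmorBetaProfileNamePrefix+"non-existent-profile", false)
 gomega.Expect(status.ContainerStatuses[0].State.Waiting.Message).To(gomega.ContainSubstring("apparmor"))
 })
-ginkgo.It("should enforce a profile blocking writes", func(ctx context.Context) {
-status := runAppArmorTest(ctx, f, true, v1.DeprecatedAppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"deny-write")
+ginkgo.It("should reject an unloaded profile with field", func(ctx context.Context) {
+status := runAppArmorTest(ctx, f, false, "non-existent-profile", true)
+gomega.Expect(status.ContainerStatuses[0].State.Waiting.Message).To(gomega.ContainSubstring("apparmor"))
+})
+ginkgo.It("should enforce a profile blocking writes with annotation", func(ctx context.Context) {
+status := runAppArmorTest(ctx, f, true, v1.DeprecatedAppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"deny-write", false)
+if len(status.ContainerStatuses) == 0 {
+framework.Failf("Unexpected pod status: %s", dump.Pretty(status))
+return
+}
+state := status.ContainerStatuses[0].State.Terminated
+gomega.Expect(state).ToNot(gomega.BeNil(), "ContainerState: %+v", status.ContainerStatuses[0].State)
+gomega.Expect(state.ExitCode).To(gomega.Not(gomega.BeZero()), "ContainerStateTerminated: %+v", state)
+})
+ginkgo.It("should enforce a profile blocking writes with field", func(ctx context.Context) {
+status := runAppArmorTest(ctx, f, true, apparmorProfilePrefix+"deny-write", true)
 if len(status.ContainerStatuses) == 0 {
 framework.Failf("Unexpected pod status: %s", dump.Pretty(status))
 return
 }
 state := status.ContainerStatuses[0].State.Terminated
 gomega.Expect(state).ToNot(gomega.BeNil(), "ContainerState: %+v", status.ContainerStatuses[0].State)
 gomega.Expect(state.ExitCode).To(gomega.Not(gomega.BeZero()), "ContainerStateTerminated: %+v", state)
-
 })
-ginkgo.It("should enforce a permissive profile", func(ctx context.Context) {
-status := runAppArmorTest(ctx, f, true, v1.DeprecatedAppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"audit-write")
+ginkgo.It("should enforce a permissive profile with annotations", func(ctx context.Context) {
+status := runAppArmorTest(ctx, f, true, v1.DeprecatedAppArmorBetaProfileNamePrefix+apparmorProfilePrefix+"audit-write", false)
+if len(status.ContainerStatuses) == 0 {
+framework.Failf("Unexpected pod status: %s", dump.Pretty(status))
+return
+}
+state := status.ContainerStatuses[0].State.Terminated
+gomega.Expect(state).ToNot(gomega.BeNil(), "ContainerState: %+v", status.ContainerStatuses[0].State)
+gomega.Expect(state.ExitCode).To(gomega.BeZero(), "ContainerStateTerminated: %+v", state)
+})
+ginkgo.It("should enforce a permissive profile with field", func(ctx context.Context) {
+status := runAppArmorTest(ctx, f, true, apparmorProfilePrefix+"audit-write", true)
 if len(status.ContainerStatuses) == 0 {
 framework.Failf("Unexpected pod status: %s", dump.Pretty(status))
 return
@@ -88,8 +111,13 @@ var _ = SIGDescribe("AppArmor", framework.WithNodeConformance(), func() {
 f := framework.NewDefaultFramework("apparmor-test")
 f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
 
-ginkgo.It("should reject a pod with an AppArmor profile", func(ctx context.Context) {
-status := runAppArmorTest(ctx, f, false, v1.DeprecatedAppArmorBetaProfileRuntimeDefault)
+ginkgo.It("should reject a pod with an AppArmor profile in annotation", func(ctx context.Context) {
+status := runAppArmorTest(ctx, f, false, v1.DeprecatedAppArmorBetaProfileRuntimeDefault, false)
+expectRejection(status)
+})
+
+ginkgo.It("should reject a pod with an AppArmor profile in field", func(ctx context.Context) {
+status := runAppArmorTest(ctx, f, false, v1.DeprecatedAppArmorBetaProfileRuntimeDefault, true)
 expectRejection(status)
 })
 })
@@ -149,8 +177,8 @@ func loadTestProfiles() error {
 return nil
 }
 
-func runAppArmorTest(ctx context.Context, f *framework.Framework, shouldRun bool, profile string) v1.PodStatus {
-pod := createPodWithAppArmor(ctx, f, profile)
+func runAppArmorTest(ctx context.Context, f *framework.Framework, shouldRun bool, profile string, useField bool) v1.PodStatus {
+pod := createPodWithAppArmor(ctx, f, profile, useField)
 if shouldRun {
 // The pod needs to start before it stops, so wait for the longer start timeout.
 framework.ExpectNoError(e2epod.WaitTimeoutForPodNoLongerRunningInNamespace(ctx,
@@ -207,13 +235,10 @@ func runAppArmorTest(ctx context.Context, f *framework.Framework, shouldRun bool
 return p.Status
 }
 
-func createPodWithAppArmor(ctx context.Context, f *framework.Framework, profile string) *v1.Pod {
+func createPodWithAppArmor(ctx context.Context, f *framework.Framework, profile string, useField bool) *v1.Pod {
 pod := &v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: fmt.Sprintf("test-apparmor-%s", strings.Replace(profile, "/", "-", -1)),
-Annotations: map[string]string{
-v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test": profile,
-},
 },
 Spec: v1.PodSpec{
 Containers: []v1.Container{{
@@ -224,6 +249,28 @@ func createPodWithAppArmor(ctx context.Context, f *framework.Framework, profile
 RestartPolicy: v1.RestartPolicyNever,
 },
 }
+
+if useField {
+if profile == v1.DeprecatedAppArmorBetaProfileRuntimeDefault {
+pod.Spec.Containers[0].SecurityContext = &v1.SecurityContext{
+AppArmorProfile: &v1.AppArmorProfile{
+Type: v1.AppArmorProfileTypeRuntimeDefault,
+},
+}
+} else {
+pod.Spec.Containers[0].SecurityContext = &v1.SecurityContext{
+AppArmorProfile: &v1.AppArmorProfile{
+Type: v1.AppArmorProfileTypeLocalhost,
+LocalhostProfile: &profile,
+},
+}
+}
+} else {
+pod.Annotations = map[string]string{
+v1.DeprecatedAppArmorBetaContainerAnnotationKeyPrefix + "test": profile,
+}
+}
+
 return e2epod.NewPodClient(f).Create(ctx, pod)
 }
 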
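Review bot: The useField branches added at the end of createPodWithAppArmor bake in a naming convention the callers must know — annotation callers pass the `localhost/` prefix (v1.DeprecatedAppArmorBetaProfileNamePrefix) while field callers pass the bare profile name, and in field mode any value other than the runtime/default constant is silently treated as a Localhost profile — yet the function has no doc comment stating this. I would add above the signature a comment along the lines of `// createPodWithAppArmor creates a single-container pod requesting the given AppArmor profile; with useField it is set via SecurityContext.AppArmorProfile (the runtime/default constant maps to RuntimeDefault, anything else is a bare Localhost profile name), otherwise via the deprecated container annotation, where profile must carry its prefix.` The two SecurityContext literals could collapse into one by building the AppArmorProfile as Localhost first and overriding Type for the runtime/default case. As a nit, the first hunk's spec titles mix `with annotation` and `with annotations`.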