
Commit 70a2857

committed
test/e2e/node: fix selinux test failure
Commit 69a473b broke the test case (which was checking that a file from a volume can't be read) by adding a (wrong) assumption that the error should be nil. Fix the assumption (we do expect the error here). Note that we were checking file contents before; now that we check the error from the read, checking the contents is redundant. The other issue with the test is that SELinux should be in enforcing mode for this to work, so let's check that first to avoid false positives. Signed-off-by: Kir Kolyshkin <[email protected]>
1 parent e5524f5 commit 70a2857


1 file changed

+9
-5
lines changed

1 file changed

+9
-5
lines changed

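--- a/test/e2e/node/security_context.go
+++ b/test/e2e/node/security_context.go
@@ -26,7 +26,7 @@ import (
 	"context"
 	"fmt"
 
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/kubernetes/test/e2e/framework"
@@ -252,10 +252,11 @@ func testPodSELinuxLabeling(f *framework.Framework, hostIPC bool, hostPID bool)
 	pod.Spec.SecurityContext.SELinuxOptions = &v1.SELinuxOptions{
 		Level: "s0:c0,c1",
 	}
-
 	f.TestContainerOutput("Pod with same MCS label reading test file", pod, 0, []string{testContent})
+
 	// Confirm that the same pod with a different MCS
 	// label cannot access the volume
+	ginkgo.By("confirming a container with a different MCS label is unable to read the file")
 	pod = scTestPod(hostIPC, hostPID)
 	pod.Spec.Volumes = volumes
 	pod.Spec.Containers[0].VolumeMounts = volumeMounts
@@ -269,7 +270,10 @@ func testPodSELinuxLabeling(f *framework.Framework, hostIPC bool, hostPID bool)
 	err = f.WaitForPodRunning(pod.Name)
 	framework.ExpectNoError(err, "Error waiting for pod to run %v", pod)
 
-	content, err = tk.ReadFileViaContainer(pod.Name, "test-container", testFilePath)
-	framework.ExpectNoError(err, "Error reading file via container")
-	gomega.Expect(content).NotTo(gomega.ContainSubstring(testContent))
+	// for this to work, SELinux should be in enforcing mode, so let's check that
+	isEnforced, err := tk.ReadFileViaContainer(pod.Name, "test-container", "/sys/fs/selinux/enforce")
+	if err == nil && isEnforced == "1" {
+		_, err = tk.ReadFileViaContainer(pod.Name, "test-container", testFilePath)
+		framework.ExpectError(err, "expecting SELinux to not let the container with different MCS label to read the file")
+	}
 }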
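Review bot: The new `if err == nil && isEnforced == "1"` guard in the third hunk turns the negative check into a silent pass whenever `/sys/fs/selinux/enforce` cannot be read from inside the container or reports anything other than "1" — the test then reports success without having verified that the MCS label isolation holds, which is the opposite failure mode of the false positive the commit set out to fix. Since selinuxfs is frequently not visible inside a container, the `err != nil` branch is likely the common case, so the test would quietly stop testing anything. A clearer outcome is to skip explicitly when the precondition is not met, e.g. replace the guard with `if err != nil || isEnforced != "1" { ginkgo.Skip("SELinux is not in enforcing mode in the container; skipping MCS label isolation check") }` and then run the `ReadFileViaContainer` + `framework.ExpectError` pair unconditionally. The `isEnforced == "1"` comparison also presumably relies on the read returning the value without a trailing newline; trimming with `strings.TrimSpace` before comparing would make the check robust to how the file is read. The enclosing function `testPodSELinuxLabeling` starts outside the hunk.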
