e2e: add a test to check that plugins ReadOnlyRootfs is enabled

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
This commit is contained in:
Mikko Ylinen 2021-08-31 15:12:08 +03:00
parent 9b687401b8
commit 8c6b8ceb69
2 changed files with 30 additions and 2 deletions


@ -57,13 +57,19 @@ func describeQatDpdkPlugin() {
framework.RunKubectlOrDie(f.Namespace.Name, "--namespace", f.Namespace.Name, "apply", "-k", filepath.Dir(kustomizationPath))
ginkgo.By("waiting for QAT plugin's availability")
if _, err := e2epod.WaitForPodsWithLabelRunningReady(f.ClientSet, f.Namespace.Name,
labels.Set{"app": "intel-qat-plugin"}.AsSelector(), 1 /* one replica */, 10*time.Second); err != nil {
podList, err := e2epod.WaitForPodsWithLabelRunningReady(f.ClientSet, f.Namespace.Name,
labels.Set{"app": "intel-qat-plugin"}.AsSelector(), 1 /* one replica */, 10*time.Second)
if err != nil {
framework.DumpAllNamespaceInfo(f.ClientSet, f.Namespace.Name)
kubectl.LogFailedContainers(f.ClientSet, f.Namespace.Name, framework.Logf)
framework.Failf("unable to wait for all pods to be running and ready: %v", err)
}
ginkgo.By("checking QAT plugin's securityContext")
if err := utils.TestPodsFileSystemInfo(podList.Items); err != nil {
framework.Failf("container filesystem info checks failed: %v", err)
}
ginkgo.By("checking the resource is allocatable")
if err := utils.WaitForNodesWithResource(f.ClientSet, "qat.intel.com/generic", 30*time.Second); err != nil {
framework.Failf("unable to wait for nodes to have positive allocatable resource: %v", err)
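Review bot: The new step under `ginkgo.By("checking QAT plugin's securityContext")` asserts only ReadOnlyRootFilesystem, yet the file already exports `TestContainersRunAsNonRoot(pods []v1.Pod) error` (visible at the start of the second hunk) and this describe block never calls it, so the step name overstates what is verified. If the QAT DPDK plugin genuinely has to run as root (for example for VFIO device access — not visible here), a one-line comment such as `// runAsNonRoot is not checked: the DPDK plugin needs root for device access` would keep the omission from reading as an oversight; otherwise add `if err := utils.TestContainersRunAsNonRoot(podList.Items); err != nil { framework.Failf("securityContext checks failed: %v", err) }` beside the filesystem check. describeQatDpdkPlugin starts and ends outside this hunk.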


@ -173,3 +173,25 @@ func TestContainersRunAsNonRoot(pods []v1.Pod) error {
}
return nil
}
func printVolumeMounts(vm []v1.VolumeMount) {
for _, v := range vm {
if !v.ReadOnly {
framework.Logf("Available RW volume mounts: %v", v)
}
}
}
// TestPodsFileSystemInfo checks that all containers within the Pods run
// with ReadOnlyRootFileSystem. It also prints RW volume mounts.
func TestPodsFileSystemInfo(pods []v1.Pod) error {
for _, p := range pods {
for _, c := range append(p.Spec.InitContainers, p.Spec.Containers...) {
if !*c.SecurityContext.ReadOnlyRootFilesystem {
return fmt.Errorf("%s (container: %s): Writable root filesystem", p.Name, c.Name)
}
printVolumeMounts(c.VolumeMounts)
}
}
return nil
}
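Review bot: `if !*c.SecurityContext.ReadOnlyRootFilesystem` in TestPodsFileSystemInfo dereferences two pointers that are both optional in a Pod spec, so a container with no securityContext, or one that leaves readOnlyRootFilesystem unset, aborts the e2e run with a nil-pointer panic instead of the intended failure — and an unset field means the root filesystem is writable, which is exactly the condition this check exists to report. Guard both pointers: `sc := c.SecurityContext` followed by `if sc == nil || sc.ReadOnlyRootFilesystem == nil || !*sc.ReadOnlyRootFilesystem {`. Separately, readOnlyRootFilesystem does not restrict writes through volume mounts, and printVolumeMounts only logs them at `framework.Logf("Available RW volume mounts: %v", v)`, so the doc comment should make the advisory nature explicit, e.g. `// RW volume mounts (such as hostPath) are only logged, not rejected.`, or the test should fail on RW mounts the plugin is not expected to need.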