
Commit 8c6b8ce

committed
e2e: add a test to check that plugins ReadOnlyRootfs is enabled
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
1 parent 9b68740 commit 8c6b8ce


2 files changed

+30
-2
lines changed


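--- a/test/e2e/qat/qatplugin_dpdk.go
+++ b/test/e2e/qat/qatplugin_dpdk.go
@@ -57,13 +57,19 @@ func describeQatDpdkPlugin() {
 framework.RunKubectlOrDie(f.Namespace.Name, "--namespace", f.Namespace.Name, "apply", "-k", filepath.Dir(kustomizationPath))
 
 ginkgo.By("waiting for QAT plugin's availability")
-if _, err := e2epod.WaitForPodsWithLabelRunningReady(f.ClientSet, f.Namespace.Name,
-labels.Set{"app": "intel-qat-plugin"}.AsSelector(), 1 /* one replica */, 10*time.Second); err != nil {
+podList, err := e2epod.WaitForPodsWithLabelRunningReady(f.ClientSet, f.Namespace.Name,
+labels.Set{"app": "intel-qat-plugin"}.AsSelector(), 1 /* one replica */, 10*time.Second)
+if err != nil {
 framework.DumpAllNamespaceInfo(f.ClientSet, f.Namespace.Name)
 kubectl.LogFailedContainers(f.ClientSet, f.Namespace.Name, framework.Logf)
 framework.Failf("unable to wait for all pods to be running and ready: %v", err)
 }
 
+ginkgo.By("checking QAT plugin's securityContext")
+if err := utils.TestPodsFileSystemInfo(podList.Items); err != nil {
+framework.Failf("container filesystem info checks failed: %v", err)
+}
+
 ginkgo.By("checking the resource is allocatable")
 if err := utils.WaitForNodesWithResource(f.ClientSet, "qat.intel.com/generic", 30*time.Second); err != nil {
 framework.Failf("unable to wait for nodes to have positive allocatable resource: %v", err)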

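--- a/test/e2e/utils/utils.go
+++ b/test/e2e/utils/utils.go
@@ -173,3 +173,25 @@ func TestContainersRunAsNonRoot(pods []v1.Pod) error {
 }
 return nil
 }
+
+func printVolumeMounts(vm []v1.VolumeMount) {
+for _, v := range vm {
+if !v.ReadOnly {
+framework.Logf("Available RW volume mounts: %v", v)
+}
+}
+}
+
+// TestPodsFileSystemInfo checks that all containers within the Pods run
+// with ReadOnlyRootFileSystem. It also prints RW volume mounts.
+func TestPodsFileSystemInfo(pods []v1.Pod) error {
+for _, p := range pods {
+for _, c := range append(p.Spec.InitContainers, p.Spec.Containers...) {
+if !*c.SecurityContext.ReadOnlyRootFilesystem {
+return fmt.Errorf("%s (container: %s): Writable root filesystem", p.Name, c.Name)
+}
+printVolumeMounts(c.VolumeMounts)
+}
+}
+return nil
+}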
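Review bot: The dereference `*c.SecurityContext.ReadOnlyRootFilesystem` in TestPodsFileSystemInfo panics when a container has no securityContext or leaves readOnlyRootFilesystem unset, because both are pointers in the Pod API. An unset field means a writable root filesystem, which is exactly the case this check exists to report, so it should fail with the pod and container name rather than crash the suite: `if sc := c.SecurityContext; sc == nil || sc.ReadOnlyRootFilesystem == nil || !*sc.ReadOnlyRootFilesystem {`. Separately, printVolumeMounts only logs writable mounts, so a container with a read-only root but a writable mount still passes; if that is intended, the doc comment could state that the mount listing is informational and not asserted.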
