Skip to content

Commit

Permalink
userns: Query runtime once
Browse files Browse the repository at this point in the history 
Sascha suggested to run this only once. Let's cache the answer from the
runtime and move the tests that need idmap mounts on the host to
`When("Host idmap mount support is needed"`.

While we split the tests in that way, let's just query idmap mount
support for the tests that need it, using the cache.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
  • Loading branch information
@rata
rata committed Jul 8, 2024
1 parent 934f1cc commit 02ad18b
Showing 1 changed file with 98 additions and 85 deletions.
183 changes: 98 additions & 85 deletions pkg/validate/security_context_linux.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ import (
"os/exec"
"path/filepath"
"strings"
"sync"
"syscall"
"time"

Expand Down Expand Up @@ -850,8 +851,11 @@ var _ = framework.KubeDescribe("Security Context", func() {

Context("UserNamespaces", func() {
var (
podName string
defaultMapping = []*runtimeapi.IDMapping{{
podName string
statusOnce sync.Once
statusResp runtimeapi.StatusResponse
supportsUserNamespaces bool
defaultMapping = []*runtimeapi.IDMapping{{
ContainerId: 0,
HostId: 1000,
Length: 100000,
Expand All @@ -863,108 +867,117 @@ var _ = framework.KubeDescribe("Security Context", func() {

// Find a working runtime handler if none provided
By("searching for runtime handler which supports user namespaces")
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
defer cancel()
resp, err := rc.Status(ctx, true) // Set verbose to true so the info field is populated.
framework.ExpectNoError(err, "failed to get runtime config: %v", err)

supportsUserNamespaces := false
for _, rh := range resp.GetRuntimeHandlers() {
if rh.GetName() == framework.TestContext.RuntimeHandler {
if rh.GetFeatures().GetUserNamespaces() {
supportsUserNamespaces = true
break
statusOnce.Do(func() {
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
defer cancel()
// Set verbose to true, other BeforeEachs calls need info populated.
statusResp, err := rc.Status(ctx, true)
framework.ExpectNoError(err, "failed to get runtime config: %v", err)
for _, rh := range statusResp.GetRuntimeHandlers() {
if rh.GetName() == framework.TestContext.RuntimeHandler {
if rh.GetFeatures().GetUserNamespaces() {
supportsUserNamespaces = true
break
}
}
}
}

supportsUserNamespaces = false
})
if !supportsUserNamespaces {
Skip("no runtime handler found which supports user namespaces")
}

pathIDMap := rootfsPath(resp.GetInfo())
if err := supportsIDMap(pathIDMap); err != nil {
Skip("ID mapping is not supported" + " with path: " + pathIDMap + ": " + err.Error())
}
})

It("runtime should support NamespaceMode_POD", func() {
namespaceOption := &runtimeapi.NamespaceOption{
UsernsOptions: &runtimeapi.UserNamespace{
Mode: runtimeapi.NamespaceMode_POD,
Uids: defaultMapping,
Gids: defaultMapping,
},
}
When("Host idmap mount support is needed", func() {
BeforeEach(func() {
// Find a working runtime handler if none provided
By("check for host idmap mount support")
pathIDMap := rootfsPath(statusResp.GetInfo())
if err := supportsIDMap(pathIDMap); err != nil {
Skip("ID mapping is not supported" + " with path: " + pathIDMap + ": " + err.Error())
}
})

It("runtime should support NamespaceMode_POD", func() {
namespaceOption := &runtimeapi.NamespaceOption{
UsernsOptions: &runtimeapi.UserNamespace{
Mode: runtimeapi.NamespaceMode_POD,
Uids: defaultMapping,
Gids: defaultMapping,
},
}

hostLogPath, podLogPath := createLogTempDir(podName)
defer os.RemoveAll(hostLogPath)
podID, podConfig = createNamespacePodSandbox(rc, namespaceOption, podName, podLogPath)
containerName := runUserNamespaceContainer(rc, ic, podID, podConfig)
hostLogPath, podLogPath := createLogTempDir(podName)
defer os.RemoveAll(hostLogPath)
podID, podConfig = createNamespacePodSandbox(rc, namespaceOption, podName, podLogPath)
containerName := runUserNamespaceContainer(rc, ic, podID, podConfig)

matchContainerOutputRe(podConfig, containerName, `\s+0\s+1000\s+100000\n`)
matchContainerOutputRe(podConfig, containerName, `\s+0\s+1000\s+100000\n`)
})
})

It("runtime should support NamespaceMode_NODE", func() {
namespaceOption := &runtimeapi.NamespaceOption{
UsernsOptions: &runtimeapi.UserNamespace{
Mode: runtimeapi.NamespaceMode_NODE,
},
}

hostLogPath, podLogPath := createLogTempDir(podName)
defer os.RemoveAll(hostLogPath)
podID, podConfig = createNamespacePodSandbox(rc, namespaceOption, podName, podLogPath)
containerName := runUserNamespaceContainer(rc, ic, podID, podConfig)

// 4294967295 means that the entire range is available
matchContainerOutputRe(podConfig, containerName, `\s+0\s+0\s+4294967295\n`)
})
When("Host idmap mount support is not needed", func() {
It("runtime should support NamespaceMode_NODE", func() {
namespaceOption := &runtimeapi.NamespaceOption{
UsernsOptions: &runtimeapi.UserNamespace{
Mode: runtimeapi.NamespaceMode_NODE,
},
}

It("runtime should fail if more than one mapping provided", func() {
wrongMapping := []*runtimeapi.IDMapping{{
ContainerId: 0,
HostId: 1000,
Length: 100000,
}, {
ContainerId: 0,
HostId: 2000,
Length: 100000,
}}
usernsOptions := &runtimeapi.UserNamespace{
Mode: runtimeapi.NamespaceMode_POD,
Uids: wrongMapping,
Gids: wrongMapping,
}
hostLogPath, podLogPath := createLogTempDir(podName)
defer os.RemoveAll(hostLogPath)
podID, podConfig = createNamespacePodSandbox(rc, namespaceOption, podName, podLogPath)
containerName := runUserNamespaceContainer(rc, ic, podID, podConfig)

// 4294967295 means that the entire range is available
matchContainerOutputRe(podConfig, containerName, `\s+0\s+0\s+4294967295\n`)
})

It("runtime should fail if more than one mapping provided", func() {
wrongMapping := []*runtimeapi.IDMapping{{
ContainerId: 0,
HostId: 1000,
Length: 100000,
}, {
ContainerId: 0,
HostId: 2000,
Length: 100000,
}}
usernsOptions := &runtimeapi.UserNamespace{
Mode: runtimeapi.NamespaceMode_POD,
Uids: wrongMapping,
Gids: wrongMapping,
}

runUserNamespacePodWithError(rc, podName, usernsOptions)
})
runUserNamespacePodWithError(rc, podName, usernsOptions)
})

It("runtime should fail if container ID 0 is not mapped", func() {
mapping := []*runtimeapi.IDMapping{{
ContainerId: 1,
HostId: 1000,
Length: 100000,
}}
usernsOptions := &runtimeapi.UserNamespace{
Mode: runtimeapi.NamespaceMode_POD,
Uids: mapping,
Gids: mapping,
}
It("runtime should fail if container ID 0 is not mapped", func() {
mapping := []*runtimeapi.IDMapping{{
ContainerId: 1,
HostId: 1000,
Length: 100000,
}}
usernsOptions := &runtimeapi.UserNamespace{
Mode: runtimeapi.NamespaceMode_POD,
Uids: mapping,
Gids: mapping,
}

runUserNamespacePodWithError(rc, podName, usernsOptions)
})
runUserNamespacePodWithError(rc, podName, usernsOptions)
})

It("runtime should fail with NamespaceMode_CONTAINER", func() {
usernsOptions := &runtimeapi.UserNamespace{Mode: runtimeapi.NamespaceMode_CONTAINER}
It("runtime should fail with NamespaceMode_CONTAINER", func() {
usernsOptions := &runtimeapi.UserNamespace{Mode: runtimeapi.NamespaceMode_CONTAINER}

runUserNamespacePodWithError(rc, podName, usernsOptions)
})
runUserNamespacePodWithError(rc, podName, usernsOptions)
})

It("runtime should fail with NamespaceMode_TARGET", func() {
usernsOptions := &runtimeapi.UserNamespace{Mode: runtimeapi.NamespaceMode_TARGET}
It("runtime should fail with NamespaceMode_TARGET", func() {
usernsOptions := &runtimeapi.UserNamespace{Mode: runtimeapi.NamespaceMode_TARGET}

runUserNamespacePodWithError(rc, podName, usernsOptions)
runUserNamespacePodWithError(rc, podName, usernsOptions)
})
})
})
})
Expand Down

0 comments on commit 02ad18b

Please sign in to comment.