Главная Обзор Помощь
Вход
tzeneto
/
custom-kube-scheduler
Следить 1
В избранное 0
Ответвить 0
Файлы Обсуждения 0 Запросы на слияние 0 Вики
Дерево: f552199f50
Ветки Метки
custom-kube-...
/
kubernetes-v1.15.4
/
test
/
e2e
/
common
/
sysctl.go

sysctl.go 6.2 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210 
  1. /*
    2. 

  2. Copyright 2014 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package common
    18. 

  18. 

  19. import (
    20. 

  20. 	"k8s.io/api/core/v1"
    21. 

  21. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    22. 

  22. 	"k8s.io/apimachinery/pkg/util/uuid"
    23. 

  23. 	"k8s.io/kubernetes/pkg/kubelet/sysctl"
    24. 

  24. 	"k8s.io/kubernetes/test/e2e/framework"
    25. 

  25. 	imageutils "k8s.io/kubernetes/test/utils/image"
    26. 

  26. 

  27. 	. "github.com/onsi/ginkgo"
    28. 

  28. 	. "github.com/onsi/gomega"
    29. 

  29. )
    30. 

  30. 

  31. var _ = framework.KubeDescribe("Sysctls [NodeFeature:Sysctls]", func() {
    32. 

  32. 	f := framework.NewDefaultFramework("sysctl")
    33. 

  33. 	var podClient *framework.PodClient
    34. 

  34. 

  35. 	testPod := func() *v1.Pod {
    36. 

  36. 		podName := "sysctl-" + string(uuid.NewUUID())
    37. 

  37. 		pod := v1.Pod{
    38. 

  38. 			ObjectMeta: metav1.ObjectMeta{
    39. 

  39. 				Name:        podName,
    40. 

  40. 				Annotations: map[string]string{},
    41. 

  41. 			},
    42. 

  42. 			Spec: v1.PodSpec{
    43. 

  43. 				Containers: []v1.Container{
    44. 

  44. 					{
    45. 

  45. 						Name:  "test-container",
    46. 

  46. 						Image: imageutils.GetE2EImage(imageutils.BusyBox),
    47. 

  47. 					},
    48. 

  48. 				},
    49. 

  49. 				RestartPolicy: v1.RestartPolicyNever,
    50. 

  50. 			},
    51. 

  51. 		}
    52. 

  52. 

  53. 		return &pod
    54. 

  54. 	}
    55. 

  55. 

  56. 	BeforeEach(func() {
    57. 

  57. 		podClient = f.PodClient()
    58. 

  58. 	})
    59. 

  59. 

  60. 	It("should support sysctls", func() {
    61. 

  61. 		pod := testPod()
    62. 

  62. 		pod.Spec.SecurityContext = &v1.PodSecurityContext{
    63. 

  63. 			Sysctls: []v1.Sysctl{
    64. 

  64. 				{
    65. 

  65. 					Name:  "kernel.shm_rmid_forced",
    66. 

  66. 					Value: "1",
    67. 

  67. 				},
    68. 

  68. 			},
    69. 

  69. 		}
    70. 

  70. 		pod.Spec.Containers[0].Command = []string{"/bin/sysctl", "kernel.shm_rmid_forced"}
    71. 

  71. 

  72. 		By("Creating a pod with the kernel.shm_rmid_forced sysctl")
    73. 

  73. 		pod = podClient.Create(pod)
    74. 

  74. 

  75. 		By("Watching for error events or started pod")
    76. 

  76. 		// watch for events instead of termination of pod because the kubelet deletes
    77. 

  77. 		// failed pods without running containers. This would create a race as the pod
    78. 

  78. 		// might have already been deleted here.
    79. 

  79. 		ev, err := f.PodClient().WaitForErrorEventOrSuccess(pod)
    80. 

  80. 		framework.ExpectNoError(err)
    81. 

  81. 		if ev != nil && ev.Reason == sysctl.UnsupportedReason {
    82. 

  82. 			framework.Skipf("No sysctl support in Docker <1.12")
    83. 

  83. 		}
    84. 

  84. 		Expect(ev).To(BeNil())
    85. 

  85. 

  86. 		By("Waiting for pod completion")
    87. 

  87. 		err = f.WaitForPodNoLongerRunning(pod.Name)
    88. 

  88. 		framework.ExpectNoError(err)
    89. 

  89. 		pod, err = podClient.Get(pod.Name, metav1.GetOptions{})
    90. 

  90. 		framework.ExpectNoError(err)
    91. 

  91. 

  92. 		By("Checking that the pod succeeded")
    93. 

  93. 		Expect(pod.Status.Phase).To(Equal(v1.PodSucceeded))
    94. 

  94. 

  95. 		By("Getting logs from the pod")
    96. 

  96. 		log, err := framework.GetPodLogs(f.ClientSet, f.Namespace.Name, pod.Name, pod.Spec.Containers[0].Name)
    97. 

  97. 		framework.ExpectNoError(err)
    98. 

  98. 

  99. 		By("Checking that the sysctl is actually updated")
    100. 

  100. 		Expect(log).To(ContainSubstring("kernel.shm_rmid_forced = 1"))
    101. 

  101. 	})
    102. 

  102. 

  103. 	It("should support unsafe sysctls which are actually whitelisted", func() {
    104. 

  104. 		pod := testPod()
    105. 

  105. 		pod.Spec.SecurityContext = &v1.PodSecurityContext{
    106. 

  106. 			Sysctls: []v1.Sysctl{
    107. 

  107. 				{
    108. 

  108. 					Name:  "kernel.shm_rmid_forced",
    109. 

  109. 					Value: "1",
    110. 

  110. 				},
    111. 

  111. 			},
    112. 

  112. 		}
    113. 

  113. 		pod.Spec.Containers[0].Command = []string{"/bin/sysctl", "kernel.shm_rmid_forced"}
    114. 

  114. 

  115. 		By("Creating a pod with the kernel.shm_rmid_forced sysctl")
    116. 

  116. 		pod = podClient.Create(pod)
    117. 

  117. 

  118. 		By("Watching for error events or started pod")
    119. 

  119. 		// watch for events instead of termination of pod because the kubelet deletes
    120. 

  120. 		// failed pods without running containers. This would create a race as the pod
    121. 

  121. 		// might have already been deleted here.
    122. 

  122. 		ev, err := f.PodClient().WaitForErrorEventOrSuccess(pod)
    123. 

  123. 		framework.ExpectNoError(err)
    124. 

  124. 		if ev != nil && ev.Reason == sysctl.UnsupportedReason {
    125. 

  125. 			framework.Skipf("No sysctl support in Docker <1.12")
    126. 

  126. 		}
    127. 

  127. 		Expect(ev).To(BeNil())
    128. 

  128. 

  129. 		By("Waiting for pod completion")
    130. 

  130. 		err = f.WaitForPodNoLongerRunning(pod.Name)
    131. 

  131. 		framework.ExpectNoError(err)
    132. 

  132. 		pod, err = podClient.Get(pod.Name, metav1.GetOptions{})
    133. 

  133. 		framework.ExpectNoError(err)
    134. 

  134. 

  135. 		By("Checking that the pod succeeded")
    136. 

  136. 		Expect(pod.Status.Phase).To(Equal(v1.PodSucceeded))
    137. 

  137. 

  138. 		By("Getting logs from the pod")
    139. 

  139. 		log, err := framework.GetPodLogs(f.ClientSet, f.Namespace.Name, pod.Name, pod.Spec.Containers[0].Name)
    140. 

  140. 		framework.ExpectNoError(err)
    141. 

  141. 

  142. 		By("Checking that the sysctl is actually updated")
    143. 

  143. 		Expect(log).To(ContainSubstring("kernel.shm_rmid_forced = 1"))
    144. 

  144. 	})
    145. 

  145. 

  146. 	It("should reject invalid sysctls", func() {
    147. 

  147. 		pod := testPod()
    148. 

  148. 		pod.Spec.SecurityContext = &v1.PodSecurityContext{
    149. 

  149. 			Sysctls: []v1.Sysctl{
    150. 

  150. 				// Safe parameters
    151. 

  151. 				{
    152. 

  152. 					Name:  "foo-",
    153. 

  153. 					Value: "bar",
    154. 

  154. 				},
    155. 

  155. 				{
    156. 

  156. 					Name:  "kernel.shmmax",
    157. 

  157. 					Value: "100000000",
    158. 

  158. 				},
    159. 

  159. 				{
    160. 

  160. 					Name:  "safe-and-unsafe",
    161. 

  161. 					Value: "100000000",
    162. 

  162. 				},
    163. 

  163. 				{
    164. 

  164. 					Name:  "bar..",
    165. 

  165. 					Value: "42",
    166. 

  166. 				},
    167. 

  167. 			},
    168. 

  168. 		}
    169. 

  169. 

  170. 		By("Creating a pod with one valid and two invalid sysctls")
    171. 

  171. 		client := f.ClientSet.CoreV1().Pods(f.Namespace.Name)
    172. 

  172. 		_, err := client.Create(pod)
    173. 

  173. 

  174. 		Expect(err).NotTo(BeNil())
    175. 

  175. 		Expect(err.Error()).To(ContainSubstring(`Invalid value: "foo-"`))
    176. 

  176. 		Expect(err.Error()).To(ContainSubstring(`Invalid value: "bar.."`))
    177. 

  177. 		Expect(err.Error()).NotTo(ContainSubstring(`safe-and-unsafe`))
    178. 

  178. 		Expect(err.Error()).NotTo(ContainSubstring("kernel.shmmax"))
    179. 

  179. 	})
    180. 

  180. 

  181. 	It("should not launch unsafe, but not explicitly enabled sysctls on the node", func() {
    182. 

  182. 		pod := testPod()
    183. 

  183. 		pod.Spec.SecurityContext = &v1.PodSecurityContext{
    184. 

  184. 			Sysctls: []v1.Sysctl{
    185. 

  185. 				{
    186. 

  186. 					Name:  "kernel.msgmax",
    187. 

  187. 					Value: "10000000000",
    188. 

  188. 				},
    189. 

  189. 			},
    190. 

  190. 		}
    191. 

  191. 

  192. 		By("Creating a pod with a greylisted, but not whitelisted sysctl on the node")
    193. 

  193. 		pod = podClient.Create(pod)
    194. 

  194. 

  195. 		By("Watching for error events or started pod")
    196. 

  196. 		// watch for events instead of termination of pod because the kubelet deletes
    197. 

  197. 		// failed pods without running containers. This would create a race as the pod
    198. 

  198. 		// might have already been deleted here.
    199. 

  199. 		ev, err := f.PodClient().WaitForErrorEventOrSuccess(pod)
    200. 

  200. 		framework.ExpectNoError(err)
    201. 

  201. 		if ev != nil && ev.Reason == sysctl.UnsupportedReason {
    202. 

  202. 			framework.Skipf("No sysctl support in Docker <1.12")
    203. 

  203. 		}
    204. 

  204. 

  205. 		By("Checking that the pod was rejected")
    206. 

  206. 		Expect(ev).ToNot(BeNil())
    207. 

  207. 		Expect(ev.Reason).To(Equal("SysctlForbidden"))
    208. 

  208. 	})
    209. 

  209. })
    210. 

  210.