test: add containerd seccomp default profile for golden profile test data #5230
Conversation
…file changes, the test will fail
bravebeaver
changed the title
bravebeaver
requested review from
juan-lee,
cameronmeissner,
UtheMan,
ganeshkumarashok,
anujmaheshwari1,
AlisonB319,
Devinwong,
lilypan26,
AbelHu,
junjiezhang1997,
jason1028kr,
djsly,
phealy,
r2k1 and
timmy-wright
as code owners
| @@ -0,0 +1,13 @@ | |||
| { | |||
There was a problem hiding this comment.
what is the meaning of 48.json for the kernel ?
There was a problem hiding this comment.
those syscalls are added if you are using kernel 4.8 and above.
i have not included those in the current e2e check yet (which now only contains base checks)..
| @@ -185,3 +189,34 @@ func leakedSecretsValidators(scenario *Scenario) []*LiveVMValidator { | |||
| } | |||
| return validators | |||
| } | |||
|
|
|||
| func createKubeletDebugPod(ctx context.Context, t *testing.T, kube *Kubeclient, nodeName string, isAirgap bool) { | |||
| testPodName := "security-context-profile-test-pod" | |||
There was a problem hiding this comment.
is this a Generic DebugPod is a security-context-profile test pods ? the function name doesnt seem to match what the function is doing.
There was a problem hiding this comment.
agreed. The pod's intention is to create 2 containers
- one with specified securityContext
- one without, so it will be using kubelet default
- runtimeDefault if seccompDefault flag is enabled
- unconfined if not.
would createSeccompProfileDebugPod be more accurate for the moment? although i do notice there is a lack of coverage on customKubeletConfig, but we can improve that later.
| func createKubeletDebugPod(ctx context.Context, t *testing.T, kube *Kubeclient, nodeName string, isAirgap bool) { | ||
| testPodName := "security-context-profile-test-pod" | ||
| testPodManifest := getSecurityContextPodTemplate(isAirgap, nodeName, testPodName) | ||
| t.Logf("Custom kubelet config scenario: running debug pod on node %s ...", nodeName) |
There was a problem hiding this comment.
which custom kubelet config ? is the entention to run a security-context pod when ever a custom kubelet config is provided ?
There was a problem hiding this comment.
correct. checks on when tag KubeletCustomConfig is set to true
AgentBaker/e2e/scenario_helpers_test.go
Line 129 in 979c12f
| @@ -126,6 +126,9 @@ func createAndValidateVM(ctx context.Context, t *testing.T, scenario *Scenario) | |||
| validateWasm(ctx, t, scenario.Runtime.Cluster.Kube, nodeName) | |||
| } | |||
|
|
|||
| if scenario.Tags.KubeletCustomConfig { | |||
There was a problem hiding this comment.
are all Kubelet Custom Config scenarios requiring a debugPod to properly test them ?
There was a problem hiding this comment.
yes and no. i have introduced the tag and have only used it in 2 e2e scenarios so far
AgentBaker/e2e/scenario_test.go
Line 1258 in 979c12f
i did not use tag "SeccompDefaultProfile" ish tag for the reason that this is only one of the flags we used in customKubeletConfig. since this is e2e, i think customKubeletConfig tag is at a better abstraction level.
leaving space for other customKubeletConfig checks when we want to include in retrospect and to consolidate the e2e test scenarios maybe around VHD * OS SKU matrix .
There was a problem hiding this comment.
I think this is special case for a single case. I would instead add another hook to Scenario.
Something like DoExtraStuff: func(s *Scenario, t *testing.T) or PrepareCluster (it's all bad names, come up with something better)
There was a problem hiding this comment.
alternatively, can it be a part of validator?
There was a problem hiding this comment.
This feels unnecessary deep. I would put it in testdata/seccomp_profile_amd64.json
| @@ -126,6 +126,9 @@ func createAndValidateVM(ctx context.Context, t *testing.T, scenario *Scenario) | |||
| validateWasm(ctx, t, scenario.Runtime.Cluster.Kube, nodeName) | |||
| } | |||
|
|
|||
| if scenario.Tags.KubeletCustomConfig { | |||
There was a problem hiding this comment.
I think this is special case for a single case. I would instead add another hook to Scenario.
Something like DoExtraStuff: func(s *Scenario, t *testing.T) or PrepareCluster (it's all bad names, come up with something better)
| actualSyscallsConsolidated := make(map[string][]string) | ||
| for _, syscall := range actual.Syscalls { | ||
| actualSyscallsConsolidated[syscall.Action] = append(syscall.Names, actualSyscallsConsolidated[syscall.Action]...) | ||
| } |
There was a problem hiding this comment.
it feels like assert.JSONEq(t *testing.T, stdout, baseProfileFile)
| @@ -126,6 +126,9 @@ func createAndValidateVM(ctx context.Context, t *testing.T, scenario *Scenario) | |||
| validateWasm(ctx, t, scenario.Runtime.Cluster.Kube, nodeName) | |||
| } | |||
|
|
|||
| if scenario.Tags.KubeletCustomConfig { | |||
There was a problem hiding this comment.
alternatively, can it be a part of validator?
What type of PR is this?
/kind test
What this PR does / why we need it:
add default seccomp profile for containerd so that we are alerted when the profile is changed (which could break existing workload when kubelet seccomp feature is enabled and RuntimeDefault profile is used
Which issue(s) this PR fixes:
Fixes #
Requirements:
Special notes for your reviewer:
Release note: