From 677eaa5b885ea5da990e0b49c8dc22c804178038 Mon Sep 17 00:00:00 2001 From: Maria Alejandra Kurylec Date: Mon, 30 Jul 2018 12:59:16 -0300 Subject: [PATCH] Note: this PR is the result of splitting https://github.com/kubernetes/kubernetes/pull/65793 into 2 sections 1) This part, addressing the refactor so eligible-test-for-conformance can use get rid of privileged security context. 2) a second part that will address the promotion of the testcases to be in conformance suite Changes: a) demoted privileged mode for these tests (not needed) b) regular tests (the other ones existing in the file) will still be using privileged security context. c) adding privilegedSecurityContext field to VolInfo, so each volume-flavor can let the test know if the security context has to be privileged or not. This allows granular changes and updates per volume). d) fixing formatting issue. --- test/e2e/storage/subpath.go | 36 +++++++++++++++++++++++------------- 1 file changed, 23 insertions(+), 13 deletions(-) diff --git a/test/e2e/storage/subpath.go b/test/e2e/storage/subpath.go index 18618416ee..1d5f4bfca0 100644 --- a/test/e2e/storage/subpath.go +++ b/test/e2e/storage/subpath.go @@ -49,8 +49,9 @@ var ( ) type volInfo struct { - source *v1.VolumeSource - node string + source *v1.VolumeSource + node string + privilegedSecurityContext bool } type volSource interface { @@ -84,6 +85,7 @@ var _ = utils.SIGDescribe("Subpath", func() { Context("Atomic writer volumes", func() { var err error + var privilegedSecurityContext bool = false BeforeEach(func() { By("Setting up data") 
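Review bot: The new `privilegedSecurityContext` field in `volInfo` has no comment, yet its zero value decides how the test pod runs: a `volSource` whose `createVolume` leaves it unset gets an unprivileged pod through the `volInfo.privilegedSecurityContext` argument passed in the `-154,7` hunk. That is the safer default, but it should be stated on the field so that a new volume type opts in to privilege deliberately, for example `// privilegedSecurityContext requests a privileged test pod; the zero value (false) runs it unprivileged.`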
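Review bot: `var privilegedSecurityContext bool = false` spells out both the type and the zero value, which golint flags. Because it is a `var` captured by the `It` closures, any spec in this `Context` could also reassign it. The commit message says these specs no longer need privileged mode, so a constant expresses that more firmly: `const privilegedSecurityContext = false`. The `Context` closure continues outside this hunk.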
@@ -98,20 +100,21 @@ var _ = utils.SIGDescribe("Subpath", func() { if err != nil && !apierrors.IsAlreadyExists(err) { Expect(err).ToNot(HaveOccurred(), "while creating configmap") } + }) It("should support subpaths with secret pod", func() { - pod := testPodSubpath(f, "secret-key", "secret", &v1.VolumeSource{Secret: &v1.SecretVolumeSource{SecretName: "my-secret"}}) + pod := testPodSubpath(f, "secret-key", "secret", &v1.VolumeSource{Secret: &v1.SecretVolumeSource{SecretName: "my-secret"}}, privilegedSecurityContext) testBasicSubpath(f, "secret-value", pod) }) It("should support subpaths with configmap pod", func() { - pod := testPodSubpath(f, "configmap-key", "configmap", &v1.VolumeSource{ConfigMap: &v1.ConfigMapVolumeSource{LocalObjectReference: v1.LocalObjectReference{Name: "my-configmap"}}}) + pod := testPodSubpath(f, "configmap-key", "configmap", &v1.VolumeSource{ConfigMap: &v1.ConfigMapVolumeSource{LocalObjectReference: v1.LocalObjectReference{Name: "my-configmap"}}}, privilegedSecurityContext) testBasicSubpath(f, "configmap-value", pod) }) It("should support subpaths with configmap pod with mountPath of existing file", func() { - pod := testPodSubpath(f, "configmap-key", "configmap", &v1.VolumeSource{ConfigMap: &v1.ConfigMapVolumeSource{LocalObjectReference: v1.LocalObjectReference{Name: "my-configmap"}}}) + pod := testPodSubpath(f, "configmap-key", "configmap", &v1.VolumeSource{ConfigMap: &v1.ConfigMapVolumeSource{LocalObjectReference: v1.LocalObjectReference{Name: "my-configmap"}}}, privilegedSecurityContext) file := "/etc/resolv.conf" pod.Spec.Containers[0].VolumeMounts[0].MountPath = file testBasicSubpathFile(f, "configmap-value", pod, file) 
@@ -122,7 +125,7 @@ var _ = utils.SIGDescribe("Subpath", func() { DownwardAPI: &v1.DownwardAPIVolumeSource{ Items: []v1.DownwardAPIVolumeFile{{Path: "downward/podname", FieldRef: &v1.ObjectFieldSelector{APIVersion: "v1", FieldPath: "metadata.name"}}}, }, - }) + }, privilegedSecurityContext) testBasicSubpath(f, pod.Name, pod) }) @@ -136,7 +139,7 @@ var _ = utils.SIGDescribe("Subpath", func() { }}, }, }, - }) + }, privilegedSecurityContext) testBasicSubpath(f, "configmap-value", pod) }) }) @@ -154,7 +157,7 @@ var _ = utils.SIGDescribe("Subpath", func() { filePathInSubpath = filepath.Join(volumePath, fileName) filePathInVolume = filepath.Join(subPathDir, fileName) volInfo := vol.createVolume(f) - pod = testPodSubpath(f, subPath, curVolType, volInfo.source) + pod = testPodSubpath(f, subPath, curVolType, volInfo.source, volInfo.privilegedSecurityContext) pod.Spec.NodeName = volInfo.node }) @@ -353,10 +356,9 @@ func testBasicSubpathFile(f *framework.Framework, contents string, pod *v1.Pod, Expect(err).NotTo(HaveOccurred(), "while deleting pod") } -func testPodSubpath(f *framework.Framework, subpath, volumeType string, source *v1.VolumeSource) *v1.Pod { +func testPodSubpath(f *framework.Framework, subpath, volumeType string, source *v1.VolumeSource, privilegedSecurityContext bool) *v1.Pod { var ( suffix = strings.ToLower(fmt.Sprintf("%s-%s", volumeType, rand.String(4))) - privileged = true gracePeriod = int64(1) probeVolumeName = "liveness-probe-volume" ) @@ -381,7 +383,7 @@ func testPodSubpath(f *framework.Framework, subpath, volumeType string, source * }, }, SecurityContext: &v1.SecurityContext{ - Privileged: &privileged, + Privileged: &privilegedSecurityContext, }, }, }, @@ -401,7 +403,7 @@ func testPodSubpath(f *framework.Framework, subpath, volumeType string, source * }, }, SecurityContext: &v1.SecurityContext{ - Privileged: &privileged, + Privileged: &privilegedSecurityContext, }, }, { 
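Review bot: `Privileged: &privilegedSecurityContext` takes the address of the single function parameter in the `-381,7` hunk and again in the `-401,7` and `-418,7` hunks, so all three `SecurityContext` literals alias one bool. A spec that later writes through one container's `Privileged` pointer changes the other two as well. Every container in the pod also inherits the volume's privilege level, whether or not it needs it; the containers' mounts are not all visible here, so that part needs checking. A small helper gives each container its own value: `func boolPtr(b bool) *bool { return &b }` with `Privileged: boolPtr(privilegedSecurityContext),`. The body of `testPodSubpath` extends outside these hunks.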
@@ -418,7 +420,7 @@ func testPodSubpath(f *framework.Framework, subpath, volumeType string, source * }, }, SecurityContext: &v1.SecurityContext{ - Privileged: &privileged, + Privileged: &privilegedSecurityContext, }, }, }, @@ -685,6 +687,7 @@ func (s *hostpathSource) createVolume(f *framework.Framework) volInfo { Path: "/tmp", }, }, + privilegedSecurityContext: true, } } @@ -764,6 +767,7 @@ func (s *hostpathSymlinkSource) createVolume(f *framework.Framework) volInfo { }, }, node: node0.Name, + privilegedSecurityContext: privileged, } } @@ -786,6 +790,7 @@ func (s *emptydirSource) createVolume(f *framework.Framework) volInfo { source: &v1.VolumeSource{ EmptyDir: &v1.EmptyDirVolumeSource{}, }, + privilegedSecurityContext: true, } } @@ -865,6 +870,7 @@ func (s *gcepdPVCSource) createVolume(f *framework.Framework) volInfo { ClaimName: s.pvc.Name, }, }, + privilegedSecurityContext: true, } } @@ -912,6 +918,7 @@ func (s *gcepdPartitionSource) createVolume(f *framework.Framework) volInfo { Partition: 1, }, }, + privilegedSecurityContext: true, } } @@ -946,6 +953,7 @@ func (s *nfsSource) createVolume(f *framework.Framework) volInfo { Path: "/exports", }, }, + privilegedSecurityContext: true, } } @@ -985,6 +993,7 @@ func (s *glusterSource) createVolume(f *framework.Framework) volInfo { Path: "test_vol", }, }, + privilegedSecurityContext: true, } } @@ -1054,6 +1063,7 @@ func (s *nfsPVCSource) createVolume(f *framework.Framework) volInfo { ClaimName: pvc.Name, }, }, + privilegedSecurityContext: true, } }
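Review bot: `privilegedSecurityContext: true` in `hostpathSource.createVolume` carries no reason, and the same bare `true` is repeated in the emptydir, gcepdPVC, gcepdPartition, nfs, gluster and nfsPVC hunks that follow. The commit message says the field exists so privilege can be adjusted per volume type, so each source should record why it still needs a privileged pod. EmptyDir looks like a candidate for `false`, though that needs confirming against the specs that use it. This source matters most, since the visible `Path: "/tmp"` suggests a node directory is being mounted into a privileged container. A comment such as `// privileged: <reason, or TODO: retest unprivileged>` beside each value would make the follow-up demotion reviewable.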
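Review bot: `privilegedSecurityContext: privileged` in `hostpathSymlinkSource.createVolume` reads a `privileged` identifier declared outside this hunk, while every other source sets a literal `true`. If that variable exists to configure a different pod in this function (not visible here), the test pod's privilege level now silently follows whatever it is set to. Prefer the explicit `privilegedSecurityContext: true,` with a short reason, or add a comment stating that the two are meant to stay in step. The function body starts before this hunk.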