github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #58777 from filbranden/nnp1 

Automatic merge from submit-queue (batch tested with PRs 58777, 58978, 58977, 58775). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Skip NoNewPrivileges test when SELinux is enabled

**What this PR does / why we need it**:

A bug in the SELinux policy prevented NoNewPrivileges from working on Docker with SELinux support enabled.

The problem has been fixed upstream (see projectatomic/container-selinux#45)

But hasn't been backported yet (a fix might come in RHEL 7.5)

For now, let's skip the NoNewPrivileges test when SELinux support is enabled in Docker.

Tested:

- Before this commit, the test fails:
```
    $ make test-e2e-node REMOTE=true FOCUS="allow privilege escalation"
    (on a host with SELinux enabled)

    • [SLOW TEST:22.798 seconds] (passed)
    [k8s.io] Security Context
      when creating containers with AllowPrivilegeEscalation
        should allow privilege escalation when true

    • Failure [16.539 seconds]
    [k8s.io] Security Context
      when creating containers with AllowPrivilegeEscalation
        should not allow privilege escalation when false [It]

        wait for pod "alpine-nnp-false-aef03e47-0090-11e8-886f-42010af00009" to success
        Expected success, but got an error:
            <*errors.errorString | 0xc4204e26d0>: {
                s: "pod \"alpine-nnp-false-aef03e47-0090-11e8-886f-42010af00009\" failed with reason: \"\", message: \"\"",
            }
            pod "alpine-nnp-false-aef03e47-0090-11e8-886f-42010af00009" failed with reason: "", message: ""

    • [SLOW TEST:26.572 seconds] (passed)
    [k8s.io] Security Context
      when creating containers with AllowPrivilegeEscalation
        should allow privilege escalation when not explicitly set and uid != 0

    Ran 3 of 257 Specs in 45.364 seconds
    FAIL! -- 2 Passed | 1 Failed | 0 Pending | 254 Skipped

    Ginkgo ran 1 suite in 49.389123442s
    Test Suite Failed
```
- After this commit, the test is skipped:
```
    $ make test-e2e-node REMOTE=true FOCUS="allow privilege escalation"
    (on a host with SELinux enabled)

    S [SKIPPING] in Spec Setup (BeforeEach) [12.452 seconds]
    S [SKIPPING] in Spec Setup (BeforeEach) [16.298 seconds]
    S [SKIPPING] in Spec Setup (BeforeEach) [18.183 seconds]

    Ran 0 of 257 Specs in 39.174 seconds
    SUCCESS! -- 0 Passed | 0 Failed | 0 Pending | 257 Skipped

    Ginkgo ran 1 suite in 43.570630357s
    Test Suite Passed
```
- No changes when SELinux is disabled:
```
    $ make test-e2e-node REMOTE=true FOCUS="allow privilege escalation"
    (on a host with SELinux disabled)

    • [SLOW TEST:15.013 seconds]
    [k8s.io] Security Context
      when creating containers with AllowPrivilegeEscalation
        should not allow privilege escalation when false

    • [SLOW TEST:19.155 seconds]
    [k8s.io] Security Context
      when creating containers with AllowPrivilegeEscalation
        should allow privilege escalation when true

    • [SLOW TEST:21.087 seconds]
    [k8s.io] Security Context
      when creating containers with AllowPrivilegeEscalation
        should allow privilege escalation when not explicitly set and uid != 0

    Ran 3 of 259 Specs in 38.560 seconds
    SUCCESS! -- 3 Passed | 0 Failed | 0 Pending | 256 Skipped

    Ginkgo ran 1 suite in 41.937918928s
    Test Suite Passed
```




**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
N/A

**Special notes for your reviewer**:
N/A

**Release note**:

```release-note
NONE
```
pull/6/head
Kubernetes Submit Queue 2018-01-29 14:59:36 -08:00 committed by GitHub
parent 235714e7f3 6d30b026ba
commit 85e435d35a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
test/e2e_node/security_context_test.go
View File

@ -373,6 +373,18 @@ var _ = framework.KubeDescribe("Security Context", func() {
if !isSupported {
framework.Skipf("Skipping because no_new_privs is not supported in this docker")
}
// It turns out SELinux policy in RHEL 7 does not play well with
// the "NoNewPrivileges" flag. So let's skip this test when running
// with SELinux support enabled.
//
// TODO(filbranden): Remove this after the fix for
// https://github.com/projectatomic/container-selinux/issues/45
// has been backported to RHEL 7 (expected on RHEL 7.5)
selinuxEnabled, err := isDockerSELinuxSupportEnabled()
framework.ExpectNoError(err)
if selinuxEnabled {
framework.Skipf("Skipping because Docker daemon is running with SELinux support enabled")
}
}
})