diff --git a/test/e2e_node/BUILD b/test/e2e_node/BUILD
index 85fbbff564..ec7f37a26c 100644
--- a/test/e2e_node/BUILD
+++ b/test/e2e_node/BUILD
@@ -159,6 +159,7 @@ go_test(
 "//vendor/k8s.io/apimachinery/pkg/util/uuid:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/watch:go_default_library",
+ "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
 "//vendor/k8s.io/client-go/kubernetes:go_default_library",
 ] + select({
 "@io_bazel_rules_go//go/platform:linux": [
diff --git a/test/e2e_node/docker_test.go b/test/e2e_node/docker_test.go
index dd08d609dd..97dae3e99b 100644
--- a/test/e2e_node/docker_test.go
+++ b/test/e2e_node/docker_test.go
@@ -37,46 +37,6 @@ var _ = framework.KubeDescribe("Docker features [Feature:Docker]", func() {
 framework.RunIfContainerRuntimeIs("docker")
 })
- Context("when shared PID namespace is enabled", func() {
- It("processes in different containers of the same pod should be able to see each other", func() {
- // TODO(yguo0905): Change this test to run unless the runtime is
- // Docker and its version is <1.13.
- By("Check whether shared PID namespace is supported.")
- isEnabled, err := isSharedPIDNamespaceSupported()
- framework.ExpectNoError(err)
- if !isEnabled {
- framework.Skipf("Skipped because shared PID namespace is not supported by this docker version.")
- }
-
- By("Create a pod with two containers.")
- f.PodClient().CreateSync(&v1.Pod{
- ObjectMeta: metav1.ObjectMeta{Name: "shared-pid-ns-test-pod"},
- Spec: v1.PodSpec{
- Containers: []v1.Container{
- {
- Name: "test-container-1",
- Image: "busybox",
- Command: []string{"/bin/top"},
- },
- {
- Name: "test-container-2",
- Image: "busybox",
- Command: []string{"/bin/sleep"},
- Args: []string{"10000"},
- },
- },
- },
- })
-
- By("Check if the process in one container is visible to the process in the other.")
- pid1 := f.ExecCommandInContainer("shared-pid-ns-test-pod", "test-container-1", "/bin/pidof", "top")
- pid2 := f.ExecCommandInContainer("shared-pid-ns-test-pod", "test-container-2", "/bin/pidof", "top")
- if pid1 != pid2 {
- framework.Failf("PIDs are not the same in different containers: test-container-1=%v, test-container-2=%v", pid1, pid2)
- }
- })
- })
-
 Context("when live-restore is enabled [Serial] [Slow] [Disruptive]", func() {
 It("containers should not be disrupted when the daemon shuts down and restarts", func() {
 const (
diff --git a/test/e2e_node/security_context_test.go b/test/e2e_node/security_context_test.go
index 6bdda7308d..b7dac718e3 100644
--- a/test/e2e_node/security_context_test.go
+++ b/test/e2e_node/security_context_test.go
@@ -26,6 +26,8 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apimachinery/pkg/util/uuid"
+ utilfeature "k8s.io/apiserver/pkg/util/feature"
+ "k8s.io/kubernetes/pkg/features"
 "k8s.io/kubernetes/test/e2e/framework"
 . "github.com/onsi/ginkgo"
@@ -39,6 +41,78 @@ var _ = framework.KubeDescribe("Security Context", func() {
 podClient = f.PodClient()
 })
+ Context("when pod PID namespace is configurable [Feature:ShareProcessNamespace]", func() {
+ It("containers in pods using isolated PID namespaces should all receive PID 1", func() {
+ By("Create a pod with isolated PID namespaces.")
+ f.PodClient().CreateSync(&v1.Pod{
+ ObjectMeta: metav1.ObjectMeta{Name: "isolated-pid-ns-test-pod"},
+ Spec: v1.PodSpec{
+ Containers: []v1.Container{
+ {
+ Name: "test-container-1",
+ Image: "busybox",
+ Command: []string{"/bin/top"},
+ },
+ {
+ Name: "test-container-2",
+ Image: "busybox",
+ Command: []string{"/bin/sleep"},
+ Args: []string{"10000"},
+ },
+ },
+ },
+ })
+
+ By("Check if both containers receive PID 1.")
+ pid1 := f.ExecCommandInContainer("isolated-pid-ns-test-pod", "test-container-1", "/bin/pidof", "top")
+ pid2 := f.ExecCommandInContainer("isolated-pid-ns-test-pod", "test-container-2", "/bin/pidof", "sleep")
+ if pid1 != "1" || pid2 != "1" {
+ framework.Failf("PIDs of different containers are not all 1: test-container-1=%v, test-container-2=%v", pid1, pid2)
+ }
+ })
+
+ It("processes in containers sharing a pod namespace should be able to see each other [Alpha]", func() {
+ By("Check whether shared PID namespace is supported.")
+ isEnabled, err := isSharedPIDNamespaceSupported()
+ framework.ExpectNoError(err)
+ if !isEnabled {
+ framework.Skipf("Skipped because shared PID namespace is not supported by this docker version.")
+ }
+ // It's not enough to set this flag in the kubelet because the apiserver needs it too
+ if !utilfeature.DefaultFeatureGate.Enabled(features.PodShareProcessNamespace) {
+ framework.Skipf("run test with --feature-gates=PodShareProcessNamespace=true to test PID namespace sharing")
+ }
+
+ By("Create a pod with shared PID namespace.")
+ f.PodClient().CreateSync(&v1.Pod{
+ ObjectMeta: metav1.ObjectMeta{Name: "shared-pid-ns-test-pod"},
+ Spec: v1.PodSpec{
+ ShareProcessNamespace: &[]bool{true}[0],
+ Containers: []v1.Container{
+ {
+ Name: "test-container-1",
+ Image: "busybox",
+ Command: []string{"/bin/top"},
+ },
+ {
+ Name: "test-container-2",
+ Image: "busybox",
+ Command: []string{"/bin/sleep"},
+ Args: []string{"10000"},
+ },
+ },
+ },
+ })
+
+ By("Check if the process in one container is visible to the process in the other.")
+ pid1 := f.ExecCommandInContainer("shared-pid-ns-test-pod", "test-container-1", "/bin/pidof", "top")
+ pid2 := f.ExecCommandInContainer("shared-pid-ns-test-pod", "test-container-2", "/bin/pidof", "top")
+ if pid1 != pid2 {
+ framework.Failf("PIDs are not the same in different containers: test-container-1=%v, test-container-2=%v", pid1, pid2)
+ }
+ })
+ })
+
 Context("when creating a pod in the host PID namespace", func() {
 makeHostPidPod := func(podName, image string, command []string, hostPID bool) *v1.Pod {
 return &v1.Pod{
diff --git a/test/e2e_node/services/kubelet.go b/test/e2e_node/services/kubelet.go
index eef13623a4..b1f631e08e 100644
--- a/test/e2e_node/services/kubelet.go
+++ b/test/e2e_node/services/kubelet.go
@@ -258,7 +258,6 @@ func (e *E2EServices) startKubelet() (*server, error) {
 cmdArgs = append(cmdArgs, "--kubeconfig", kubeconfigPath, "--root-dir", KubeletRootDirectory, - "--docker-disable-shared-pid=false", "--v", LOG_VERBOSITY_LEVEL, "--logtostderr", "--allow-privileged", "true", )
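Review bot: The shared-namespace case in the security_context_test.go hunk passes whenever the two `pidof top` results are equal, including when both are empty, so it can go green without showing that test-container-2 actually sees the `top` process started in test-container-1. Whether `ExecCommandInContainer` already fails the test on a non-zero `pidof` exit is not visible here, so the check should not depend on it; as this is the regression guard for the pod PID-namespace boundary, tighten the condition to `if pid1 == "" || pid1 != pid2 {`. The comment above the feature-gate skip says the apiserver needs the flag too, but the check reads `utilfeature.DefaultFeatureGate`, which presumably reflects the test process's own gates; a comment such as `// Skip unless the test binary itself was started with the gate; kubelet and apiserver need it as well.` would say what is actually being tested (confirm against how the suite passes gates). The enclosing `KubeDescribe` closure starts before and continues after this hunk.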