From ca7be7dc6d566980f5bfc85add965d40d55a269c Mon Sep 17 00:00:00 2001
From: "Dr. Stefan Schimanski"
Date: Mon, 6 Jun 2016 14:05:26 +0200
Subject: [PATCH] Add e2e tests for seccomp
---
 test/e2e/security_context.go | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/test/e2e/security_context.go b/test/e2e/security_context.go
index a0d41b5f3f..af9d3bac33 100644
--- a/test/e2e/security_context.go
+++ b/test/e2e/security_context.go
@@ -37,8 +37,9 @@ func scTestPod(hostIPC bool, hostPID bool) *api.Pod {
 podName := "security-context-" + string(util.NewUUID())
 pod := &api.Pod{
 ObjectMeta: api.ObjectMeta{
- Name: podName,
- Labels: map[string]string{"name": podName},
+ Name: podName,
+ Labels: map[string]string{"name": podName},
+ Annotations: map[string]string{},
 },
 Spec: api.PodSpec{
 SecurityContext: &api.PodSecurityContext{
@@ -106,6 +107,37 @@ var _ = framework.KubeDescribe("Security Context [Feature:SecurityContext]", fun
 testPodSELinuxLabeling(f, false, true)
 })
+ It("should support seccomp alpha unconfined annotation on the container [Feature:Seccomp]", func() {
+ // TODO: port to SecurityContext as soon as seccomp is out of alpha
+ pod := scTestPod(false, false)
+ pod.Annotations["container.seccomp.security.alpha.kubernetes.io/test-container"] = "unconfined"
+ pod.Annotations["seccomp.security.alpha.kubernetes.io/pod"] = "docker/default"
+ pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
+ f.TestContainerOutput("pod.Spec.SecurityContext.Seccomp", pod, 0, []string{"0"}) // seccomp disabled
+ })
+
+ It("should support seccomp alpha unconfined annotation on the pod [Feature:Seccomp]", func() {
+ // TODO: port to SecurityContext as soon as seccomp is out of alpha
+ pod := scTestPod(false, false)
+ pod.Annotations["seccomp.security.alpha.kubernetes.io/pod"] = "unconfined"
+ pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
+ f.TestContainerOutput("pod.Spec.SecurityContext.Seccomp", pod, 0, []string{"0"}) // seccomp disabled
+ })
+
+ It("should support seccomp alpha docker/default annotation [Feature:Seccomp]", func() {
+ // TODO: port to SecurityContext as soon as seccomp is out of alpha
+ pod := scTestPod(false, false)
+ pod.Annotations["container.seccomp.security.alpha.kubernetes.io/test-container"] = "docker/default"
+ pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
+ f.TestContainerOutput("pod.Spec.SecurityContext.Seccomp", pod, 0, []string{"2"}) // seccomp filtered
+ })
+
+ It("should support seccomp default which is unconfined [Feature:Seccomp]", func() {
+ // TODO: port to SecurityContext as soon as seccomp is out of alpha
+ pod := scTestPod(false, false)
+ pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
+ f.TestContainerOutput("pod.Spec.SecurityContext.Seccomp", pod, 0, []string{"0"}) // seccomp disabled
+ })
 })
 func testPodSELinuxLabeling(f *framework.Framework, hostIPC bool, hostPID bool) {
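Review bot: The four added cases read the seccomp state with `grep ecc /proc/self/status` and then expect a bare `"0"` or `"2"`, which is a loose assertion for a security control. The pattern matches any status line containing "ecc", and if TestContainerOutput compares by substring (its implementation is not in this hunk) a single digit can be satisfied by unrelated output; anchoring both sides, e.g. `[]string{"grep", "^Seccomp:", "/proc/self/status"}` with expectations `"Seccomp:\t0"` / `"Seccomp:\t2"` (assuming the usual tab-separated layout), would pin the field being asserted. Precedence is also covered in one direction only, container `unconfined` over pod `docker/default`; the reverse case, a container set to `docker/default` under a pod-level `unconfined`, is the one that shows a container can tighten its profile and is worth adding. The enclosing KubeDescribe closure begins outside the hunk.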