scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-11-02 11:18:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Implement shared PID namespace in the dockershim

Browse Source
This commit is contained in:
Lee Verberne
2017-04-19 01:29:50 +00:00
parent 09747e6bee
commit d22dd0fa35
12 changed files with 114 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
pkg/kubelet/dockershim/security_context_test.go
View File

@@ -21,6 +21,7 @@ import (
"strconv"
"testing"
"github.com/blang/semver"
dockercontainer "github.com/docker/engine-api/types/container"
"github.com/stretchr/testify/assert"
@@ -172,12 +173,14 @@ func TestModifyHostConfigAndNamespaceOptionsForContainer(t *testing.T) {
Privileged: true,
IpcMode: dockercontainer.IpcMode(sandboxNSMode),
NetworkMode: dockercontainer.NetworkMode(sandboxNSMode),
PidMode: dockercontainer.PidMode(sandboxNSMode),
}
setCapsHC := &dockercontainer.HostConfig{
CapAdd: []string{"addCapA", "addCapB"},
CapDrop: []string{"dropCapA", "dropCapB"},
IpcMode: dockercontainer.IpcMode(sandboxNSMode),
NetworkMode: dockercontainer.NetworkMode(sandboxNSMode),
PidMode: dockercontainer.PidMode(sandboxNSMode),
}
setSELinuxHC := &dockercontainer.HostConfig{
SecurityOpt: []string{
@@ -188,6 +191,7 @@ func TestModifyHostConfigAndNamespaceOptionsForContainer(t *testing.T) {
},
IpcMode: dockercontainer.IpcMode(sandboxNSMode),
NetworkMode: dockercontainer.NetworkMode(sandboxNSMode),
PidMode: dockercontainer.PidMode(sandboxNSMode),
}
cases := []struct {
@@ -286,6 +290,7 @@ func TestModifyContainerNamespaceOptions(t *testing.T) {
NetworkMode: dockercontainer.NetworkMode(sandboxNSMode),
IpcMode: dockercontainer.IpcMode(sandboxNSMode),
UTSMode: namespaceModeHost,
PidMode: dockercontainer.PidMode(sandboxNSMode),
},
},
{
@@ -296,6 +301,7 @@ func TestModifyContainerNamespaceOptions(t *testing.T) {
expected: &dockercontainer.HostConfig{
NetworkMode: dockercontainer.NetworkMode(sandboxNSMode),
IpcMode: dockercontainer.IpcMode(sandboxNSMode),
PidMode: dockercontainer.PidMode(sandboxNSMode),
},
},
{
@@ -317,6 +323,63 @@ func TestModifyContainerNamespaceOptions(t *testing.T) {
}
}
func TestModifyContainerNamespacePIDOverride(t *testing.T) {
cases := []struct {
name string
disable bool
version *semver.Version
input, expected dockercontainer.PidMode
}{
{
name: "SharedPID.Enable",
disable: false,
version: &semver.Version{Major: 1, Minor: 26},
input: "container:sandbox",
expected: "container:sandbox",
},
{
name: "SharedPID.Disable",
disable: true,
version: &semver.Version{Major: 1, Minor: 26},
input: "container:sandbox",
expected: "",
},
{
name: "SharedPID.OldDocker",
disable: false,
version: &semver.Version{Major: 1, Minor: 25},
input: "container:sandbox",
expected: "",
},
{
name: "SharedPID.HostPid",
disable: true,
version: &semver.Version{Major: 1, Minor: 27},
input: "host",
expected: "host",
},
{
name: "SharedPID.DistantFuture",
disable: false,
version: &semver.Version{Major: 2, Minor: 10},
input: "container:sandbox",
expected: "container:sandbox",
},
{
name: "SharedPID.EmptyPidMode",
disable: true,
version: &semver.Version{Major: 1, Minor: 25},
input: "",
expected: "",
},
}
for _, tc := range cases {
dockerCfg := &dockercontainer.HostConfig{PidMode: tc.input}
modifyPIDNamespaceOverrides(tc.disable, tc.version, dockerCfg)
assert.Equal(t, tc.expected, dockerCfg.PidMode, "[Test case %q]", tc.name)
}
}
func fullValidSecurityContext() *runtimeapi.LinuxContainerSecurityContext {
return &runtimeapi.LinuxContainerSecurityContext{
Privileged: true,