richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Use agnhost instead of busybox for network test (#9390) 

busybox container requires a root permission for ping.
For testing hardening method at CI, we need to switch to another image
which doesn't require the root permission for network testing.
On kubernetes/kubernetes repo, we are using agnhost which doesn't
require it. So this makes the test use aghhost image.

In addition, this updates the test manifest to specify securityContext
without any privilege.
pull/9392/head
Kenichi Omichi 2 years ago
committed by GitHub
parent
23716b0eff
commit
72b45eec2e
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 31 additions and 10 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 41
      tests/testcases/030_check-network.yml

41
tests/testcases/030_check-network.yml
View File

@ -1,8 +1,8 @@
--- ---
- hosts: kube_control_plane[0] - hosts: kube_control_plane[0]
vars: vars:
test_image_repo: registry.k8s.io/busybox
test_image_tag: latest
test_image_repo: registry.k8s.io/e2e-test-images/agnhost
test_image_tag: "2.40"
tasks: tasks:
- name: Force binaries directory for Flatcar Container Linux by Kinvolk - name: Force binaries directory for Flatcar Container Linux by Kinvolk
@ -53,12 +53,33 @@
retries: 5 retries: 5
delay: 5 delay: 5
- name: Run 2 busybox pods in test ns
command: "{{ bin_dir }}/kubectl run {{ item }} --image={{ test_image_repo }}:{{ test_image_tag }} --namespace test --command -- tail -f /dev/null"
- name: Run 2 agnhost pods in test ns
shell:
cmd: |
cat <<EOF | {{ bin_dir }}/kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
name: {{ item }}
namespace: test
spec:
containers:
- name: agnhost
image: {{ test_image_repo }}:{{ test_image_tag }}
command: ['/agnhost', 'netexec', '--http-port=8080']
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ['ALL']
runAsUser: 1000
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
EOF
changed_when: false changed_when: false
loop: loop:
- busybox1
- busybox2
- agnhost1
- agnhost2
- import_role: # noqa unnamed-task - import_role: # noqa unnamed-task
name: cluster-dump name: cluster-dump
@ -131,8 +152,8 @@
- item in pods_running - item in pods_running
with_items: "{{ pod_ips }}" with_items: "{{ pod_ips }}"
- name: Ping between pods is working
command: "{{ bin_dir }}/kubectl -n test exec {{ item[0] }} -- ping -c 4 {{ item[1] }}"
- name: Curl between pods is working
command: "{{ bin_dir }}/kubectl -n test exec {{ item[0] }} -- curl {{ item[1] }}:8080"
when: when:
- not item[0] in pods_hostnet - not item[0] in pods_hostnet
- not item[1] in pods_hostnet - not item[1] in pods_hostnet
@ -140,8 +161,8 @@
- "{{ pod_names }}" - "{{ pod_names }}"
- "{{ pod_ips }}" - "{{ pod_ips }}"
- name: Ping between hostnet pods is working
command: "{{ bin_dir }}/kubectl -n test exec {{ item[0] }} -- ping -c 4 {{ item[1] }}"
- name: Curl between hostnet pods is working
command: "{{ bin_dir }}/kubectl -n test exec {{ item[0] }} -- curl {{ item[1] }}:8080"
when: when:
- item[0] in pods_hostnet - item[0] in pods_hostnet
- item[1] in pods_hostnet - item[1] in pods_hostnet

Write Preview
Loading…
Cancel
Save