2020package integration
2121
2222import (
23+ "fmt"
2324 "os"
2425 "path/filepath"
2526 "testing"
@@ -31,49 +32,98 @@ import (
3132)
3233
3334func TestAdditionalGids (t * testing.T ) {
34- testPodLogDir , err := os .MkdirTemp ("/tmp" , "additional-gids" )
35- require .NoError (t , err )
36- defer os .RemoveAll (testPodLogDir )
35+ testImage := GetImage (BusyBox )
36+ EnsureImageExists (t , testImage )
37+ type testCase struct {
38+ description string
39+ opts []ContainerOpts
40+ expected string
41+ }
3742
38- t .Log ("Create a sandbox with log directory" )
39- sb , sbConfig := PodSandboxConfigWithCleanup (t , "sandbox" , "additional-gids" ,
40- WithPodLogDirectory (testPodLogDir ))
43+ testCases := []testCase {
44+ {
45+ description : "Equivalent of `docker run` (no option)" ,
46+ opts : nil ,
47+ expected : "groups=0(root),10(wheel)" ,
48+ },
49+ {
50+ description : "Equivalent of `docker run --group-add 1 --group-add 1234`" ,
51+ opts : []ContainerOpts {WithSupplementalGroups ([]int64 {1 /*daemon*/ , 1234 /*new group*/ })},
52+ expected : "groups=0(root),1(daemon),10(wheel),1234" ,
53+ },
54+ {
55+ description : "Equivalent of `docker run --user 1234`" ,
56+ opts : []ContainerOpts {WithRunAsUser (1234 )},
57+ expected : "groups=0(root)" ,
58+ },
59+ {
60+ description : "Equivalent of `docker run --user 1234:1234`" ,
61+ opts : []ContainerOpts {WithRunAsUser (1234 ), WithRunAsGroup (1234 )},
62+ expected : "groups=1234" ,
63+ },
64+ {
65+ description : "Equivalent of `docker run --user 1234 --group-add 1234`" ,
66+ opts : []ContainerOpts {WithRunAsUser (1234 ), WithSupplementalGroups ([]int64 {1234 })},
67+ expected : "groups=0(root),1234" ,
68+ },
69+ {
70+ description : "Equivalent of `docker run --user daemon` (Supported by CRI, although unsupported by kube-apiserver)" ,
71+ opts : []ContainerOpts {WithRunAsUsername ("daemon" )},
72+ expected : "groups=1(daemon)" ,
73+ },
74+ {
75+ description : "Equivalent of `docker run --user daemon --group-add 1234` (Supported by CRI, although unsupported by kube-apiserver)" ,
76+ opts : []ContainerOpts {WithRunAsUsername ("daemon" ), WithSupplementalGroups ([]int64 {1234 })},
77+ expected : "groups=1(daemon),1234" ,
78+ },
79+ }
4180
42- var (
43- testImage = GetImage (BusyBox )
44- containerName = "test-container"
45- )
81+ for i , tc := range testCases {
82+ i , tc := i , tc
83+ tBasename := fmt .Sprintf ("case-%d" , i )
84+ t .Run (tBasename , func (t * testing.T ) {
85+ t .Log (tc .description )
86+ t .Logf ("Expected=%q" , tc .expected )
4687
47- EnsureImageExists (t , testImage )
88+ testPodLogDir := t .TempDir ()
89+
90+ t .Log ("Create a sandbox with log directory" )
91+ sb , sbConfig := PodSandboxConfigWithCleanup (t , "sandbox" , tBasename ,
92+ WithPodLogDirectory (testPodLogDir ))
93+
94+ t .Log ("Create a container to print id" )
95+ containerName := tBasename
96+ cnConfig := ContainerConfig (
97+ containerName ,
98+ testImage ,
99+ append (
100+ []ContainerOpts {
101+ WithCommand ("id" ),
102+ WithLogPath (containerName ),
103+ }, tc .opts ... )... ,
104+ )
105+ cn , err := runtimeService .CreateContainer (sb , cnConfig , sbConfig )
106+ require .NoError (t , err )
107+
108+ t .Log ("Start the container" )
109+ require .NoError (t , runtimeService .StartContainer (cn ))
110+
111+ t .Log ("Wait for container to finish running" )
112+ require .NoError (t , Eventually (func () (bool , error ) {
113+ s , err := runtimeService .ContainerStatus (cn )
114+ if err != nil {
115+ return false , err
116+ }
117+ if s .GetState () == runtime .ContainerState_CONTAINER_EXITED {
118+ return true , nil
119+ }
120+ return false , nil
121+ }, time .Second , 30 * time .Second ))
48122
49- t .Log ("Create a container to print id" )
50- cnConfig := ContainerConfig (
51- containerName ,
52- testImage ,
53- WithCommand ("id" ),
54- WithLogPath (containerName ),
55- WithSupplementalGroups ([]int64 {1 /*daemon*/ , 1234 /*new group*/ }),
56- )
57- cn , err := runtimeService .CreateContainer (sb , cnConfig , sbConfig )
58- require .NoError (t , err )
59-
60- t .Log ("Start the container" )
61- require .NoError (t , runtimeService .StartContainer (cn ))
62-
63- t .Log ("Wait for container to finish running" )
64- require .NoError (t , Eventually (func () (bool , error ) {
65- s , err := runtimeService .ContainerStatus (cn )
66- if err != nil {
67- return false , err
68- }
69- if s .GetState () == runtime .ContainerState_CONTAINER_EXITED {
70- return true , nil
71- }
72- return false , nil
73- }, time .Second , 30 * time .Second ))
74-
75- t .Log ("Search additional groups in container log" )
76- content , err := os .ReadFile (filepath .Join (testPodLogDir , containerName ))
77- assert .NoError (t , err )
78- assert .Contains (t , string (content ), "groups=1(daemon),10(wheel),1234" )
123+ t .Log ("Search additional groups in container log" )
124+ content , err := os .ReadFile (filepath .Join (testPodLogDir , containerName ))
125+ assert .NoError (t , err )
126+ assert .Contains (t , string (content ), tc .expected + "\n " )
127+ })
128+ }
79129}
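Review bot: In the last step of each subtest the `os.ReadFile` error is checked with `assert.NoError`, so a missing or unreadable container log still falls through to `assert.Contains` on empty content, and the failure reads as a wrong group list rather than a missing log. `require.NoError(t, err)` at that point would stop the subtest at the real cause. The `expected` strings in `testCases` also appear to depend on the BusyBox image's own `/etc/group` (root listed in wheel, daemon as gid 1), which the table does not state. A comment above the table such as `// expected = the resolved user's groups from the image's /etc/group plus the requested supplemental groups; a numeric --user with no entry there must not inherit root's wheel membership` would record the invariant these cases protect. The trailing newline appended to `tc.expected` is what rejects an unexpected extra group at the end of the list and deserves a short why-comment as well.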