Use agnhost instead of busybox for network test (#9390)

The busybox container requires root permission for ping.
For testing the hardening method in CI, we need to switch to another image
which doesn't require root permission for network testing.
On the kubernetes/kubernetes repo, we are using agnhost, which doesn't
require it. So this makes the test use the agnhost image.

In addition, this updates the test manifest to specify securityContext
without any privilege.
Kenichi Omichi 2022-10-14 22:10:46 +09:00 committed by GitHub
parent 23716b0eff
commit 72b45eec2e
1 changed files with 31 additions and 10 deletions


@ -1,8 +1,8 @@
--- ---
- hosts: kube_control_plane[0] - hosts: kube_control_plane[0]
vars: vars:
test_image_repo: registry.k8s.io/busybox test_image_repo: registry.k8s.io/e2e-test-images/agnhost
test_image_tag: latest test_image_tag: "2.40"
tasks: tasks:
- name: Force binaries directory for Flatcar Container Linux by Kinvolk - name: Force binaries directory for Flatcar Container Linux by Kinvolk
@ -53,12 +53,33 @@
retries: 5 retries: 5
delay: 5 delay: 5
- name: Run 2 busybox pods in test ns - name: Run 2 agnhost pods in test ns
command: "{{ bin_dir }}/kubectl run {{ item }} --image={{ test_image_repo }}:{{ test_image_tag }} --namespace test --command -- tail -f /dev/null" shell:
cmd: |
cat <<EOF | {{ bin_dir }}/kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
name: {{ item }}
namespace: test
spec:
containers:
- name: agnhost
image: {{ test_image_repo }}:{{ test_image_tag }}
command: ['/agnhost', 'netexec', '--http-port=8080']
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ['ALL']
runAsUser: 1000
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
EOF
changed_when: false changed_when: false
loop: loop:
- busybox1 - agnhost1
- busybox2 - agnhost2
- import_role: # noqa unnamed-task - import_role: # noqa unnamed-task
name: cluster-dump name: cluster-dump
@ -131,8 +152,8 @@
- item in pods_running - item in pods_running
with_items: "{{ pod_ips }}" with_items: "{{ pod_ips }}"
- name: Ping between pods is working - name: Curl between pods is working
command: "{{ bin_dir }}/kubectl -n test exec {{ item[0] }} -- ping -c 4 {{ item[1] }}" command: "{{ bin_dir }}/kubectl -n test exec {{ item[0] }} -- curl {{ item[1] }}:8080"
when: when:
- not item[0] in pods_hostnet - not item[0] in pods_hostnet
- not item[1] in pods_hostnet - not item[1] in pods_hostnet
@ -140,8 +161,8 @@
- "{{ pod_names }}" - "{{ pod_names }}"
- "{{ pod_ips }}" - "{{ pod_ips }}"
- name: Ping between hostnet pods is working - name: Curl between hostnet pods is working
command: "{{ bin_dir }}/kubectl -n test exec {{ item[0] }} -- ping -c 4 {{ item[1] }}" command: "{{ bin_dir }}/kubectl -n test exec {{ item[0] }} -- curl {{ item[1] }}:8080"
when: when:
- item[0] in pods_hostnet - item[0] in pods_hostnet
- item[1] in pods_hostnet - item[1] in pods_hostnet
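Review bot: The replacement `curl {{ item[1] }}:8080` in the two connectivity tasks (hunks at `@ -131` and `@ -140`) runs with no timeout and no `--fail`, so a pod that accepts the connection but answers with an HTTP error still passes, and a half-open connection can hang the `kubectl exec` indefinitely where `ping -c 4` was bounded; prefer `curl -sSf --max-time 10 {{ item[1] }}:8080`. If `pod_ips` can contain IPv6 addresses the host must be bracketed (`[{{ item[1] }}]:8080`) or curl will misparse the port — that depends on how `pod_ips` is built outside this diff. The `securityContext` in the new manifest does satisfy the restricted Pod Security Standard (non-root UID, all capabilities dropped, no privilege escalation, RuntimeDefault seccomp); `readOnlyRootFilesystem: true` could be added as well if `agnhost netexec` does not need a writable filesystem. Pinning `test_image_tag` to `"2.40"` is an improvement over `latest`, but a mutable tag can still be re-pushed, so pinning by `@sha256:` digest would give CI a reproducible image.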