• Filipe Brandenburger's avatar
    Skip NoNewPrivileges test when SELinux is enabled · 6d30b026
    Filipe Brandenburger authored
    A bug in the SELinux policy prevented NoNewPrivileges from working on
    Docker with SELinux support enabled.
    
    The problem has been fixed upstream:
    https://github.com/projectatomic/container-selinux/issues/45
    
    But hasn't been backported yet (a fix might come in RHEL 7.5)
    
    For now, let's skip the NoNewPrivileges test when SELinux support is
    enabled in Docker.
    
    Tested:
    
    - Before this commit, the test fails:
    
        $ make test-e2e-node REMOTE=true FOCUS="allow privilege escalation"
        (on a host with SELinux enabled)
    
        • [SLOW TEST:22.798 seconds] (passed)
        [k8s.io] Security Context
          when creating containers with AllowPrivilegeEscalation
            should allow privilege escalation when true
    
        • Failure [16.539 seconds]
        [k8s.io] Security Context
          when creating containers with AllowPrivilegeEscalation
            should not allow privilege escalation when false [It]
    
            wait for pod "alpine-nnp-false-aef03e47-0090-11e8-886f-42010af00009" to success
            Expected success, but got an error:
                <*errors.errorString | 0xc4204e26d0>: {
                    s: "pod \"alpine-nnp-false-aef03e47-0090-11e8-886f-42010af00009\" failed with reason: \"\", message: \"\"",
                }
                pod "alpine-nnp-false-aef03e47-0090-11e8-886f-42010af00009" failed with reason: "", message: ""
    
        • [SLOW TEST:26.572 seconds] (passed)
        [k8s.io] Security Context
          when creating containers with AllowPrivilegeEscalation
            should allow privilege escalation when not explicitly set and uid != 0
    
        Ran 3 of 257 Specs in 45.364 seconds
        FAIL! -- 2 Passed | 1 Failed | 0 Pending | 254 Skipped
    
        Ginkgo ran 1 suite in 49.389123442s
        Test Suite Failed
    
    - After this commit, the test is skipped:
    
        $ make test-e2e-node REMOTE=true FOCUS="allow privilege escalation"
        (on a host with SELinux enabled)
    
        S [SKIPPING] in Spec Setup (BeforeEach) [12.452 seconds]
        S [SKIPPING] in Spec Setup (BeforeEach) [16.298 seconds]
        S [SKIPPING] in Spec Setup (BeforeEach) [18.183 seconds]
    
        Ran 0 of 257 Specs in 39.174 seconds
        SUCCESS! -- 0 Passed | 0 Failed | 0 Pending | 257 Skipped
    
        Ginkgo ran 1 suite in 43.570630357s
        Test Suite Passed
    
    - No changes when SELinux is disabled:
    
        $ make test-e2e-node REMOTE=true FOCUS="allow privilege escalation"
        (on a host with SELinux disabled)
    
        • [SLOW TEST:15.013 seconds]
        [k8s.io] Security Context
          when creating containers with AllowPrivilegeEscalation
            should not allow privilege escalation when false
    
        • [SLOW TEST:19.155 seconds]
        [k8s.io] Security Context
          when creating containers with AllowPrivilegeEscalation
            should allow privilege escalation when true
    
        • [SLOW TEST:21.087 seconds]
        [k8s.io] Security Context
          when creating containers with AllowPrivilegeEscalation
            should allow privilege escalation when not explicitly set and uid != 0
    
        Ran 3 of 259 Specs in 38.560 seconds
        SUCCESS! -- 3 Passed | 0 Failed | 0 Pending | 256 Skipped
    
        Ginkgo ran 1 suite in 41.937918928s
        Test Suite Passed
    6d30b026
security_context_test.go 15.8 KB