package container_patch

import (
	"fmt"

	"github.com/gruntwork-io/terratest/modules/k8s"
	. "github.com/onsi/ginkgo/v2"
	. "github.com/onsi/gomega"
	kube_core "k8s.io/api/core/v1"

	k8s_util "github.com/kumahq/kuma/pkg/plugins/runtime/k8s/util"
	. "github.com/kumahq/kuma/test/framework"
	"github.com/kumahq/kuma/test/framework/deployments/testserver"
	"github.com/kumahq/kuma/test/framework/envs/kubernetes"
)

// ContainerPatch registers the Kubernetes end-to-end specs for the
// ContainerPatch resource.
//
// Setup installs two patches into Config.KumaNamespace: container-patch-1 adds
// /securityContext/privileged to the sidecar, and container-patch-2 removes
// /securityContext/runAsUser from the init container. One test server
// references both patches through the kuma.io/container-patches pod
// annotation; a second test server carries no annotation and is the baseline.
//
// Security relevance: container-patch-1 makes the sidecar a privileged
// container, so the right to create ContainerPatch objects is effectively the
// right to loosen the sidecar's security context. The last spec checks that
// applying such a patch to the workload namespace fails.
func ContainerPatch() {
	const (
		namespace        = "container-patch"
		mesh             = "container-patch"
		appName          = "test-service"
		appNameWithPatch = "test-service-patched"
	)

	// Manifest templates; the single %s verb receives the target namespace.
	// NOTE(review): the patch value is written as the quoted string "true";
	// presumably the resource expects string-encoded values — confirm against
	// the ContainerPatch schema.
	const sidecarPatchTmpl = `apiVersion: kuma.io/v1alpha1
kind: ContainerPatch
metadata:
  namespace: %s
  name: container-patch-1
spec:
  sidecarPatch:
    - op: add
      path: /securityContext/privileged
      value: "true"`
	const initPatchTmpl = `apiVersion: kuma.io/v1alpha1
kind: ContainerPatch
metadata:
  namespace: %s
  name: container-patch-2
spec:
  initPatch:
    - op: remove
      path: /securityContext/runAsUser`

	// containerPatch renders container-patch-1 (privileged sidecar) for ns.
	containerPatch := func(ns string) string {
		return fmt.Sprintf(sidecarPatchTmpl, ns)
	}
	// containerPatch2 renders container-patch-2 (runAsUser removed from the
	// init container) for ns.
	containerPatch2 := func(ns string) string {
		return fmt.Sprintf(initPatchTmpl, ns)
	}

	// podOfApp looks up the pod that backs app in the test namespace and
	// fetches it. Offset 1 keeps failure locations on the calling spec line.
	podOfApp := func(app string) *kube_core.Pod {
		name, err := PodNameOfApp(kubernetes.Cluster, app, namespace)
		ExpectWithOffset(1, err).ToNot(HaveOccurred())
		fetched, err := k8s.GetPodE(kubernetes.Cluster.GetTesting(), kubernetes.Cluster.GetKubectlOptions(namespace), name)
		ExpectWithOffset(1, err).ToNot(HaveOccurred())
		return fetched
	}

	// sidecarOf returns the container expected to be kuma-sidecar: the first
	// regular container when the pod has two of them, otherwise the second
	// init container (which must then exist).
	sidecarOf := func(p *kube_core.Pod) kube_core.Container {
		if len(p.Spec.Containers) == 2 {
			return p.Spec.Containers[0]
		}
		ExpectWithOffset(1, p.Spec.InitContainers).To(HaveLen(2))
		return p.Spec.InitContainers[1]
	}

	// Projections handed to WithTransform by both sidecar matchers.
	containerName := func(c kube_core.Container) string { return c.Name }
	privilegedFlag := func(c kube_core.Container) *bool { return c.SecurityContext.Privileged }

	BeforeAll(func() {
		// Only the patched server opts in; the annotation lists patches by name.
		patchAnnotations := map[string]string{"kuma.io/container-patches": "container-patch-1,container-patch-2"}

		err := NewClusterSetup().
			Install(NamespaceWithSidecarInjection(namespace)).
			Install(YamlK8s(containerPatch(Config.KumaNamespace))).
			Install(YamlK8s(containerPatch2(Config.KumaNamespace))).
			Install(MeshKubernetes(mesh)).
			Install(testserver.Install(
				testserver.WithNamespace(namespace),
				testserver.WithMesh(mesh),
				testserver.WithName(appNameWithPatch),
				testserver.WithPodAnnotations(patchAnnotations),
			)).
			Install(testserver.Install(
				testserver.WithNamespace(namespace),
				testserver.WithMesh(mesh),
				testserver.WithName(appName),
			)).
			Setup(kubernetes.Cluster)
		Expect(err).ToNot(HaveOccurred())
	})

	E2EAfterAll(func() {
		Expect(kubernetes.Cluster.TriggerDeleteNamespace(namespace)).To(Succeed())
		Expect(kubernetes.Cluster.DeleteMesh(mesh)).To(Succeed())
	})

	It("should apply container patch to kubernetes configuration", func() {
		// Baseline: the pod that references no patch.
		plain := podOfApp(appName)

		Expect(plain.Spec.InitContainers).To(Or(HaveLen(1), HaveLen(2)))
		// The unpatched init container is expected to keep runAsUser set to 0.
		var defaultRunAsUser int64
		Expect(plain.Spec.InitContainers[0].SecurityContext.RunAsUser).To(Equal(&defaultRunAsUser))
		Expect(plain.Spec.Containers).To(Or(HaveLen(2), HaveLen(1)))
		// Without the patch the sidecar must not carry a privileged flag at all.
		beSidecarWithoutPrivileged := And(
			WithTransform(containerName, BeEquivalentTo(k8s_util.KumaSidecarContainerName)),
			WithTransform(privilegedFlag, BeNil()),
		)
		Expect(sidecarOf(plain)).To(beSidecarWithoutPrivileged)

		// Patched: the pod annotated with both patch names.
		patched := podOfApp(appNameWithPatch)

		privileged := true
		Expect(patched.Spec.InitContainers).To(Or(HaveLen(1), HaveLen(2)))
		// container-patch-2 removed runAsUser, so the field must be unset.
		Expect(patched.Spec.InitContainers[0].SecurityContext.RunAsUser).To(BeNil())
		Expect(patched.Spec.Containers).To(Or(HaveLen(2), HaveLen(1)))
		// container-patch-1 must have made the sidecar privileged.
		beSidecarWithPrivileged := And(
			WithTransform(containerName, BeEquivalentTo(k8s_util.KumaSidecarContainerName)),
			WithTransform(privilegedFlag, Equal(&privileged)),
		)
		Expect(sidecarOf(patched)).To(beSidecarWithPrivileged)
	})

	It("should reject ContainerPatch in non-system namespace", func() {
		// The same privileged-sidecar patch, aimed at the workload namespace
		// instead of Config.KumaNamespace.
		manifest := containerPatch(namespace)
		err := k8s.KubectlApplyFromStringE(kubernetes.Cluster.GetTesting(), kubernetes.Cluster.GetKubectlOptions(), manifest)

		// NOTE(review): HaveOccurred() is satisfied by any kubectl failure
		// (API server unreachable, CRD not installed), not only by the
		// namespace rejection. Matching on the rejection message would make
		// this a dependable regression test for the restriction.
		Expect(err).To(HaveOccurred())
	})
}