mirror of
https://github.com/kubernetes/kubernetes.git
synced 2026-03-24 03:15:23 -04:00
158 lines
7.1 KiB
Go
158 lines
7.1 KiB
Go
/*
|
|
Copyright 2025 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package e2enode
|
|
|
|
import (
|
|
"context"
|
|
"path"
|
|
|
|
"github.com/onsi/ginkgo/v2"
|
|
"github.com/onsi/gomega"
|
|
|
|
v1 "k8s.io/api/core/v1"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
internalapi "k8s.io/cri-api/pkg/apis"
|
|
runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
|
|
"k8s.io/kubernetes/pkg/features"
|
|
kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
|
|
admissionapi "k8s.io/pod-security-admission/api"
|
|
|
|
e2ecommonnode "k8s.io/kubernetes/test/e2e/common/node"
|
|
"k8s.io/kubernetes/test/e2e/framework"
|
|
e2eregistry "k8s.io/kubernetes/test/e2e/framework/registry"
|
|
)
|
|
|
|
var _ = SIGDescribe("Ensure Credential Pulled Images", func() {
|
|
f := framework.NewDefaultFramework("ensure-credential-pulled-images")
|
|
f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
|
|
var is internalapi.ImageManagerService
|
|
|
|
framework.Describe("pulling images with credentials", framework.WithFeatureGate(features.KubeletEnsureSecretPulledImages), framework.WithSerial(), func() {
|
|
var registryAddress string
|
|
var testImage string
|
|
var testImageID string
|
|
var testSecret *v1.Secret
|
|
var testNode string
|
|
|
|
ginkgo.BeforeEach(func(ctx context.Context) {
|
|
var err error
|
|
_, is, err = getCRIClient(ctx)
|
|
framework.ExpectNoError(err)
|
|
|
|
var registryNodeNames []string
|
|
registryAddress, registryNodeNames, err = e2eregistry.SetupRegistry(ctx, f, true)
|
|
framework.ExpectNoError(err)
|
|
gomega.Expect(registryNodeNames).ToNot(gomega.BeEmpty(), "registry should run on at least one node")
|
|
// this is to wait for the complete removal of all registry pods between tests
|
|
ginkgo.DeferCleanup(func(ctx context.Context) {
|
|
f.DeleteNamespace(ctx, f.Namespace.Name)
|
|
})
|
|
|
|
testImage = path.Join(registryAddress, "pause:testing")
|
|
_ = is.RemoveImage(ctx, &runtimeapi.ImageSpec{Image: testImage})
|
|
|
|
testSecret = e2eregistry.User1DockerSecret(registryAddress)
|
|
testSecret.GenerateName = f.UniqueName
|
|
testSecret, err = f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(ctx, testSecret, metav1.CreateOptions{})
|
|
framework.ExpectNoError(err)
|
|
// Use the registry node for scheduling - in node e2e tests, this is the single test node
|
|
testNode = registryNodeNames[0]
|
|
// PullAlways pull policy will force an ImagePulledRecord to be created
|
|
origPod := e2ecommonnode.ImagePullTest(ctx, f, testImage, v1.PullAlways, testSecret, testNode, v1.PodRunning, false)
|
|
gomega.Expect(origPod.Spec.NodeName).To(gomega.Equal(testNode), "pod should be scheduled on the expected node")
|
|
|
|
testImgStatus, err := is.ImageStatus(ctx, &runtimeapi.ImageSpec{Image: testImage}, false)
|
|
framework.ExpectNoError(err)
|
|
testImageID = testImgStatus.Image.Id
|
|
})
|
|
|
|
for _, credsPolicy := range []kubeletconfig.ImagePullCredentialsVerificationPolicy{
|
|
kubeletconfig.NeverVerifyPreloadedImages,
|
|
kubeletconfig.AlwaysVerify,
|
|
kubeletconfig.NeverVerifyAllowlistedImages,
|
|
kubeletconfig.NeverVerify,
|
|
} {
|
|
framework.Context(string(credsPolicy), func() {
|
|
tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
|
|
initialConfig.ImagePullCredentialsVerificationPolicy = string(credsPolicy)
|
|
})
|
|
|
|
for _, pullPolicy := range []v1.PullPolicy{v1.PullIfNotPresent, v1.PullNever} {
|
|
framework.Context(string(pullPolicy), func() {
|
|
statusOnInvalidCreds := v1.PodPending
|
|
pullingOnInvalidCreds := true
|
|
if credsPolicy == kubeletconfig.NeverVerify {
|
|
statusOnInvalidCreds = v1.PodRunning
|
|
pullingOnInvalidCreds = false
|
|
}
|
|
|
|
framework.It("pod without PullSecret accessing previously pulled private image", func(ctx context.Context) {
|
|
_ = e2ecommonnode.ImagePullTest(ctx, f, testImage, pullPolicy, nil, testNode, statusOnInvalidCreds, pullingOnInvalidCreds)
|
|
})
|
|
framework.It("pod with invalid PullSecret accessing previously pulled private image", func(ctx context.Context) {
|
|
invalidSecret, err := f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(ctx, &v1.Secret{
|
|
ObjectMeta: metav1.ObjectMeta{GenerateName: f.UniqueName},
|
|
Type: v1.SecretTypeDockerConfigJson,
|
|
Data: map[string][]byte{
|
|
v1.DockerConfigJsonKey: []byte(`{"auths":{"somerepo.com": {"auth": "aW52YWxpZHVzZXI6aW52YWxpZHBhc3N3b3Jk"}}}`),
|
|
},
|
|
}, metav1.CreateOptions{})
|
|
framework.ExpectNoError(err)
|
|
|
|
_ = e2ecommonnode.ImagePullTest(ctx, f, testImage, pullPolicy, invalidSecret, testNode, statusOnInvalidCreds, pullingOnInvalidCreds)
|
|
})
|
|
framework.It("pod with the same PullSecret accessing previously pulled image", func(ctx context.Context) {
|
|
_ = e2ecommonnode.ImagePullTest(ctx, f, testImage, pullPolicy, testSecret, testNode, v1.PodRunning, false)
|
|
})
|
|
framework.It("pod with the same credentials in a different secret accessing previously pulled image", func(ctx context.Context) {
|
|
newSecret := testSecret.DeepCopy()
|
|
newSecret.Name = ""
|
|
newSecret.ResourceVersion = ""
|
|
newSecret.GenerateName = f.UniqueName
|
|
newSecret, err := f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(ctx, newSecret, metav1.CreateOptions{})
|
|
framework.ExpectNoError(err)
|
|
_ = e2ecommonnode.ImagePullTest(ctx, f, testImage, pullPolicy, newSecret, testNode, v1.PodRunning, false)
|
|
})
|
|
|
|
switch credsPolicy {
|
|
case kubeletconfig.NeverVerifyAllowlistedImages:
|
|
framework.Context("[NeverVerifyAllowListedImages specific tests]", func() {
|
|
tempRemoveImagePulledRecord(f, &testImageID)
|
|
tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
|
|
initialConfig.ImagePullCredentialsVerificationPolicy = string(credsPolicy)
|
|
initialConfig.PreloadedImagesVerificationAllowlist = []string{path.Join(registryAddress, "pause")}
|
|
})
|
|
|
|
framework.It("pod without PullSecret accessing previously pulled private image which is allowlisted", func(ctx context.Context) {
|
|
_ = e2ecommonnode.ImagePullTest(ctx, f, testImage, pullPolicy, nil, testNode, v1.PodRunning, false)
|
|
})
|
|
})
|
|
case kubeletconfig.NeverVerifyPreloadedImages:
|
|
framework.Context("[NeverVerifyPreloadedImages specific tests]", func() {
|
|
tempRemoveImagePulledRecord(f, &testImageID)
|
|
|
|
framework.It("pod without PullSecret accessing a preloaded image", func(ctx context.Context) {
|
|
_ = e2ecommonnode.ImagePullTest(ctx, f, testImage, pullPolicy, nil, testNode, v1.PodRunning, false)
|
|
})
|
|
})
|
|
} // switch credsPolicy
|
|
}) // framework.Context(pullPolicy)
|
|
} // for pullPolicy
|
|
}) // framework.Context(credsPolicy)
|
|
} // for credsPolicy
|
|
}) // framework.Describe()
|
|
})
|