Add tap plugin test

Test for the following PR: containernetworking/plugins#832 Signed-off-by: Marcelo Guerrero Viveros <marguerr@redhat.com>
mlguerrero12 · Feb 22, 2023 · 95f7e41 · 95f7e41
1 parent 663c570
commit 95f7e41
Show file tree

Hide file tree

Showing 2 changed files with 92 additions and 0 deletions.
diff --git a/test/extended/networking/tap.go b/test/extended/networking/tap.go
@@ -0,0 +1,90 @@
+package networking
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	exutil "github.com/openshift/origin/test/extended/util"
+	corev1 "k8s.io/api/core/v1"
+	kapiv1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clientset "k8s.io/client-go/kubernetes"
+	e2e "k8s.io/kubernetes/test/e2e/framework"
+	admissionapi "k8s.io/pod-security-admission/api"
+
+	nadtypes "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/apis/k8s.cni.cncf.io/v1"
+	g "github.com/onsi/ginkgo/v2"
+	o "github.com/onsi/gomega"
+)
+
+const nodeLabelSelectorWorker = "node-role.kubernetes.io/worker"
+
+var _ = g.Describe("[sig-network][Feature:tap]", func() {
+	oc := exutil.NewCLIWithPodSecurityLevel("tap", admissionapi.LevelBaseline)
+	f := oc.KubeFramework()
+
+	g.It(fmt.Sprintf("should create a pod with a tap interface [apigroup:k8s.cni.cncf.io]"), func() {
+		ns := f.Namespace.Name
+		podName := "pod1"
+		nadName := "nad-tap"
+		ifName := "tap1"
+		nadConfig := `{
+			"cniVersion":"0.4.0",
+			"name":"%s",
+			"type": "tap",
+			"selinuxcontext": "system_u:system_r:container_t:s0"
+		}`
+
+		g.By("enabling SEBoolean container_use_devices on the first worker")
+		worker := enableSEBooleanContainerUseDevicesFirstWorker(f.ClientSet, oc)
+
+		g.By("creating a network attachment definition")
+		err := createNetworkAttachmentDefinition(
+			oc.AdminConfig(),
+			ns,
+			nadName,
+			fmt.Sprintf(nadConfig, nadName),
+		)
+		o.Expect(err).NotTo(o.HaveOccurred(), "unable to create tap network-attachment-definition")
+
+		g.By("creating a pod on worker with container_use_devices on")
+		exutil.CreateExecPodOrFail(f.ClientSet, ns, podName, func(pod *kapiv1.Pod) {
+			tapAnnotation := fmt.Sprintf("%s/%s@%s", ns, nadName, ifName)
+			pod.ObjectMeta.Annotations = map[string]string{"k8s.v1.cni.cncf.io/networks": fmt.Sprintf("%s", tapAnnotation)}
+			pod.Spec.NodeSelector = worker.Labels
+		})
+		pod, err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).Get(context.TODO(), podName, metav1.GetOptions{})
+		o.Expect(err).ToNot(o.HaveOccurred())
+
+		g.By("checking annotations")
+		networkStatusString, ok := pod.Annotations["k8s.v1.cni.cncf.io/network-status"]
+		o.Expect(ok).To(o.BeTrue())
+		o.Expect(networkStatusString).ToNot(o.BeNil())
+
+		var networkStatuses []nadtypes.NetworkStatus
+		o.Expect(json.Unmarshal([]byte(networkStatusString), &networkStatuses)).ToNot(o.HaveOccurred())
+		o.Expect(networkStatuses).To(o.HaveLen(2))
+		o.Expect(networkStatuses[1].Interface).To(o.Equal(ifName))
+		o.Expect(networkStatuses[1].Name).To(o.Equal(fmt.Sprintf("%s/%s", ns, nadName)))
+	})
+})
+
+func enableSEBooleanContainerUseDevicesFirstWorker(c clientset.Interface, oc *exutil.CLI) *corev1.Node {
+	// Fetch worker nodes.
+	workerNodes, err := c.CoreV1().Nodes().List(context.Background(), metav1.ListOptions{
+		LabelSelector: nodeLabelSelectorWorker,
+	})
+	o.Expect(err).NotTo(o.HaveOccurred())
+	if len(workerNodes.Items) == 0 {
+		e2e.Failf("cluster should have nodes")
+	}
+
+	// Enable SEBoolean on first worker.
+	_, err = exutil.ExecCommandOnMachineConfigDaemon(c, oc, &workerNodes.Items[0], []string{
+		"sh", "-c", "nsenter --mount=/proc/1/ns/mnt -- sh -c 'setsebool container_use_devices 1'",
+	})
+	o.Expect(err).NotTo(o.HaveOccurred())
+
+	return &workerNodes.Items[0]
+}
diff --git a/test/extended/util/annotate/generated/zz_generated.annotations.go b/test/extended/util/annotate/generated/zz_generated.annotations.go