|
1 | 1 | package agent |
2 | 2 |
|
3 | 3 | import ( |
| 4 | + "fmt" |
4 | 5 | "testing" |
5 | 6 |
|
6 | 7 | "k8s.io/utils/ptr" |
@@ -216,6 +217,48 @@ func TestDefaultSyscallsForSystemProbe(t *testing.T) { |
216 | 217 | } |
217 | 218 | } |
218 | 219 |
|
| 220 | +func TestHostProfilerContainer(t *testing.T) { |
| 221 | + dda := &metav1.ObjectMeta{Name: "foo", Namespace: "default", Labels: map[string]string{}} |
| 222 | + |
| 223 | + containers := agentOptimizedContainers(dda, []apicommon.AgentContainerName{ |
| 224 | + apicommon.CoreAgentContainerName, |
| 225 | + apicommon.HostProfiler, |
| 226 | + }) |
| 227 | + assert.Len(t, containers, 2) |
| 228 | + |
| 229 | + c := containers[1] |
| 230 | + assert.Equal(t, string(apicommon.HostProfiler), c.Name) |
| 231 | + assert.NotNil(t, c.SecurityContext) |
| 232 | + assert.Nil(t, c.SecurityContext.Privileged, "host-profiler should not run as privileged") |
| 233 | + assert.NotNil(t, c.SecurityContext.SeccompProfile) |
| 234 | + assert.Equal(t, corev1.SeccompProfileTypeLocalhost, c.SecurityContext.SeccompProfile.Type) |
| 235 | + assert.Equal(t, common.HostProfilerSeccompProfileName, *c.SecurityContext.SeccompProfile.LocalhostProfile) |
| 236 | +} |
| 237 | + |
| 238 | +func TestInitHostProfilerSeccompSetupContainer(t *testing.T) { |
| 239 | + dda := &metav1.ObjectMeta{Name: "foo", Namespace: "default", Labels: map[string]string{}} |
| 240 | + |
| 241 | + initContainers := initContainers(dda, []apicommon.AgentContainerName{apicommon.HostProfiler}) |
| 242 | + |
| 243 | + var setupContainer *corev1.Container |
| 244 | + for i := range initContainers { |
| 245 | + if initContainers[i].Name == "host-profiler-seccomp-setup" { |
| 246 | + setupContainer = &initContainers[i] |
| 247 | + break |
| 248 | + } |
| 249 | + } |
| 250 | + assert.NotNil(t, setupContainer, "host-profiler-seccomp-setup init container should exist") |
| 251 | + dst := fmt.Sprintf("%s/%s", common.SeccompRootVolumePath, common.HostProfilerSeccompProfileName) |
| 252 | + assert.Contains(t, setupContainer.Command, dst, "cp command should copy to the kubelet seccomp path") |
| 253 | + |
| 254 | + mountNames := map[string]bool{} |
| 255 | + for _, m := range setupContainer.VolumeMounts { |
| 256 | + mountNames[m.Name] = true |
| 257 | + } |
| 258 | + assert.True(t, mountNames[common.HostProfilerSecurityVolumeName]) |
| 259 | + assert.True(t, mountNames[common.SeccompRootVolumeName]) |
| 260 | +} |
| 261 | + |
219 | 262 | func TestPrivateActionRunnerContainer(t *testing.T) { |
220 | 263 | dda := &metav1.ObjectMeta{ |
221 | 264 | Name: "test-dda", |
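Review bot: In TestInitHostProfilerSeccompSetupContainer, `assert.NotNil(t, setupContainer, ...)` does not stop the test, so a missing init container surfaces as a nil-pointer panic at `setupContainer.Command` rather than a readable failure. TestHostProfilerContainer has the same problem with `assert.Len(t, containers, 2)` before `containers[1]`, and with the `assert.NotNil` calls before `c.SecurityContext.Privileged` and `*c.SecurityContext.SeccompProfile.LocalhostProfile`. These preconditions should use testify's `require`, e.g. `require.NotNil(t, setupContainer, "host-profiler-seccomp-setup init container should exist")` and `require.Len(t, containers, 2)`; the import block is only partly visible here, so `require` may need to be added. Separately, `assert.Nil(t, c.SecurityContext.Privileged, ...)` would fail on an explicit `ptr.To(false)`, which is just as unprivileged, so checking the effective value (`p := c.SecurityContext.Privileged; assert.False(t, p != nil && *p)`) keeps the test tied to the security property. If agentOptimizedContainers also sets `AllowPrivilegeEscalation` or a capability list for this container, asserting on those would make the hardening contract explicit alongside the Localhost seccomp profile check.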
|