From ce7b9ac99acbe0164c0e6ca7ea35497fa00d217e Mon Sep 17 00:00:00 2001
From: Cosmin Cojocar <ccojocar@google.com>
Date: Tue, 3 Dec 2024 12:52:41 +0000
Subject: [PATCH] Remove the apparmor e2e test from test suite since is covered by hack/ci/e2e-apparmor test

Change-Id: I6e0df97860c205b97cd67a1545237e895c523b04
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
---
 hack/ci/e2e-ubuntu.sh | 5 +-
 test/e2e_test.go | 4 -
 test/suite_test.go | 28 -----
 test/tc_apparmor_base_usage_test.go | 155 ----------------------------
 4 files changed, 2 insertions(+), 190 deletions(-)
 delete mode 100644 test/tc_apparmor_base_usage_test.go

diff --git a/hack/ci/e2e-ubuntu.sh b/hack/ci/e2e-ubuntu.sh
index 884e951e2e..69b494ade3 100755
--- a/hack/ci/e2e-ubuntu.sh
+++ b/hack/ci/e2e-ubuntu.sh
@@ -18,11 +18,10 @@ set -euo pipefail
 export E2E_CLUSTER_TYPE=vanilla
 export E2E_TEST_LOG_ENRICHER=true
 export E2E_TEST_SECCOMP=false
-export E2E_TEST_APPARMOR=true
 export E2E_TEST_FLAKY_TESTS_ONLY=${E2E_TEST_FLAKY_TESTS_ONLY:-false}
 
 if "${E2E_TEST_FLAKY_TESTS_ONLY}"; then
- make test-flaky-e2e
+ make test-flaky-e2e
 else
- make test-e2e
+ make test-e2e
 fi
diff --git a/test/e2e_test.go b/test/e2e_test.go
index 537ccaf1bb..335cd0d244 100644
--- a/test/e2e_test.go
+++ b/test/e2e_test.go
@@ -115,10 +115,6 @@ func (e *e2e) TestSecurityProfilesOperator() {
 "SELinux: Metrics (update, delete)",
 e.testCaseSelinuxMetrics,
 },
- {
- "AppArmor: base case (install policy, run pod and delete)",
- e.testCaseAppArmorBaseUsage,
- },
 {
 "SPOD: Update SELinux flag",
 e.testCaseSPODUpdateSelinux,
diff --git a/test/suite_test.go b/test/suite_test.go
index 1e06dec61f..12c51f6e34 100644
--- a/test/suite_test.go
+++ b/test/suite_test.go
@@ -55,7 +55,6 @@ var (
 envSkipFlakyTests = os.Getenv("E2E_SKIP_FLAKY_TESTS")
 envSkipNamespacedTests = os.Getenv("E2E_SKIP_NAMESPACED_TESTS")
 envSelinuxTestsEnabled = os.Getenv("E2E_TEST_SELINUX")
- envApparmorTestsEnabled = os.Getenv("E2E_TEST_APPARMOR")
 envLogEnricherTestsEnabled = os.Getenv("E2E_TEST_LOG_ENRICHER")
 envSeccompTestsEnabled = os.Getenv("E2E_TEST_SECCOMP")
 envBpfRecorderTestsEnabled = os.Getenv("E2E_TEST_BPF_RECORDER")
@@ -99,7 +98,6 @@ type e2e struct {
 nodeRootfsPrefix string
 operatorManifest string
 selinuxEnabled bool
- apparmorEnabled bool
 logEnricherEnabled bool
 testSeccomp bool
 bpfRecorderEnabled bool
@@ -150,10 +148,6 @@ func TestSuite(t *testing.T) {
 if err != nil {
 selinuxEnabled = false
 }
- apparmorEnabled, err := strconv.ParseBool(envApparmorTestsEnabled)
- if err != nil {
- apparmorEnabled = false
- }
 logEnricherEnabled, err := strconv.ParseBool(envLogEnricherTestsEnabled)
 if err != nil {
 logEnricherEnabled = false
@@ -215,7 +209,6 @@ func TestSuite(t *testing.T) {
 containerRuntime: containerRuntime,
 nodeRootfsPrefix: nodeRootfsPrefix,
 selinuxEnabled: selinuxEnabled,
- apparmorEnabled: apparmorEnabled,
 logEnricherEnabled: logEnricherEnabled,
 testSeccomp: testSeccomp,
 selinuxdImage: selinuxdImage,
@@ -249,7 +242,6 @@ func TestSuite(t *testing.T) {
 containerRuntime: containerRuntime,
 nodeRootfsPrefix: nodeRootfsPrefix,
 selinuxEnabled: selinuxEnabled,
- apparmorEnabled: apparmorEnabled,
 logEnricherEnabled: logEnricherEnabled,
 testSeccomp: testSeccomp,
 selinuxdImage: selinuxdImage,
@@ -277,7 +269,6 @@ func TestSuite(t *testing.T) {
 containerRuntime: containerRuntime,
 nodeRootfsPrefix: nodeRootfsPrefix,
 selinuxEnabled: selinuxEnabled,
- apparmorEnabled: apparmorEnabled,
 logEnricherEnabled: logEnricherEnabled,
 testSeccomp: testSeccomp,
 selinuxdImage: selinuxdImage,
@@ -710,13 +701,6 @@ func (e *e2e) selinuxOnlyTestCase() {
 e.enableSelinuxInSpod()
 }
 
-func (e *e2e) apparmorOnlyTestCase() {
- if !e.apparmorEnabled {
- e.T().Skip("Skipping AppArmor-related test")
- }
- e.enableApparmorInSpod()
-}
-
 func (e *e2e) enableSelinuxInSpod() {
 selinuxEnabledInSPODDS := e.kubectlOperatorNS("get", "ds", "spod", "-o", "yaml")
 if !strings.Contains(selinuxEnabledInSPODDS, "--with-selinux=true") {
@@ -733,18 +717,6 @@ func (e *e2e) enableSelinuxInSpod() {
 }
 }
 
-func (e *e2e) enableApparmorInSpod() {
- apparmorEnabledInSPODDS := e.kubectlOperatorNS("get", "ds", "spod", "-o", "yaml")
- if !strings.Contains(apparmorEnabledInSPODDS, "--with-apparmor=true") {
- e.logf("Enable AppArmor in SPOD")
- e.kubectlOperatorNS("patch", "spod", "spod", "-p", `{"spec":{"enableAppArmor": true}}`, "--type=merge")
- time.Sleep(defaultWaitTime)
- e.waitInOperatorNSFor("condition=ready", "spod", "spod")
-
- e.kubectlOperatorNS("rollout", "status", "ds", "spod", "--timeout", defaultSelinuxOpTimeout)
- }
-}
-
 func (e *e2e) logEnricherOnlyTestCase() {
 if !e.logEnricherEnabled {
 e.T().Skip("Skipping log-enricher related test")
diff --git a/test/tc_apparmor_base_usage_test.go b/test/tc_apparmor_base_usage_test.go
deleted file mode 100644
index bc4522d20c..0000000000
--- a/test/tc_apparmor_base_usage_test.go
+++ /dev/null
@@ -1,155 +0,0 @@
-/*
-Copyright 2023 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package e2e_test
-
-import (
- "fmt"
- "strings"
- "time"
-)
-
-const (
- defaultAppArmorOpTimeout = "60s"
- errorloggerProfile = `
-apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
-kind: AppArmorProfile
-metadata:
- name: aa-errorlogger-profile
-spec:
- abstract:
- filesystem:
- readOnlyPaths: []
- writeOnlyPaths: []
- readWritePaths: []
-`
-
- aaPodWithPolicyFmt = `
-apiVersion: v1
-kind: Pod
-metadata:
- name: aa-errorlogger
- annotations:
- container.apparmor.security.beta.kubernetes.io/errorlogger: localhost/%s
-spec:
- containers:
- - name: errorlogger
- image: "registry.access.redhat.com/ubi9/ubi-minimal:latest"
- command: ["/bin/bash"]
- args: [ "-c","set -eux; echo 'Hello AppArmor!' && sleep 1h" ]
- restartPolicy: Never
-`
-)
-
-func (e *e2e) testCaseAppArmorBaseUsage(nodes []string) {
- e.apparmorOnlyTestCase()
-
- e.logf("The 'errorlogger' workload should be able to use AppArmor profile")
-
- e.logf("creating profile")
- e.writeAndCreate(errorloggerProfile, "errorlogger-profile.yml")
-
- profileName := "aa-errorlogger-profile"
-
- e.logf("assert profile is installed")
- e.assertAppArmorProfileIsInstalled(nodes, profileName, maxNodeIterations, sleepBetweenIterations)
-
- e.logf("creating workload")
-
- podWithPolicy := fmt.Sprintf(aaPodWithPolicyFmt, profileName)
- e.writeAndCreate(podWithPolicy, "pod-w-profile.yml")
-
- podName := "aa-errorlogger"
-
- e.waitFor("condition=ready", "pod", podName)
-
- e.logf("the workload should be running")
- podWithPolicyPhase := e.kubectl(
- "get", "pods", podName, "-o", "jsonpath={.status.phase}")
- e.Truef(strings.EqualFold(podWithPolicyPhase, "running"),
- "The pod without profile's phase should be 'Running', instead it's: %s",
- podWithPolicyPhase)
-
- e.logf("cleaning up")
-
- e.logf("removing workload")
- e.kubectl("delete", "pod", podName)
-
- e.logf("removing profile")
- e.kubectl("delete", "apparmorprofile", profileName)
-
- e.logf("assert profile was removed")
- e.assertAppArmorProfileIsRemoved(nodes, profileName, maxNodeIterations, sleepBetweenIterations)
-}
-
-func (e *e2e) assertAppArmorProfileIsInstalled(
- nodes []string, profile string, nodeIterations int, sleep time.Duration,
-) {
- for i := range nodeIterations {
- var missingPolName string
-
- for _, node := range nodes {
- allLoaddedProfiles := e.execNode(node, "sudo", "aa-status")
- loadedProifles := []string{}
- for _, p := range strings.Split(allLoaddedProfiles, "\n") {
- p = strings.TrimSpace(p)
- loadedProifles = append(loadedProifles, p)
- }
- if !e.sliceContainsString(loadedProifles, profile) {
- missingPolName = node
- break
- }
- }
-
- if missingPolName != "" {
- if i == nodeIterations-1 {
- e.Fail(fmt.Sprintf(
- "The AppArmorProfile %s wasn't found in the %s node",
- profile, missingPolName,
- ))
- } else {
- e.logf("The profile %s wasn't found, trying again", profile)
- time.Sleep(sleep)
- }
- }
- }
-}
-
-func (e *e2e) assertAppArmorProfileIsRemoved(nodes []string, profile string, nodeIterations int, sleep time.Duration) {
- for i := range nodeIterations {
- var missingPolName string
-
- for _, node := range nodes {
- loadedProfiles := e.execNode(node, "sudo", "cat", "/sys/kernel/security/apparmor/profiles")
- if e.sliceContainsString(strings.Split(loadedProfiles, "\n"), profile) {
- missingPolName = node
- break
- }
- }
-
- if missingPolName != "" {
- if i == nodeIterations-1 {
- e.Fail(fmt.Sprintf(
- "The AppArmor errorlogger was found in the %s node with the name %s",
- missingPolName, profile,
- ))
- } else {
- e.logf("the profile was still present, trying again")
- time.Sleep(sleep)
- }
- }
- }
-}