Run GCE unit tests as non-root

sudhanshud · Mar 18, 2021 · a3a2617 · a3a2617
1 parent 0c6d922
commit a3a2617
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 16 deletions.
diff --git a/cluster/gce/gci/apiserver_etcd_test.go b/cluster/gce/gci/apiserver_etcd_test.go
@@ -17,26 +17,29 @@ limitations under the License.
 package gci
 
 import (
+	"os"
+	"strconv"
 	"strings"
 	"testing"
 )
 
 type kubeAPIServeETCDEnv struct {
-	KubeHome            string
-	ETCDServers         string
-	ETCDServersOverride string
-	CAKey               string
-	CACert              string
-	CACertPath          string
-	APIServerKey        string
-	APIServerCert       string
-	APIServerCertPath   string
-	APIServerKeyPath    string
-	ETCDKey             string
-	ETCDCert            string
-	StorageBackend      string
-	StorageMediaType    string
-	CompactionInterval  string
+	KubeHome               string
+	KubeAPIServerRunAsUser string
+	ETCDServers            string
+	ETCDServersOverride    string
+	CAKey                  string
+	CACert                 string
+	CACertPath             string
+	APIServerKey           string
+	APIServerCert          string
+	APIServerCertPath      string
+	APIServerKeyPath       string
+	ETCDKey                string
+	ETCDCert               string
+	StorageBackend         string
+	StorageMediaType       string
+	CompactionInterval     string
 }
 
 func TestServerOverride(t *testing.T) {
@@ -68,6 +71,7 @@ func TestServerOverride(t *testing.T) {
 			c := newManifestTestCase(t, kubeAPIServerManifestFileName, kubeAPIServerStartFuncName, nil)
 			defer c.tearDown()
 			tc.env.KubeHome = c.kubeHome
+			tc.env.KubeAPIServerRunAsUser = strconv.Itoa(os.Getuid())
 
 			c.mustInvokeFunc(
 				tc.env,
@@ -124,6 +128,7 @@ func TestStorageOptions(t *testing.T) {
 			c := newManifestTestCase(t, kubeAPIServerManifestFileName, kubeAPIServerStartFuncName, nil)
 			defer c.tearDown()
 			tc.env.KubeHome = c.kubeHome
+			tc.env.KubeAPIServerRunAsUser = strconv.Itoa(os.Getuid())
 
 			c.mustInvokeFunc(
 				tc.env,
@@ -188,6 +193,7 @@ func TestTLSFlags(t *testing.T) {
 			c := newManifestTestCase(t, kubeAPIServerManifestFileName, kubeAPIServerStartFuncName, nil)
 			defer c.tearDown()
 			tc.env.KubeHome = c.kubeHome
+			tc.env.KubeAPIServerRunAsUser = strconv.Itoa(os.Getuid())
 
 			c.mustInvokeFunc(
 				tc.env,

diff --git a/cluster/gce/gci/apiserver_kms_test.go b/cluster/gce/gci/apiserver_kms_test.go
@@ -24,6 +24,7 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"strconv"
 	"strings"
 	"testing"
 
@@ -38,6 +39,7 @@ const (
 
 type kubeAPIServerEnv struct {
 	KubeHome                     string
+	KubeAPIServerRunAsUser       string
 	EncryptionProviderConfigPath string
 	EncryptionProviderConfig     string
 	CloudKMSIntegration          bool
@@ -72,6 +74,7 @@ func TestEncryptionProviderFlag(t *testing.T) {
 
 			e := kubeAPIServerEnv{
 				KubeHome:                     c.kubeHome,
+				KubeAPIServerRunAsUser:       strconv.Itoa(os.Getuid()),
 				EncryptionProviderConfigPath: filepath.Join(c.kubeHome, "encryption-provider-config.yaml"),
 				EncryptionProviderConfig:     tc.encryptionProviderConfig,
 			}
@@ -107,6 +110,7 @@ func TestEncryptionProviderConfig(t *testing.T) {
 	p := filepath.Join(c.kubeHome, "encryption-provider-config.yaml")
 	e := kubeAPIServerEnv{
 		KubeHome:                     c.kubeHome,
+		KubeAPIServerRunAsUser:       strconv.Itoa(os.Getuid()),
 		EncryptionProviderConfigPath: p,
 		EncryptionProviderConfig:     base64.StdEncoding.EncodeToString([]byte("foo")),
 	}
@@ -177,6 +181,7 @@ func TestKMSIntegration(t *testing.T) {
 
 			var e = kubeAPIServerEnv{
 				KubeHome:                     c.kubeHome,
+				KubeAPIServerRunAsUser:       strconv.Itoa(os.Getuid()),
 				EncryptionProviderConfigPath: filepath.Join(c.kubeHome, "encryption-provider-config.yaml"),
 				EncryptionProviderConfig:     base64.StdEncoding.EncodeToString([]byte("foo")),
 				CloudKMSIntegration:          tc.cloudKMSIntegration,

diff --git a/cluster/gce/gci/testdata/kube-apiserver/etcd.template b/cluster/gce/gci/testdata/kube-apiserver/etcd.template
@@ -13,3 +13,4 @@ readonly ETCD_SERVERS_OVERRIDES={{.ETCDServersOverride}}
 readonly STORAGE_BACKEND={{.StorageBackend}}
 readonly STORAGE_MEDIA_TYPE={{.StorageMediaType}}
 readonly ETCD_COMPACTION_INTERVAL_SEC={{.CompactionInterval}}
+readonly KUBE_API_SERVER_RUNASUSER={{.KubeAPIServerRunAsUser}}
diff --git a/cluster/gce/gci/testdata/kube-apiserver/kms.template b/cluster/gce/gci/testdata/kube-apiserver/kms.template
@@ -5,4 +5,5 @@ ENCRYPTION_PROVIDER_CONFIG_PATH={{.EncryptionProviderConfigPath}}
 {{end}}
 {{if .CloudKMSIntegration}}
   readonly CLOUD_KMS_INTEGRATION=true
-{{end}}
+{{end}}
+readonly KUBE_API_SERVER_RUNASUSER={{.KubeAPIServerRunAsUser}}