Add runasnonroot test for the kubeflow namespace

juliusvonkohout · Oct 5, 2023 · dacffe5 · dacffe5
1 parent 17a92cb
commit dacffe5
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 3 deletions.
diff --git a/tests/e2e/README.md b/tests/e2e/README.md
@@ -13,7 +13,7 @@ This test is using the following Kubeflow CRDs:
 The heart of this test is the `mnist.py` python script, which applies and waits
 for the CRDs to complete. The python scripts are all expecting that
 1. `kubectl` is configured with access to a Kubeflow cluster
-2. `kustomize` 3.2.0 is available
+2. `kustomize` 5.0.3+ is available
 3. The KFP backend is proxied to localhost
 
 While the `mnist.py` is used for running the test, it is advised to use the

diff --git a/tests/e2e/mnist.py b/tests/e2e/mnist.py
@@ -1,8 +1,8 @@
 """E2E Kubeflow test that tesst Pipelines, Katib, TFJobs and KServe.
 
 Requires:
-pip install kfp==1.8.4
-pip install kubeflow-katib==0.12.0
+pip install kfp==1.8.22
+pip install kubeflow-katib==0.15.0
 """
 import kfp
 import kfp.dsl as dsl

diff --git a/tests/e2e/runasnonroot.sh b/tests/e2e/runasnonroot.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+namespace="kubeflow"
+error_flag=0
+
+# Get a list of pod names in the specified namespace
+pod_names=$(kubectl get pods -n $namespace -o json | jq -r '.items[].metadata.name')
+echo "Checking for root containers in namespace $namespace"
+
+# Loop through the pod names and execute the 'id' command within each container
+for pod_name in $pod_names; do
+  echo "Entering pod $pod_name in namespace $namespace..."
+
+  container_names=$(kubectl get pod -n $namespace $pod_name -o json | jq -r '.spec.containers[].name')
+
+  for container_name in $container_names; do
+    user_id=$(kubectl exec -it -n $namespace $pod_name -c $container_name -- id -u)
+    # echo "Container: $container_name - User ID: $user_id"
+
+    if [ "$user_id" -eq 0 ]; then
+      echo "Error: Pod $pod_name contains user ID 0 in container $container_name"
+      error_flag=1
+    fi
+  done
+
+  echo "-------------------------------------"
+done
+
+# Exit with an error if any pod contains user ID 0
+if [ $error_flag -eq 1 ]; then
+  exit 1
+fi
+
+# Exit successfully if no pod contains user ID 0
+exit 0
diff --git a/tests/e2e/runner.sh b/tests/e2e/runner.sh
@@ -10,6 +10,8 @@ echo "Setting up port-forward..."
 
 echo "Running the tests."""
 python3 mnist.py
+# runasnonroot.sh
+
 
 echo "Cleaning up opened processes."""
 ./hack/cleanup_proxies.sh