From dacffe5b0eea4a6a6d881352e34f46f26435beb9 Mon Sep 17 00:00:00 2001
From: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
Date: Thu, 5 Oct 2023 17:39:44 +0200
Subject: [PATCH] Add runasnonroot test for the kubeflow namespace
---
 tests/e2e/README.md | 2 +-
 tests/e2e/mnist.py | 4 ++--
 tests/e2e/runasnonroot.sh | 35 +++++++++++++++++++++++++++++++++++
 tests/e2e/runner.sh | 2 ++
 4 files changed, 40 insertions(+), 3 deletions(-)
 create mode 100644 tests/e2e/runasnonroot.sh
diff --git a/tests/e2e/README.md b/tests/e2e/README.md
index c009a3be7d..743341e496 100644
--- a/tests/e2e/README.md
+++ b/tests/e2e/README.md
@@ -13,7 +13,7 @@ This test is using the following Kubeflow CRDs: The heart of this test is the `mnist.py` python script, which applies and waits for the CRDs to complete. The python scripts are all expecting that 1. `kubectl` is configured with access to a Kubeflow cluster -2. `kustomize` 3.2.0 is available +2. `kustomize` 5.0.3+ is available 3. The KFP backend is proxied to localhost While the `mnist.py` is used for running the test, it is advised to use the
diff --git a/tests/e2e/mnist.py b/tests/e2e/mnist.py
index e5f4b6f5f1..ce7e07b498 100644
--- a/tests/e2e/mnist.py
+++ b/tests/e2e/mnist.py
@@ -1,8 +1,8 @@ """E2E Kubeflow test that tesst Pipelines, Katib, TFJobs and KServe. Requires: -pip install kfp==1.8.4 -pip install kubeflow-katib==0.12.0 +pip install kfp==1.8.22 +pip install kubeflow-katib==0.15.0 """ import kfp import kfp.dsl as dsl
diff --git a/tests/e2e/runasnonroot.sh b/tests/e2e/runasnonroot.sh
new file mode 100644
index 0000000000..a557753329
--- /dev/null
+++ b/tests/e2e/runasnonroot.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+namespace="kubeflow"
+error_flag=0
+
+# Get a list of pod names in the specified namespace
+pod_names=$(kubectl get pods -n $namespace -o json | jq -r '.items[].metadata.name')
+echo "Checking for root containers in namespace $namespace"
+
+# Loop through the pod names and execute the 'id' command within each container
+for pod_name in $pod_names; do
+ echo "Entering pod $pod_name in namespace $namespace..."
+
+ container_names=$(kubectl get pod -n $namespace $pod_name -o json | jq -r '.spec.containers[].name')
+
+ for container_name in $container_names; do
+ user_id=$(kubectl exec -it -n $namespace $pod_name -c $container_name -- id -u)
+ # echo "Container: $container_name - User ID: $user_id"
+
+ if [ "$user_id" -eq 0 ]; then
+ echo "Error: Pod $pod_name contains user ID 0 in container $container_name"
+ error_flag=1
+ fi
+ done
+
+ echo "-------------------------------------"
+done
+
+# Exit with an error if any pod contains user ID 0
+if [ $error_flag -eq 1 ]; then
+ exit 1
+fi
+
+# Exit successfully if no pod contains user ID 0
+exit 0
\ No newline at end of file
diff --git a/tests/e2e/runner.sh b/tests/e2e/runner.sh
index 440f3044e4..29f442b083 100755
--- a/tests/e2e/runner.sh
+++ b/tests/e2e/runner.sh
@@ -10,6 +10,8 @@ echo "Setting up port-forward..." echo "Running the tests.""" python3 mnist.py +# runasnonroot.sh + echo "Cleaning up opened processes.""" ./hack/cleanup_proxies.sh
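Review bot: In tests/e2e/runasnonroot.sh the check fails open. If `kubectl exec ... -- id -u` fails (for example an image without an `id` binary, or a pod that is not running) or prints anything that is not a plain number, `[ "$user_id" -eq 0 ]` errors out, the branch is skipped and the container is silently counted as non-root. The `-it` flags make this more likely: the test has no terminal to attach, and where a TTY is allocated the output typically carries a trailing carriage return. Drop `-it`, check the exec status, reject empty or non-numeric output and quote `$namespace`, `$pod_name` and `$container_name`, as sketched below. Also note that only `.spec.containers[]` is walked, so init containers are not covered.

```shell
  for container_name in $container_names; do
    # No -it: the test runs without a terminal, and a TTY would add a trailing \r.
    if ! user_id=$(kubectl exec -n "$namespace" "$pod_name" -c "$container_name" -- id -u); then
      # Could not verify; fail here, or record the container as unchecked if policy allows.
      echo "Error: could not run 'id -u' in pod $pod_name container $container_name"
      error_flag=1
      continue
    fi
    case "$user_id" in
      '' | *[!0-9]*)
        echo "Error: unexpected 'id -u' output in pod $pod_name container $container_name"
        error_flag=1
        continue
        ;;
    esac
    # … unchanged: comparison of $user_id with 0 and error_flag handling …
```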
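Review bot: In tests/e2e/runner.sh the new test is wired in only as the comment `# runasnonroot.sh`, so the runner never executes it and a root container in the `kubeflow` namespace cannot fail the e2e run. When it is enabled, note that the script is created with mode 100644, so `./runasnonroot.sh` would fail with permission denied; `bash ./runasnonroot.sh` avoids that. Whether a non-zero exit from it stops the runner depends on shell options set outside this hunk, so the status should be captured and returned after the cleanup step has run.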