package operators
import (
"encoding/json"
"fmt"
"io/ioutil"
"os"
"strings"
. "github.com/onsi/ginkgo"
"github.com/openshift/origin/pkg/oc/cli/admin/release"
exutil "github.com/openshift/origin/test/extended/util"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
e2e "k8s.io/kubernetes/test/e2e/framework"
)
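// This spec verifies that every container (init and regular) of every pod in
// a namespace starting with "kube-" or "openshift-" runs an image listed in
// the installed release payload and uses the IfNotPresent image pull policy.
var _ = Describe("[Feature:Platform][Smoke] Managed cluster", func() {
	oc := exutil.NewCLIWithoutNamespace("operators")

	It("should ensure pods use images from our release image with proper ImagePullPolicy", func() {
		imagePullSecret, err := oc.KubeFramework().ClientSet.CoreV1().Secrets("openshift-config").Get("pull-secret", metav1.GetOptions{})
		if err != nil {
			e2e.Failf("unable to get pull secret for cluster: %v", err)
		}

		// Cache the pull secret in a local temp file so it can be handed to
		// `oc adm release info --registry-config`. The file holds registry
		// credentials: ioutil.TempFile creates it with mode 0600, and it is
		// removed when the spec returns.
		imagePullFile, err := ioutil.TempFile("", "image-pull-secret")
		if err != nil {
			e2e.Failf("unable to create a temporary file: %v", err)
		}
		defer os.Remove(imagePullFile.Name())

		// write the content
		imagePullSecretBytes := imagePullSecret.Data[".dockerconfigjson"]
		if _, err := imagePullFile.Write(imagePullSecretBytes); err != nil {
			e2e.Failf("unable to write pull secret to temp file: %v", err)
		}
		if err := imagePullFile.Close(); err != nil {
			e2e.Failf("unable to close file: %v", err)
		}

		// find out the current installed release info using the temp file
		out, err := oc.Run("adm", "release", "info").Args("--pullspecs", "-o", "json", "--registry-config", imagePullFile.Name()).Output()
		if err != nil {
			// TODO need to determine why release tests are not having access to read payload
			// NOTE(review): returning here makes the spec pass without
			// checking any pod image, so a green result does not prove the
			// check ran. The log line below is the only trace of the skip.
			e2e.Logf("unable to read release payload with error: %v", err)
			return
		}

		// Decode into the struct itself rather than through a pointer to the
		// pointer: a JSON `null` payload then leaves a zero-valued struct
		// instead of a nil releaseInfo that would panic on first use.
		releaseInfo := &release.ReleaseInfo{}
		if err := json.Unmarshal([]byte(out), releaseInfo); err != nil {
			e2e.Failf("unable to decode release payload with error: %v", err)
		}
		e2e.Logf("Release Info image=%s", releaseInfo.Image)

		// References must be checked before it is dereferenced for logging;
		// otherwise a payload without references panics instead of failing
		// with a readable message.
		if releaseInfo.References == nil {
			e2e.Failf("no references found")
		}
		e2e.Logf("Release Info number of tags %v", len(releaseInfo.References.Spec.Tags))

		// valid images include the release image and all its tagged references
		validImages := sets.NewString()
		validImages.Insert(releaseInfo.Image)
		for i := range releaseInfo.References.Spec.Tags {
			tag := releaseInfo.References.Spec.Tags[i]
			if tag.From != nil && tag.From.Kind == "DockerImage" {
				validImages.Insert(tag.From.Name)
			}
		}

		// list pods in all namespaces; filtering by namespace prefix happens below
		pods, err := oc.KubeFramework().ClientSet.CoreV1().Pods("").List(metav1.ListOptions{})
		if err != nil {
			e2e.Failf("unable to list pods: %v", err)
		}

		// list of pods that use images not in the release payload
		invalidPodContainerImages := sets.NewString()
		invalidPodContainerImagePullPolicy := sets.NewString()

		// a pod in a namespace that begins with kube-* or openshift-* must come from our release payload
		// TODO components in openshift-operators may not come from our payload, may want to weaken restriction
		namespacePrefixes := sets.NewString("kube-", "openshift-")
		for i := range pods.Items {
			pod := pods.Items[i]
			for _, prefix := range namespacePrefixes.List() {
				if !strings.HasPrefix(pod.Namespace, prefix) {
					continue
				}

				// Init containers are inspected together with regular containers.
				containersToInspect := make([]v1.Container, 0, len(pod.Spec.InitContainers)+len(pod.Spec.Containers))
				containersToInspect = append(containersToInspect, pod.Spec.InitContainers...)
				containersToInspect = append(containersToInspect, pod.Spec.Containers...)

				for j := range containersToInspect {
					container := containersToInspect[j]
					// The image must match a release pullspec exactly (string equality).
					if !validImages.Has(container.Image) {
						invalidPodContainerImages.Insert(fmt.Sprintf("%s/%s/%s image=%s", pod.Namespace, pod.Name, container.Name, container.Image))
					}
					if container.ImagePullPolicy != v1.PullIfNotPresent {
						invalidPodContainerImagePullPolicy.Insert(fmt.Sprintf("%s/%s/%s imagePullPolicy=%s", pod.Namespace, pod.Name, container.Name, container.ImagePullPolicy))
					}
				}
			}
		}

		// log for debugging output before we ultimately fail
		e2e.Logf("Pods found with invalid container images not present in release payload: %s", strings.Join(invalidPodContainerImages.List(), "\n"))
		e2e.Logf("Pods found with invalid container image pull policy not equal to IfNotPresent: %s", strings.Join(invalidPodContainerImagePullPolicy.List(), "\n"))
		if len(invalidPodContainerImages) > 0 {
			e2e.Failf("Pods found with invalid container images not present in release payload: %s", strings.Join(invalidPodContainerImages.List(), "\n"))
		}
		if len(invalidPodContainerImagePullPolicy) > 0 {
			e2e.Failf("Pods found with invalid container image pull policy not equal to IfNotPresent: %s", strings.Join(invalidPodContainerImagePullPolicy.List(), "\n"))
		}
	})
})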