Fix SELinux unit tests

Use device mountable volume, to make it impossible to share the same global mount with different SELinux contexts. And fix pod2Name to actually refer to pod2.
kubernetes · Oct 25, 2023 · e511edf · e511edf
1 parent 2f5903b
commit e511edf
Showing 1 changed file with 26 additions and 18 deletions.
diff --git a/pkg/kubelet/volumemanager/cache/desired_state_of_world_test.go b/pkg/kubelet/volumemanager/cache/desired_state_of_world_test.go
@@ -612,10 +612,12 @@ func Test_AddPodToVolume_Positive_SELinuxNoRWOP(t *testing.T) {
 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, true)()
 	// Arrange
 	plugins := []volume.VolumePlugin{
-		&volumetesting.FakeBasicVolumePlugin{
-			Plugin: volumetesting.FakeVolumePlugin{
-				PluginName:      "basic",
-				SupportsSELinux: true,
+		&volumetesting.FakeDeviceMountableVolumePlugin{
+			FakeBasicVolumePlugin: volumetesting.FakeBasicVolumePlugin{
+				Plugin: volumetesting.FakeVolumePlugin{
+					PluginName:      "basic",
+					SupportsSELinux: true,
+				},
 			},
 		},
 	}
@@ -692,10 +694,12 @@ func Test_AddPodToVolume_Positive_NoSELinuxPlugin(t *testing.T) {
 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, true)()
 	// Arrange
 	plugins := []volume.VolumePlugin{
-		&volumetesting.FakeBasicVolumePlugin{
-			Plugin: volumetesting.FakeVolumePlugin{
-				PluginName:      "basic",
-				SupportsSELinux: false,
+		&volumetesting.FakeDeviceMountableVolumePlugin{
+			FakeBasicVolumePlugin: volumetesting.FakeBasicVolumePlugin{
+				Plugin: volumetesting.FakeVolumePlugin{
+					PluginName:      "basic",
+					SupportsSELinux: false,
+				},
 			},
 		},
 	}
@@ -773,10 +777,12 @@ func Test_AddPodToVolume_Positive_ExistingPodSameSELinuxRWOP(t *testing.T) {
 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, true)()
 	// Arrange
 	plugins := []volume.VolumePlugin{
-		&volumetesting.FakeBasicVolumePlugin{
-			Plugin: volumetesting.FakeVolumePlugin{
-				PluginName:      "basic",
-				SupportsSELinux: true,
+		&volumetesting.FakeDeviceMountableVolumePlugin{
+			FakeBasicVolumePlugin: volumetesting.FakeBasicVolumePlugin{
+				Plugin: volumetesting.FakeVolumePlugin{
+					PluginName:      "basic",
+					SupportsSELinux: true,
+				},
 			},
 		},
 	}
@@ -873,10 +879,12 @@ func Test_AddPodToVolume_Negative_ExistingPodDifferentSELinuxRWOP(t *testing.T)
 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, true)()
 	// Arrange
 	plugins := []volume.VolumePlugin{
-		&volumetesting.FakeBasicVolumePlugin{
-			Plugin: volumetesting.FakeVolumePlugin{
-				PluginName:      "basic",
-				SupportsSELinux: true,
+		&volumetesting.FakeDeviceMountableVolumePlugin{
+			FakeBasicVolumePlugin: volumetesting.FakeBasicVolumePlugin{
+				Plugin: volumetesting.FakeVolumePlugin{
+					PluginName:      "basic",
+					SupportsSELinux: true,
+				},
 			},
 		},
 	}
@@ -957,7 +965,7 @@ func Test_AddPodToVolume_Negative_ExistingPodDifferentSELinuxRWOP(t *testing.T)
 	pod2.Name = "pod2"
 	pod2.UID = "pod2uid"
 	pod2.Spec.SecurityContext.SELinuxOptions = &seLinux2
-	pod2Name := util.GetUniquePodName(pod)
+	pod2Name := util.GetUniquePodName(pod2)
 
 	// Act
 	_, err = dsw.AddPodToVolume(
@@ -967,7 +975,7 @@ func Test_AddPodToVolume_Negative_ExistingPodDifferentSELinuxRWOP(t *testing.T)
 		t.Fatalf("Second AddPodToVolume succeeded, expected a failure")
 	}
 	// Verify the original SELinux context is still in DSW
-	verifyPodExistsInVolumeDsw(t, pod2Name, generatedVolumeName, "system_u:object_r:container_file_t:s0:c1,c2", dsw)
+	verifyPodExistsInVolumeDsw(t, podName, generatedVolumeName, "system_u:object_r:container_file_t:s0:c1,c2", dsw)
 }
 
 func verifyVolumeExistsDsw(