Merge pull request #344 from flatcar/tormath1/selinux

test/selinux: update boolean name and added back enforced Selinux Cilium tests
flatcar · Sep 22, 2023 · 7d8aac2 · 7d8aac2
2 parents 2998fe8 + 6598471
commit 7d8aac2
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 13 deletions.
diff --git a/kola/tests/kubeadm/kubeadm.go b/kola/tests/kubeadm/kubeadm.go
@@ -54,12 +54,8 @@ var (
 					_ = c.MustSSH(controller, "/opt/bin/cilium uninstall")
 					version := params["CiliumVersion"].(string)
 					cidr := params["PodSubnet"].(string)
-					cmd := fmt.Sprintf("/opt/bin/cilium install --config enable-endpoint-routes=true --config cluster-pool-ipv4-cidr=%s --version=%s --encryption=ipsec --wait=false --restart-unmanaged-pods=false --rollback=false", cidr, version)
-					_, _ = c.SSH(controller, cmd)
-					patch := `/opt/bin/kubectl --namespace kube-system patch daemonset/cilium -p '{"spec":{"template":{"spec":{"containers":[{"name":"cilium-agent","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}}],"initContainers":[{"name":"mount-cgroup","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}},{"name":"apply-sysctl-overwrites","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}},{"name":"clean-cilium-state","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}}]}}}}'`
-					_ = c.MustSSH(controller, patch)
-					status := "/opt/bin/cilium status --wait --wait-duration 1m"
-					_ = c.MustSSH(controller, status)
+					cmd := fmt.Sprintf("/opt/bin/cilium install --config enable-endpoint-routes=true --config cluster-pool-ipv4-cidr=%s --version=%s --encryption=ipsec --wait --wait-duration 1m", cidr, version)
+					_ = c.MustSSH(controller, cmd)
 				},
 			},
 		},
@@ -239,7 +235,7 @@ func init() {
 					major = 3140
 				}
 
-				if CNI == "flannel" || CNI == "cilium" {
+				if CNI == "flannel" {
 					flags = append(flags, register.NoEnableSelinux)
 				}
 

diff --git a/kola/tests/kubeadm/templates.go b/kola/tests/kubeadm/templates.go
@@ -403,7 +403,6 @@ EOF
         --config enable-endpoint-routes=true \
         --config cluster-pool-ipv4-cidr={{ .PodSubnet }} \
         --version={{ .CiliumVersion }} 2>&1 | iconv --from-code utf-8 --to-code ascii//TRANSLIT
-    kubectl --namespace kube-system patch daemonset/cilium -p '{"spec":{"template":{"spec":{"containers":[{"name":"cilium-agent","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}}],"initContainers":[{"name":"mount-cgroup","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}},{"name":"apply-sysctl-overwrites","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}},{"name":"clean-cilium-state","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}}]}}}}'
     # --wait will wait for status to report success
     /opt/bin/cilium status --wait 2>&1 | iconv --from-code utf-8 --to-code ascii//TRANSLIT
 {{ end }}

diff --git a/kola/tests/kubeadm/testdata/master-cilium-script.sh b/kola/tests/kubeadm/testdata/master-cilium-script.sh
@@ -91,7 +91,6 @@ EOF
         --config enable-endpoint-routes=true \
         --config cluster-pool-ipv4-cidr=192.168.0.0/17 \
         --version=v0.11.1 2>&1 | iconv --from-code utf-8 --to-code ascii//TRANSLIT
-    kubectl --namespace kube-system patch daemonset/cilium -p '{"spec":{"template":{"spec":{"containers":[{"name":"cilium-agent","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}}],"initContainers":[{"name":"mount-cgroup","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}},{"name":"apply-sysctl-overwrites","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}},{"name":"clean-cilium-state","securityContext":{"seLinuxOptions":{"level":"s0","type":"unconfined_t"}}}]}}}}'
     # --wait will wait for status to report success
     /opt/bin/cilium status --wait 2>&1 | iconv --from-code utf-8 --to-code ascii//TRANSLIT
 

diff --git a/kola/tests/misc/selinux.go b/kola/tests/misc/selinux.go
@@ -19,11 +19,14 @@ import (
 	"regexp"
 	"strings"
 
+	"github.com/coreos/go-semver/semver"
 	"github.com/flatcar/mantle/kola/cluster"
 	"github.com/flatcar/mantle/kola/register"
 	"github.com/flatcar/mantle/platform"
 )
 
+var seBoolean = "container_use_nfs"
+
 func init() {
 	register.Register(&register.Test{
 		Run:         SelinuxEnforce,
@@ -40,6 +43,15 @@ func init() {
 		Distros:     []string{"cl", "fcos", "rhcos"},
 		// This test is normally not related to the cloud environment
 		Platforms: []string{"qemu", "qemu-unpriv"},
+		SkipFunc: func(version semver.Version, channel, arch, platform string) bool {
+			// Workaround to set the SELinux boolean name based of the Flatcar version.
+			// Note: it works only if we test '*'
+			if version.LessThan(semver.Version{Major: 3733}) {
+				seBoolean = "virt_use_nfs"
+			}
+
+			return false
+		},
 	})
 	register.Register(&register.Test{
 		Run:         SelinuxBooleanPersist,
@@ -48,6 +60,15 @@ func init() {
 		Distros:     []string{"fcos", "rhcos"},
 		// This test is normally not related to the cloud environment
 		Platforms: []string{"qemu", "qemu-unpriv"},
+		SkipFunc: func(version semver.Version, channel, arch, platform string) bool {
+			// Workaround to set the SELinux boolean name based of the Flatcar version.
+			// Note: it works only if we test '*'
+			if version.LessThan(semver.Version{Major: 3733}) {
+				seBoolean = "virt_use_nfs"
+			}
+
+			return false
+		},
 	})
 	register.Register(&register.Test{
 		Run:         SelinuxManage,
@@ -155,8 +176,6 @@ func SelinuxEnforce(c cluster.TestCluster) {
 
 // SelinuxBoolean checks that you can tweak a boolean in the current session
 func SelinuxBoolean(c cluster.TestCluster) {
-	seBoolean := "virt_use_nfs"
-
 	m := c.Machines()[0]
 
 	tempBoolState, err := getSelinuxBooleanState(c, m, seBoolean)
@@ -186,8 +205,6 @@ func SelinuxBoolean(c cluster.TestCluster) {
 // SelinuxBooleanPersist checks that you can tweak a boolean and have it
 // persist across reboots
 func SelinuxBooleanPersist(c cluster.TestCluster) {
-	seBoolean := "virt_use_nfs"
-
 	m := c.Machines()[0]
 
 	persistBoolState, err := getSelinuxBooleanState(c, m, seBoolean)