From 540618a53bafa111c9ee37299068f2e3cedf9f1e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Burak=20Varl=C4=B1?=
Date: Fri, 27 Dec 2024 17:13:42 +0000
Subject: [PATCH] Fix non-root cache end-to-end test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Burak Varlı
---
 tests/e2e-kubernetes/testsuites/cache.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/tests/e2e-kubernetes/testsuites/cache.go b/tests/e2e-kubernetes/testsuites/cache.go
index a8bebcd..f2100e9 100644
--- a/tests/e2e-kubernetes/testsuites/cache.go
+++ b/tests/e2e-kubernetes/testsuites/cache.go
@@ -184,7 +184,7 @@ func (t *s3CSICacheTestSuite) DefineTests(driver storageframework.TestDriver, pa
 "allow-other",
 fmt.Sprintf("uid=%d", defaultNonRootUser),
 fmt.Sprintf("gid=%d", defaultNonRootGroup))
- podModifiers := append(basePodModifiers, podModifierNonRoot)
+ podModifiers := append([]func(*v1.Pod){podModifierNonRoot}, basePodModifiers...)
 pod, bucketName := createPod(ctx, mountOptions, podModifiers...)
 checkBasicFileOperations(ctx, pod, bucketName, e2epod.VolumeMountPath1)
@@ -327,6 +327,13 @@ func ensureCacheDirExistsInNode(pod *v1.Pod, cacheDir string) {
 MountPath: "/cache",
 }
+ if pod.Spec.SecurityContext == nil {
+ pod.Spec.SecurityContext = &v1.PodSecurityContext{}
+ }
+ // We need to set this false at Pod-level as `chmod-cache-dir` needs to run as `root` and this
+ // would prevent container creation if its true.
+ pod.Spec.SecurityContext.RunAsNonRoot = ptr.To(false)
+
 // The directory created with `DirectoryOrCreate` will have 0755 permissions and will be owned by kubelet.
 // Unless we change permissions here, non-root containers won't be able to access to the cache dir.
 pod.Spec.InitContainers = append(pod.Spec.DeepCopy().InitContainers, v1.Container{
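Review bot: The order of `podModifiers` is now load-bearing, but nothing at the call site in the first hunk says so. `podModifierNonRoot` has to run before `basePodModifiers`, presumably so that the pod-level `RunAsNonRoot` written by `ensureCacheDirExistsInNode` (second hunk) is applied last; neither modifier's body is visible here, so confirm that. A one-line comment above the assignment would keep a later cleanup from reverting it, e.g. `// podModifierNonRoot must run first; base modifiers adjust the pod-level security context afterwards.` Building a fresh slice also stops `append` from writing into the backing array of `basePodModifiers`, which is worth keeping. The enclosing test closure starts and ends outside the hunk.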
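Review bot: The unconditional `pod.Spec.SecurityContext.RunAsNonRoot = ptr.To(false)` in `ensureCacheDirExistsInNode` drops the pod-level non-root guard for every container in the pod, not only for the `chmod-cache-dir` init container. In the non-root test the workload container is then kept non-root only by whatever container-level settings the other modifiers apply, which this hunk does not show. A container-level `SecurityContext` takes precedence over the pod-level one in Kubernetes, so a narrower option is to leave the pod-level value untouched and set `SecurityContext: &v1.SecurityContext{RunAsUser: ptr.To(int64(0)), RunAsNonRoot: ptr.To(false)}` on the init container. The `v1.Container{` literal continues outside the hunk, so check what it already sets. If the pod-level override stays, the comment should state that it overwrites any value set earlier, and `if its true` should read `if it's true`.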