Add option to pass cri socket (#96)

* Add option to pass cri socket * Adjust unit tests
inovex · Apr 21, 2020 · c3c2068 · c3c2068
1 parent 57d6837
commit c3c2068
Show file tree

Hide file tree

Showing 8 changed files with 147 additions and 18 deletions.
diff --git a/docs/developing.md b/docs/developing.md
@@ -148,7 +148,7 @@ DOCKER_REGISTRY=$(minikube ip) ./local_dev/run_e2e_tests.sh
 In order to run the unit tests:
 
 ```bash
-python3 setup.py test --addopts --runslow
+python setup.py test --addopts="-m 'not e2e' --runslow"
 ```
 
 ## Cleanup

diff --git a/src/illuminatio/illuminatio.py b/src/illuminatio/illuminatio.py
@@ -87,7 +87,20 @@ def cli(incluster, kubeconfig):
     default="nginx:stable",
     help="Target image that is used to generate pods (should have a webserver inside listening on port 80)",
 )
-def run(outfile, brief, dry, runner_image, target_image):
+@click.option(
+    "-c",
+    "--cri-socket",
+    default=None,
+    help="CRI socket used for the interaction with the container runtime",
+)
+def run(
+    outfile: str,
+    brief: bool,
+    dry: bool,
+    runner_image: str,
+    target_image: str,
+    cri_socket: str,
+):
     """
     Create and execute test cases for NetworkPolicies currently in cluster.
     """
@@ -128,7 +141,7 @@ def run(outfile, brief, dry, runner_image, target_image):
         additional_data,
         resource_creation_time,
         result_wait_time,
-    ) = execute_tests(cases, orch)
+    ) = execute_tests(cases, orch, cri_socket)
     runtimes["resource-creation"] = resource_creation_time - case_time
     runtimes["result-waiting"] = result_wait_time - resource_creation_time
     result_time = time.time()
@@ -165,7 +178,7 @@ def run(outfile, brief, dry, runner_image, target_image):
     # clean(True)
 
 
-def execute_tests(cases, orch):
+def execute_tests(cases, orch, cri_socket):
     """
     Executes all tests with given test cases
     """
@@ -185,7 +198,7 @@ def execute_tests(cases, orch):
         cfgmap,
     ) = orch.ensure_cases_are_generated(core_api)
     pod_selector = orch.ensure_daemonset_is_ready(
-        cfgmap, k8s.client.AppsV1Api(), core_api
+        cfgmap, k8s.client.AppsV1Api(), core_api, cri_socket
     )
     resource_creation_time = time.time()
     raw_results, runtimes = orch.collect_results(pod_selector, core_api)

diff --git a/src/illuminatio/manifests/runner-daemonset.yaml b/src/illuminatio/manifests/runner-daemonset.yaml
@@ -38,6 +38,8 @@ spec:
               fieldPath: metadata.namespace
         - name: CONTAINER_RUNTIME_NAME
           value: {runtime}
+        - name: CONTAINER_RUNTIME_ENDPOINT
+          value: {cri_socket}
         image: {image}
         imagePullPolicy: Always
         name: runner

diff --git a/src/illuminatio/test_orchestrator.py b/src/illuminatio/test_orchestrator.py
@@ -440,9 +440,10 @@ def ensure_cases_are_generated(self, core_api: k8s.client.CoreV1Api):
 
     def ensure_daemonset_is_ready(
         self,
-        config_map_name,
+        config_map_name: str,
         apps_api: k8s.client.AppsV1Api,
         core_api: k8s.client.CoreV1Api,
+        cri_socket: str,
     ):
         """
         Ensures that all required resources for illuminatio are created
@@ -460,7 +461,7 @@ def ensure_daemonset_is_ready(
         # Ensure that our DaemonSet and the Pods are running/ready
         daemonset_name = f"{PROJECT_PREFIX}-runner"
         self._ensure_daemonset_exists(
-            daemonset_name, service_account_name, config_map_name, apps_api
+            daemonset_name, service_account_name, config_map_name, apps_api, cri_socket
         )
         pod_selector = self._ensure_daemonset_ready(daemonset_name, apps_api)
 
@@ -519,23 +520,28 @@ def collect_results(self, pod_selector, api: k8s.client.CoreV1Api):
         return {k: v for yam in [y.items() for y in yamls] for k, v in yam}, times
 
     def create_daemonset_manifest(
-        self, daemon_set_name, service_account_name, config_map_name, container_runtime
+        self,
+        daemon_set_name: str,
+        service_account_name: str,
+        config_map_name: str,
+        container_runtime: str,
+        cri_socket: str,
     ):
         """
         Creates a DaemonSet manifest on basis of the project's manifest files and the current
         container runtime
         """
-        cri_socket = ""
         runtime = ""
         netns_path = "/var/run/netns"
 
         if container_runtime.startswith("docker"):
             netns_path = "/var/run/docker/netns"
-            cri_socket = "/var/run/docker.sock"
+            if cri_socket is None:
+                cri_socket = "/var/run/docker.sock"
             runtime = "docker"
         elif container_runtime.startswith("containerd"):
-            # this should be actually the default -> "/run/containerd/containerd.sock"
-            cri_socket = "/var/run/dockershim.sock"
+            if cri_socket is None:
+                cri_socket = "/var/run/dockershim.sock"
             runtime = "containerd"
         else:
             raise NotImplementedError(
@@ -567,10 +573,11 @@ def create_daemonset(self, daemon_manifest, api):
 
     def _ensure_daemonset_exists(
         self,
-        daemonset_name,
-        service_account_name,
-        config_map_name,
+        daemonset_name: str,
+        service_account_name: str,
+        config_map_name: str,
         api: k8s.client.AppsV1Api,
+        cri_socket: str,
     ):
         # Use a Kubernetes Manifest as template and replace required parts
         try:
@@ -584,6 +591,7 @@ def _ensure_daemonset_exists(
                     service_account_name,
                     config_map_name,
                     get_container_runtime(),
+                    cri_socket,
                 )
                 self.create_daemonset(daemonset_manifest, api)
             else:

diff --git a/tests/assets/containerd.yaml b/tests/assets/containerd.yaml
@@ -38,6 +38,8 @@ spec:
               fieldPath: metadata.namespace
         - name: CONTAINER_RUNTIME_NAME
           value: containerd
+        - name: CONTAINER_RUNTIME_ENDPOINT
+          value: /var/run/dockershim.sock
         image: inovex/illuminatio-runner:dev
         imagePullPolicy: Always
         name: runner

diff --git a/tests/assets/containerd_custom_socket.yaml b/tests/assets/containerd_custom_socket.yaml
@@ -0,0 +1,78 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app: illuminatio-runner
+    illuminatio-cleanup: on-request
+    illuminatio-role: ds_runner-set
+  name: illuminatio-runner
+  namespace: illuminatio
+spec:
+  selector:
+    matchLabels:
+      illuminatio-role: ds_runner
+  template:
+    metadata:
+      labels:
+        illuminatio-cleanup: on-request
+        illuminatio-role: ds_runner
+    spec:
+      containers:
+      - env:
+        - name: RUNNER_MODE
+          value: daemon
+        - name: RUNNER_NODE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        - name: RUNNER_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.name
+        - name: RUNNER_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: CONTAINER_RUNTIME_NAME
+          value: containerd
+        - name: CONTAINER_RUNTIME_ENDPOINT
+          value: /var/run/containerd/containerd.sock
+        image: inovex/illuminatio-runner:dev
+        imagePullPolicy: Always
+        name: runner
+        securityContext:
+          allowPrivilegeEscalation: true
+          procMount: Default
+          runAsUser: 0
+          capabilities:
+            add:
+              - SYS_ADMIN
+        volumeMounts:
+        - mountPath: /etc/config/
+          name: cases-volume
+        - mountPath: /var/run/containerd/containerd.sock
+          name: cri-socket
+          readOnly: true
+        - mountPath: /var/run/netns
+          name: net-ns
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      hostPID: true
+      serviceAccount: illuminatio-runner
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: cases-volume
+        configMap:
+          defaultMode: 420
+          name: illuminatio-cases-cfgmap
+      - name: cri-socket
+        hostPath:
+          path: /var/run/containerd/containerd.sock
+          type: Socket
+      - name: net-ns
+        hostPath:
+          path: /var/run/netns
+          type: Directory
diff --git a/tests/assets/docker.yaml b/tests/assets/docker.yaml
@@ -38,6 +38,8 @@ spec:
               fieldPath: metadata.namespace
         - name: CONTAINER_RUNTIME_NAME
           value: docker
+        - name: CONTAINER_RUNTIME_ENDPOINT
+          value: /var/run/docker.sock
         image: inovex/illuminatio-runner:dev
         imagePullPolicy: Always
         name: runner

diff --git a/tests/test_test_orchestrator.py b/tests/test_test_orchestrator.py
@@ -97,7 +97,7 @@ def test_create_daemonset_manifest_docker():
 
     expected = get_manifest("docker.yaml")
     result = orch.create_daemonset_manifest(
-        daemon_set_name, service_account_name, config_map_name, container_runtime
+        daemon_set_name, service_account_name, config_map_name, container_runtime, None
     )
     assert result == expected
 
@@ -112,7 +112,27 @@ def test_create_daemonset_manifest_containerd():
 
     expected = get_manifest("containerd.yaml")
     result = orch.create_daemonset_manifest(
-        daemon_set_name, service_account_name, config_map_name, container_runtime
+        daemon_set_name, service_account_name, config_map_name, container_runtime, None
+    )
+    assert result == expected
+
+
+def test_create_daemonset_manifest_containerd_custom_socket():
+    orch = createOrchestrator([])
+    orch.set_runner_image("inovex/illuminatio-runner:dev")
+    daemon_set_name = "illuminatio-runner"
+    service_account_name = "illuminatio-runner"
+    config_map_name = "illuminatio-cases-cfgmap"
+    container_runtime = "containerd://1.2.6"
+    cri_socket = "/var/run/containerd/containerd.sock"
+
+    expected = get_manifest("containerd_custom_socket.yaml")
+    result = orch.create_daemonset_manifest(
+        daemon_set_name,
+        service_account_name,
+        config_map_name,
+        container_runtime,
+        cri_socket,
     )
     assert result == expected
 
@@ -127,5 +147,9 @@ def test_create_daemonset_manifest_unsupported():
 
     with pytest.raises(NotImplementedError):
         orch.create_daemonset_manifest(
-            daemon_set_name, service_account_name, config_map_name, container_runtime
+            daemon_set_name,
+            service_account_name,
+            config_map_name,
+            container_runtime,
+            None,
         )