diff --git a/CHANGELOG.md b/CHANGELOG.md
index 35e76380d5..1c24585426 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,3 +7,7 @@ - Extend the set of packages installed in the `metalk8s-utils` container image (Partially resolves issue [#2156](https://github.com/scality/metalk8s/issues/2156), PR [#2374](https://github.com/scality/metalk8s/pull/2374)) +- Upgrade `containerd` to 1.2.13 (PR [#2369](https://github.com/scality/metalk8s/pull/2369)) +- Enable `seccomp` support in `containerd` + (Issue [#2259](https://github.com/scality/metalk8s/issues/2259), + PR [#2369](https://github.com/scality/metalk8s/pull/2369))
diff --git a/buildchain/buildchain/packaging.py b/buildchain/buildchain/packaging.py
index c0719803fa..b65ece4f1d 100644
--- a/buildchain/buildchain/packaging.py
+++ b/buildchain/buildchain/packaging.py
@@ -305,6 +305,15 @@ def _rpm_repository( ], ) +CONTAINERD_RPM = _rpm_package( + name='containerd', + sources=[ + Path('containerd.service'), + Path('containerd.toml'), + Path('containerd-{}.tar.gz'.format(versions.CONTAINERD_VERSION)), + ], +) + RPM_TO_BUILD : Dict[str, Tuple[targets.RPMPackage, ...]] = { 'scality': ( # SOS report custom plugins.
@@ -315,7 +324,8 @@ def _rpm_repository( Path('containerd.py'), ], ), - CALICO_RPM + CALICO_RPM, + CONTAINERD_RPM, ), }
diff --git a/buildchain/buildchain/versions.py b/buildchain/buildchain/versions.py
index c6884197e3..36cf0a2d68 100644
--- a/buildchain/buildchain/versions.py
+++ b/buildchain/buildchain/versions.py
@@ -20,6 +20,8 @@ CALICO_VERSION : str = '3.12.0' K8S_VERSION : str = '1.17.4' SALT_VERSION : str = '2018.3.4' +CONTAINERD_VERSION : str = '1.2.13' +CONTAINERD_RELEASE : str = '2.el7' def load_version_information() -> None: """Load version information from `VERSION`."""
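Review bot: `CONTAINERD_RPM` in buildchain/buildchain/packaging.py names its tarball from `versions.CONTAINERD_VERSION`, while the spec added in this same commit hard-codes `Version: 1.2.13` and `Release: 2%{?dist}`, so a later bump in `versions.py` alone would leave the two out of step. Unless `_rpm_package` (defined outside this hunk) passes the version into the spec, a comment above the definition such as `# keep in sync with Version/Release in packages/redhat/containerd.spec` would help. Nothing visible in the diff records an expected digest for `containerd-<version>.tar.gz`; if the build chain downloads it from the spec's `Source0` URL, comparing it against a pinned SHA-256 before building would be worth adding.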
@@ -306,7 +308,6 @@ def deb_full_name(self) -> str: PackageVersion(name='kubectl', version=K8S_VERSION), PackageVersion(name='kubelet', version=K8S_VERSION), # Latest packages - PackageVersion(name='containerd'), PackageVersion(name='coreutils'), PackageVersion(name='cri-tools'), PackageVersion(name='e2fsprogs'),
@@ -330,6 +331,11 @@ def deb_full_name(self) -> str: version=CALICO_VERSION, release='1.el7' ), + PackageVersion( + name='containerd', + version=CONTAINERD_VERSION, + release=CONTAINERD_RELEASE, + ), PackageVersion(name='container-selinux'), # TODO #1710 PackageVersion( name='metalk8s-sosreport',
diff --git a/packages/redhat/Dockerfile b/packages/redhat/Dockerfile
index a48a7aff0b..540e6cc99a 100644
--- a/packages/redhat/Dockerfile
+++ b/packages/redhat/Dockerfile
@@ -18,4 +18,14 @@ RUN yum install -y \ && \ yum clean all +# To build containerd +RUN yum install -y \ + golang \ + btrfs-progs-devel \ + go-md2man \ + libseccomp-devel \ + systemd \ + && \ + yum clean all + RUN useradd -m build
diff --git a/packages/redhat/containerd.service b/packages/redhat/containerd.service
new file mode 100644
index 0000000000..08c6a2e0a7
--- /dev/null
+++ b/packages/redhat/containerd.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=containerd container runtime
+Documentation=https://containerd.io
+After=network.target
+
+[Service]
+ExecStartPre=/sbin/modprobe overlay
+ExecStart=/usr/bin/containerd
+Delegate=yes
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
diff --git a/packages/redhat/containerd.spec b/packages/redhat/containerd.spec
new file mode 100644
index 0000000000..f8a2371d6e
--- /dev/null
+++ b/packages/redhat/containerd.spec
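Review bot: The added `RUN yum install -y` in packages/redhat/Dockerfile leaves `golang` unpinned, so the compiler that produces the containerd and shim binaries can change from one image build to the next with no change in this repository. The spec only asks for `golang >= 1.10`; pinning the package (`golang-<version>`, placeholder) or printing `go version` during the build would make the toolchain behind a given RPM traceable. The comment `# To build containerd` could also name the consumer, e.g. `# Build dependencies of packages/redhat/containerd.spec`.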
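Review bot: `ExecStartPre=/sbin/modprobe overlay` in containerd.service has no `-` prefix, so any non-zero exit from modprobe keeps the unit from starting at all; `ExecStartPre=-/sbin/modprobe overlay` would let containerd start and report a missing snapshotter itself. The `[Service]` section also sets no `Restart=`, so a daemon that exits unexpectedly stays down until someone intervenes; `Restart=always` with `RestartSec=5` is a common choice for a node's container runtime. A one-line comment on `KillMode=process` saying that it leaves shims and running containers alone when the daemon is stopped or restarted would help the next reader.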
@@ -0,0 +1,269 @@
+%global goipath github.com/containerd/containerd
+Version: 1.2.13
+
+%if %{defined fedora}
+%gometa
+%ifnarch %{arm}
+%bcond_without tests
+%endif
+%else
+ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm} aarch64 ppc64le s390x %{mips}}
+%global debug_package %{nil}
+%global gourl https://%{goipath}
+%global gosource %{gourl}/archive/v%{version}/%{name}-%{version}.tar.gz
+%define gobuildroot %{expand:
+GO_BUILD_PATH=$PWD/_build
+install -m 0755 -vd $(dirname $GO_BUILD_PATH/src/%{goipath})
+ln -fs $PWD $GO_BUILD_PATH/src/%{goipath}
+cd $GO_BUILD_PATH/src/%{goipath}
+install -m 0755 -vd _bin
+export PATH=$PWD/_bin${PATH:+:$PATH}
+export GOPATH=$GO_BUILD_PATH:%{gopath}
+}
+%define gobuild(o:) %{expand:
+%global _dwz_low_mem_die_limit 0
+%ifnarch ppc64
+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-seccomp}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags %{?__golang_extldflags}'" -a -v -x %{?**};
+%else
+go build -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-seccomp}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags %{?__golang_extldflags}'" -a -v -x %{?**};
+%endif
+}
+%endif
+
+
+Name: containerd
+Release: 2%{?dist}
+Summary: An industry-standard container runtime
+License: ASL 2.0
+URL: https://containerd.io
+Source0: %{gosource}
+Source1: containerd.service
+Source2: containerd.toml
+
+BuildRequires: golang >= 1.10
+BuildRequires: btrfs-progs-devel
+BuildRequires: go-md2man
+BuildRequires: libseccomp-devel
+BuildRequires: systemd
+%{?systemd_requires}
+Requires: runc
+
+# vendored libraries
+# grep -v -e '^$' -e '^#' containerd-*/vendor.conf | sort | awk '{print "Provides: bundled(golang("$1")) = "$2}'
+Provides: bundled(golang(github.com/beorn7/perks)) = 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9
+Provides: bundled(golang(github.com/blang/semver)) = v3.1.0
+Provides: bundled(golang(github.com/BurntSushi/toml)) = a368813c5e648fee92e5f6c30e3944ff9d5e8895
+Provides: bundled(golang(github.com/containerd/aufs)) = ffa39970e26ad01d81f540b21e65f9c1841a5f92
+Provides: bundled(golang(github.com/containerd/btrfs)) = 2e1aa0ddf94f91fa282b6ed87c23bf0d64911244
+Provides: bundled(golang(github.com/containerd/cgroups)) = c4b9ac5c7601384c965b9646fc515884e091ebb9
+Provides: bundled(golang(github.com/containerd/console)) = c12b1e7919c14469339a5d38f2f8ed9b64a9de23
+Provides: bundled(golang(github.com/containerd/continuity)) = bd77b46c8352f74eb12c85bdc01f4b90f69d66b4
+Provides: bundled(golang(github.com/containerd/cri)) = b1052f3b73fb9f0a6805d3c20e884a4cef265a38
+Provides: bundled(golang(github.com/containerd/fifo)) = 3d5202aec260678c48179c56f40e6f38a095738c
+Provides: bundled(golang(github.com/containerd/go-cni)) = 40bcf8ec8acd7372be1d77031d585d5d8e561c90
+Provides: bundled(golang(github.com/containerd/go-runc)) = e029b79d8cda8374981c64eba71f28ec38e5526f
+Provides: bundled(golang(github.com/containerd/ttrpc)) = 92c8520ef9f86600c650dd540266a007bf03670f
+Provides: bundled(golang(github.com/containerd/typeurl)) = a93fcdb778cd272c6e9b3028b2f42d813e785d40
+Provides: bundled(golang(github.com/containerd/zfs)) = 2ceb2dbb8154202ed1b8fd32e4ea25b491d7b251
+Provides: bundled(golang(github.com/containernetworking/cni)) = v0.6.0
+Provides: bundled(golang(github.com/containernetworking/plugins)) = v0.7.5
+Provides: bundled(golang(github.com/coreos/go-systemd)) = 48702e0da86bd25e76cfef347e2adeb434a0d0a6
+Provides: bundled(golang(github.com/davecgh/go-spew)) = v1.1.0
+Provides: bundled(golang(github.com/docker/distribution)) = 0d3efadf0154c2b8a4e7b6621fff9809655cc580
+Provides: bundled(golang(github.com/docker/docker)) = 86f080cff0914e9694068ed78d503701667c4c00
+Provides: bundled(golang(github.com/docker/go-events)) = 9461782956ad83b30282bf90e31fa6a70c255ba9
+Provides: bundled(golang(github.com/docker/go-metrics)) = 4ea375f7759c82740c893fc030bc37088d2ec098
+Provides: bundled(golang(github.com/docker/go-units)) = v0.3.1
+Provides: bundled(golang(github.com/docker/spdystream)) = 449fdfce4d962303d702fec724ef0ad181c92528
+Provides: bundled(golang(github.com/emicklei/go-restful)) = v2.2.1
+Provides: bundled(golang(github.com/ghodss/yaml)) = v1.0.0
+Provides: bundled(golang(github.com/godbus/dbus)) = c7fdd8b5cd55e87b4e1f4e372cdb1db61dd6c66f
+Provides: bundled(golang(github.com/gogo/googleapis)) = 08a7655d27152912db7aaf4f983275eaf8d128ef
+Provides: bundled(golang(github.com/gogo/protobuf)) = v1.0.0
+Provides: bundled(golang(github.com/golang/glog)) = 44145f04b68cf362d9c4df2182967c2275eaefed
+Provides: bundled(golang(github.com/golang/protobuf)) = v1.1.0
+Provides: bundled(golang(github.com/google/go-cmp)) = v0.1.0
+Provides: bundled(golang(github.com/google/gofuzz)) = 44d81051d367757e1c7c6a5a86423ece9afcf63c
+Provides: bundled(golang(github.com/google/uuid)) = v1.1.1
+Provides: bundled(golang(github.com/grpc-ecosystem/go-grpc-prometheus)) = 6b7015e65d366bf3f19b2b2a000a831940f0f7e0
+Provides: bundled(golang(github.com/hashicorp/errwrap)) = 7554cd9344cec97297fa6649b055a8c98c2a1e55
+Provides: bundled(golang(github.com/hashicorp/go-multierror)) = ed905158d87462226a13fe39ddf685ea65f1c11f
+Provides: bundled(golang(github.com/json-iterator/go)) = 1.1.5
+Provides: bundled(golang(github.com/matttproud/golang_protobuf_extensions)) = v1.0.0
+Provides: bundled(golang(github.com/Microsoft/go-winio)) = v0.4.11
+Provides: bundled(golang(github.com/Microsoft/hcsshim)) = v0.8.1
+Provides: bundled(golang(github.com/mistifyio/go-zfs)) = f784269be439d704d3dfa1906f45dd848fed2beb
+Provides: bundled(golang(github.com/modern-go/concurrent)) = 1.0.3
+Provides: bundled(golang(github.com/modern-go/reflect2)) = 1.0.1
+Provides: bundled(golang(github.com/opencontainers/go-digest)) = c9281466c8b2f606084ac71339773efd177436e7
+Provides: bundled(golang(github.com/opencontainers/image-spec)) = v1.0.1
+Provides: bundled(golang(github.com/opencontainers/runc)) = dc9208a3303feef5b3839f4323d9beb36df0a9dd
+Provides: bundled(golang(github.com/opencontainers/runtime-spec)) = eba862dc2470385a233c7507392675cbeadf7353
+Provides: bundled(golang(github.com/opencontainers/runtime-tools)) = v0.6.0
+Provides: bundled(golang(github.com/opencontainers/selinux)) = 5215b1806f52b1fcc2070a8826c542c9d33cd3cf
+Provides: bundled(golang(github.com/pkg/errors)) = v0.8.0
+Provides: bundled(golang(github.com/prometheus/client_golang)) = f4fb1b73fb099f396a7f0036bf86aa8def4ed823
+Provides: bundled(golang(github.com/prometheus/client_model)) = 99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c
+Provides: bundled(golang(github.com/prometheus/common)) = 89604d197083d4781071d3c65855d24ecfb0a563
+Provides: bundled(golang(github.com/prometheus/procfs)) = cb4147076ac75738c9a7d279075a253c0cc5acbd
+Provides: bundled(golang(github.com/seccomp/libseccomp-golang)) = v0.9.1
+Provides: bundled(golang(github.com/sirupsen/logrus)) = v1.0.0
+Provides: bundled(golang(github.com/syndtr/gocapability)) = db04d3cc01c8b54962a58ec7e491717d06cfcc16
+Provides: bundled(golang(github.com/tchap/go-patricia)) = v2.2.6
+Provides: bundled(golang(github.com/urfave/cli)) = 7bc6a0acffa589f415f88aca16cc1de5ffd66f9c
+Provides: bundled(golang(github.com/xeipuuv/gojsonpointer)) = 4e3ac2762d5f479393488629ee9370b50873b3a6
+Provides: bundled(golang(github.com/xeipuuv/gojsonreference)) = bd5ef7bd5415a7ac448318e64f11a24cd21e594b
+Provides: bundled(golang(github.com/xeipuuv/gojsonschema)) = 1d523034197ff1f222f6429836dd36a2457a1874
+Provides: bundled(golang(go.etcd.io/bbolt)) = v1.3.1-etcd.8
+Provides: bundled(golang(golang.org/x/crypto)) = 69ecbb4d6d5dab05e49161c6e77ea40a030884e1
+Provides: bundled(golang(golang.org/x/net)) = b3756b4b77d7b13260a0a2ec658753cf48922eac
+Provides: bundled(golang(golang.org/x/oauth2)) = a6bd8cefa1811bd24b86f8902872e4e8225f74c4
+Provides: bundled(golang(golang.org/x/sync)) = 450f422ab23cf9881c94e2db30cac0eb1b7cf80c
+Provides: bundled(golang(golang.org/x/sys)) = 41f3e6584952bb034a481797859f6ab34b6803bd
+Provides: bundled(golang(golang.org/x/text)) = 19e51611da83d6be54ddafce4a4af510cb3e9ea4
+Provides: bundled(golang(golang.org/x/time)) = f51c12702a4d776e4c1fa9b0fabab841babae631
+Provides: bundled(golang(google.golang.org/appengine)) = 54a98f90d1c46b7731eb8fb305d2a321c30ef610
+Provides: bundled(golang(google.golang.org/genproto)) = d80a6e20e776b0b17a324d0ba1ab50a39c8e8944
+Provides: bundled(golang(google.golang.org/grpc)) = 39e8a7b072a67ca2a75f57fa2e0d50995f5b22f6
+Provides: bundled(golang(gopkg.in/inf.v0)) = 3887ee99ecf07df5b447e9b00d9c0b2adaa9f3e4
+Provides: bundled(golang(gopkg.in/yaml.v2)) = 53403b58ad1b561927d19068c655246f2db79d48
+Provides: bundled(golang(gotest.tools)) = v2.1.0
+Provides: bundled(golang(k8s.io/api)) = kubernetes-1.12.0
+Provides: bundled(golang(k8s.io/apimachinery)) = kubernetes-1.12.0
+Provides: bundled(golang(k8s.io/apiserver)) = kubernetes-1.12.0
+Provides: bundled(golang(k8s.io/client-go)) = kubernetes-1.12.0
+Provides: bundled(golang(k8s.io/kubernetes)) = v1.12.0
+Provides: bundled(golang(k8s.io/utils)) = cd34563cd63c2bd7c6fe88a73c4dcf34ed8a67cb
+
+
+%description
+containerd is an industry-standard container runtime with an emphasis on
+simplicity, robustness and portability. It is available as a daemon for Linux
+and Windows, which can manage the complete container lifecycle of its host
+system: image transfer and storage, container execution and supervision,
+low-level storage and network attachments, etc.
+
+
+%prep
+%autosetup
+
+
+%build
+%gobuildroot
+export LDFLAGS="-X %{goipath}/version.Version=%{version}"
+%gobuild -o _bin/containerd %{goipath}/cmd/containerd
+%gobuild -o _bin/containerd-shim %{goipath}/cmd/containerd-shim
+%gobuild -o _bin/containerd-shim-runc-v1 %{goipath}/cmd/containerd-shim-runc-v1
+%gobuild -o _bin/ctr %{goipath}/cmd/ctr
+mkdir _man
+go-md2man -in docs/man/containerd.1.md -out _man/containerd.1
+go-md2man -in docs/man/containerd-config.1.md -out _man/containerd-config.1
+go-md2man -in docs/man/ctr.1.md -out _man/ctr.1
+go-md2man -in docs/man/containerd-config.toml.5.md -out _man/containerd-config.toml.5
+
+
+%install
+install -D -p -m 0755 _bin/containerd %{buildroot}%{_bindir}/containerd
+install -D -p -m 0755 _bin/containerd-shim %{buildroot}%{_bindir}/containerd-shim
+install -D -p -m 0755 _bin/containerd-shim-runc-v1 %{buildroot}%{_bindir}/containerd-shim-runc-v1
+install -D -p -m 0755 _bin/ctr %{buildroot}%{_bindir}/ctr
+install -D -p -m 0644 _man/containerd.1 %{buildroot}%{_mandir}/man1/containerd.1
+install -D -p -m 0644 _man/containerd-config.1 %{buildroot}%{_mandir}/man1/containerd-config.1
+install -D -p -m 0644 _man/ctr.1 %{buildroot}%{_mandir}/man1/ctr.1
+install -D -p -m 0644 _man/containerd-config.toml.5 %{buildroot}%{_mandir}/man5/containerd-config.toml.5
+install -D -p -m 0644 %{S:1} %{buildroot}%{_unitdir}/containerd.service
+install -D -p -m 0644 %{S:2} %{buildroot}%{_sysconfdir}/containerd/config.toml
+
+
+%if %{with tests}
+%check
+%gochecks
+%endif
+
+
+%post
+%systemd_post containerd.service
+
+
+%preun
+%systemd_preun containerd.service
+
+
+%postun
+%systemd_postun_with_restart containerd.service
+
+
+%files
+%license LICENSE
+%doc README.md
+%{_bindir}/containerd
+%{_bindir}/containerd-shim
+%{_bindir}/containerd-shim-runc-v1
+%{_bindir}/ctr
+%{_mandir}/man1/containerd.1*
+%{_mandir}/man1/containerd-config.1*
+%{_mandir}/man1/ctr.1*
+%{_mandir}/man5/containerd-config.toml.5*
+%{_unitdir}/containerd.service
+%dir %{_sysconfdir}/containerd
+%config(noreplace) %{_sysconfdir}/containerd/config.toml
+
+
+%changelog
+* Mon Apr 6 2020 Nicolas Trangez - 1.2.13-2
+- Enable seccomp support
+
+* Mon Apr 6 2020 Nicolas Trangez - 1.2.13-1
+- Latest upstream
+
+* Tue Feb 26 2019 Carl George - 1.2.4-1
+- Latest upstream
+
+* Thu Jan 31 2019 Fedora Release Engineering - 1.2.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Jan 03 2019 Carl George - 1.2.1-1
+- Latest upstream
+- Run test suite (except on el7 or %%arm)
+
+* Thu Oct 25 2018 Carl George - 1.2.0-1
+- Latest upstream
+
+* Mon Aug 13 2018 Carl George - 1.1.2-1
+- Latest upstream
+
+* Thu Jul 12 2018 Fedora Release Engineering - 1.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Apr 26 2018 Carl George - 1.1.0-1
+- Latest upstream
+- Build and include man pages
+
+* Wed Apr 04 2018 Carl George - 1.0.3-1
+- Latest upstream
+
+* Wed Feb 07 2018 Fedora Release Engineering - 1.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Jan 22 2018 Carl George - 1.0.1-1
+- Latest upstream
+
+* Wed Dec 06 2017 Carl George - 1.0.0-1
+- Latest upstream
+
+* Fri Nov 10 2017 Carl George - 1.0.0-0.5.beta.3
+- Latest upstream
+
+* Thu Oct 19 2017 Carl George - 1.0.0-0.4.beta.2
+- Own /etc/containerd
+
+* Thu Oct 12 2017 Carl George - 1.0.0-0.3.beta.2
+- Latest upstream
+- Require runc 1.0.0 https://github.com/containerd/containerd/issues/1508#issuecomment-335566293
+
+* Mon Oct 09 2017 Carl George - 1.0.0-0.2.beta.1
+- Add provides for vendored dependencies
+- Add ctr command
+
+* Wed Oct 04 2017 Carl George - 1.0.0-0.1.beta.1
+- Initial package
diff --git a/packages/redhat/containerd.toml b/packages/redhat/containerd.toml
new file mode 100644
index 0000000000..fc3f9f771c
--- /dev/null
+++ b/packages/redhat/containerd.toml
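Review bot: In both `go build` lines of the `%define gobuild` macro in containerd.spec, `seccomp` is only the fallback of `${BUILDTAGS:-seccomp}`, so a build that exports `BUILDTAGS` for any other reason silently produces a containerd without seccomp support, which is the feature this package revision exists to enable. Making the tag unconditional, `-tags="rpm_crashtraceback seccomp ${BUILDTAGS:-}"`, keeps it on whatever the environment holds. `Requires: runc` is unversioned even though the changelog entry for 1.0.0-0.3.beta.2 speaks of requiring runc 1.0.0; a minimum version there would stop an older runc from satisfying the dependency. The `Provides: bundled(...)` list deserves a comment naming the containerd release whose `vendor.conf` it was generated from, since it looks carried over from an earlier spec and may not match 1.2.13.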
@@ -0,0 +1,15 @@
+#root = "/var/lib/containerd"
+#state = "/run/containerd"
+#subreaper = true
+#oom_score = 0
+
+#[grpc]
+# address = "/run/containerd/containerd.sock"
+# uid = 0
+# gid = 0
+
+#[debug]
+# address = "/run/containerd/debug.sock"
+# uid = 0
+# gid = 0
+# level = "info"
diff --git a/tests/post/features/seccomp.feature b/tests/post/features/seccomp.feature
new file mode 100644
index 0000000000..3f786f2895
--- /dev/null
+++ b/tests/post/features/seccomp.feature
@@ -0,0 +1,6 @@
+@post @ci @local @seccomp
+Feature: seccomp
+ Scenario: Running a Pod with the 'runtime/default' seccomp profile works
+ Given the Kubernetes API is available
+ When we create a utils Pod with labels {'test': 'seccomp1'} and annotations {'seccomp.security.alpha.kubernetes.io/pod': 'runtime/default'}
+ Then pods with label 'test=seccomp1' are 'Ready'
diff --git a/tests/post/steps/conftest.py b/tests/post/steps/conftest.py
index 97513543a7..e9f7ea6229 100644
--- a/tests/post/steps/conftest.py
+++ b/tests/post/steps/conftest.py
@@ -1,5 +1,5 @@ # coding: utf-8 -from pytest_bdd import given, parsers +from pytest_bdd import given, parsers, then from tests import kube_utils, utils
@@ -46,11 +46,17 @@ def _wait_for_status(): ) # }}} + + +_PARSE_PODS_WITH_LABEL_STATUS = parsers.parse( + "pods with label '{label}' are '{expected_status}'") + + # Given {{{ -@given(parsers.parse("pods with label '{label}' are '{expected_status}'")) -def check_pod_status(request, host, k8s_client, label, expected_status): +@given(_PARSE_PODS_WITH_LABEL_STATUS) +def given_check_pod_status(request, host, k8s_client, label, expected_status): ssh_config = request.config.getoption('--ssh-config') _check_pods_status(
@@ -66,3 +72,15 @@ def check_all_pods_status(request, host, k8s_client, expected_status): k8s_client, expected_status, ssh_config ) # }}} + +# Then {{{ + + +@then(_PARSE_PODS_WITH_LABEL_STATUS) +def then_check_pod_status(request, host, k8s_client, label, expected_status): + ssh_config = request.config.getoption('--ssh-config') + + _check_pods_status( + k8s_client, expected_status, ssh_config, label=label + ) +# }}}
diff --git a/tests/post/steps/test_seccomp.py b/tests/post/steps/test_seccomp.py
new file mode 100644
index 0000000000..9ebe53ccb3
--- /dev/null
+++ b/tests/post/steps/test_seccomp.py
@@ -0,0 +1,59 @@
+import os.path
+
+import yaml
+
+from kubernetes import client
+
+import pytest
+from pytest_bdd import scenario, when
+
+from tests import kube_utils
+from tests import utils
+
+
+@scenario("../features/seccomp.feature",
+ "Running a Pod with the 'runtime/default' seccomp profile works")
+def test_seccomp(host):
+ pass
+
+
+@when("we create a utils Pod with labels {'test': 'seccomp1'} "
+ "and annotations "
+ "{'seccomp.security.alpha.kubernetes.io/pod': 'runtime/default'}")
+def create_utils_pod(utils_pod):
+ pass
+
+
+@pytest.fixture
+def utils_pod(k8s_client, utils_image):
+ manifest_file = os.path.join(
+ os.path.realpath(os.path.dirname(__file__)),
+ "files",
+ "utils.yaml"
+ )
+ with open(manifest_file, encoding="utf-8") as fd:
+ manifest = yaml.safe_load(fd)
+
+ pod_name = 'test-seccomp1'
+
+ manifest["spec"]["containers"][0]["image"] = utils_image
+ manifest["metadata"]["name"] = pod_name
+ manifest["metadata"]["annotations"] = {
+ "seccomp.security.alpha.kubernetes.io/pod": "runtime/default",
+ }
+ manifest["metadata"]["labels"] = {
+ "test": "seccomp1",
+ }
+
+ k8s_client.create_namespaced_pod(body=manifest, namespace='default')
+
+ try:
+ yield pod_name
+ finally:
+ k8s_client.delete_namespaced_pod(
+ name=pod_name,
+ namespace="default",
+ body=client.V1DeleteOptions(
+ grace_period_seconds=0,
+ ),
+ )
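Review bot: `then_check_pod_status` in tests/post/steps/conftest.py repeats the visible body of `given_check_pod_status` line for line and requests a `host` fixture it never reads. A small shared helper, for example `_check_label_status(request, k8s_client, label, expected_status)`, called from both steps would keep the two from drifting apart. If `host` is requested only for its setup side effect, a comment such as `# host: requested for fixture setup only` would say so; the new step also has no docstring.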
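Review bot: The scenario driven by tests/post/steps/test_seccomp.py only waits for the Pod to become `Ready`, which shows that the runtime accepts the `runtime/default` annotation but not that a filter is actually applied to the container. A further `Then` step that reads `/proc/1/status` inside the Pod and checks that the `Seccomp:` field is `2` (filter mode) would catch a build that starts the Pod yet ignores the profile. The `utils_pod` fixture would benefit from a docstring stating that it creates `test-seccomp1` in the `default` namespace and force-deletes it on teardown with `grace_period_seconds=0`. The imports `kube_utils` and `utils` are unused in this file and can be dropped.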