Jail/chroot nginx process inside controller container (#8337)

* Initial work on chrooting nginx process * More improvements in chroot * Fix charts and some file locations * Fix symlink on non chrooted container * fix psp test * Add e2e tests to chroot image * Fix logger * Add internal logger in controller * Fix overlay for chrooted tests * Fix tests * fix boilerplates * Fix unittest to point to the right pid * Fix PR review
2022-04-09 01:48:04 -03:00 · 2022-04-09 01:48:04 -03:00 · 3def835a6a
commit 3def835a6a
parent 83ce21b4dd
41 changed files with 456 additions and 49 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -100,13 +100,14 @@ jobs:
          REGISTRY: ingress-controller
        run: |
          echo "building images..."
-          make clean-image build image
+          make clean-image build image image-chroot
          make -C test/e2e-image image

          echo "creating images cache..."
          docker save \
            nginx-ingress-controller:e2e \
            ingress-controller/controller:1.0.0-dev \
+            ingress-controller/controller-chroot:1.0.0-dev \
            | pigz > docker.tar.gz

      - name: cache
@ -250,6 +251,65 @@ jobs:
          kind get kubeconfig > $HOME/.kube/kind-config-kind
          make kind-e2e-test

+  kubernetes-chroot:
+    name: Kubernetes chroot
+    runs-on: ubuntu-latest
+    needs:
+      - changes
+      - build
+    if: |
+      (needs.changes.outputs.go == 'true')
+
+    strategy:
+      matrix:
+        k8s: [v1.21.10, v1.22.7, v1.23.4]
+
+    steps:
+
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: cache
+        uses: actions/download-artifact@v2
+        with:
+          name: docker.tar.gz
+
+      - name: Create Kubernetes ${{ matrix.k8s }} cluster
+        id: kind
+        uses: engineerd/setup-kind@v0.5.0
+        with:
+          version: v0.12.0
+          config: test/e2e/kind.yaml
+          image: kindest/node:${{ matrix.k8s }}
+
+      - uses: geekyeggo/delete-artifact@v1
+        with:
+          name: docker.tar.gz
+          failOnError: false
+
+      - name: Prepare cluster for testing
+        id: local-path
+        run: |
+          kubectl version
+          echo
+          echo "installing helm 3..."
+          curl -sSL https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
+
+      - name: Load images from cache
+        run: |
+          echo "loading docker images..."
+          pigz -dc docker.tar.gz | docker load
+
+      - name: Run e2e tests
+        env:
+          KIND_CLUSTER_NAME: kind
+          SKIP_CLUSTER_CREATION: true
+          SKIP_IMAGE_CREATION: true
+          IS_CHROOT: true
+        run: |
+          kind get kubeconfig > $HOME/.kube/kind-config-kind
+          make kind-e2e-test
+
  test-image-build:
    permissions:
      contents: read  # for dorny/paths-filter to fetch a list of changed files