Jail/chroot nginx process inside controller container (#8337)

* Initial work on chrooting nginx process * More improvements in chroot * Fix charts and some file locations * Fix symlink on non chrooted container * fix psp test * Add e2e tests to chroot image * Fix logger * Add internal logger in controller * Fix overlay for chrooted tests * Fix tests * fix boilerplates * Fix unittest to point to the right pid * Fix PR review
2022-04-09 01:48:04 -03:00 · 2022-04-09 01:48:04 -03:00 · 3def835a6a
commit 3def835a6a
parent 83ce21b4dd
41 changed files with 456 additions and 49 deletions
--- a/test/e2e/settings/access_log.go
+++ b/test/e2e/settings/access_log.go
@ -31,17 +31,19 @@ var _ = framework.DescribeSetting("access-log", func() {
 		ginkgo.It("use the default configuration", func() {
 			f.WaitForNginxConfiguration(
 				func(cfg string) bool {
-					return strings.Contains(cfg, "access_log /var/log/nginx/access.log upstreaminfo") &&
-						strings.Contains(cfg, "access_log /var/log/nginx/access.log log_stream")
+					return (strings.Contains(cfg, "access_log /var/log/nginx/access.log upstreaminfo") &&
+						strings.Contains(cfg, "access_log /var/log/nginx/access.log log_stream")) ||
+						(strings.Contains(cfg, "access_log syslog:server=127.0.0.1:11514 upstreaminfo") &&
+							strings.Contains(cfg, "access_log syslog:server=127.0.0.1:11514 log_stream"))
 				})
 		})

 		ginkgo.It("use the specified configuration", func() {
-			f.UpdateNginxConfigMapData("access-log-path", "/tmp/access.log")
+			f.UpdateNginxConfigMapData("access-log-path", "/tmp/nginx/access.log")
 			f.WaitForNginxConfiguration(
 				func(cfg string) bool {
-					return strings.Contains(cfg, "access_log /tmp/access.log upstreaminfo") &&
-						strings.Contains(cfg, "access_log /tmp/access.log log_stream")
+					return strings.Contains(cfg, "access_log /tmp/nginx/access.log upstreaminfo") &&
+						strings.Contains(cfg, "access_log /tmp/nginx/access.log log_stream")
 				})
 		})
 	})
@ -49,11 +51,12 @@ var _ = framework.DescribeSetting("access-log", func() {
 	ginkgo.Context("http-access-log-path", func() {

 		ginkgo.It("use the specified configuration", func() {
-			f.UpdateNginxConfigMapData("http-access-log-path", "/tmp/http-access.log")
+			f.UpdateNginxConfigMapData("http-access-log-path", "/tmp/nginx/http-access.log")
 			f.WaitForNginxConfiguration(
 				func(cfg string) bool {
-					return strings.Contains(cfg, "access_log /tmp/http-access.log upstreaminfo") &&
-						strings.Contains(cfg, "access_log /var/log/nginx/access.log log_stream")
+					return strings.Contains(cfg, "access_log /tmp/nginx/http-access.log upstreaminfo") &&
+						(strings.Contains(cfg, "access_log /var/log/nginx/access.log log_stream") ||
+							strings.Contains(cfg, "access_log syslog:server=127.0.0.1:11514 log_stream"))
 				})
 		})
 	})
@ -61,11 +64,12 @@ var _ = framework.DescribeSetting("access-log", func() {
 	ginkgo.Context("stream-access-log-path", func() {

 		ginkgo.It("use the specified configuration", func() {
-			f.UpdateNginxConfigMapData("stream-access-log-path", "/tmp/stream-access.log")
+			f.UpdateNginxConfigMapData("stream-access-log-path", "/tmp/nginx/stream-access.log")
 			f.WaitForNginxConfiguration(
 				func(cfg string) bool {
-					return strings.Contains(cfg, "access_log /tmp/stream-access.log log_stream") &&
-						strings.Contains(cfg, "access_log /var/log/nginx/access.log upstreaminfo")
+					return strings.Contains(cfg, "access_log /tmp/nginx/stream-access.log log_stream") &&
+						(strings.Contains(cfg, "access_log /var/log/nginx/access.log upstreaminfo") ||
+							strings.Contains(cfg, "access_log syslog:server=127.0.0.1:11514 upstreaminfo"))
 				})
 		})
 	})
@ -74,13 +78,13 @@ var _ = framework.DescribeSetting("access-log", func() {

 		ginkgo.It("use the specified configuration", func() {
 			f.SetNginxConfigMapData(map[string]string{
-				"http-access-log-path":   "/tmp/http-access.log",
-				"stream-access-log-path": "/tmp/stream-access.log",
+				"http-access-log-path":   "/tmp/nginx/http-access.log",
+				"stream-access-log-path": "/tmp/nginx/stream-access.log",
 			})
 			f.WaitForNginxConfiguration(
 				func(cfg string) bool {
-					return strings.Contains(cfg, "access_log /tmp/http-access.log upstreaminfo") &&
-						strings.Contains(cfg, "access_log /tmp/stream-access.log log_stream")
+					return strings.Contains(cfg, "access_log /tmp/nginx/http-access.log upstreaminfo") &&
+						strings.Contains(cfg, "access_log /tmp/nginx/stream-access.log log_stream")
 				})
 		})
 	})
--- a/test/e2e/settings/pod_security_policy_volumes.go
+++ b/test/e2e/settings/pod_security_policy_volumes.go
@ -82,10 +82,10 @@ var _ = framework.IngressNginxDescribe("[Security] Pod Security Policies with vo

 			deployment.Spec.Template.Spec.Containers[0].VolumeMounts = []corev1.VolumeMount{
 				{
-					Name: "ssl", MountPath: "/etc/ingress-controller",
+					Name: "ssl", MountPath: "/etc/my-amazing-ssl",
 				},
 				{
-					Name: "tmp", MountPath: "/tmp",
+					Name: "tmp", MountPath: "/my-other-tmp",
 				},
 			}