Merge pull request #14891 from bparees/root_builds

pass an internal pod object to SCC admission control so it works

Author: smarterclayton

pkg/build/controller/strategy/sti.go

@@ -112,27 +112,27 @@ func (bs *SourceBuildStrategy) CreateBuildPod(build *buildapi.Build) (*v1.Pod, e
 func (bs *SourceBuildStrategy) canRunAsRoot(build *buildapi.Build) bool {
 	var rootUser int64
 	rootUser = 0
-	pod := &v1.Pod{
+	pod := &kapi.Pod{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      buildapi.GetBuildPodName(build),
+			Name:      buildapi.GetBuildPodName(build) + "-admissioncheck",
 			Namespace: build.Namespace,
 		},
-		Spec: v1.PodSpec{
+		Spec: kapi.PodSpec{
 			ServiceAccountName: build.Spec.ServiceAccount,
-			Containers: []v1.Container{
+			Containers: []kapi.Container{
 				{
 					Name:  "sti-build",
 					Image: bs.Image,
-					SecurityContext: &v1.SecurityContext{
+					SecurityContext: &kapi.SecurityContext{
 						RunAsUser: &rootUser,
 					},
 				},
 			},
-			RestartPolicy: v1.RestartPolicyNever,
+			RestartPolicy: kapi.RestartPolicyNever,
 		},
 	}
 	userInfo := serviceaccount.UserInfo(build.Namespace, build.Spec.ServiceAccount, "")
-	attrs := admission.NewAttributesRecord(pod, pod, kapi.Kind("Pod").WithVersion(""), pod.Namespace, pod.Name, kapi.Resource("pods").WithVersion(""), "", admission.Create, userInfo)
+	attrs := admission.NewAttributesRecord(pod, nil, kapi.Kind("Pod").WithVersion(""), pod.Namespace, pod.Name, kapi.Resource("pods").WithVersion(""), "", admission.Create, userInfo)
 	err := bs.AdmissionControl.Admit(attrs)
 	if err != nil {
 		glog.V(2).Infof("Admit for root user returned error: %v", err)

test/extended/builds/s2i_root.go

@@ -0,0 +1,45 @@
+package builds
+
+import (
+	"fmt"
+
+	g "github.com/onsi/ginkgo"
+	o "github.com/onsi/gomega"
+
+	exutil "github.com/openshift/origin/test/extended/util"
+	s2istatus "github.com/openshift/source-to-image/pkg/util/status"
+)
+
+var _ = g.Describe("[builds][Conformance] s2i build with a root user image", func() {
+	defer g.GinkgoRecover()
+
+	var (
+		buildFixture = exutil.FixturePath("testdata", "s2i-build-root.yaml")
+		oc           = exutil.NewCLI("s2i-build-root", exutil.KubeConfigPath())
+	)
+
+	g.JustBeforeEach(func() {
+		g.By("waiting for builder service account")
+		err := exutil.WaitForBuilderAccount(oc.AdminKubeClient().Core().ServiceAccounts(oc.Namespace()))
+		o.Expect(err).NotTo(o.HaveOccurred())
+	})
+
+	g.Describe("Building using an image with a root default user", func() {
+		g.It("should fail the build immediately", func() {
+			oc.SetOutputDir(exutil.TestContext.OutputDir)
+
+			g.By(fmt.Sprintf("calling oc create -f %q", buildFixture))
+			err := oc.Run("create").Args("-f", buildFixture).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("starting a test build")
+			// this uses the build-quota dir as the binary input source on purpose - we don't really care what we upload
+			// to the build since it will fail before we ever consume the inputs.
+			br, _ := exutil.StartBuildAndWait(oc, "s2i-build-root", "--from-dir", exutil.FixturePath("testdata", "build-quota"))
+			br.AssertFailure()
+			o.Expect(string(br.Build.Status.Reason)).To(o.Equal(string(s2istatus.ReasonPullBuilderImageFailed)))
+			o.Expect(string(br.Build.Status.Message)).To(o.Equal(string(s2istatus.ReasonMessagePullBuilderImageFailed)))
+
+		})
+	})
+})

test/extended/testdata/bindata.go

@@ -0,0 +1,18 @@
+---
+kind: BuildConfig
+apiVersion: v1
+metadata:
+  name: s2i-build-root
+  creationTimestamp:
+  labels:
+    name: s2i-build-root
+spec:
+  source:
+    binary:
+      asFile: ''
+  strategy:
+    type: Source
+    sourceStrategy:
+      from:
+        kind: DockerImage
+        name: centos