From 37979da5b2e4e2b622b71b0221fcd40e69223a04 Mon Sep 17 00:00:00 2001
From: Madhu Rajanna
Date: Tue, 16 Jun 2020 16:26:14 +0530
Subject: [PATCH] e2e: Add E2E for app readonly options
If the mount option is readonly in app pod, the pod should not get the write access to the mounted cephfs subvolume.
Signed-off-by: Madhu Rajanna
---
 e2e/cephfs.go | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
diff --git a/e2e/cephfs.go b/e2e/cephfs.go
index 77af53ade..8e0d0c2e8 100644
--- a/e2e/cephfs.go
+++ b/e2e/cephfs.go
@@ -2,8 +2,10 @@ package e2e
 import (
 "fmt"
+ "strings"
 . "github.com/onsi/ginkgo" // nolint
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 clientset "k8s.io/client-go/kubernetes"
 "k8s.io/kubernetes/test/e2e/framework"
 e2elog "k8s.io/kubernetes/test/e2e/framework/log"
@@ -308,6 +310,49 @@ var _ = Describe("cephfs", func() {
 })
+ By("Mount pvc as readonly in pod", func() {
+ // create pvc and bind it to an app
+ pvc, err := loadPVC(pvcPath)
+ if err != nil {
+ Fail(err.Error())
+ }
+
+ pvc.Namespace = f.UniqueName
+
+ app, err := loadApp(appPath)
+ if err != nil {
+ Fail(err.Error())
+ }
+
+ app.Namespace = f.UniqueName
+ label := map[string]string{
+ "app": app.Name,
+ }
+ app.Labels = label
+ app.Spec.Volumes[0].PersistentVolumeClaim.ClaimName = pvc.Name
+ app.Spec.Volumes[0].PersistentVolumeClaim.ReadOnly = true
+ err = createPVCAndApp("", f, pvc, app, deployTimeout)
+ if err != nil {
+ Fail(err.Error())
+ }
+
+ opt := metav1.ListOptions{
+ LabelSelector: fmt.Sprintf("app=%s", app.Name),
+ }
+
+ filePath := app.Spec.Containers[0].VolumeMounts[0].MountPath + "/test"
+ _, stdErr := execCommandInPodAndAllowFail(f, fmt.Sprintf("echo 'Hello World' > %s", filePath), app.Namespace, &opt)
+ readOnlyErr := fmt.Sprintf("cannot create %s: Read-only file system", filePath)
+ if !strings.Contains(stdErr, readOnlyErr) {
+ Fail(stdErr)
+ }
+
+ // delete pvc and app
+ err = deletePVCAndApp("", f, pvc, app)
+ if err != nil {
+ Fail(err.Error())
+ }
+ })
 // Make sure this should be last testcase in this file, because
 // it deletes pool
 By("Create a PVC and Delete PVC when backend pool deleted", func() {
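Review bot: The read-only assertion near the end of the new `By("Mount pvc as readonly in pod", ...)` block reports its failure with `Fail(stdErr)`, so in the one case this test exists to catch, a write that succeeds on a volume that should be read-only, stderr is presumably empty and the failure carries no message. I would make it `Fail(fmt.Sprintf("write to %s on read-only mount was not rejected, stderr: %q", filePath, stdErr))`. Matching the full `cannot create %s: Read-only file system` text also ties the check to the wording of whatever shell the app image ships; matching only `Read-only file system` would be less brittle. The enclosing `Describe` body starts and ends outside this hunk.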