github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

security_context_test.go(TestVerifyRunAsNonRoot): add more test cases.

pull/6/head
Slava Semushin 2017-12-20 18:02:52 +01:00
parent 51fbd6e637
commit a91e2dc4d2
1 changed files with 36 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
pkg/kubelet/kuberuntime/security_context_test.go
View File

@ -45,16 +45,20 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
} }
rootUser := int64(0) rootUser := int64(0)
anyUser := int64(1000)
runAsNonRootTrue := true runAsNonRootTrue := true
runAsNonRootFalse := false runAsNonRootFalse := false
for _, test := range []struct { for _, test := range []struct {
desc string desc string
sc *v1.SecurityContext sc *v1.SecurityContext
uid *int64
username string
fail bool fail bool
}{ }{
{ {
desc: "Pass if SecurityContext is not set", desc: "Pass if SecurityContext is not set",
sc: nil, sc: nil,
uid: &rootUser,
fail: false, fail: false,
}, },
{ {
@ -62,6 +66,7 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
sc: &v1.SecurityContext{ sc: &v1.SecurityContext{
RunAsUser: &rootUser, RunAsUser: &rootUser,
}, },
uid: &rootUser,
fail: false, fail: false,
}, },
{ {
@ -69,6 +74,7 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
sc: &v1.SecurityContext{ sc: &v1.SecurityContext{
RunAsNonRoot: &runAsNonRootFalse, RunAsNonRoot: &runAsNonRootFalse,
}, },
uid: &rootUser,
fail: false, fail: false,
}, },
{ {
@ -77,6 +83,7 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
RunAsNonRoot: &runAsNonRootFalse, RunAsNonRoot: &runAsNonRootFalse,
RunAsUser: &rootUser, RunAsUser: &rootUser,
}, },
uid: &rootUser,
fail: false, fail: false,
}, },
{ {
@ -85,6 +92,7 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
RunAsNonRoot: &runAsNonRootTrue, RunAsNonRoot: &runAsNonRootTrue,
RunAsUser: &rootUser, RunAsUser: &rootUser,
}, },
uid: &rootUser,
fail: true, fail: true,
}, },
{ {
@ -92,12 +100,35 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
sc: &v1.SecurityContext{ sc: &v1.SecurityContext{
RunAsNonRoot: &runAsNonRootTrue, RunAsNonRoot: &runAsNonRootTrue,
}, },
uid: &rootUser,
fail: true, fail: true,
}, },
{
desc: "Fail if image's username is set and RunAsNonRoot is true",
sc: &v1.SecurityContext{
RunAsNonRoot: &runAsNonRootTrue,
},
username: "test",
fail: true,
},
{
desc: "Pass if image's user is non-root and RunAsNonRoot is true",
sc: &v1.SecurityContext{
RunAsNonRoot: &runAsNonRootTrue,
},
uid: &anyUser,
fail: false,
},
{
desc: "Pass if container's user and image's user aren't set and RunAsNonRoot is true",
sc: &v1.SecurityContext{
RunAsNonRoot: &runAsNonRootTrue,
},
fail: false,
},
} { } {
pod.Spec.Containers[0].SecurityContext = test.sc pod.Spec.Containers[0].SecurityContext = test.sc
uid := int64(0) err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], test.uid, test.username)
err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], &uid, "")
if test.fail { if test.fail {
assert.Error(t, err, test.desc) assert.Error(t, err, test.desc)
} else { } else {