Address the comments

pull/6/head
Yu-Ju Hong 2017-06-05 19:51:55 -07:00
parent 07a67c252c
commit d152e20f41
1 changed files with 30 additions and 15 deletions


@ -48,31 +48,44 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
rootUser := types.UnixUserID(0) rootUser := types.UnixUserID(0)
runAsNonRootTrue := true runAsNonRootTrue := true
runAsNonRootFalse := false runAsNonRootFalse := false
imageRootUser := int64(0)
imageNonRootUser := int64(123)
for _, test := range []struct { for _, test := range []struct {
desc string desc string
sc *v1.SecurityContext sc *v1.SecurityContext
errStr string imageUser int64
fail bool
}{ }{
{ {
desc: "Pass if SecurityContext is not set", desc: "Pass if SecurityContext is not set",
sc: nil, sc: nil,
errStr: "", imageUser: imageRootUser,
fail: false,
}, },
{ {
desc: "Pass if RunAsNonRoot is not set", desc: "Pass if RunAsNonRoot is not set",
sc: &v1.SecurityContext{ sc: &v1.SecurityContext{
RunAsUser: &rootUser, RunAsUser: &rootUser,
}, },
errStr: "", imageUser: imageRootUser,
fail: false,
}, },
{ {
desc: "Pass if RunAsNonRoot is false", desc: "Pass if RunAsNonRoot is false (image user is root)",
sc: &v1.SecurityContext{
RunAsNonRoot: &runAsNonRootFalse,
},
imageUser: imageRootUser,
fail: false,
},
{
desc: "Pass if RunAsNonRoot is false (RunAsUser is root)",
sc: &v1.SecurityContext{ sc: &v1.SecurityContext{
RunAsNonRoot: &runAsNonRootFalse, RunAsNonRoot: &runAsNonRootFalse,
RunAsUser: &rootUser, RunAsUser: &rootUser,
}, },
errStr: "", imageUser: imageNonRootUser,
fail: false,
}, },
{ {
desc: "Fail if container's RunAsUser is root and RunAsNonRoot is true", desc: "Fail if container's RunAsUser is root and RunAsNonRoot is true",
@ -80,22 +93,24 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
RunAsNonRoot: &runAsNonRootTrue, RunAsNonRoot: &runAsNonRootTrue,
RunAsUser: &rootUser, RunAsUser: &rootUser,
}, },
errStr: "container's runAsUser breaks non-root policy", imageUser: imageNonRootUser,
fail: true,
}, },
{ {
desc: "Fail if image's user is root and RunAsNonRoot is true", desc: "Fail if image's user is root and RunAsNonRoot is true",
sc: &v1.SecurityContext{ sc: &v1.SecurityContext{
RunAsNonRoot: &runAsNonRootTrue, RunAsNonRoot: &runAsNonRootTrue,
}, },
errStr: "container has runAsNonRoot and image will run as root", imageUser: imageRootUser,
fail: true,
}, },
} { } {
pod.Spec.Containers[0].SecurityContext = test.sc pod.Spec.Containers[0].SecurityContext = test.sc
err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], int64(0)) err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], int64(0))
if len(test.errStr) == 0 { if test.fail {
assert.NoError(t, err, test.desc) assert.Error(t, err, test.desc)
} else { } else {
assert.EqualError(t, err, test.errStr, test.desc) assert.NoError(t, err, test.desc)
} }
} }
} }
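Review bot: The new `imageUser` field added to the table is never used: the call in the loop body still passes a hard-coded `int64(0)` as the image UID, so every case runs with a root image user regardless of what the table says. That makes the cases declared with `imageNonRootUser` (RunAsNonRoot false with a root RunAsUser, and RunAsNonRoot true with a root RunAsUser) test something other than their description, and the "image's user is root" failure case would still pass if verifyRunAsNonRoot stopped looking at the image user at all, which is the policy check this test exists to protect. The call should read `err := verifyRunAsNonRoot(pod, &pod.Spec.Containers[0], test.imageUser)`. Separately, replacing the `errStr` comparison with a bare `assert.Error` means the two failure cases no longer distinguish which rule rejected the container; if the exact messages are considered unstable, keeping a substring check would still confirm the right branch fired.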