mirror of https://github.com/k3s-io/k3s
120 lines
3.1 KiB
Go
120 lines
3.1 KiB
Go
/*
|
|
Copyright 2016 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package user
|
|
|
|
import (
|
|
api "k8s.io/api/core/v1"
|
|
policy "k8s.io/api/policy/v1beta1"
|
|
"testing"
|
|
)
|
|
|
|
func TestNonRootOptions(t *testing.T) {
|
|
_, err := NewRunAsNonRoot(nil)
|
|
if err != nil {
|
|
t.Fatalf("unexpected error initializing NewRunAsNonRoot %v", err)
|
|
}
|
|
_, err = NewRunAsNonRoot(&policy.RunAsUserStrategyOptions{})
|
|
if err != nil {
|
|
t.Errorf("unexpected error initializing NewRunAsNonRoot %v", err)
|
|
}
|
|
}
|
|
|
|
func TestNonRootGenerate(t *testing.T) {
|
|
s, err := NewRunAsNonRoot(&policy.RunAsUserStrategyOptions{})
|
|
if err != nil {
|
|
t.Fatalf("unexpected error initializing NewRunAsNonRoot %v", err)
|
|
}
|
|
uid, err := s.Generate(nil, nil)
|
|
if uid != nil {
|
|
t.Errorf("expected nil uid but got %d", *uid)
|
|
}
|
|
if err != nil {
|
|
t.Errorf("unexpected error generating uid %v", err)
|
|
}
|
|
}
|
|
|
|
func TestNonRootValidate(t *testing.T) {
|
|
goodUID := int64(1)
|
|
badUID := int64(0)
|
|
untrue := false
|
|
unfalse := true
|
|
s, err := NewRunAsNonRoot(&policy.RunAsUserStrategyOptions{})
|
|
if err != nil {
|
|
t.Fatalf("unexpected error initializing NewMustRunAs %v", err)
|
|
}
|
|
tests := []struct {
|
|
container *api.Container
|
|
expectedErr bool
|
|
msg string
|
|
}{
|
|
{
|
|
container: &api.Container{
|
|
SecurityContext: &api.SecurityContext{
|
|
RunAsUser: &badUID,
|
|
},
|
|
},
|
|
expectedErr: true,
|
|
msg: "in test case %d, expected errors from root uid but got none: %v",
|
|
},
|
|
{
|
|
container: &api.Container{
|
|
SecurityContext: &api.SecurityContext{
|
|
RunAsUser: &goodUID,
|
|
},
|
|
},
|
|
expectedErr: false,
|
|
msg: "in test case %d, expected no errors from non-root uid but got %v",
|
|
},
|
|
{
|
|
container: &api.Container{
|
|
SecurityContext: &api.SecurityContext{
|
|
RunAsNonRoot: &untrue,
|
|
},
|
|
},
|
|
expectedErr: true,
|
|
msg: "in test case %d, expected errors from RunAsNonRoot but got none: %v",
|
|
},
|
|
{
|
|
container: &api.Container{
|
|
SecurityContext: &api.SecurityContext{
|
|
RunAsNonRoot: &unfalse,
|
|
RunAsUser: &goodUID,
|
|
},
|
|
},
|
|
expectedErr: false,
|
|
msg: "in test case %d, expected no errors from non-root uid but got %v",
|
|
},
|
|
{
|
|
container: &api.Container{
|
|
SecurityContext: &api.SecurityContext{
|
|
RunAsNonRoot: nil,
|
|
RunAsUser: nil,
|
|
},
|
|
},
|
|
expectedErr: true,
|
|
msg: "in test case %d, expected errors from nil runAsNonRoot and nil runAsUser but got %v",
|
|
},
|
|
}
|
|
|
|
for i, tc := range tests {
|
|
errs := s.Validate(nil, nil, nil, tc.container.SecurityContext.RunAsNonRoot, tc.container.SecurityContext.RunAsUser)
|
|
if (len(errs) == 0) == tc.expectedErr {
|
|
t.Errorf(tc.msg, i, errs)
|
|
}
|
|
}
|
|
}
|