Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
d152e20f
Commit
d152e20f
authored
Jun 05, 2017
by
Yu-Ju Hong
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Address the comments
parent
07a67c25
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
30 additions
and
15 deletions
+30
-15
security_context_test.go
pkg/kubelet/kuberuntime/security_context_test.go
+30
-15
No files found.
pkg/kubelet/kuberuntime/security_context_test.go
View file @
d152e20f
...
@@ -48,31 +48,44 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
...
@@ -48,31 +48,44 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
rootUser
:=
types
.
UnixUserID
(
0
)
rootUser
:=
types
.
UnixUserID
(
0
)
runAsNonRootTrue
:=
true
runAsNonRootTrue
:=
true
runAsNonRootFalse
:=
false
runAsNonRootFalse
:=
false
imageRootUser
:=
int64
(
0
)
imageNonRootUser
:=
int64
(
123
)
for
_
,
test
:=
range
[]
struct
{
for
_
,
test
:=
range
[]
struct
{
desc
string
desc
string
sc
*
v1
.
SecurityContext
sc
*
v1
.
SecurityContext
errStr
string
imageUser
int64
fail
bool
}{
}{
{
{
desc
:
"Pass if SecurityContext is not set"
,
desc
:
"Pass if SecurityContext is not set"
,
sc
:
nil
,
sc
:
nil
,
errStr
:
""
,
imageUser
:
imageRootUser
,
fail
:
false
,
},
},
{
{
desc
:
"Pass if RunAsNonRoot is not set"
,
desc
:
"Pass if RunAsNonRoot is not set"
,
sc
:
&
v1
.
SecurityContext
{
sc
:
&
v1
.
SecurityContext
{
RunAsUser
:
&
rootUser
,
RunAsUser
:
&
rootUser
,
},
},
errStr
:
""
,
imageUser
:
imageRootUser
,
fail
:
false
,
},
{
desc
:
"Pass if RunAsNonRoot is false (image user is root)"
,
sc
:
&
v1
.
SecurityContext
{
RunAsNonRoot
:
&
runAsNonRootFalse
,
},
imageUser
:
imageRootUser
,
fail
:
false
,
},
},
{
{
desc
:
"Pass if RunAsNonRoot is false"
,
desc
:
"Pass if RunAsNonRoot is false
(RunAsUser is root)
"
,
sc
:
&
v1
.
SecurityContext
{
sc
:
&
v1
.
SecurityContext
{
RunAsNonRoot
:
&
runAsNonRootFalse
,
RunAsNonRoot
:
&
runAsNonRootFalse
,
RunAsUser
:
&
rootUser
,
RunAsUser
:
&
rootUser
,
},
},
errStr
:
""
,
imageUser
:
imageNonRootUser
,
fail
:
false
,
},
},
{
{
desc
:
"Fail if container's RunAsUser is root and RunAsNonRoot is true"
,
desc
:
"Fail if container's RunAsUser is root and RunAsNonRoot is true"
,
...
@@ -80,22 +93,24 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
...
@@ -80,22 +93,24 @@ func TestVerifyRunAsNonRoot(t *testing.T) {
RunAsNonRoot
:
&
runAsNonRootTrue
,
RunAsNonRoot
:
&
runAsNonRootTrue
,
RunAsUser
:
&
rootUser
,
RunAsUser
:
&
rootUser
,
},
},
errStr
:
"container's runAsUser breaks non-root policy"
,
imageUser
:
imageNonRootUser
,
fail
:
true
,
},
},
{
{
desc
:
"Fail if image's user is root and RunAsNonRoot is true"
,
desc
:
"Fail if image's user is root and RunAsNonRoot is true"
,
sc
:
&
v1
.
SecurityContext
{
sc
:
&
v1
.
SecurityContext
{
RunAsNonRoot
:
&
runAsNonRootTrue
,
RunAsNonRoot
:
&
runAsNonRootTrue
,
},
},
errStr
:
"container has runAsNonRoot and image will run as root"
,
imageUser
:
imageRootUser
,
fail
:
true
,
},
},
}
{
}
{
pod
.
Spec
.
Containers
[
0
]
.
SecurityContext
=
test
.
sc
pod
.
Spec
.
Containers
[
0
]
.
SecurityContext
=
test
.
sc
err
:=
verifyRunAsNonRoot
(
pod
,
&
pod
.
Spec
.
Containers
[
0
],
int64
(
0
))
err
:=
verifyRunAsNonRoot
(
pod
,
&
pod
.
Spec
.
Containers
[
0
],
int64
(
0
))
if
len
(
test
.
errStr
)
==
0
{
if
test
.
fail
{
assert
.
No
Error
(
t
,
err
,
test
.
desc
)
assert
.
Error
(
t
,
err
,
test
.
desc
)
}
else
{
}
else
{
assert
.
EqualError
(
t
,
err
,
test
.
errSt
r
,
test
.
desc
)
assert
.
NoError
(
t
,
er
r
,
test
.
desc
)
}
}
}
}
}
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment