scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-11-02 03:08:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

add SeccompProfile to Pod and Container accessors/mutators

Browse Source
This commit is contained in:
Stanislav Laznicka
2023-02-22 15:49:48 +01:00
parent 7e40d6d04e
commit c4a2bb82db
2 changed files with 97 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
pkg/securitycontext/accessors_test.go
View File

@@ -22,6 +22,7 @@ import (
"k8s.io/apimachinery/pkg/util/diff"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/utils/pointer"
)
func TestPodSecurityContextAccessor(t *testing.T) {
@@ -41,6 +42,7 @@ func TestPodSecurityContextAccessor(t *testing.T) {
{RunAsUser: &runAsUser},
{RunAsGroup: &runAsGroup},
{SELinuxOptions: &api.SELinuxOptions{User: "bob"}},
{SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeRuntimeDefault}},
{SupplementalGroups: []int64{1, 2, 3}},
}
@@ -73,6 +75,9 @@ func TestPodSecurityContextAccessor(t *testing.T) {
if v := a.RunAsGroup(); !reflect.DeepEqual(expected.RunAsGroup, v) {
t.Errorf("%d: expected %#v, got %#v", i, expected.RunAsGroup, v)
}
if v := a.SeccompProfile(); !reflect.DeepEqual(expected.SeccompProfile, v) {
t.Errorf("%d: expected %#v, got %#v", i, expected.SeccompProfile, v)
}
if v := a.SELinuxOptions(); !reflect.DeepEqual(expected.SELinuxOptions, v) {
t.Errorf("%d: expected %#v, got %#v", i, expected.SELinuxOptions, v)
}
@@ -102,6 +107,7 @@ func TestPodSecurityContextMutator(t *testing.T) {
RunAsUser: nil,
RunAsGroup: nil,
RunAsNonRoot: nil,
SeccompProfile: nil,
SupplementalGroups: nil,
FSGroup: nil,
}
@@ -130,6 +136,7 @@ func TestPodSecurityContextMutator(t *testing.T) {
m.SetRunAsNonRoot(m.RunAsNonRoot())
m.SetRunAsUser(m.RunAsUser())
m.SetRunAsGroup(m.RunAsGroup())
m.SetSeccompProfile(m.SeccompProfile())
m.SetSELinuxOptions(m.SELinuxOptions())
m.SetSupplementalGroups(m.SupplementalGroups())
if !reflect.DeepEqual(sc, originalSC) {
@@ -240,6 +247,18 @@ func TestPodSecurityContextMutator(t *testing.T) {
}
}
// SeccompProfile
{
modifiedSC := nonNilSC(tc.newSC())
m := NewPodSecurityContextMutator(tc.newSC())
modifiedSC.SeccompProfile = &api.SeccompProfile{Type: api.SeccompProfileTypeLocalhost, LocalhostProfile: pointer.String("verylocalhostey")}
m.SetSeccompProfile(&api.SeccompProfile{Type: api.SeccompProfileTypeLocalhost, LocalhostProfile: pointer.String("verylocalhostey")})
if !reflect.DeepEqual(m.PodSecurityContext(), modifiedSC) {
t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.PodSecurityContext()))
continue
}
}
// SupplementalGroups
{
modifiedSC := nonNilSC(tc.newSC())
@@ -272,6 +291,7 @@ func TestContainerSecurityContextAccessor(t *testing.T) {
{RunAsGroup: &runAsGroup},
{RunAsNonRoot: &runAsNonRoot},
{ReadOnlyRootFilesystem: &readOnlyRootFilesystem},
{SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeRuntimeDefault}},
{AllowPrivilegeEscalation: &allowPrivilegeEscalation},
}
@@ -304,6 +324,9 @@ func TestContainerSecurityContextAccessor(t *testing.T) {
if v := a.ReadOnlyRootFilesystem(); !reflect.DeepEqual(expected.ReadOnlyRootFilesystem, v) {
t.Errorf("%d: expected %#v, got %#v", i, expected.ReadOnlyRootFilesystem, v)
}
if v := a.SeccompProfile(); !reflect.DeepEqual(expected.SeccompProfile, v) {
t.Errorf("%d: expected %#v, got %#v", i, expected.SeccompProfile, v)
}
if v := a.AllowPrivilegeEscalation(); !reflect.DeepEqual(expected.AllowPrivilegeEscalation, v) {
t.Errorf("%d: expected %#v, got %#v", i, expected.AllowPrivilegeEscalation, v)
}
@@ -325,6 +348,7 @@ func TestContainerSecurityContextMutator(t *testing.T) {
return &api.SecurityContext{
Capabilities: &api.Capabilities{Drop: []api.Capability{"test"}},
SELinuxOptions: &api.SELinuxOptions{},
SeccompProfile: &api.SeccompProfile{},
}
},
},
@@ -450,6 +474,18 @@ func TestContainerSecurityContextMutator(t *testing.T) {
}
}
// SeccompProfile
{
modifiedSC := nonNilSC(tc.newSC())
m := NewContainerSecurityContextMutator(tc.newSC())
modifiedSC.SeccompProfile = &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined}
m.SetSeccompProfile(&api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined})
if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
continue
}
}
// SELinuxOptions
{
modifiedSC := nonNilSC(tc.newSC())
@@ -493,12 +529,14 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
{
PodSC: &api.PodSecurityContext{
SELinuxOptions: &api.SELinuxOptions{User: "bob"},
SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined},
RunAsUser: &runAsUser,
RunAsNonRoot: &runAsNonRoot,
},
SC: nil,
Effective: &api.SecurityContext{
SELinuxOptions: &api.SELinuxOptions{User: "bob"},
SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined},
RunAsUser: &runAsUser,
RunAsNonRoot: &runAsNonRoot,
},
@@ -506,12 +544,14 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
{
PodSC: &api.PodSecurityContext{
SELinuxOptions: &api.SELinuxOptions{User: "bob"},
SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined},
RunAsUser: &runAsUserPod,
RunAsNonRoot: &runAsNonRootPod,
},
SC: &api.SecurityContext{},
Effective: &api.SecurityContext{
SELinuxOptions: &api.SELinuxOptions{User: "bob"},
SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined},
RunAsUser: &runAsUserPod,
RunAsNonRoot: &runAsNonRootPod,
},
@@ -519,6 +559,7 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
{
PodSC: &api.PodSecurityContext{
SELinuxOptions: &api.SELinuxOptions{User: "bob"},
SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined},
RunAsUser: &runAsUserPod,
RunAsNonRoot: &runAsNonRootPod,
},
@@ -530,6 +571,7 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
RunAsUser: &runAsUser,
RunAsNonRoot: &runAsNonRoot,
SELinuxOptions: &api.SELinuxOptions{User: "bob"},
SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeRuntimeDefault},
},
Effective: &api.SecurityContext{
AllowPrivilegeEscalation: &allowPrivilegeEscalation,
@@ -539,6 +581,7 @@ func TestEffectiveContainerSecurityContextAccessor(t *testing.T) {
RunAsUser: &runAsUser,
RunAsNonRoot: &runAsNonRoot,
SELinuxOptions: &api.SELinuxOptions{User: "bob"},
SeccompProfile: &api.SeccompProfile{Type: api.SeccompProfileTypeRuntimeDefault},
},
},
{
@@ -621,6 +664,7 @@ func TestEffectiveContainerSecurityContextMutator(t *testing.T) {
newPodSC: func() *api.PodSecurityContext {
return &api.PodSecurityContext{
SELinuxOptions: &api.SELinuxOptions{User: "poduser"},
SeccompProfile: &api.SeccompProfile{},
RunAsNonRoot: &runAsNonRootPod,
RunAsUser: &runAsUserPod,
}
@@ -635,6 +679,7 @@ func TestEffectiveContainerSecurityContextMutator(t *testing.T) {
return &api.SecurityContext{
Capabilities: &api.Capabilities{Drop: []api.Capability{"test"}},
SELinuxOptions: &api.SELinuxOptions{},
SeccompProfile: &api.SeccompProfile{},
}
},
},
@@ -667,6 +712,7 @@ func TestEffectiveContainerSecurityContextMutator(t *testing.T) {
m.SetRunAsUser(m.RunAsUser())
m.SetRunAsGroup(m.RunAsGroup())
m.SetSELinuxOptions(m.SELinuxOptions())
m.SetSeccompProfile(m.SeccompProfile())
if !reflect.DeepEqual(podSC, originalPodSC) {
t.Errorf("%s: unexpected mutation: %#v, %#v", k, podSC, originalPodSC)
}
@@ -789,6 +835,18 @@ func TestEffectiveContainerSecurityContextMutator(t *testing.T) {
}
}
// SeccompProfile
{
modifiedSC := nonNilSC(tc.newSC())
m := NewContainerSecurityContextMutator(tc.newSC())
modifiedSC.SeccompProfile = &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined}
m.SetSeccompProfile(&api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined})
if !reflect.DeepEqual(m.ContainerSecurityContext(), modifiedSC) {
t.Errorf("%s: unexpected object:\n%s", k, diff.ObjectGoPrintSideBySide(modifiedSC, m.ContainerSecurityContext()))
continue
}
}
// SELinuxOptions
{
modifiedSC := nonNilSC(tc.newSC())