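/*
 * Copyright contributors to the Hyperledger Fabric Operator project
 *
 * SPDX-License-Identifier: Apache-2.0
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 * 	  http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package global_test

import (
	. "github.com/onsi/ginkgo/v2"
	. "github.com/onsi/gomega"
	. "github.com/onsi/gomega/gstruct"

	config "github.com/IBM-Blockchain/fabric-operator/operatorconfig"
	"github.com/IBM-Blockchain/fabric-operator/pkg/global"
	"github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/container"

	appsv1 "k8s.io/api/apps/v1"
	batchv1 "k8s.io/api/batch/v1"
	corev1 "k8s.io/api/core/v1"
)

// These specs check that ConfigSetter.UpdateSecurityContextForAllContainers
// copies the globally configured security context onto every init container
// and every regular container of a Job and of a Deployment.
var _ = Describe("Global config", func() {
	var (
		// Explicit values (false / UID 0) rather than nil, so the assertions can
		// tell a propagated setting apart from a field that was never set.
		// NOTE(review): RunAsNonRoot=false together with RunAsUser=0 describes a
		// root-running container. It is test input only and should not be read
		// as a recommended operator configuration.
		f    = false
		root = int64(0)

		configSetter *global.ConfigSetter
	)

	// podTemplate returns a fresh pod template with two init containers and two
	// regular containers, none of which has a security context yet.
	podTemplate := func() corev1.PodTemplateSpec {
		return corev1.PodTemplateSpec{
			Spec: corev1.PodSpec{
				InitContainers: []corev1.Container{
					{
						Name: "initcontainer1",
					},
					{
						Name: "initcontainer2",
					},
				},
				Containers: []corev1.Container{
					{
						Name: "container1",
					},
					{
						Name: "container2",
					},
				},
			},
		}
	}

	// expectConfiguredSecurityContext asserts that every container in the list
	// carries the security context configured in BeforeEach.
	expectConfiguredSecurityContext := func(containers []corev1.Container) {
		// An empty list would let the loop below pass without checking anything.
		ExpectWithOffset(1, containers).NotTo(BeEmpty())

		for _, cont := range containers {
			// Fail with a readable message instead of panicking on a nil
			// dereference when the setter skipped a container.
			ExpectWithOffset(1, cont.SecurityContext).NotTo(BeNil(), "container %q has no security context", cont.Name)

			// IgnoreExtras: only the four configured fields are checked. Other
			// SecurityContext fields are not covered by this spec.
			ExpectWithOffset(1, *cont.SecurityContext).To(MatchFields(IgnoreExtras, Fields{
				"RunAsNonRoot":             Equal(&f),
				"Privileged":               Equal(&f),
				"RunAsUser":                Equal(&root),
				"AllowPrivilegeEscalation": Equal(&f),
			}))
		}
	}

	BeforeEach(func() {
		configSetter = &global.ConfigSetter{
			Config: config.Globals{
				SecurityContext: &container.SecurityContext{
					RunAsNonRoot:             &f,
					Privileged:               &f,
					RunAsUser:                &root,
					AllowPrivilegeEscalation: &f,
				},
			},
		}
	})

	Context("security context on containers", func() {
		Context("job", func() {
			var job *batchv1.Job

			BeforeEach(func() {
				job = &batchv1.Job{
					Spec: batchv1.JobSpec{
						Template: podTemplate(),
					},
				}
			})

			It("updates security context", func() {
				configSetter.UpdateSecurityContextForAllContainers(job)

				expectConfiguredSecurityContext(job.Spec.Template.Spec.InitContainers)
				expectConfiguredSecurityContext(job.Spec.Template.Spec.Containers)
			})
		})

		Context("deployment", func() {
			var dep *appsv1.Deployment

			BeforeEach(func() {
				dep = &appsv1.Deployment{
					Spec: appsv1.DeploymentSpec{
						Template: podTemplate(),
					},
				}
			})

			It("updates security context", func() {
				configSetter.UpdateSecurityContextForAllContainers(dep)

				expectConfiguredSecurityContext(dep.Spec.Template.Spec.InitContainers)
				expectConfiguredSecurityContext(dep.Spec.Template.Spec.Containers)
			})
		})
	})
})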