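// Source: github.com/castai/kvisor@v1.7.1-0.20240516114728-b3572a2607b5/cmd/controller/state/kubelinter/kubelinter_test.go

package kubelinter

import (
	"testing"

	"github.com/samber/lo"
	"github.com/stretchr/testify/require"
	"golang.stackrox.io/kube-linter/pkg/lintcontext"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// TestLinter verifies that the linter, built with every rule in LinterRuleMap
// enabled, reports the expected rule as failed for pods that carry a risky
// setting. Each case supplies only the PodSpec; the surrounding Pod metadata
// is identical across cases.
//
// NOTE(review): only positive cases are covered. A benign pod asserting that
// neither rule fires would guard against a rule that matches too broadly.
func TestLinter(t *testing.T) {
	tests := []struct {
		name     string
		spec     corev1.PodSpec
		wantRule string
	}{
		{
			// A hostPath volume exposing the container runtime socket lets the
			// workload talk to the runtime on the node, which is effectively
			// node-level control; the linter is expected to flag it.
			//
			// NOTE(review): containerd's usual socket location is
			// /run/containerd/containerd.sock, not /var/lib/containerd.sock.
			// The fixture presumably relies on the rule matching the socket
			// file name rather than the directory; confirm against the rule
			// definition.
			name: "checks for containerd sock mount",
			spec: corev1.PodSpec{
				Containers: []corev1.Container{
					{
						Name:  "test",
						Image: "test-image",
						VolumeMounts: []corev1.VolumeMount{
							{
								Name:      "containerd.sock",
								MountPath: "/var/lib/containerd.sock",
							},
						},
					},
				},
				Volumes: []corev1.Volume{
					{
						Name: "containerd.sock",
						VolumeSource: corev1.VolumeSource{
							HostPath: &corev1.HostPathVolumeSource{
								Path: "/var/lib/containerd.sock",
							},
						},
					},
				},
			},
			wantRule: "containerd-sock",
		},
		{
			// NET_ADMIN allows reconfiguring interfaces, routes and firewall
			// rules in the container's network namespace; any capability added
			// beyond the runtime default is expected to be reported.
			name: "checks for additional capabilities",
			spec: corev1.PodSpec{
				Containers: []corev1.Container{
					{
						Name:  "test",
						Image: "test-image",
						SecurityContext: &corev1.SecurityContext{
							Capabilities: &corev1.Capabilities{
								Add: []corev1.Capability{
									"NET_ADMIN",
								},
							},
						},
					},
				},
			},
			wantRule: "additional-capabilities",
		},
	}

	for _, tt := range tests {
		// Subtests run synchronously (no t.Parallel), so capturing tt is safe
		// on toolchains older than Go 1.22 as well.
		t.Run(tt.name, func(t *testing.T) {
			r := require.New(t)

			linter, err := New(lo.Keys(LinterRuleMap))
			r.NoError(err)

			checks, err := linter.Run([]lintcontext.Object{{
				K8sObject: &corev1.Pod{
					TypeMeta: metav1.TypeMeta{
						Kind:       "Pod",
						APIVersion: "v1",
					},
					ObjectMeta: metav1.ObjectMeta{
						// NOTE(review): "test_pod" is not a valid DNS-1123
						// name; it works here because the object is handed to
						// the linter directly and never passes API validation.
						Name: "test_pod",
					},
					Spec: tt.spec,
				},
			}})
			r.NoError(err)

			// Fail cleanly instead of panicking on checks[0] if the linter
			// produced no result for the pod.
			r.NotEmpty(checks, "linter returned no checks for the pod")
			r.Contains(checks[0].Failed.Rules(), tt.wantRule)
		})
	}
}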