k8s.io/kubernetes@v1.29.3/pkg/securitycontext/util_test.go (about) 1 /* 2 Copyright 2014 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package securitycontext 18 19 import ( 20 "reflect" 21 "testing" 22 23 v1 "k8s.io/api/core/v1" 24 utilptr "k8s.io/utils/pointer" 25 ) 26 27 func TestAddNoNewPrivileges(t *testing.T) { 28 pfalse := false 29 ptrue := true 30 31 tests := map[string]struct { 32 sc *v1.SecurityContext 33 expect bool 34 }{ 35 "allowPrivilegeEscalation nil security context nil": { 36 sc: nil, 37 expect: false, 38 }, 39 "allowPrivilegeEscalation nil": { 40 sc: &v1.SecurityContext{ 41 AllowPrivilegeEscalation: nil, 42 }, 43 expect: false, 44 }, 45 "allowPrivilegeEscalation false": { 46 sc: &v1.SecurityContext{ 47 AllowPrivilegeEscalation: &pfalse, 48 }, 49 expect: true, 50 }, 51 "allowPrivilegeEscalation true": { 52 sc: &v1.SecurityContext{ 53 AllowPrivilegeEscalation: &ptrue, 54 }, 55 expect: false, 56 }, 57 } 58 59 for k, v := range tests { 60 actual := AddNoNewPrivileges(v.sc) 61 if actual != v.expect { 62 t.Errorf("%s failed, expected %t but received %t", k, v.expect, actual) 63 } 64 } 65 } 66 67 func TestConvertToRuntimeMaskedPaths(t *testing.T) { 68 dPM := v1.DefaultProcMount 69 uPM := v1.UnmaskedProcMount 70 tests := map[string]struct { 71 pm *v1.ProcMountType 72 expect []string 73 }{ 74 "procMount nil": { 75 pm: nil, 76 expect: defaultMaskedPaths, 77 }, 78 "procMount default": { 79 pm: &dPM, 80 expect: defaultMaskedPaths, 81 }, 82 "procMount unmasked": { 83 pm: &uPM, 84 expect: []string{}, 85 }, 86 } 87 88 for k, v := range tests { 89 actual := ConvertToRuntimeMaskedPaths(v.pm) 90 if !reflect.DeepEqual(actual, v.expect) { 91 t.Errorf("%s failed, expected %#v but received %#v", k, v.expect, actual) 92 } 93 } 94 } 95 96 func TestConvertToRuntimeReadonlyPaths(t *testing.T) { 97 dPM := v1.DefaultProcMount 98 uPM := v1.UnmaskedProcMount 99 tests := map[string]struct { 100 pm *v1.ProcMountType 101 expect []string 102 }{ 103 "procMount nil": { 104 pm: nil, 105 expect: defaultReadonlyPaths, 106 }, 107 "procMount default": { 108 pm: &dPM, 109 expect: defaultReadonlyPaths, 110 }, 111 "procMount unmasked": { 112 pm: &uPM, 113 expect: []string{}, 114 }, 115 } 116 117 for k, v := range tests { 118 actual := ConvertToRuntimeReadonlyPaths(v.pm) 119 if !reflect.DeepEqual(actual, v.expect) { 120 t.Errorf("%s failed, expected %#v but received %#v", k, v.expect, actual) 121 } 122 } 123 } 124 125 func TestDetermineEffectiveRunAsUser(t *testing.T) { 126 tests := []struct { 127 desc string 128 pod *v1.Pod 129 container *v1.Container 130 wantRunAsUser *int64 131 }{ 132 { 133 desc: "no securityContext in pod, no securityContext in container", 134 pod: &v1.Pod{ 135 Spec: v1.PodSpec{}, 136 }, 137 container: &v1.Container{}, 138 wantRunAsUser: nil, 139 }, 140 { 141 desc: "no runAsUser in pod, no runAsUser in container", 142 pod: &v1.Pod{ 143 Spec: v1.PodSpec{ 144 SecurityContext: &v1.PodSecurityContext{}, 145 }, 146 }, 147 container: &v1.Container{ 148 SecurityContext: &v1.SecurityContext{}, 149 }, 150 wantRunAsUser: nil, 151 }, 152 { 153 desc: "runAsUser in pod, no runAsUser in container", 154 pod: &v1.Pod{ 155 Spec: v1.PodSpec{ 156 SecurityContext: &v1.PodSecurityContext{ 157 RunAsUser: new(int64), 158 }, 159 }, 160 }, 161 container: &v1.Container{ 162 SecurityContext: &v1.SecurityContext{}, 163 }, 164 wantRunAsUser: new(int64), 165 }, 166 { 167 desc: "no runAsUser in pod, runAsUser in container", 168 pod: &v1.Pod{ 169 Spec: v1.PodSpec{ 170 SecurityContext: &v1.PodSecurityContext{}, 171 }, 172 }, 173 container: &v1.Container{ 174 SecurityContext: &v1.SecurityContext{ 175 RunAsUser: new(int64), 176 }, 177 }, 178 wantRunAsUser: new(int64), 179 }, 180 { 181 desc: "no runAsUser in pod, runAsUser in container", 182 pod: &v1.Pod{ 183 Spec: v1.PodSpec{ 184 SecurityContext: &v1.PodSecurityContext{ 185 RunAsUser: new(int64), 186 }, 187 }, 188 }, 189 container: &v1.Container{ 190 SecurityContext: &v1.SecurityContext{ 191 RunAsUser: utilptr.Int64Ptr(1), 192 }, 193 }, 194 wantRunAsUser: utilptr.Int64Ptr(1), 195 }, 196 } 197 198 for _, test := range tests { 199 t.Run(test.desc, func(t *testing.T) { 200 runAsUser, ok := DetermineEffectiveRunAsUser(test.pod, test.container) 201 if !ok && test.wantRunAsUser != nil { 202 t.Errorf("DetermineEffectiveRunAsUser(%v, %v) = %v, want %d", test.pod, test.container, runAsUser, *test.wantRunAsUser) 203 } 204 if ok && test.wantRunAsUser == nil { 205 t.Errorf("DetermineEffectiveRunAsUser(%v, %v) = %d, want %v", test.pod, test.container, *runAsUser, test.wantRunAsUser) 206 } 207 if ok && test.wantRunAsUser != nil && *runAsUser != *test.wantRunAsUser { 208 t.Errorf("DetermineEffectiveRunAsUser(%v, %v) = %d, want %d", test.pod, test.container, *runAsUser, *test.wantRunAsUser) 209 } 210 }) 211 } 212 }