Merge pull request #40849 from k82cn/adm_exec

Automatic merge from submit-queue (batch tested with PRs 42672, 42770, 42818, 42820, 40849) Improved the code coverage of plugin/pkg/admission/exec. part of #39559 refer to the attachment for code coverage: [combined-coverage.html.gz](https://github.com/kubernetes/kubernetes/files/746891/combined-coverage.html.gz)
2025-07-28 22:17:14 +00:00 · 2017-03-25 14:27:29 -07:00 · 2017-03-25 14:27:29 -07:00 · 02ed99ac05
commit 02ed99ac05
parent 4f606b9c8d 9aad72f6c8
1 changed files with 21 additions and 29 deletions
--- a/plugin/pkg/admission/exec/admission_test.go
+++ b/plugin/pkg/admission/exec/admission_test.go
@ -28,6 +28,17 @@ import (
 	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake"
 )

+// newAllowEscalatingExec returns `admission.Interface` that allows execution on
+// "hostIPC", "hostPID" and "privileged".
+func newAllowEscalatingExec() admission.Interface {
+	return &denyExec{
+		Handler:    admission.NewHandler(admission.Connect),
+		hostIPC:    false,
+		hostPID:    false,
+		privileged: false,
+	}
+}
+
 func TestAdmission(t *testing.T) {
 	privPod := validPod("privileged")
 	priv := true
@ -65,35 +76,22 @@ func TestAdmission(t *testing.T) {
 		},
 	}

-	// use the same code as NewDenyEscalatingExec, using the direct object though to allow testAdmission to
-	// inject the client
-	handler := &denyExec{
-		Handler:    admission.NewHandler(admission.Connect),
-		hostIPC:    true,
-		hostPID:    true,
-		privileged: true,
-	}
+	// Get the direct object though to allow testAdmission to inject the client
+	handler := NewDenyEscalatingExec().(*denyExec)

 	for _, tc := range testCases {
 		testAdmission(t, tc.pod, handler, tc.shouldAccept)
 	}

 	// run with a permissive config and all cases should pass
-	handler.privileged = false
-	handler.hostPID = false
-	handler.hostIPC = false
+	handler = newAllowEscalatingExec().(*denyExec)

 	for _, tc := range testCases {
 		testAdmission(t, tc.pod, handler, true)
 	}

 	// run against an init container
-	handler = &denyExec{
-		Handler:    admission.NewHandler(admission.Connect),
-		hostIPC:    true,
-		hostPID:    true,
-		privileged: true,
-	}
+	handler = NewDenyEscalatingExec().(*denyExec)

 	for _, tc := range testCases {
 		tc.pod.Spec.InitContainers = tc.pod.Spec.Containers
@ -102,9 +100,7 @@ func TestAdmission(t *testing.T) {
 	}

 	// run with a permissive config and all cases should pass
-	handler.privileged = false
-	handler.hostPID = false
-	handler.hostIPC = false
+	handler = newAllowEscalatingExec().(*denyExec)

 	for _, tc := range testCases {
 		testAdmission(t, tc.pod, handler, true)
@ -121,7 +117,8 @@ func testAdmission(t *testing.T, pod *api.Pod, handler *denyExec, shouldAccept b
 		return true, nil, nil
 	})

-	handler.client = mockClient
+	handler.SetInternalKubeClientSet(mockClient)
+	admission.Validate(handler)

 	// pods/exec
 	{
@ -186,14 +183,9 @@ func TestDenyExecOnPrivileged(t *testing.T) {
 		},
 	}

-	// use the same code as NewDenyExecOnPrivileged, using the direct object though to allow testAdmission to
-	// inject the client
-	handler := &denyExec{
-		Handler:    admission.NewHandler(admission.Connect),
-		hostIPC:    false,
-		hostPID:    false,
-		privileged: true,
-	}
+	// Get the direct object though to allow testAdmission to inject the client
+	handler := NewDenyExecOnPrivileged().(*denyExec)
+
 	for _, tc := range testCases {
 		testAdmission(t, tc.pod, handler, tc.shouldAccept)
 	}