From 9aad72f6c83376eb7d1376051b614f6bc9bd48e5 Mon Sep 17 00:00:00 2001
From: Klaus Ma
Date: Thu, 2 Feb 2017 13:24:18 +0800
Subject: [PATCH] Improved the code coverage of plugin/pkg/admission/exec.
---
 plugin/pkg/admission/exec/admission_test.go | 50 +++++++++------------
 1 file changed, 21 insertions(+), 29 deletions(-)
diff --git a/plugin/pkg/admission/exec/admission_test.go b/plugin/pkg/admission/exec/admission_test.go
index 917de3fe0cc..0508331e5e2 100644
--- a/plugin/pkg/admission/exec/admission_test.go
+++ b/plugin/pkg/admission/exec/admission_test.go
@@ -28,6 +28,17 @@ import (
 "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake"
 )
+// newAllowEscalatingExec returns `admission.Interface` that allows execution on
+// "hostIPC", "hostPID" and "privileged".
+func newAllowEscalatingExec() admission.Interface {
+ return &denyExec{
+ Handler: admission.NewHandler(admission.Connect),
+ hostIPC: false,
+ hostPID: false,
+ privileged: false,
+ }
+}
+
 func TestAdmission(t *testing.T) {
 privPod := validPod("privileged")
 priv := true
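Review bot: The doc comment on newAllowEscalatingExec reads as though the plugin grants something, whereas the literal below it simply sets all three checks (`hostIPC`, `hostPID`, `privileged`) to false. I would reword it to `// newAllowEscalatingExec returns a denyExec with the hostIPC, hostPID and privileged checks all disabled; test-only fixture for the permissive runs.` Saying so makes it clear to a later reader that this configuration is built by hand for the tests and is not meant to be promoted into the non-test package.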
@@ -65,35 +76,22 @@ func TestAdmission(t *testing.T) {
 },
 }
- // use the same code as NewDenyEscalatingExec, using the direct object though to allow testAdmission to
- // inject the client
- handler := &denyExec{
- Handler: admission.NewHandler(admission.Connect),
- hostIPC: true,
- hostPID: true,
- privileged: true,
- }
+ // Get the direct object though to allow testAdmission to inject the client
+ handler := NewDenyEscalatingExec().(*denyExec)
 for _, tc := range testCases {
 testAdmission(t, tc.pod, handler, tc.shouldAccept)
 }
 // run with a permissive config and all cases should pass
- handler.privileged = false
- handler.hostPID = false
- handler.hostIPC = false
+ handler = newAllowEscalatingExec().(*denyExec)
 for _, tc := range testCases {
 testAdmission(t, tc.pod, handler, true)
 }
 // run against an init container
- handler = &denyExec{
- Handler: admission.NewHandler(admission.Connect),
- hostIPC: true,
- hostPID: true,
- privileged: true,
- }
+ handler = NewDenyEscalatingExec().(*denyExec)
 for _, tc := range testCases {
 tc.pod.Spec.InitContainers = tc.pod.Spec.Containers
@@ -102,9 +100,7 @@ func TestAdmission(t *testing.T) {
 }
 // run with a permissive config and all cases should pass
- handler.privileged = false
- handler.hostPID = false
- handler.hostIPC = false
+ handler = newAllowEscalatingExec().(*denyExec)
 for _, tc := range testCases {
 testAdmission(t, tc.pod, handler, true)
@@ -121,7 +117,8 @@ func testAdmission(t *testing.T, pod *api.Pod, handler *denyExec, shouldAccept b
 return true, nil, nil
 })
- handler.client = mockClient
+ handler.SetInternalKubeClientSet(mockClient)
+ admission.Validate(handler)
 // pods/exec
 {
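Review bot: The single-value assertion `NewDenyEscalatingExec().(*denyExec)` panics instead of failing the test if the constructor ever returns a wrapped or different type. The same form is used for `newAllowEscalatingExec()` in this hunk and the next one, and for `NewDenyExecOnPrivileged()` in TestDenyExecOnPrivileged. A comma-ok form reports the mismatch as an ordinary test failure: `handler, ok := NewDenyEscalatingExec().(*denyExec)` followed by `if !ok { t.Fatal("NewDenyEscalatingExec did not return *denyExec") }`. TestAdmission starts and ends outside this hunk.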
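Review bot: The result of `admission.Validate(handler)` is discarded, so if validation reports a problem (presumably a missing client, given the `SetInternalKubeClientSet` call on the line above) the test carries on as though the handler were correctly initialised. Assuming Validate returns an error, check it: `if err := admission.Validate(handler); err != nil { t.Fatalf("handler failed validation: %v", err) }`. For a plugin that decides whether exec into privileged, hostPID or hostIPC pods is admitted, the initialisation path is worth asserting rather than only executing for coverage. testAdmission's body continues outside the hunk.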
@@ -186,14 +183,9 @@ func TestDenyExecOnPrivileged(t *testing.T) {
 },
 }
- // use the same code as NewDenyExecOnPrivileged, using the direct object though to allow testAdmission to
- // inject the client
- handler := &denyExec{
- Handler: admission.NewHandler(admission.Connect),
- hostIPC: false,
- hostPID: false,
- privileged: true,
- }
+ // Get the direct object though to allow testAdmission to inject the client
+ handler := NewDenyExecOnPrivileged().(*denyExec)
+
 for _, tc := range testCases {
 testAdmission(t, tc.pod, handler, tc.shouldAccept)
 }