Merge pull request #40849 from k82cn/adm_exec

Automatic merge from submit-queue (batch tested with PRs 42672, 42770, 42818, 42820, 40849)

Improved the code coverage of plugin/pkg/admission/exec.

part of #39559 

refer to the attachment for code coverage: [combined-coverage.html.gz](https://github.com/kubernetes/kubernetes/files/746891/combined-coverage.html.gz)

plugin/pkg/admission/exec/admission_test.go

@@ -28,6 +28,17 @@ import (
 	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake"
 )
 
+// newAllowEscalatingExec returns `admission.Interface` that allows execution on
+// "hostIPC", "hostPID" and "privileged".
+func newAllowEscalatingExec() admission.Interface {
+	return &denyExec{
+		Handler:    admission.NewHandler(admission.Connect),
+		hostIPC:    false,
+		hostPID:    false,
+		privileged: false,
+	}
+}
+
 func TestAdmission(t *testing.T) {
 	privPod := validPod("privileged")
 	priv := true
@@ -65,35 +76,22 @@ func TestAdmission(t *testing.T) {
 		},
 	}
 
-	// use the same code as NewDenyEscalatingExec, using the direct object though to allow testAdmission to
+	// Get the direct object though to allow testAdmission to inject the client
-	// inject the client
+	handler := NewDenyEscalatingExec().(*denyExec)
-	handler := &denyExec{
-		Handler:    admission.NewHandler(admission.Connect),
-		hostIPC:    true,
-		hostPID:    true,
-		privileged: true,
-	}
 
 	for _, tc := range testCases {
 		testAdmission(t, tc.pod, handler, tc.shouldAccept)
 	}
 
 	// run with a permissive config and all cases should pass
-	handler.privileged = false
+	handler = newAllowEscalatingExec().(*denyExec)
-	handler.hostPID = false
-	handler.hostIPC = false
 
 	for _, tc := range testCases {
 		testAdmission(t, tc.pod, handler, true)
 	}
 
 	// run against an init container
-	handler = &denyExec{
+	handler = NewDenyEscalatingExec().(*denyExec)
-		Handler:    admission.NewHandler(admission.Connect),
-		hostIPC:    true,
-		hostPID:    true,
-		privileged: true,
-	}
 
 	for _, tc := range testCases {
 		tc.pod.Spec.InitContainers = tc.pod.Spec.Containers
@@ -102,9 +100,7 @@ func TestAdmission(t *testing.T) {
 	}
 
 	// run with a permissive config and all cases should pass
-	handler.privileged = false
+	handler = newAllowEscalatingExec().(*denyExec)
-	handler.hostPID = false
-	handler.hostIPC = false
 
 	for _, tc := range testCases {
 		testAdmission(t, tc.pod, handler, true)
@@ -121,7 +117,8 @@ func testAdmission(t *testing.T, pod *api.Pod, handler *denyExec, shouldAccept b
 		return true, nil, nil
 	})
 
-	handler.client = mockClient
+	handler.SetInternalKubeClientSet(mockClient)
+	admission.Validate(handler)
 
 	// pods/exec
 	{
@@ -186,14 +183,9 @@ func TestDenyExecOnPrivileged(t *testing.T) {
 		},
 	}
 
-	// use the same code as NewDenyExecOnPrivileged, using the direct object though to allow testAdmission to
+	// Get the direct object though to allow testAdmission to inject the client
-	// inject the client
+	handler := NewDenyExecOnPrivileged().(*denyExec)
-	handler := &denyExec{
+
-		Handler:    admission.NewHandler(admission.Connect),
-		hostIPC:    false,
-		hostPID:    false,
-		privileged: true,
-	}
 	for _, tc := range testCases {
 		testAdmission(t, tc.pod, handler, tc.shouldAccept)
 	}