Add PodSecurityContext and backward compatibility tests

Paul Morie
2015-09-14 17:56:51 -04:00
parent 608244fbb0
commit 227dd82119
41 changed files with 717 additions and 236 deletions


@@ -90,11 +90,11 @@ func (d *denyExec) Admit(a admission.Attributes) (err error) {
return admission.NewForbidden(a, err)
}
if d.hostPID && pod.Spec.HostPID {
if d.hostPID && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostPID {
return admission.NewForbidden(a, fmt.Errorf("Cannot exec into or attach to a container using host pid"))
}
if d.hostIPC && pod.Spec.HostIPC {
if d.hostIPC && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostIPC {
return admission.NewForbidden(a, fmt.Errorf("Cannot exec into or attach to a container using host ipc"))
}
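Review bot: Both new guards treat a nil `pod.Spec.SecurityContext` as "no host namespaces requested", so the plugin allows exec/attach whenever that field is unset. That is only safe if every path that builds the internal pod carries the older top-level `HostPID`/`HostIPC` values into `SecurityContext`; the conversion code is not visible from this hunk, so this is an assumption to confirm. I would at least record it above the first check, e.g. `// A nil SecurityContext means no host namespaces were requested; legacy HostPID/HostIPC values are expected to be converted into it.` Admit's body starts and ends outside the hunk.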


@@ -34,10 +34,12 @@ func TestAdmission(t *testing.T) {
}
hostPIDPod := validPod("hostPID")
hostPIDPod.Spec.HostPID = true
hostPIDPod.Spec.SecurityContext = &api.PodSecurityContext{}
hostPIDPod.Spec.SecurityContext.HostPID = true
hostIPCPod := validPod("hostIPC")
hostIPCPod.Spec.HostIPC = true
hostIPCPod.Spec.SecurityContext = &api.PodSecurityContext{}
hostIPCPod.Spec.SecurityContext.HostIPC = true
testCases := map[string]struct {
pod *api.Pod
@@ -130,10 +132,12 @@ func TestDenyExecOnPrivileged(t *testing.T) {
}
hostPIDPod := validPod("hostPID")
hostPIDPod.Spec.HostPID = true
hostPIDPod.Spec.SecurityContext = &api.PodSecurityContext{}
hostPIDPod.Spec.SecurityContext.HostPID = true
hostIPCPod := validPod("hostIPC")
hostIPCPod.Spec.HostIPC = true
hostIPCPod.Spec.SecurityContext = &api.PodSecurityContext{}
hostIPCPod.Spec.SecurityContext.HostIPC = true
testCases := map[string]struct {
pod *api.Pod
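Review bot: The setup in TestAdmission and TestDenyExecOnPrivileged builds the context in two statements where a composite literal does it in one, `hostPIDPod.Spec.SecurityContext = &api.PodSecurityContext{HostPID: true}` (likewise for `HostIPC`), and the same pair is repeated in both tests. The visible lines only cover a context with the flag set. If the test table, which lies outside the hunks, does not already have one, a pod with a non-nil `SecurityContext` and both flags false would pin that the plugin does not deny exec in that case. Both test functions continue outside the hunks.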


@@ -25,6 +25,7 @@ import (
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/api/testapi"
apitesting "k8s.io/kubernetes/pkg/api/testing"
"k8s.io/kubernetes/pkg/client/cache"
client "k8s.io/kubernetes/pkg/client/unversioned"
"k8s.io/kubernetes/pkg/runtime"
@@ -132,14 +133,9 @@ func PriorityTwo(pod *api.Pod, podLister algorithm.PodLister, nodeLister algorit
}
func TestDefaultErrorFunc(t *testing.T) {
grace := int64(30)
testPod := &api.Pod{
ObjectMeta: api.ObjectMeta{Name: "foo", Namespace: "bar"},
Spec: api.PodSpec{
RestartPolicy: api.RestartPolicyAlways,
DNSPolicy: api.DNSClusterFirst,
TerminationGracePeriodSeconds: &grace,
},
Spec: apitesting.DeepEqualSafePodSpec(),
}
handler := util.FakeHandler{
StatusCode: 200,