Merge pull request #105748 from marosset/host-process-emphemeral-contianer-validation

Adding unit test coverage for API validation for ephemeral containers in hostprocess pods on Windows
2025-07-24 20:24:09 +00:00 · 2021-10-19 08:11:04 -07:00 · 2021-10-19 08:11:04 -07:00 · 2dbdd9461d
commit 2dbdd9461d
parent 5cdc3407ee 3ddff55fe6
1 changed files with 87 additions and 0 deletions
--- a/pkg/apis/core/validation/validation_test.go
+++ b/pkg/apis/core/validation/validation_test.go
@ -18567,11 +18567,98 @@ func TestValidateWindowsHostProcessPod(t *testing.T) {
 				}},
 			},
 		},
+		{
+			name:            "Non-HostProcess ephemeral container in HostProcess pod should not validate",
+			expectError:     true,
+			featureEnabled:  true,
+			allowPrivileged: true,
+			podSpec: &core.PodSpec{
+				SecurityContext: &core.PodSecurityContext{
+					HostNetwork: true,
+					WindowsOptions: &core.WindowsSecurityContextOptions{
+						HostProcess: &trueVar,
+					},
+				},
+				Containers: []core.Container{{
+					Name: containerName,
+				}},
+				EphemeralContainers: []core.EphemeralContainer{{
+					EphemeralContainerCommon: core.EphemeralContainerCommon{
+						SecurityContext: &core.SecurityContext{
+							WindowsOptions: &core.WindowsSecurityContextOptions{
+								HostProcess: &falseVar,
+							},
+						},
+					},
+				}},
+			},
+		},
+		{
+			name:            "HostProcess ephemeral container in HostProcess pod should validate",
+			expectError:     false,
+			featureEnabled:  true,
+			allowPrivileged: true,
+			podSpec: &core.PodSpec{
+				SecurityContext: &core.PodSecurityContext{
+					HostNetwork: true,
+					WindowsOptions: &core.WindowsSecurityContextOptions{
+						HostProcess: &trueVar,
+					},
+				},
+				Containers: []core.Container{{
+					Name: containerName,
+				}},
+				EphemeralContainers: []core.EphemeralContainer{{
+					EphemeralContainerCommon: core.EphemeralContainerCommon{},
+				}},
+			},
+		},
+		{
+			name:            "Non-HostProcess ephemeral container in Non-HostProcess pod should validate",
+			expectError:     false,
+			featureEnabled:  true,
+			allowPrivileged: true,
+			podSpec: &core.PodSpec{
+				Containers: []core.Container{{
+					Name: containerName,
+				}},
+				EphemeralContainers: []core.EphemeralContainer{{
+					EphemeralContainerCommon: core.EphemeralContainerCommon{
+						SecurityContext: &core.SecurityContext{
+							WindowsOptions: &core.WindowsSecurityContextOptions{
+								HostProcess: &falseVar,
+							},
+						},
+					},
+				}},
+			},
+		},
+		{
+			name:            "HostProcess ephemeral container in Non-HostProcess pod should not validate",
+			expectError:     true,
+			featureEnabled:  true,
+			allowPrivileged: true,
+			podSpec: &core.PodSpec{
+				Containers: []core.Container{{
+					Name: containerName,
+				}},
+				EphemeralContainers: []core.EphemeralContainer{{
+					EphemeralContainerCommon: core.EphemeralContainerCommon{
+						SecurityContext: &core.SecurityContext{
+							WindowsOptions: &core.WindowsSecurityContextOptions{
+								HostProcess: &trueVar,
+							},
+						},
+					},
+				}},
+			},
+		},
 	}

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostProcessContainers, testCase.featureEnabled)()
+			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.EphemeralContainers, true)()

 			opts := PodValidationOptions{AllowWindowsHostProcessField: testCase.featureEnabled}