github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-29 06:27:05 +00:00
Code Issues Projects Releases Wiki Activity

impove the coverage

Browse Source 
Signed-off-by: mantuliu <240951888@qq.com>
This commit is contained in:
mantuliu 2023-02-01 10:47:38 +08:00
parent 52e7bf58cf
commit 3f8ada67c5
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
pkg/kubelet/sysctl/allowlist_test.go
View File

@ -36,6 +36,7 @@ func TestNewAllowlist(t *testing.T) {
{sysctls: []string{"net.*.foo"}, err: true}, {sysctls: []string{"net.*.foo"}, err: true},
{sysctls: []string{"net.*/foo"}, err: true}, {sysctls: []string{"net.*/foo"}, err: true},
{sysctls: []string{"foo"}, err: true}, {sysctls: []string{"foo"}, err: true},
{sysctls: []string{"foo*"}, err: true},
} { } {
_, err := NewAllowlist(append(SafeSysctlAllowlist(), test.sysctls...)) _, err := NewAllowlist(append(SafeSysctlAllowlist(), test.sysctls...))
if test.err && err == nil { if test.err && err == nil {
@ -67,12 +68,13 @@ func TestAllowlist(t *testing.T) {
{sysctl: "net.ipv4.ip_local_port_range.a.b.c", hostNet: false}, {sysctl: "net.ipv4.ip_local_port_range.a.b.c", hostNet: false},
{sysctl: "kernel.msgmax", hostIPC: true}, {sysctl: "kernel.msgmax", hostIPC: true},
{sysctl: "kernel.sem", hostIPC: true}, {sysctl: "kernel.sem", hostIPC: true},
{sysctl: "net.b.c", hostNet: true},
} }
pod := &v1.Pod{} pod := &v1.Pod{}
pod.Spec.SecurityContext = &v1.PodSecurityContext{} pod.Spec.SecurityContext = &v1.PodSecurityContext{}
attrs := &lifecycle.PodAdmitAttributes{Pod: pod} attrs := &lifecycle.PodAdmitAttributes{Pod: pod}
w, err := NewAllowlist(append(SafeSysctlAllowlist(), "kernel.msg*", "kernel.sem")) w, err := NewAllowlist(append(SafeSysctlAllowlist(), "kernel.msg*", "kernel.sem", "net.b.*"))
if err != nil { if err != nil {
t.Fatalf("failed to create allowlist: %v", err) t.Fatalf("failed to create allowlist: %v", err)
} }
@ -81,7 +83,7 @@ func TestAllowlist(t *testing.T) {
if err := w.validateSysctl(test.sysctl, test.hostNet, test.hostIPC); err != nil { if err := w.validateSysctl(test.sysctl, test.hostNet, test.hostIPC); err != nil {
t.Errorf("expected to be allowlisted: %+v, got: %v", test, err) t.Errorf("expected to be allowlisted: %+v, got: %v", test, err)
} }
pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{{test.sysctl, test.sysctl}} pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{{Name: test.sysctl, Value: test.sysctl}}
status := w.Admit(attrs) status := w.Admit(attrs)
if !status.Admit { if !status.Admit {
t.Errorf("expected to be allowlisted: %+v, got: %+v", test, status) t.Errorf("expected to be allowlisted: %+v, got: %+v", test, status)
@ -94,7 +96,7 @@ func TestAllowlist(t *testing.T) {
} }
pod.Spec.HostNetwork = test.hostNet pod.Spec.HostNetwork = test.hostNet
pod.Spec.HostIPC = test.hostIPC pod.Spec.HostIPC = test.hostIPC
pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{{test.sysctl, test.sysctl}} pod.Spec.SecurityContext.Sysctls = []v1.Sysctl{{Name: test.sysctl, Value: test.sysctl}}
status := w.Admit(attrs) status := w.Admit(attrs)
if status.Admit { if status.Admit {
t.Errorf("expected to be rejected: %+v", test) t.Errorf("expected to be rejected: %+v", test)