diff --git a/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go b/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
index b6fa009df23..3deb21be623 100644
--- a/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
+++ b/plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
@@ -1106,6 +1106,38 @@ func TestAdmitSysctls(t *testing.T) {
 psps: []*extensions.PodSecurityPolicy{emptySysctls},
 shouldPass: false,
 },
+ "pod with unsafe sysctls a, b request disallowed under aSysctls SCC": {
+ pod: podWithSysctls([]string{}, []string{"a", "b"}),
+ psps: []*extensions.PodSecurityPolicy{aSysctl},
+ shouldPass: false,
+ },
+ "pod with unsafe sysctls b request disallowed under aSysctls SCC": {
+ pod: podWithSysctls([]string{}, []string{"b"}),
+ psps: []*extensions.PodSecurityPolicy{aSysctl},
+ shouldPass: false,
+ },
+ "pod with unsafe sysctls a request allowed under aSysctls SCC": {
+ pod: podWithSysctls([]string{}, []string{"a"}),
+ psps: []*extensions.PodSecurityPolicy{aSysctl},
+ shouldPass: true,
+ expectedPSP: aSysctl.Name,
+ },
+ "pod with safe sysctls a, b request disallowed under aSysctls SCC": {
+ pod: podWithSysctls([]string{"a", "b"}, []string{}),
+ psps: []*extensions.PodSecurityPolicy{aSysctl},
+ shouldPass: false,
+ },
+ "pod with safe sysctls b request disallowed under aSysctls SCC": {
+ pod: podWithSysctls([]string{"b"}, []string{}),
+ psps: []*extensions.PodSecurityPolicy{aSysctl},
+ shouldPass: false,
+ },
+ "pod with safe sysctls a request allowed under aSysctls SCC": {
+ pod: podWithSysctls([]string{"a"}, []string{}),
+ psps: []*extensions.PodSecurityPolicy{aSysctl},
+ shouldPass: true,
+ expectedPSP: aSysctl.Name,
+ },
 "pod with unsafe sysctls request disallowed under emptySysctls PSP": {
 pod: podWithSysctls([]string{}, []string{"a", "b"}),
 psps: []*extensions.PodSecurityPolicy{emptySysctls},
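Review bot: Each of the six added cases fills only one of the two lists passed to `podWithSysctls`, so nothing in this hunk pins that a pod is rejected when an allowed name in one list is paired with a disallowed name in the other. A case such as `pod: podWithSysctls([]string{"a"}, []string{"b"}),` with `shouldPass: false`, plus its mirror, would catch an admission check that stops after the first list validates. This assumes `aSysctl` permits only `a`, which the visible expectations suggest; its definition and the rest of TestAdmitSysctls's table are outside the hunk, so the combination may already be covered there. The new case names also say `aSysctls SCC` while the variable is `aSysctl` and the neighbouring cases say `PSP`; ending them in `under aSysctl PSP` would keep failure output consistent with the rest of the table.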