github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-09 12:07:47 +00:00
Code Issues Projects Releases Wiki Activity

add test for authorizer type checking.

Browse Source
This commit is contained in:
Jiahui Feng 2023-06-08 15:51:05 -07:00
parent 04fa4184ed
commit 7ccc231783
1 changed files with 66 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/typechecking_test.go
View File

@ -233,6 +233,42 @@ func TestTypeCheck(t *testing.T) {
}, },
}}, }},
}} }}
authorizerPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{
Validations: []v1alpha1.Validation{
{
Expression: "authorizer.group('').resource('endpoints').check('create').allowed()",
},
},
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{
{
RuleWithOperations: v1alpha1.RuleWithOperations{
Rule: v1alpha1.Rule{
APIGroups: []string{"apps"},
APIVersions: []string{"v1"},
Resources: []string{"deployments"},
},
},
},
}},
}}
authorizerInvalidPolicy := &v1alpha1.ValidatingAdmissionPolicy{Spec: v1alpha1.ValidatingAdmissionPolicySpec{
Validations: []v1alpha1.Validation{
{
Expression: "authorizer.allowed()",
},
},
MatchConstraints: &v1alpha1.MatchResources{ResourceRules: []v1alpha1.NamedRuleWithOperations{
{
RuleWithOperations: v1alpha1.RuleWithOperations{
Rule: v1alpha1.Rule{
APIGroups: []string{"apps"},
APIVersions: []string{"v1"},
Resources: []string{"deployments"},
},
},
},
}},
}}
for _, tc := range []struct { for _, tc := range []struct {
name string name string
schemaToReturn *spec.Schema schemaToReturn *spec.Schema
@ -327,6 +363,36 @@ func TestTypeCheck(t *testing.T) {
toHaveLengthOf(1), toHaveLengthOf(1),
}, },
}, },
{
name: "authorizer",
policy: authorizerPolicy,
schemaToReturn: &spec.Schema{
SchemaProps: spec.SchemaProps{
Type: []string{"object"},
Properties: map[string]spec.Schema{
"foo": *spec.StringProperty(),
},
},
},
assertions: []assertionFunc{toBeEmpty},
},
{
name: "authorizer invalid",
policy: authorizerInvalidPolicy,
schemaToReturn: &spec.Schema{
SchemaProps: spec.SchemaProps{
Type: []string{"object"},
Properties: map[string]spec.Schema{
"foo": *spec.StringProperty(),
},
},
},
assertions: []assertionFunc{
toHaveFieldRef("spec.validations[0].expression"),
toHaveLengthOf(1),
toContain("found no matching overload for 'allowed' applied to 'kubernetes.authorization.Authorizer"),
},
},
} { } {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
typeChecker := buildTypeChecker(tc.schemaToReturn) typeChecker := buildTypeChecker(tc.schemaToReturn)